diff --git a/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/ConvertDatabase12026.cs b/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/ConvertDatabase12026.cs
new file mode 100644
index 0000000000..d4a5aaf206
--- /dev/null
+++ b/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/ConvertDatabase12026.cs
@@ -0,0 +1,38 @@
+////////////////////////////////
+//
+// Copyright 2023 Battelle Energy Alliance, LLC
+//
+//
+////////////////////////////////
+using System;
+using Microsoft.Data.SqlClient;
+using System.IO;
+namespace UpgradeLibrary.Upgrade
+{
+ internal class ConvertDatabase12026 : ConvertSqlDatabase
+ {
+ public ConvertDatabase12026(string path) : base(path)
+ {
+ myVersion = new Version("12.0.2.6");
+ }
+
+ ///
+ /// Runs the database update script
+ ///
+ ///
+ public override void Execute(SqlConnection conn)
+ {
+ try
+ {
+ RunFile(Path.Combine(this.applicationPath, "VersionUpgrader", "SQL", "12025_to_12026.sql"), conn);
+ RunFile(Path.Combine(this.applicationPath, "VersionUpgrader", "SQL", "12025_to_12026_data.sql"), conn);
+
+ this.UpgradeToVersionLocalDB(conn, myVersion);
+ }
+ catch (Exception e)
+ {
+ throw new DatabaseUpgradeException("Error in upgrading database version 12.0.2.5 to 12.0.2.6: " + e.Message);
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/ConvertDatabase12027.cs b/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/ConvertDatabase12027.cs
new file mode 100644
index 0000000000..e438e6e64a
--- /dev/null
+++ b/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/ConvertDatabase12027.cs
@@ -0,0 +1,37 @@
+////////////////////////////////
+//
+// Copyright 2023 Battelle Energy Alliance, LLC
+//
+//
+////////////////////////////////
+using System;
+using Microsoft.Data.SqlClient;
+using System.IO;
+namespace UpgradeLibrary.Upgrade
+{
+ internal class ConvertDatabase12027 : ConvertSqlDatabase
+ {
+ public ConvertDatabase12027(string path) : base(path)
+ {
+ myVersion = new Version("12.0.2.7");
+ }
+
+ ///
+ /// Runs the database update script
+ ///
+ ///
+ public override void Execute(SqlConnection conn)
+ {
+ try
+ {
+ RunFile(Path.Combine(this.applicationPath, "VersionUpgrader", "SQL", "12026_to_12027_data.sql"), conn);
+
+ this.UpgradeToVersionLocalDB(conn, myVersion);
+ }
+ catch (Exception e)
+ {
+ throw new DatabaseUpgradeException("Error in upgrading database version 12.0.2.6 to 12.0.2.7: " + e.Message);
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/SQL/12025_to_12026.sql b/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/SQL/12025_to_12026.sql
new file mode 100644
index 0000000000..c66553f602
--- /dev/null
+++ b/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/SQL/12025_to_12026.sql
@@ -0,0 +1,109 @@
+/*
+Run this script on:
+
+ (localdb)\INLLocalDb2022.CSETWeb12025 - This database will be modified
+
+to synchronize it with:
+
+ (localdb)\INLLocalDb2022.CSETWeb12026
+
+You are recommended to back up your database before running this script
+
+Script created by SQL Compare version 14.10.9.22680 from Red Gate Software Ltd at 8/14/2023 5:25:17 PM
+
+*/
+SET NUMERIC_ROUNDABORT OFF
+GO
+SET ANSI_PADDING, ANSI_WARNINGS, CONCAT_NULL_YIELDS_NULL, ARITHABORT, QUOTED_IDENTIFIER, ANSI_NULLS ON
+GO
+SET XACT_ABORT ON
+GO
+SET TRANSACTION ISOLATION LEVEL Serializable
+GO
+BEGIN TRANSACTION
+GO
+IF @@ERROR <> 0 SET NOEXEC ON
+GO
+PRINT N'Altering [dbo].[SECTOR]'
+GO
+IF @@ERROR <> 0 SET NOEXEC ON
+GO
+ALTER TABLE [dbo].[SECTOR] ADD
+[Is_NIPP] [bit] NOT NULL CONSTRAINT [DF__SECTOR__Is_NIPP__4C214075] DEFAULT ((0)),
+[NIPP_sector] [int] NULL
+GO
+IF @@ERROR <> 0 SET NOEXEC ON
+GO
+PRINT N'Altering [dbo].[SECTOR_INDUSTRY]'
+GO
+IF @@ERROR <> 0 SET NOEXEC ON
+GO
+ALTER TABLE [dbo].[SECTOR_INDUSTRY] ADD
+[Is_NIPP] [bit] NOT NULL CONSTRAINT [DF__SECTOR_IN__Is_NI__4D1564AE] DEFAULT ((0)),
+[Is_Other] [bit] NOT NULL CONSTRAINT [DF__SECTOR_IN__Is_Ot__4E0988E7] DEFAULT ((0)),
+[NIPP_subsector] [int] NULL
+GO
+IF @@ERROR <> 0 SET NOEXEC ON
+GO
+PRINT N'Creating [dbo].[DETAILS_DEMOGRAPHICS]'
+GO
+CREATE TABLE [dbo].[DETAILS_DEMOGRAPHICS]
+(
+[Assessment_Id] [int] NOT NULL,
+[DataItemName] [nvarchar] (100) COLLATE SQL_Latin1_General_CP1_CI_AS NOT NULL,
+[StringValue] [nvarchar] (max) COLLATE SQL_Latin1_General_CP1_CI_AS NULL,
+[IntValue] [int] NULL,
+[FloatValue] [float] NULL,
+[BoolValue] [bit] NULL,
+[DateTimeValue] [datetime] NULL
+)
+GO
+IF @@ERROR <> 0 SET NOEXEC ON
+GO
+PRINT N'Creating primary key [PK_DETAILS_DEMOGRAPHICS] on [dbo].[DETAILS_DEMOGRAPHICS]'
+GO
+ALTER TABLE [dbo].[DETAILS_DEMOGRAPHICS] ADD CONSTRAINT [PK_DETAILS_DEMOGRAPHICS] PRIMARY KEY CLUSTERED ([Assessment_Id], [DataItemName])
+GO
+IF @@ERROR <> 0 SET NOEXEC ON
+GO
+PRINT N'Creating [dbo].[DETAILS_DEMOGRAPHICS_OPTIONS]'
+GO
+CREATE TABLE [dbo].[DETAILS_DEMOGRAPHICS_OPTIONS]
+(
+[Option_Id] [int] NOT NULL IDENTITY(1, 1),
+[DataItemName] [nvarchar] (50) COLLATE SQL_Latin1_General_CP1_CI_AS NOT NULL,
+[Sequence] [int] NOT NULL,
+[OptionValue] [nvarchar] (50) COLLATE SQL_Latin1_General_CP1_CI_AS NOT NULL,
+[OptionText] [nvarchar] (100) COLLATE SQL_Latin1_General_CP1_CI_AS NOT NULL
+)
+GO
+IF @@ERROR <> 0 SET NOEXEC ON
+GO
+PRINT N'Creating primary key [PK_DETAIL_DEMOG_OPTIONS] on [dbo].[DETAILS_DEMOGRAPHICS_OPTIONS]'
+GO
+ALTER TABLE [dbo].[DETAILS_DEMOGRAPHICS_OPTIONS] ADD CONSTRAINT [PK_DETAIL_DEMOG_OPTIONS] PRIMARY KEY CLUSTERED ([Option_Id])
+GO
+IF @@ERROR <> 0 SET NOEXEC ON
+GO
+COMMIT TRANSACTION
+GO
+IF @@ERROR <> 0 SET NOEXEC ON
+GO
+-- This statement writes to the SQL Server Log so SQL Monitor can show this deployment.
+IF HAS_PERMS_BY_NAME(N'sys.xp_logevent', N'OBJECT', N'EXECUTE') = 1
+BEGIN
+ DECLARE @databaseName AS nvarchar(2048), @eventMessage AS nvarchar(2048)
+ SET @databaseName = REPLACE(REPLACE(DB_NAME(), N'\', N'\\'), N'"', N'\"')
+ SET @eventMessage = N'Redgate SQL Compare: { "deployment": { "description": "Redgate SQL Compare deployed to ' + @databaseName + N'", "database": "' + @databaseName + N'" }}'
+ EXECUTE sys.xp_logevent 55000, @eventMessage
+END
+GO
+DECLARE @Success AS BIT
+SET @Success = 1
+SET NOEXEC OFF
+IF (@Success = 1) PRINT 'The database update succeeded'
+ELSE BEGIN
+ IF @@TRANCOUNT > 0 ROLLBACK TRANSACTION
+ PRINT 'The database update failed'
+END
+GO
diff --git a/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/SQL/12025_to_12026_data.sql b/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/SQL/12025_to_12026_data.sql
new file mode 100644
index 0000000000..aeb3223b03
--- /dev/null
+++ b/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/SQL/12025_to_12026_data.sql
@@ -0,0 +1,7073 @@
+/*
+Run this script on:
+
+(localdb)\INLLocalDb2022.CSETWeb12025TestUpgrade - This database will be modified
+
+to synchronize it with:
+
+(localdb)\INLLocalDb2022.CSETWeb12026
+
+You are recommended to back up your database before running this script
+
+Script created by SQL Data Compare version 14.10.9.22680 from Red Gate Software Ltd at 8/15/2023 7:37:02 AM
+
+*/
+
+SET NUMERIC_ROUNDABORT OFF
+GO
+SET ANSI_PADDING, ANSI_WARNINGS, CONCAT_NULL_YIELDS_NULL, ARITHABORT, QUOTED_IDENTIFIER, ANSI_NULLS, NOCOUNT ON
+GO
+SET DATEFORMAT YMD
+GO
+SET XACT_ABORT ON
+GO
+SET TRANSACTION ISOLATION LEVEL Serializable
+GO
+BEGIN TRANSACTION
+
+PRINT(N'Disable DML triggers on [dbo].[MATURITY_GROUPINGS]')
+ALTER TABLE [dbo].[MATURITY_GROUPINGS] DISABLE TRIGGER [trg_update_maturity_groupings]
+
+PRINT(N'Drop constraints from [dbo].[MATURITY_SOURCE_FILES]')
+ALTER TABLE [dbo].[MATURITY_SOURCE_FILES] NOCHECK CONSTRAINT [FK_MATURITY_SOURCE_FILES_GEN_FILE]
+ALTER TABLE [dbo].[MATURITY_SOURCE_FILES] NOCHECK CONSTRAINT [FK_MATURITY_SOURCE_FILES_MATURITY_QUESTIONS]
+
+PRINT(N'Drop constraints from [dbo].[MATURITY_REFERENCES]')
+ALTER TABLE [dbo].[MATURITY_REFERENCES] NOCHECK CONSTRAINT [FK_MATURITY_REFERENCES_GEN_FILE]
+ALTER TABLE [dbo].[MATURITY_REFERENCES] NOCHECK CONSTRAINT [FK_MATURITY_REFERENCES_MATURITY_QUESTIONS]
+
+PRINT(N'Drop constraints from [dbo].[MATURITY_REFERENCE_TEXT]')
+ALTER TABLE [dbo].[MATURITY_REFERENCE_TEXT] NOCHECK CONSTRAINT [FK_MATURITY_REFERENCE_TEXT_MATURITY_QUESTIONS]
+
+PRINT(N'Drop constraints from [dbo].[MATURITY_QUESTIONS]')
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK__MATURITY___Matur__5B638405]
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_GROUPINGS]
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_LEVELS]
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_MODELS]
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_OPTIONS]
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_QUESTION_TYPES]
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_QUESTIONS]
+
+PRINT(N'Drop constraint FK__HYDRO_DAT__Mat_Q__38652BE2 from [dbo].[HYDRO_DATA]')
+ALTER TABLE [dbo].[HYDRO_DATA] NOCHECK CONSTRAINT [FK__HYDRO_DAT__Mat_Q__38652BE2]
+
+PRINT(N'Drop constraint FK__ISE_ACTIO__Mat_Q__7F2CAE86 from [dbo].[ISE_ACTIONS]')
+ALTER TABLE [dbo].[ISE_ACTIONS] NOCHECK CONSTRAINT [FK__ISE_ACTIO__Mat_Q__7F2CAE86]
+
+PRINT(N'Drop constraint FK_MATURITY_QUESTIONS_MAT_QUESTION_ID from [dbo].[ISE_ACTIONS]')
+ALTER TABLE [dbo].[ISE_ACTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MAT_QUESTION_ID]
+
+PRINT(N'Drop constraint FK_MATURITY_ANSWER_OPTIONS_MATURITY_QUESTIONS1 from [dbo].[MATURITY_ANSWER_OPTIONS]')
+ALTER TABLE [dbo].[MATURITY_ANSWER_OPTIONS] NOCHECK CONSTRAINT [FK_MATURITY_ANSWER_OPTIONS_MATURITY_QUESTIONS1]
+
+PRINT(N'Drop constraint FK_MATURITY_QUESTION_PROPS_MATURITY_QUESTIONS from [dbo].[MATURITY_QUESTION_PROPS]')
+ALTER TABLE [dbo].[MATURITY_QUESTION_PROPS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTION_PROPS_MATURITY_QUESTIONS]
+
+PRINT(N'Drop constraint FK_TTP_MAT_QUESTION_MATURITY_QUESTIONS from [dbo].[TTP_MAT_QUESTION]')
+ALTER TABLE [dbo].[TTP_MAT_QUESTION] NOCHECK CONSTRAINT [FK_TTP_MAT_QUESTION_MATURITY_QUESTIONS]
+
+PRINT(N'Drop constraints from [dbo].[MATURITY_GROUPINGS]')
+ALTER TABLE [dbo].[MATURITY_GROUPINGS] NOCHECK CONSTRAINT [FK_MATURITY_GROUPINGS_MATURITY_GROUPING_TYPES]
+ALTER TABLE [dbo].[MATURITY_GROUPINGS] NOCHECK CONSTRAINT [FK_MATURITY_GROUPINGS_MATURITY_MODELS]
+
+PRINT(N'Drop constraint FK_MATURITY_DOMAIN_REMARKS_MATURITY_GROUPINGS from [dbo].[MATURITY_DOMAIN_REMARKS]')
+ALTER TABLE [dbo].[MATURITY_DOMAIN_REMARKS] NOCHECK CONSTRAINT [FK_MATURITY_DOMAIN_REMARKS_MATURITY_GROUPINGS]
+
+PRINT(N'Update rows in [dbo].[MATURITY_REFERENCE_TEXT]')
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Identify the organization''s high-value services, associated assets, and activities. A fundamental risk management principle is to focus on those activities that protect and sustain services and assets that most directly affect the organization''s ability to achieve its mission. This information should be made available to the Incident Management Function to support the prioritization of its detection and response efforts.
' WHERE [Mat_Question_Id] = 1291 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Prioritize and document the list of high-value services that must be provided if a disruption occurs. Consideration of the consequences of the loss of high-value organizational services is typically part of a business impact analysis. In addition, the consequences of risks to high-value services are identified and analyzed in risk assessment activities. The organization must consider this information when prioritizing high-value services. This information should be made available to the Incident Management Function to support the prioritization of its detection and response efforts.
' WHERE [Mat_Question_Id] = 1292 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Identify and inventory high-value assets (technology, information, people, and facilities). An organization must be able to identify its high-value assets, document them, and establish their value in order to develop strategies for protecting and sustaining assets commensurate with their value to services.
Consider the following attributes for each asset:
- protection and sustainment requirements
- owners and custodians
- physical Locations
- organizational communications and data flows
- critical service(s) supported
- configuration standards
- baseline of network operations associated
- baseline of expected data flows
' WHERE [Mat_Question_Id] = 1293 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Organizational mission-critical systems and data should be identified, and an up-to-date inventory should be provided to event detection, and incident handling and response personnel to support their detection and response efforts.
' WHERE [Mat_Question_Id] = 1294 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Security monitoring is an important function that enables an organization to detect suspicious activity across its enterprise. Suspicious activity includes unauthorized, security-relevant changes to organizational systems and networks. This capability ensures that the organization can:
- monitor networks and systems
- analyze or monitor the output of the security monitoring activities to detect possible intrusions
- notify stakeholders of suspicious behavior
- provide guidance and recommendations on tool selection, installation, and configuration; analysis and monitoring techniques and methodologies; and network monitoring strategies
Technologies involved in security monitoring and analysis can include IDSs, IPSs, ADSs, AVSs, netflow analysis tools, NFAT, host-based monitoring, and other similar tools.
Personnel monitor a variety of data (e.g., host logs, firewall logs, netflows) and use intrusion detection and prevention software to monitor network behavior, looking for indications of suspicious activity. Personnel performing proactive detect capabilities may be located in various areas of an organization such as an IT group, telecommunications group, security group, or CSIRT. In some organizations, the IT or network operations staff perform this capability and communicate any suspicious activity, or relevant incident or vulnerability information to an established incident handling and response team.
' WHERE [Mat_Question_Id] = 1295 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Assets (people, information, technology, and facility) that support the organization''s critical services should be monitored to include the observation of events occurring within the systems, or their boundaries, to meet the monitoring objectives established. A comprehensive information system monitoring capability can be achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software, log correlation and alerts). The granularity of monitoring information collected should be based on organizational monitoring objectives and the capability of information systems to support such objectives. Information system monitoring is a foundational part of incident response.
The organization may need to assign priority to monitoring requirements due to resource constraints; as such, the organization''s critical services may be higher priority.
' WHERE [Mat_Question_Id] = 1296 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Proactive detection requires actions by the designated staff to identify suspicious activity. The data are analyzed, and any unusual or suspicious event information is communicated to the appropriate individuals for handling.
Personnel performing proactive detect capabilities communicate any suspicious activity or relevant incident or vulnerability information to an established incident handling and response team. In such cases, it is important to have established procedures for communicating this information. Personnel performing the monitoring must have criteria to help them determine what type of alerts or suspicious activity should be escalated.
' WHERE [Mat_Question_Id] = 1297 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Define the methods of event detection and reporting. Define the criteria and responsibilities for reporting events, and distribute throughout the organization as appropriate.
Examples of methods of detection:
- monitoring of technical infrastructure, including network architecture and network traffic
- reporting of problems or issues to the organization''s helpdesk
- observation of organizational managers and users of IT services
- reporting of environmental and geographical events through media such as television, radio, and the Internet
- reporting from legal or law enforcement staff
- observation of a breakdown in processes or productivity of assets
- external notification from other entities such as CERT
- notification of results of audits or assessments
' WHERE [Mat_Question_Id] = 1298 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Develop and implement an incident management knowledge base that allows for the entry of event reports (and the tracking of declared incidents) through all phases of their life cycle. Guidelines and standards for the consistent documentation of events should be developed and communicated to all those involved in the reporting and logging processes.
' WHERE [Mat_Question_Id] = 1299 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'The organization should identify the most effective methods for event detection and provide a process for reporting events and incidents so that they can be triaged, analyzed, and addressed. This should include the types of events and incidents (potential and declared) to report, and the methods.
- Require personnel to report suspected security incidents to the organization''s incident response capability within a time period specified by the organization.
- Require partners, suppliers, and others to report suspected or verified security incidents within a time period specified in applicable contracts, SLAs, and other relevant documents.
- Report security incident information to the appropriate authorities.
These activities address incident reporting requirements in an organization. Ensure that the types of security incidents reported, the content and timeliness of the reports, and the reporting authorities designated, all reflect applicable laws, directives, regulations, policies, standards, and guidance.
' WHERE [Mat_Question_Id] = 1300 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Assign a category to events from the organization''s standard category definitions during the triage process to assist with prioritization and correlation, and to develop proper responses.
' WHERE [Mat_Question_Id] = 1301 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Perform correlation analysis on event reports to determine if there is affinity between two or more events.
' WHERE [Mat_Question_Id] = 1302 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Identify the tools, techniques, and methods that the organization will use to perform event correlation. Pre-approving tools, techniques, and methods ensures consistency and cost-effectiveness, as well as validity of results. This list should include both procedural and automated methods.
Perform correlation analysis on detected or reported events to determine if there is affinity between two or more events. Ensure that the Incident Management Function has access to the schedule of activities that may trigger false positive alerts, to deconflict detected events as known (benign) activity. Evidence of a single incident may be captured in several logs. Correlating events among multiple indication sources can be invaluable in validating whether a particular incident occurred, as well as rapidly consolidating the pieces of data. Develop specific correlative metadata and ensure that the event logs capture (and parse or align) this data, to be correlated by either technology or by manual process(es) such as IP addresses, ports, protocols, services, timestamps, or other indicators of compromise that could be common between multiple log sources.
' WHERE [Mat_Question_Id] = 1303 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Prioritize events. Events may be prioritized based on event knowledge, system affected, potential impact, the results of categorization and correlation analysis, incident declaration criteria and experience with past-declared incidents. Events and incidents can be categorized in a variety of ways, such as by the attack vector or method used (e.g., probe, scan, unpatched vulnerability, password cracking, social engineering, or phishing attack); by the impact (e.g., denial of service, compromised account, data leakage); by the scope (e.g., number of systems affected); by the success or failure of the attack; or other factors.
' WHERE [Mat_Question_Id] = 1304 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'The organization should have a documented process for logging events as they are identified and for tracking them through the incident life cycle. Logging and tracking ensure that the event is properly progressing through the incident life cycle and that, most importantly, is closed when an appropriate response and post-incident review have been completed. Logging and tracking facilitate event triage and analysis activities; provide the ability to quickly obtain a status of the event and the organization''s disposition; provide the basis for conversion from event to incident declaration; and may be useful in post-incident review processes when trending and root-cause analysis are performed.
' WHERE [Mat_Question_Id] = 1305 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Periodically review the event and incident management tracking system for events that have not been closed or that do not have a disposition. Events that have not been closed or that do not have a disposition should be reprioritized and analyzed for resolution.
Possible dispositions for events include:
- closed
- referred for further analysis
- referred to organizational unit or line of business for disposition
- declared an incident and referred to incident handling and response process
' WHERE [Mat_Question_Id] = 1306 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Ensure that processes are put in place to monitor compliance and identify corrective measures to increase future compliance. These corrective measures may take the form of formal reminders to individuals, establishment of corrective plans to improve performance, or administrative actions taken, as appropriate.
Provide training to the assigned staff on the appropriate roles and responsibilities based on the detailed job descriptions in the incident management plan, including event detection and handling. In addition to job performance, the job descriptions and training should identify areas where noncompliance yields specific consequences for the organization, and what role(s) take accountability for various types of failures at each step of incident response.
' WHERE [Mat_Question_Id] = 1307 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Incident escalation procedures should consider the extent of the incident and the appropriate stakeholders. Incidents that the organization has declared and that require an organizational response must be escalated to those stakeholders who can implement, manage, and bring to closure an appropriate and timely solution. Typically, these stakeholders are internal to the organization but could be external, such as contractors or other suppliers. The organization must establish processes to ensure that incidents are referred to the appropriate stakeholders because failure to do so will impede the organization''s response and may increase the level to which the organization is impacted.
' WHERE [Mat_Question_Id] = 1316 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Identify relevant rules, laws, regulations, and policies for which forensic evidence should be collected to address events and incidents. Evidence should be collected according to procedures that meet all applicable laws and regulations that have been developed from previous discussions with legal staff and appropriate law enforcement agencies so that any evidence can be admissible in court.
' WHERE [Mat_Question_Id] = 1324 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Post-incident reviews are a part of the incident closure process. Establish criteria to determine the extent of the review required for incident closure. Some examples of criteria could include:
- severity of damage
- assets involved
- duration of incident
- processes not followed
- visibility to public or stakeholders
- legal or regulatory requirements
It is important to develop these criteria with the stakeholders to ensure that post-incident reviews occuron all appropriate incidents, and do not consume unnecessary resources on those that do not meet the established thresholds
' WHERE [Mat_Question_Id] = 1327 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'This practice ensures that the results and findings of the post-incident analysis meetings or reviews of “significant” incidents are generated, documented, and reported. The organization defines the meaning of “significant.” The purpose of the reviews is to identify issues encountered and lessons learned, to propose areas for improvement, and to act on the findings and recommendations. Post-incident analysis of the handling of an incident may often reveal a missing step or procedural inaccuracy, providing impetus for change. This report should detail the organization''s recommendations for improvement in administrative, technical, and physical controls, as well as in event and incident management processes.
' WHERE [Mat_Question_Id] = 1331 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Guidance helps ensure regular and consistent testing of the incident detection, handling, and response processes. Periodic testing should be conducted to ensure that these activities are effective and complete, and that personnel understand their roles and responsibilities. A comprehensive, organization-wide schedule for testing should be established based on factors such as risk, potential consequences to the organization, and other organizationally-derived factors.
' WHERE [Mat_Question_Id] = 1333 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Maintain a change history with rationale for performing the changes. Change management is a continuous process and, therefore, requires that the organization effectively assign responsibility and accountability for it. The organization must monitor the change management process to ensure that it is being performed as expected.
' WHERE [Mat_Question_Id] = 1338 AND [Sequence] = 1
+UPDATE [dbo].[MATURITY_REFERENCE_TEXT] SET [Reference_Text]=N'Periodically test the organization''s backup and storage procedures and guidelines to ensure continued validity as operational conditions change. Stored information assets should be tested periodically to ensure that they are complete, accurate, and current, and can be used for restorative purposes when necessary.
' WHERE [Mat_Question_Id] = 1359 AND [Sequence] = 1
+PRINT(N'Operation applied to 24 rows out of 24')
+
+PRINT(N'Update rows in [dbo].[MATURITY_QUESTIONS]')
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'EH:G1.Q1', [Question_Text]=N'Are the Organization’s Critical Services identified?', [Supplemental_Info]=N'Question Intent: To determine if critical services are identified.
- A service is a set of activities that the organization carries out in the performance of a duty or in the production of a product.
- Services can be externally or internally focused. Examples include:
- a customer-facing website, such as an online payment system
- human resources transactions
- Ideally, the organization will focus on activities to protect and sustain the identified services and assets that most directly affect the organization''s ability to achieve its mission.
Criteria for “Yes” Response:
- The organization has identified all critical services.
Criteria for “Incomplete” Response:
- The organization has identified some critical services.
Question Intent: To determine if the organization prioritizes services.
- The organization should conduct analysis of each identified service (e.g., a business impact analysis) to determine the impact on the organization of the loss or disruption of each service.
- The results of this analysis should then be used to prioritize the organizational services. This prioritization will allow the organization to focus protection and sustainment efforts (e.g., event detection and incident response) on those services with the most impact to the organization.
Typical work products:
- results of risk assessment and business impact analyses
- prioritized list of organizational services, activities, and associated assets
Criteria for “Yes” Response:
- The organization has prioritized all critical services (identified in G1:Q1).
Criteria for “Incomplete” Response:
- The organization has prioritized some critical services.
Question Intent: To determine if the assets that support the organization''s critical services are inventoried.
- The organization should inventory the assets (people, information, technology, and facilities) required for the delivery of its critical services.
- Inventories of assets may exist in multiple forms or physical locations.
Criteria for “Yes” Response:
- The organization inventories all assets (technology, information, people and facilities) for all services designated as critical by the organization.
Criteria for “Incomplete” Response:
- The organization inventories some assets for all services designated as critical or the organization inventories all assets for some of the services designated as critical.
Question Intent: To ensure that a more efficient response and remediation can be performed, incident management personnel should have access to the organizational asset inventory.
- The organization should provide all appropriate event and incident handling and response personnel access to the organization''s inventory of assets that support the organization''s services that are designated “critical.” This is necessary to support the event and incident handling and response activities.
- Appropriate personnel are those who are involved in performing event and incident detection, handling and response duties, and others that may have a need to know.
Criteria for “Yes” Response:
- All appropriate incident handling and response personnel have access to the organization''s asset inventory.
Criteria for “Incomplete” Response:
- Some of the appropriate incident handling and response personnel have access to the organization''s asset inventory.
Question Intent: To determine if the organization has implemented security monitoring activities, because these activities are an important aspect of event and incident detection.
Security monitoring is an important function that allows an organization to detect suspicious activity and other events throughout the enterprise. Suspicious activity also includes unauthorized, security-relevant changes to the organization''s systems and networks. Security monitoring activities should be based on a strategy to ensure continuous and complete monitoring of organizational networks and systems.
Typical work products:
- Samples of logs, alerts, and reports generated by security monitoring tools
- Network diagrams showing placement of monitoring tools on constituent networks
- Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Active Directory Services (ADS), or Anti-Virus System (AVS) configuration files that specify the anomalous events that trigger an alarm
- Documentation of actions for responding to alerts and reports generated by security monitoring tools
- Observations of actual monitoring activities including devices, software, and/or outputs
Criteria for “Yes” Response:
- Security monitoring activities have been implemented to detect suspicious activity and other security-related events.
Criteria for “Incomplete” Response:
- Security monitoring is in development and partially implemented.
Question Intent: To determine if assets are being monitored by the organization''s security monitoring activities that can provide early warnings about malicious activity and other types of security events.
Security monitoring is an important proactive capability that allows an organization to detect suspicious activity and other types of events throughout the enterprise. Suspicious activity also includes unauthorized, security-relevant changes to the organization''s systems and networks. Such monitoring can:
- provide early warnings about malicious threats or activity in the organization''s infrastructure
- allow response actions to be initiated in a timely manner
- help contain the damage and impact to the organization
Technologies involved in network monitoring and analysis include:
- IDS, IPS, anomaly detection systems (ADS)
- antivirus detection systems
- netflow analysis tools
- network forensics analysis tools
Incident management personnel might assist organizations with monitoring tool selection, configuration, and installation, and analysis of output for detection of possible intrusions.
Criteria for “Yes” Response:
- Security monitoring activities are performed for all assets that support any service designated as critical.
Criteria for “Incomplete” Response:
- Security monitoring activities are performed for some assets that support any service designated as critical.
An event is one or more occurrences that affect assets, and has the potential to disrupt the critical service.
Question Intent: To ensure that, in all situations, any suspicious activity or other security-related events obtained through the organization''s security monitoring activities are reported to the appropriate incident handling and response personnel.
Network security monitoring is an important proactive capability that allows an organization to detect suspicious activity throughout the enterprise. Suspicious activity also includes unauthorized, security-relevant changes to the organization''s systems and networks. Events collected from security monitoring activities should be reported to the appropriate event and incident handling and response personnel.
If an external party performs detection activities for the organization, any suspicious activity or other security-related events obtained through the external party''s security monitoring activities should be reported to the appropriate incident handling and response personnel.
Criteria for “Yes” Response:
- All security events obtained from the security monitoring activities are reported to the appropriate event and incident handling and response personnel.
Criteria for “Incomplete” Response:
- Some security events are reported to the appropriate event and incident handling and response personnel.
Question Intent: To determine if events are detected and reported.
- An event is one or more occurrences that affect assets, and has the potential to disrupt the critical service.
- Events should be captured and analyzed to determine if the event will become (or has become) an incident that requires action.
Examples of event detection and reporting include:
- monitoring of the technical infrastructure, including information, network traffic, servers, control systems, etc.
- service desk ticketing and reporting
- monitoring of personnel
- reporting from law enforcement or legal staff
- observation of breakdowns in processes or productivity of assets
- external notification from other entities, such as US-CERT
- results of audits or assessments
Criteria for “Yes” Response:
- Events are detected and reported for all assets.
Criteria for “Incomplete” Response:
- Events are detected and reported for some assets.
Question Intent: To determine if event data is logged in an incident knowledgebase or similar mechanism.
- Logging and tracking event data in an incident knowledgebase or similar mechanism:
- facilitates event triage and analysis activities
- provides the ability to obtain a status and disposition of the event
- An incident knowledgebase should contain basic event (and incident) information, such as:
- a unique identifier
- a brief description of the event
- an event category (e.g., denial of service, virus intrusion, physical access violation)
- the assets, services, and organizational units that are affected by the event
- a brief description of how the event was identified and reported, by whom, and other relevant details (e.g., application system, network segment, operating system)
- the individuals or teams to whom the event (or incident) was assigned
- relevant dates
- the actions taken and the resolution of the event
Criteria for “Yes” Response:
- The organization logs all event data relevant to the organization in an incident knowledgebase or similar mechanism.
Criteria for “Incomplete” Response:
- The organization logs relevant data on some events.
Question Intent: To determine if events are categorized.
- Event categories can help the organization understand and communicate the severity and potential impact that the event will have on the organization.
- Events may be categorized by:
- type (e.g., security, safety, unauthorized access, user issue, denial of service, virus intrusion, physical access violation)
- severity (e.g., critical, high, medium, low)
- other categorization labels (e.g., internal, external, physical, technical)
Criteria for “Yes” Response:
- The organization categorizes all events.
Criteria for “Incomplete” Response:
- The organization categorizes some events.
Question Intent: To determine if events are analyzed for any potential relationship to other events because correlation may indicate that larger issues, problems, or incidents exist.
Event correlation can identify where activity is more widespread than originally thought, and identify any relationships among malicious attacks, compromises, and exploited vulnerabilities. Often events are reported individually; correlation enables analysts to recognize that a particular malware may have affected multiple systems on their organizational infrastructure instead of just one.
Manual processes may be used to perform an examination of event logs in a routine manner to look for relationships between events (e.g., events related to the same IP address or time stamp, etc.). The organization may also have automated systems (such as a SIEM) that perform the initial correlation of all events.
Criteria for “Yes” Response:
- The organization analyzes all events to determine if they are related to other events and or incidents.
Criteria for “Incomplete” Response:
- The organization analyzes some events.
Question Intent: To determine if a standard set of tools and/or methods are in use for event correlation during all phases of the incident management life cycle.
Event correlation can identify where activity is more widespread than originally thought, and identify any relationships among malicious attacks, compromises, and exploited vulnerabilities. Often events are reported individually; correlation enables analysts to recognize that a particular malware may have affected multiple systems on their organizational infrastructure instead of just one.
- Pre-approving tools, techniques, and methods ensures consistency, as well as validity, of results.
- The tools and methods can be both procedural (scheduled log review) and automated (SIEM-based).
- The tools and methods should cover all asset types.
Examples of event correlation data sources are:
- a known/expected activity database
- metadata-tagged logs or data sources within an organization, such as IP addresses, ports, protocols, timestamps, etc.
- domain names, IP addresses (source and target), hostnames, ports, protocols, and services
- vulnerability scans
- exercises
- penetration testing
- system configuration changes
Criteria for “Yes” Response:
- The organization has a standard set of tools and/or methods that are used in event correlation.
Criteria for “Incomplete” Response:
- A standard set of tools and/or methods to perform event correlation is in development.
Question Intent: To determine if events are prioritized.
- Prioritization determines the order in which events should be addressed.
- Events may be prioritized based on:
- the results of categorization and correlation analysis (severity, type, etc.)
- experience with past events and incidents
- potential impact to the organization
Criteria for “Yes” Response:
- The organization prioritizes all events.
Criteria for “Incomplete” Response:
- The organization prioritizes some events.
Question Intent: To determine if the status of events is tracked.
- The status of events should be checked regularly to ensure that the events are moving through the organization''s established incident handling life cycle.
- The status of events should be recorded in an incident knowledge base. Possible status types for events include:
- closed
- referred for further analysis
- referred to an organizational unit or line of business for disposition
- declared as an incident
Criteria for “Yes” Response:
- The organization tracks the status of all events.
Criteria for “Incomplete” Response:
- The organization tracks the status of some events.
Question Intent: To determine if events are managed and tracked to resolution.
- Periodically (as defined by the organization) review the incident knowledge base for events that have not been closed or that do not have a disposition.
- Events that have not been closed or that do not have a disposition should be reprioritized, analyzed, and tracked to resolution.
Criteria for “Yes” Response:
- The organization manages and tracks all events to resolution.
Criteria for “Incomplete” Response:
- The organization manages and tracks some events to a resolution.
Question Intent: To ensure that event and incident handling and response personnel are held accountable for performing their event handling and response duties.
Managers are ultimately responsible for ensuring that incident response activities are performed properly. The immediate level of managers responsible for the process should review the event handling and response activities, status, and results, and identify issues. The reviews are intended to provide the immediate level of managers with appropriate information about those activities.
The reviews can be:
- periodic (for example, planned as part of a regular audit of the organization''s event handling capability or of an employee''s performance). The frequency to be defined by the organization.
- event-driven (if needed, between periodic reviews).
Those assigned the responsibility for event detection and reporting should understand their tasks and have committed to performing them. Managers should initiate corrective measures to address all identified issues.
Criteria for “Yes” Response:
- The organization periodically (as defined by the organization) evaluates event handling and response activities and holds staff accountable for performing their duties.
Criteria for “Incomplete” Response:
- The organization has not established a review frequency for evaluating the event handling and response activities and staff performance of their duties.
- Or, only some staff are evaluated and held accountable.
- Or, only some of the event handling and response duties are evaluated.
Question Intent: To determine if incidents are declared based on a documented process.
- Incident declaration defines when the organization has established that an incident has occurred, is occurring, or is imminent.
- Incident declaration may occur based on a specific event or when multiple events are occurring to ensure that the organization makes a distinction between events and incidents (and the respective processes and differences in its handling).
Criteria for “Yes” Response:
- The organization declares all incidents based on a documented process.
Criteria for “Incomplete” Response:
- The organization declares some incidents.
- Or, the organization declares incidents but not in accordance with a documented process.
Question Intent: To determine if criteria for the consistent declaration of incidents are established.
- Declaration criteria guide the organization in determining when to declare an incident (particularly if incident declaration is not immediately apparent).
Examples of incident declaration criteria:
- The event is (or is not) isolated.
- The event surpasses one or more predefined thresholds of impact.
- A past occurrence of the event resulted in an incident declaration.
- The impact of the event is imminent or immediate.
- The organization is experiencing negative effects from the event.
- The life or safety of people is at risk.
- The integrity and operability of a facility is at risk.
- The integrity and operability of a high-value service or system is at risk.
- The event constitutes fraud or theft.
- There were impacts, such as damage to the organization''s reputation.
- There is a potential legal infraction.
- The event is security-related.
- There was a successful violation of policy.
- The source of attack was from a specified list.
Criteria for “Yes” Response:
- The organization has a documented list of criteria for the declaration of incidents.
Criteria for “Incomplete” Response:
- A documented list of criteria is in development and partially documented.
Question Intent: To determine if there is a process that prioritizes incidents and guides the transfer to the appropriate queue, group, or personnel for input and/or resolution.
- Prioritization may be tied to the organization''s:
- risk appetite
- impact to the organization
- other organizationally-defined prioritization criteria
- Incidents that the organization has declared should be assigned to the appropriate queue, group, or personnel who can manage and resolve the incident.
- The queue, group, or personnel can be internal to the organization (such as a standing incident response team or an incident-specific team) or external, in the form of contractors or other suppliers.
Criteria for “Yes” Response:
- The organization has a process to prioritize all incidents and provides guidance on how to transfer incidents to the proper queue, group, or personnel for input and resolution.
Criteria for “Incomplete” Response:
- The organization has a process but does not include one of the following: a process to prioritize all incidents, or guidance on how to transfer them to the proper queue, group, or personnel for input and resolution.
- Or, a process is in development and partially documented.
Question Intent: To determine if incidents are analyzed to determine a response.
- Incident analysis should focus on properly defining the underlying problem, condition, or issue.
- Incident analysis should help the organization prepare the most appropriate and timely response to the incident.
- Incident analysis should determine whether the incident has second-order ramifications (e.g., legal, regulatory, reputation).
Examples of incident analysis activities:
- interviews with those who reported the underlying event(s) and were affected by it
- interviews of specific knowledge experts
- review of relevant logs and audit trails of network and physical activity
- consultation of vulnerability and incident databases (US-CERT Vulnerability Notes Database / MITRE''s Common Vulnerabilities and Exposures List)
- consultation with law enforcement, legal, audit, product vendors, and emergency management
- timeline development
- malware analysis
- system forensics captures / imaging
Typical work products:
- incident analysis report
- reports from analysis tools and techniques
- updated incident knowledgebase
Criteria for “Yes” Response:
- The organization analyzes all incidents to determine a response.
Criteria for “Incomplete” Response:
- The organization analyzes some incidents to determine a response.
Question Intent: To determine if incidents are analyzed for their relationship to other incidents or events because correlation may indicate that larger issues, problems, or incidents exist.
- Incident correlation can identify where activity is more widespread than originally thought, and identify any relationships among malicious attacks, compromises, and exploited vulnerabilities. Often incidents are declared individually; correlation enables analysts to recognize that the underlying cause of the incident may have affected more systems in the infrastructure than identified in the single incident.
- The organization needs to have a task in the process, either automated or manual, to perform correlation analysis of the incident.
- Manual processes may be used to perform an examination of incident records in a routine manner to look for relationships (e.g., events or incidents related to the same IP address or time stamp, etc.). The organization may also have automated systems that perform the correlation of incidents.
Criteria for “Yes” Response:
- The organization analyzes all incidents to determine if they are related to other incidents or events.
Criteria for “Incomplete” Response:
- The organization analyzes some incidents.
Question Intent: To determine if a standard set of tools and/or methods are in use for incident correlation during all phases of the incident management life cycle.
Incident correlation can identify where activity is more widespread than originally thought, and identify any relationships among malicious attacks, compromises, and exploited vulnerabilities, or deconflicting with nonmalicious activity. Often incidents are declared individually; correlation enables analysts to recognize that the underlying cause of the incident may have affected more systems in the infrastructure than identified in the single incident.
- Pre-approving tools, techniques, and methods ensures consistency, as well as validity, of results.
- The tools and methods can be both procedural (such as log review) and automated.
- The tools and methods should cover all asset types.
Examples of incident correlation data sources are:
- metadata-tagged logs or data sources within an organization, such as IP addresses, ports, protocols,
- timestamps, etc.
- domain names, IP addresses (source and target), hostnames, ports, protocols, and services
- vulnerability scans
- exercises
- penetration testing
- system configuration changes
Criteria for “Yes” Response:
- The organization has a standard set of tools and/or methods that are used in incident correlation.
Criteria for “Incomplete” Response:
- A standard set of tools and/or methods to perform incident correlation is in development.
' WHERE [Mat_Question_Id] = 1313
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'IR:G2.Q4', [Question_Text]=N'Is the impact to the organization''s services assessed in the course of incident analysis?', [Supplemental_Info]=N'Question Intent: The intent is to determine if incident analysis includes assessing the impact of the incident on the organization.
- The purpose of impact analysis is to determine the breadth and severity of an incident to facilitate additional steps in the incident response process.
- Without information about how an incident has affected an organization, incident responders cannot accurately plan containment, remediation, or eradication efforts.
- Incident management personnel may use the results of impact analysis to further prioritize incidents and related events during and after the triage process.
Typical work products or examples:
- Records of incident analyses containing impact assessments
- Standardized forms or categories for recording and assessing impact
Criteria for a "Yes" response:
- The impact on the organization is assessed for all incidents.
Criteria for an "Incomplete" response:
- The impact on the organization is assessed for some incidents.
Question Intent: To determine if the organization employs commonly available techniques to preform root cause analysis as a means of ensuring the appropriate response, and potentially preventing future incidents of a similar type and impact.
Root cause analysis may require the results or information from other types of analyses, such as:
- system analysis
- network analysis
- malware analysis
- vulnerability analysis
- retrospective/lateral analysis (what else did the attacker do?)
- trend analysis
- threat vector analysis
Typical work products include:
- a list, catalog, or taxonomy of possible causes or threat vectors
- a timeline of the incident and relevant events leading to it
- a root cause analysis report
Criteria for “Yes” Response:
- The organization analyzes all incidents to determine the root cause.
Criteria for “Incomplete” Response:
- The organization analyzes some incidents to determine the root cause.
Question Intent: To determine if the Incident Management Function leverages the appropriate stakeholders to solicit input and assist with incident resolution.
- Incidents that the organization has declared should be escalated to stakeholders who can help manage and resolve the incident.
- Stakeholders can be internal to the organization (such as a permanent incident response team, an incident-specific team, IT Operations or, in some cases, additional business resources) or external (such as third-party contractors or other suppliers).
Criteria for “Yes” Response:
- The organization escalates all incidents to the proper stakeholders for input and resolution.
Criteria for “Incomplete” Response:
- The organization escalates some incidents to the proper stakeholders for input and resolution.
Question Intent: To identify if guidance exists that describes what (categories of incidents to report, and required information), when (timeframes), and how (contact mechanisms) they will be provided to external and internal stakeholders.
- Accessible and well-documented guidance of this information ensures that the data shared is accurate, timely, and complete.
- Special consideration should be made for insider threat-related incidents, because they often require unique handling in an organization due to the sensitivity and legalities involved.
Criteria for “Yes” Response:
- The organization has documented guidance that describes categories of incidents to report, required information, timeframes, and contact mechanisms for internal and external stakeholders.
Criteria for “Incomplete” Response:
- The guidance is in development or partially documented.
Question intent: To determine if the guidance contains operational and information security requirements. It is essential to protect sensitive information that could further damage the organization if exposed.
For each stakeholder who is notified or leveraged for response to the incident, there may be specific security requirements that must be met to communicate details about the incident. These requirements may include:
- specific encrypted communications (that the recipients have a capability to decrypt)
- omission of certain information that is not appropriate to be shared with certain individuals or organizations
- specific marking/classification schema that may be different than those of the internal organization
Criteria for "Yes" response:
- There is documented guidance that includes operational and information security requirements for each stakeholder.
Criteria for "Incomplete" response:
- The guidance is in development and partially documented.
Question Intent: To determine if responses to declared incidents are developed and implemented according to pre-defined procedures.
- The organization''s response to an incident should be described in pre-defined incident response procedures.
- Pre-defined procedures describe the actions the organization takes to prevent or contain the impact of an incident.
- Incident response may be as simple as notifying users to avoid opening a specific type of email message or as complicated as having to implement service continuity plans.
The specific actions detailed in the pre-defined procedures may include:
- identification of potential impact plan of action (including the allocation of resources)
- containment of damages (i.e., taking hardware or systems offline or locking down a facility)
- collection of evidence (including logs and audit trails)
- interviews of relevant staff
- communication to stakeholders
- development and implementation of corrective actions and controls
- implementation of continuity and restoration plans, or other emergency actions
Criteria for “Yes” Response:
- The organization uses predefined procedures to develop and implement a response to all declared incidents.
Criteria for “Incomplete” Response:
- The organization uses predefined procedures to develop and implement a response to some declared incidents.
- Or; pre-defined procedures for responding to declared incidents are in development and partially documented.
Question Intent: To determine if incident status and response are communicated to affected parties.
- Incident status and response should be communicated in a controlled and regular manner to internal and external stakeholders.
- Incident status and response should be managed throughout the incident lifecycle.
- There is coordination with these groups to share information and response actions on intrusions, attacks, and suspicious activities.
- Depending on the organizational structure or model used for their incident response team, this coordination may be led by a centralized response team or across distributed response teams.
The incident communication process should include:
- the stakeholders with whom communication about incidents are required
- the level of communication appropriate to various stakeholders
- special controls of communication (i.e., encryption or secured communications) that are appropriate for some stakeholders
- the frequency and timing of communication
Examples of stakeholders who may need to be included in incident communication:
- internal staff who have incident handling and management responsibilities
- asset owners and service owners
- information technology staff
- business continuity staff
- affected customers or suppliers
- local, state, and federal emergency management staff
- support functions, such as legal, audit, and human resources
- law enforcement staff (including federal agencies)
- regulatory and governing agencies
- local utilities (power, gas, telecommunications, water, etc.)
- CIO, CISO, and/or head of information security
- local information security officer
- other incident response teams within the organization
- external incident response teams (if appropriate)
- public affairs (for incidents that may generate publicity)
Criteria for “Yes” Response:
- The organization communicates incident status and response to all affected parties.
Criteria for “Incomplete” Response:
- The organization communicates incident status and response to some affected parties.
Question Intent: To ensure that the incident management organization provide alerts, notifications, and warnings to promote awareness of relevant/active incidents for internal and external stakeholders.
For circumstances where stakeholder or user awareness or actions are necessary to help contain or remediate the incident, or prevent more widespread impact, it is essential to communicate these details effectively during the incident response process.
Incident management personnel work to provide such notifications and warnings to promote awareness of threats and malicious activity, and to help support organizational response actions. Depending on the mission of the incident management function, alerts and warnings may be shared with other relevant stakeholders and external parties.
Notifications, reports, and warnings should be distributed in a manner commensurate with the sensitivity of the information related to the activity. Sensitive information should be handled only through appropriate mechanisms.
Criteria for “Yes” Response:
- The organization communicates alerts, notifications, and warnings for all ongoing incidents.
Criteria for “Incomplete” Response:
- The organization communicates alerts, notifications, and warnings for some incidents.
Question Intent: To determine if incidents are tracked and managed to resolution.
- The organization should have a process for the formal closure of incidents that results in formally logging a status of “closed” in the incident knowledge base.
- The status of incidents in the incident knowledge base should be reviewed regularly to determine if open incidents should be closed or need additional action.
Typical work products:
- criteria for incident closure
- incident closure reports
- updated incident knowledgebase
Criteria for “Yes” Response:
- The organization tracks and manages all incidents to resolution.
Criteria for “Incomplete” Response:
- The organization tracks and manages some incidents to resolution.
Question Intent: To determine if requirements for identifying event and incident evidence for forensic purposes have been identified.
- Collecting, retaining, and analyzing event and incident information in a way that is acceptable in a court of Law is essential in order to prosecute criminal activities.
- If proper methods are not used, organizations may not be able to prosecute due to insufficient, corrupted, or inconclusive data.
- An event may become an organizational incident that has the potential to be a violation of local, state, or federal rules, laws, and regulations.
This is often not known early in the investigation of an event, therefore the organization should ensure that it has identified the requirements that dictate what event and incident evidence is handled forensically.
The requirements may come from:
- Securities and Exchange Commission regulatory requirements
- state privacy laws
- Food and Drug Administration regulatory requirements
- chain of custody requirements
- other sector-specific regulatory bodies
Criteria for “Yes” Response:
- The organization has identified and documented relevant requirements for identifying event evidence for forensic purposes.
Criteria for “Incomplete” Response:
- Requirements for identifying event evidence are in development and partially documented.
Question Intent: To determine if the organization has documented criteria defining when forensic analysis is to be performed on events and incidents.
- Fulfillment of the forensic requirements may be resource-intensive, therefore criteria are established to filter which events/incidents will have forensic analysis performed.
- This is often not known early in the investigation of an event, therefore the organization should ensure that it has identified the criteria that describe the event and incident evidence to be handled forensically.
Examples of criteria:
- perceived threat vector or actor
- perceived malicious activity
- perceived insider threat activity
- potential criminal activity
- activities with potential for legal implications
- regulatory requirements
Criteria for “Yes” Response:
- The organization has identified and documented criteria for when forensic analysis should be conducted.
Criteria for “Incomplete” Response:
- Criteria for performing forensic analysis are in development, or partially documented.
Question Intent: To determine if the organization has documented a process to ensure that event and incident evidence is handled as required by law or other obligations.
- Based on applicable requirements, the organization should develop a process that uses standards and guidelines for the collection, documentation, and preservation of event and incident evidence.
- Staff should be trained on the organizational process for proper identification and handling of evidence to ensure that the evidence is not altered and its integrity is maintained.
Criteria for “Yes” Response:
- There is a documented process to ensure that event and incident evidence is handled as required by law or other obligations.
Criteria for “Incomplete” Response:
- A process is in development and partially documented.
Question Intent: To determine if the organization provides the results of forensic analysis to the appropriate stakeholders.
- Based on applicable requirements, the organization should develop a forensic analysis reporting process.
- The process should describe the stakeholders to whom the results of the forensic analysis must be communicated and the means of communication.
- Forensic analysis may be performed for law enforcement purposes, or for detailed incident analysis to determine root cause or other information about what occurred.
- Additional sensitivities may need to be taken into consideration, because the results of forensic analysis during an incident may contain personal or organizationally sensitive data not typically encountered in incident response.
- Staff should be trained on the organizational process for reporting the results of forensic analysis, to ensure that the appropriate stakeholder(s) receive the results.
Criteria for “Yes” Response:
- Forensic analysis results and reports are provided to all the appropriate stakeholders.
Criteria for “Incomplete” Response:
- Forensic analysis results and reports are provided to some of the appropriate stakeholders.
Question Intent: To determine if there are documented criteria that determines which incidents require a post incident review.
- This practice ensures that post-incident analysis meetings or reviews are held after significant incidents. The organization will use the criteria to help define “significant.”
- The intent of these reviews is to identify any issues encountered or lessons learned, to propose areas for improvement, and to act on any findings or recommendations.
Examples of documented criteria:
- departure from standard procedures
- incidents of significant impact
- incidents with unknown root cause
- incidents of potential criminal activity
- incidents of potential insider threat
- incidents required by regulation to be reviewed
Criteria for “Yes” Response:
- The organization uses documented criteria to evaluate all incidents for post-incident review.
Criteria for “Incomplete” Response:
- The criteria for post-incident review is in development and partially documented.
- Or, the criteria exist, but are used for only some incidents.
Question Intent: To determine if the organization performs a post-incident review for incidents that require (meet the organization''s selection criteria) a review for the purpose of ensuring lessons learned are identified.
- Post-incident analysis meetings or reviews should be held after significant incidents. The organization will need to define what “significant” means. The intent of these reviews is to identify any issues encountered or lessons learned, to propose areas for improvement, and to act on any findings or recommendations.
- Lessons-learned meetings or reviews can be extremely helpful in improving security measures and the incident handling process itself. A lessons-learned meeting or review should be held after a major incident with all involved parties.
Questions to be answered in the meeting may include:
- Exactly what happened, and at what times?
- How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
- What information was needed sooner?
- Were any steps or actions taken that might have hindered the recovery?
- What would the staff and management do differently the next time a similar incident occurs?
- How could information sharing with other organizations have been improved?
- What corrective actions can prevent similar incidents in the future?
- What precursors or indicators should be watched for in the future to detect similar incidents?
- What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
Criteria for “Yes” Response:
The organization performs post-incident reviews for all incidents that require (meet the organization''s selection criteria) a review.
Criteria for “Incomplete” Response:
The organization performs post-incident reviews for some incidents that require (meet the organization''s selection criteria) a review.
' WHERE [Mat_Question_Id] = 1328
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'PI:G1.Q3', [Question_Text]=N'Are lessons learned from post incident review and analysis used to improve organizational asset protection and sustainment strategies?', [Supplemental_Info]=N'Question Intent: To determine if lessons learned are used to improve the organization''s asset protection and sustainment strategies.
- Lessons learned from post-incident review should help determine the validity and effectiveness of the organization''s current strategies for protecting and sustaining assets.
- Lessons learned can be extremely helpful in improving an organizations protection and sustainment strategies and the incident handling process itself.
- A lessons-learned meeting or review should be held after a major incident with all stakeholders.
- Lessons-learned data can be incorporated into the organization''s risk management process, ultimately leading to the selection and implementation of additional controls and improvements to the organization''s protection and sustainment strategies.
Criteria for “Yes” Response:
- The organization uses lessons learned from all incidents that required post-incident review, to improve asset protection and sustainment strategies.
Criteria for “Incomplete” Response:
- The organization uses lessons learned from some incidents that required post-incident review, to improve asset protection and sustainment strategies.
- Or, the organization uses some lessons learned to improve asset protection and sustainment strategies.
Question Intent: To determine if the results of post-incident reviews are used to identify improvements to the incident detection, handling, or response process.
- Updating incident response policies and procedures is another important part of the lessons learned process.
- Post-incident review of the way an incident was handled will often reveal a missing step, inaccuracy, or inefficiencies in a procedure, providing impetus for change.
- Because of the changing nature of information technology and changes in personnel, the incident response team should review all related documentation and procedures for handling incidents at designated intervals.
Criteria for “Yes” Response:
- The organization uses lessons learned from all incidents that required post-incident review, to improve the event and incident detection, handling or response process.
Criteria for “Incomplete” Response:
- The organization uses lessons learned from some incidents that required post-incident review, to improve the event and incident detection, handling or response process.
Question Intent: To determine if the organization generates post-incident analysis reports and stores them in a controlled manner.
- It is important to document all lessons learned, the major points of agreement, and action items, and to communicate them to parties who could not attend the meeting.
- Lessons learned should be documented according to the organization''s required format and needs to meet any regulatory reporting requirements.
- The report provides a reference that can be used to assist in handling similar incidents.
- Reports from these meetings or reviews are good material for training new team members by showing them how more experienced team members respond to incidents.
Criteria for “Yes” Response:
- Post-incident analysis reports are documented and archived for all incidents that require a post-incident review.
Criteria for “Incomplete” Response:
- Post-incident analysis reports are documented and archived for some incidents that require a post-incident review.
Question Intent: To determine if standards for testing incident detection, handling, and response process have been developed and implemented.
- Test standards ensure that test processes are consistent, effective, and meet the organization''s requirements.
- Testing should be conducted in a controlled environment.
- Testing is often the only opportunity for an organization to know whether the plans meet their stated objectives.
- The testing program and standards should be enforced to ensure consistency and the ability to interpret results at the organizational level.
Standards for incident detection, handling, and response process can include:
- types of tests or operational exercises (e.g., walkthroughs, tabletops, functional involving penetration testing or red teaming, etc.)
- required test plan components and templates
- example and required incident handling and response scenarios
- standard questions to be used in all test scenarios
- instructions for participating in an exercise
- standards for documenting lessons learned
- testing frequency
- quality assurance standards
- involvement and commitment of stakeholders
- reporting standards
- measurement standards
- test plan maintenance
Typical work products include:- Documented test standards
Criteria for “Yes” Response:
- There are documented standards for testing the incident detection, handling, and response processes.
Criteria for “Incomplete” Response:
- Standards for testing the incident detection, handling, and response processes are in development and partially documented.
Question Intent: To determine if the organization has documented guidance requiring the periodic testing of the incident detection, handling, and response activities.
- Documented guidance can take the form of guidelines, policies, or standards.
Criteria for “Yes” Response:
- There is documented guidance that requires the periodic testing of incident detection, handling, and response activities.
Criteria for “Incomplete” Response:
- Documented guidance that requires periodic testing is in development and partially documented.
Question Intent: To determine if a schedule for testing the incident detection, handling, and response process is established and documented.
- The test schedule should meet the requirements set by the organization.
- Periodic testing and evaluation of the effectiveness of incident detection, handling, and response process, procedures, and practices should be performed with a frequency informed by the organization''s risk process.
Typical work products include:
- documented test schedule
- distribution and coordination list of relevant stakeholders
Criteria for “Yes” Response:
- There is a documented schedule for testing the incident detection, handling and response process, procedures and activities.
Criteria for “Incomplete” Response:
- The schedule for testing the incident detection, handling and response processes is in development and partially documented.
Question Intent: To determine if the organization''s incident detection, handling, and response processes are tested.
- The tests should establish the viability, accuracy, and completeness of the incident detection, handling and response processes, procedures, and activities. For example:
- Perform triage.
- Respond to events and incidents in a timely manner.
- Notify correct people.
- Protect data during transmission.
- Meet SLAs.
- The tests results should provide information about the organization''s level of preparedness.
- The tests should be performed under conditions established by the organization, and the results of the test should be recorded and documented.
Typical work products include:
Criteria for “Yes” Response:
- All Incident detection, handling, and response processes, procedures and activities are tested.
Criteria for “Incomplete” Response:
- Some incident detection, handling, and response processes, procedures, and activities are tested.
Question Intent: To determine if all relevant elements of the organization are involved in testing the incident detection, handling and response process, procedures and activities.
- All relevant stakeholders, both internal and external, should be identified and involved in testing the incident detection, handling, and response processes, procedures and activities.
- The level of involvement and commitment of stakeholders in the testing of the plan should be established.
- Methods of communicating with all relevant stakeholders should be established.
- All relevant stakeholders should understand and accept their roles and responsibilities.
Typical work products include:
- Documented Incident detection, handling, and response processes, procedures, and activities that include relevant stakeholders.
- Documented Incident detection, handling, and response test plans that include relevant stakeholders.
- Documented test report that show all relevant participating stakeholders.
Criteria for “Yes” Response:
- All relevant elements (stakeholders) of the organization are involved in testing the Incident detection, handling, and response processes, procedures and activities.
Criteria for “Incomplete” Response:
- Some relevant elements (stakeholders) of the organization are involved in testing.
Question Intent: To determine if test results are compared to test objectives to identify improvements to incident detection, handling, and response processes.
- The objective of incident detection, handling, and response process testing is to ensure that processes, procedures, and activities, work as intended.
- Testing identifies improvements to the incident detection, handling, and response processes, as well as improvements to the test plans.
- The evaluation of test results involves comparing the documented test results against the established test objectives.
- Areas where objectives could not be met are recorded, and strategies are developed to review and revise the incident detection, handling and response processes, procedures and activities.
- Improvements to the testing process and plans should also be identified, documented, and incorporated into future tests.
Improvement areas may include:
- lack of sufficient resources
- lack of appropriate resources
- training gaps for plan staff and stakeholders
- plan conflicts (if multiple plans are tested simultaneously)
- the test objectives or test procedures
- the incident detection, handling, and response processes
Typical work products include:
- documented test results
- list of improvements to incident detection, handling, and response processes
- list of improvements to incident detection, handling, and response processes test plans
Criteria for “Yes” Response:
- Test results for all incident detection, handling, and response process tests are compared with test objectives to identify needed improvements.
Criteria for “Incomplete” Response:
- Test results for some incident detection, handling, and response process tests are compared with test objectives to identify needed improvements.
Question Intent: To determine if a change management process is used to manage asset modifications.
- Change management is a continuous process of controlling and approving changes to assets that support organizational services.
This process addresses the
- addition of new assets
- changes to the asset, including ownership, custodianship, and location
- elimination of assets
Typical work products
- change requests
- change implementation plan
- backout plan
- change and configuration management board meeting minutes
- change approvals
- change tracking and status
- change documentation, including test results
Criteria for “Yes” Response:
- A change management process is used to control changes to all assets that support the organizational services.
Criteria for “Incomplete” Response:
- A change management process is used to control changes to some assets.
Question Intent: To determine if event and incident handling personnel are notified when there are changes to organizational assets.
- The organization should establish communication channels to ensure that event and incident handling personnel are aware of changes, maintenance, and outages to organizational assets.
Typical work products
- examples of notification methods
- email message
- internal webpage
- text message
- voice message
- schedule of upcoming changes
Criteria for “Yes” Response:
- Event and incident handling personnel are notified of all changes to organizational assets.
Criteria for “Incomplete” Response:
- Event and incident handling personnel are notified of some changes to organizational assets.
Question Intent: To determine if a repository for recording information about vulnerabilities and their resolution (if known) is used.
- A vulnerability repository should be used as the central source of vulnerability lifecycle information.
- A vulnerability repository supports analysis, disposition, trending, root cause analysis, and vulnerability management.
Typical work products:
- The vulnerability repository can take the form of any of the following:
- database
- document
- worksheet
- list
- archive
Information that should be recorded includes:
- a unique identifier
- a description of the vulnerability
- the date(s) of the information entered into the repository
- references to the source(s) of the vulnerability
- the priority of the vulnerability (high, medium, low)
- categorization and disposition of the vulnerability
- individuals or teams assigned to analyze and remediate the vulnerability
- a log of actions taken to reduce or eliminate the vulnerability
- resolution of the vulnerability
Criteria for “Yes” Response
- The organization uses a repository to record all vulnerability and resolution information for all assets.
Criteria for “Incomplete” Response:
- The organization uses a repository to record some vulnerability and resolution information.
- Or; the organization uses a repository to record all vulnerability and resolution information for some assets.
Question Intent: To determine if the incident handling personnel have access to an up-to-date vulnerability management repository.
- A vulnerability repository supports the incident handling and response team''s analysis efforts.
- The information in the repository needs to be up-to-date.
Typical work products:
- access list showing that incident handling personnel have access to the vulnerability management repository
Criteria for “Yes” Response:
- The vulnerability management repository is accessible to all appropriate incident handling personnel.
Criteria for “Incomplete” Response:
- The vulnerability management repository is accessible to some of the appropriate incident handling personnel.
Question Intent: To determine if the event and incident handling personnel have been notified of existing, unmitigated vulnerabilities or of compensating controls that need to be monitored.
- Event and incident handling personnel should be notified and aware of all known, unmitigated vulnerabilities, to enable them to be aware of potential attack vectors.
- Event and incident handling personnel should be notified and aware of compensating controls that may need to be monitored.
Typical work products:
- examples of notification methods of unmitigated vulnerabilities or compensating controls may include the following:
- email message
- internal webpage
- vulnerability analysis report
- text message
- voice message
Criteria for “Yes” Response:
- Event and incident handling personnel are notified of all unmitigated vulnerabilities and of all compensating controls that may need to be monitored.
Criteria for “Incomplete” Response:
- Event and incident handling personnel are notified of some unmitigated vulnerabilities.
- Or, event and incident handling personnel are notified of some compensating controls that may need to be monitored.
Question Intent: To determine if Incident Management Function is aware of and integrated into all of the organization''s service continuity plans.
- The Incident Management Function should be considered during the development, maintenance, and testing of the organization''s service continuity plans.
- The Incident Management Function should be specifically integrated as a stakeholder in the organization''s service continuity plans.
Typical work products:
- service continuity plans
- after action reviews of service continuity execution or testing
Criteria for “Yes” Response:
- The Incident Management Function is integrated into all organizational service continuity plans.
Criteria for “Incomplete” Response:
- The Incident Management Function is integrated into some organizational service continuity plans.
Question Intent: To determine if the service continuity plans are periodically reviewed and updated to ensure that the Incident Management Function is integrated into the plans.
- Service continuity plans should be periodically reviewed and updated at an interval that the organization determines to be appropriate.
- The Incident Management Function should be included in the review and update of any service continuity plan, to ensure that the Incident Management Function''s perspective, input, and agreement are maintained.
Typical work products:
- service continuity plan with a recent (according to any defined period for review) date or change history
- record of any updates to the service continuity plans that were proposed by the Incident Management Function
- service continuity review processes or instructions that include actions that are required by the Incident Management Function
Criteria for “Yes” Response:
- All service continuity plans are periodically reviewed and updated to include the Incident Management Function.
Criteria for “Incomplete” Response:
- Some service continuity plans are periodically reviewed and updated to include the Incident Management Function.
Question Intent: To determine if the organization has implemented a threat monitoring capability.
- Effective threat monitoring requires people, procedures, and technology that need to be deployed and managed to meet monitoring requirements.
- Procedures ensure the timeliness, consistency, and accuracy of threat information and the distribution of this information to relevant stakeholders.
- Roles and responsibilities have been defined and assigned.
Procedures may address:
- source identification
- monitoring frequency
- threat identification
- threat validation and analysis
- threat communication
Typical work products:
- threat monitoring procedures
- threat reports
- list of threat intelligence sources (vendors, industry groups, others)
- third-party notifications (vendors, law enforcement, etc.)
- threat database
Criteria for “Yes” Response:
- The organization has implemented a threat monitoring capability with documented procedures, assigned roles and responsibilities, and appropriate methods and technology.
Criteria for “Incomplete” Response:
- The threat monitoring capability is in development.
Question Intent: To determine if threat information is communicated to all identified internal and external incident management personnel. The intent of communicating threat information is to assist incident handling and response personnel to perform their duties.
- Threat information must be communicated according to established procedures.
- Communication requirements may dictate that various communications methods and channels should be considered and identified.
Typical work products:
- threat communications to the incident handling team
- threat communication standards and guidelines
- standardized report templates
- communication escalation protocols
- list of incident management personnel and contact information
- stakeholder communication requirements
- documented methods and channels
- tools and techniques for communication
Criteria for “Yes” Response:
- Threat information is communicated to all identified incident handling and response personnel.
Criteria for “Incomplete” Response:
- Threat information is communicated to some of the identified incident management personnel.
Question Intent: To determine if the assets that support the Incident Management Function are inventoried.
- The organization should inventory the assets (people, information, technology, and facilities) required for the delivery of the incident management activities to the organization.
- Inventories of assets may exist in multiple forms or physical locations.
Criteria for “Yes” Response:
- The organization inventories all assets that support the Incident Management Function.
Criteria for “Incomplete” Response:
- The organization inventories some assets.
Question Intent: To determine if the Incident Management Function''s asset descriptions include protection and sustainment requirements.
- Protecting and sustaining the assets that support the Incident Management Function ensure that the incident handling and response activities will be delivered to the organization even in times of stress.
- Including protection and sustainment requirements in asset descriptions provides a common source for communicating and updating those requirements.
- The confidentiality, integrity, and availability requirements of the Incident Management Function are used to derive the collective protection and sustainment requirements of associated assets.
- Activities that implement protection and sustainment requirements often appear as processes, procedures, policies, controls, and plans.
- Protection requirements describe how an asset''s exposure to sources of disruption and to the exploitation of vulnerabilities must be minimized. Examples include:
- People - Ensure that all employees are skilled in their role to protect against accidental disruption.
- Information - All information assets will be disposed of according to policy to prevent unintentional disclosure.
- Technology - All network boundaries should be protected; use approved methods and tools to deny unauthorized access.
- Facilities - Physical access to all Incident Management Function-related information and technology assets must be limited to approved personnel to protect against accidental and malicious disruption.
- Sustainment requirements describe how assets must be kept operating when faced with disruptive events. Examples include:
- People - All critical personnel shall have a designated backup who can fulfill their service continuity role.
- Information - No more than 4 hours of the Incident Management Function data can be lost to ensure the continuity of the service.
- Technology - The technology assets required for the delivery of the Incident Management Function must be operational within 48 hours to ensure the continuity of the service.
- Facilities - The backup facility must meet the service continuity requirements of the Incident Management Function.
Criteria for “Yes” Response:
- The protection and sustainment requirements are documented in asset descriptions for all assets supporting the Incident Management Function.
Criteria for “Incomplete” Response:
- The protection and sustainment requirements are documented in asset descriptions for some assets.
Question Intent: To determine if administrative, technical, and physical controls are designed and implemented for the Incident Management Function at a level equal to or greater than the organization''s other critical assets.
Controls that are implemented to protect and sustain the Incident Management Function should, at a minimum, meet requirements established for the organization''s other critical assets. Controls are then designed to meet those requirements and deployed to protect those assets needed to deliver the Incident Management Function activities.
Criteria for “Yes” Response:
- The organization has implemented controls to protect and sustain all the Incident Management Function''s assets at a level equal to or greater than the organization''s other critical assets.
Criteria for “Incomplete” Response:
- Controls have been implemented for some of the Incident Management Function''s assets.
- Or; controls have been implemented but are not at a level equal to or greater than the controls established for the organization''s other critical assets
Question Intent: To determine if a change management process is used to manage modifications to assets that directly support the Incident Management Function.
- Change management is a continuous process of controlling and approving changes to assets.
- A process exists for determining, documenting, submitting, and authorizing changes to the infrastructure that supports incident management. This process can exist as an independent process that supports only the Incident Management Function or can be incorporated as part of the larger organizational change management processes.
This process addresses:
- addition of new assets
- changes to the asset''s configuration, ownership, custodianship, and location
- elimination of assets
Typical work products:
- change requests
- update of configuration baselines
- change implementation plan
- backout plan
- change and configuration management board meeting minutes
- change approvals
- change tracking and status
- change documentation, including test results
Criteria for “Yes” Response:
- A change management process is used to control changes to all assets that support the Incident Management Function.
Criteria for “Incomplete” Response:
- A change management process is used to control changes to some assets.
Question Intent: To ensure physical measures are implemented to protect the Incident Management Function''s technology, facilities, information, and people assets.
- The term “measures” includes the relevant policies, standards, controls, and regulations for securing the facilities and space where incident management systems and personnel reside.
- These measures should comply with relevant standards, guidelines, or organizational policies.
Typical work products include:
- policies, standards, controls, regulations, or similar artifacts that ensure physical protection of incident management function assets
- audit results indicating that the physical protection measures are being properly followed
Criteria for “Yes” Response:
- The organization has the physical protection measures in place for all assets that support the incident management function.
Criteria for “Incomplete” Response:
- The organization has the physical protection measures in place for some assets.
Question Intent: To ensure the organization is performing security monitoring activities for the systems and networks that support the Incident Management Function.
Documented processes should exist that direct the security monitoring of incident management function''s systems and networks.
These processes should include:
- methods for detecting events, incidents, anomalous activity, intrusion attempts, and other potential threats.
- Identification of critical incident management systems, components, and assets
Due to the sensitivity/criticality of the event and incident information, security monitoring should be performed at a level equal to or greater than the organization''s other critical systems and networks.
Criteria for “Yes” Response:
- The organization performs security monitoring on all of the Incident Management Function''s systems and networks.
Criteria for “Incomplete” Response:
- The organization performs security monitoring on some of the Incident Management Function''s systems and networks.
Question Intent: To ensure that event and incident detection and response activities are performed for the assets that support the Incident Management Function.
- Information collected by incident management personnel and stored on incident management systems and applications, such as incident tracking systems, data analytics engines, or stakeholder contact lists, can contain sensitive information.
- If the incident management system is not maintained and is disrupted, it will affect the organization''s ability to respond to incidents.
- It is critical that such information be sustained with the same rigor applied to other key organizational data and assets.
Criteria for “Yes” Response:
- Event detection and incident response activities are performed for all assets that directly support the Incident Management Function.
Criteria for “Incomplete” Response:
- Event detection and incident response activities are performed for some assets that directly support the Incident Management Function.
Question Intent: To determine if guidelines exist for properly handling, transmitting, storing, and disposing of event and incident information assets.
- Properly handling, transmitting, storing, and disposing of event and incident information is necessary to ensure that there are no unauthorized disclosures.
- Guidelines should consider:
- confidentiality requirements
- sensitivity categorization
- applicable rules, laws, and regulations
- data retention requirements
- document markings policy
Criteria for “Yes” Response:
- There are documented guidelines for properly handling, transmitting, storing, and disposing of event and incident information.
Criteria for “Incomplete” Response:
- Guidelines are under development and partially documented.
Question Intent: To determine if event and incident information assets are backed up and retained.
Event and incident information assets should be backed up and retained to meet the protection and sustainment requirements of the Incident Management Function.
The protection and sustainment requirements for the information assets that support the Incident Management Function should be used to establish:
- frequency of backup and storage
- retention period
- acceptable backup and retention media
- authorized storage locations and methods
- encryption and other protection requirements for data at rest or data in transit, as applicable
- accessing information backups
- physical access controls of backups
Criteria for “Yes” Response:
- All event and incident information assets that support the Incident Management Function are backed up and retained.
Criteria for “Incomplete” Response:
- Some event and incident information assets are backed up and retained.
Question Intent: To determine if backup and storage procedures for event and incident information assets are tested.
- Backup and storage of information assets should meet the protection and sustainment requirements of the Incident Management Function.
- Testing of backup and storage procedures is done to ensure that those requirements are being met.
- Periodic testing of the Incident Management Function''s backup and storage procedures ensures continued validity as operational conditions change.
Criteria for “Yes” Response:
- Backup and storage procedures are tested for all event and incident information assets that support the Incident Management Function.
Criteria for “Incomplete” Response:
- Backup and storage procedures are tested for some event and incident information assets.
Question Intent: To determine if integrity requirements of event and incident information assets are used to determine which staff members are authorized to modify those assets.
- Integrity requirements address qualifications to ensure the information is:
- complete and intact
- accurate and valid
- authorized and official
- Integrity requirements are a specific form of protection requirement.
- Controlling which staff members are authorized to modify information assets helps ensure the continued integrity of those assets. Role-based access is a method of defining and implementing this form of integrity re-equipment.
- A fundamental way of controlling modifications to information assets is to limit access to those assets, both:
- electronically (by controlling access to networks, servers, application systems, and databases and files); and
- physically (by limiting access to file rooms, work areas, computer rooms, and facilities)
Criteria for “Yes” Response:
- The integrity requirements for all event and incident information assets are used to determine which staff members are authorized to modify those assets.
Criteria for “Incomplete” Response:
- The integrity requirements for some event and incident information assets are used to determine which staff members are authorized to modify those assets.
Question Intent: To determine if the organization has a documented plan for detecting and triaging events, and handling and responding to incidents.
- The organization''s plan for managing incidents should address the identification, analysis, and response to an incident.
- An event is one or more occurrences that affect organizational assets, and has the potential to disrupt operations.
- An incident significantly impacts the organization, and requires response actions to prevent or limit impact on the organization.
- An incident may result from an event or a series of events that requires a response that is beyond standard operating procedures for managing events.
The organization must plan for how it will:
- identify events and incidents
- analyze these events and incidents, and determine an appropriate response
- develop declaration criteria
- respond to incidents
- communicate incident information to stakeholders (including external dependencies)
- staff the plan to meet plan objectives
- structure the incident management staff (including roles and responsibilities)
- train staff to identify, analyze, and respond to incidents
Criteria for “Yes” Response:
- There is a documented plan for detecting and triaging events and, handling and responding to incidents.
Criteria for “Incomplete” Response:
- A plan is in development and partially documented.
Question Intent: To determine if the incident management plan is periodically reviewed and updated at an interval to be defined by the organization.
- The knowledge gained through managing incidents can be used by the organization to improve the plan.
- The plan review should include all relevant stakeholders to ensure proper coordination of requirements.
- The date of the most recent review (even if no changes are necessary) should be annotated in the plan.
- Details on how the plan is to be reviewed (periodicity, stakeholders, approving authority, etc.) should be documented in the plan or other governance documentation for the organization.
Criteria for “Yes” Response:
- The organization periodically reviews and updates the incident management plan.
Criteria for “Incomplete” Response:- The organization has reviewed and updated the plan, but has not established a frequency for the review.
Question Intent: To determine if staff have been assigned to the roles and responsibilities detailed in the incident management plan.
- The organization should establish a list of skilled staff and alternates to fill each role and responsibility defined in the incident management plan.
- The organization should assign staff to each role and responsibility defined in the plan.
- The organization should be careful when assigning multiple roles to a single staff member, because it can cause severe capacity issues and put delivery of the incident handling and response activities at risk.
Example Work Products:
- Incident Management Function roster
- Contact list for roles outside the Incident Management Function
- Position Descriptions for each role
Criteria for “Yes” Response:
- Staff have been assigned to all defined roles and responsibilities in the incident management plan.
Criteria for “Incomplete” Response:- Staff have been assigned to some defined roles and responsibilities.
Question Intent: To determine if employees are held accountable for executing the roles and responsibilities defined in the incident management plan.
- The organization should define the roles and responsibilities required to achieve the plan''s objectives.
- Job descriptions are a means to ensure that incident management staff understand their roles and are aware of their responsibilities.
- Employee reviews should include assessment of their performance of incident management roles and responsibilities.
- Specific remediation actions should be taken when employees do not perform their roles and responsibilities properly.
Criteria for “Yes” Response:
- All employees are held accountable for executing their roles and responsibilities.
Criteria for “Incomplete” Response:
- Some employees are held accountable for executing their roles and responsibilities.
- Or, employees are sometimes held accountable for executing their roles and responsibilities.
Question Intent: To determine if senior leadership understands their roles and responsibilities outlined in the incident management plan.
- The organization should define the roles and responsibilities of senior leadership in the incident management plan.
- Senior leadership should formally approve and endorse the incident management plan.
- Senior leadership should also be trained in their roles and responsibilities.
Criteria for “Yes” Response:
- All senior leadership have been made aware and understand their roles in the incident management plan.
Criteria for “Incomplete” Response:
- Some senior leadership have been made aware and understand their roles in the incident management plan.
Question Intent: To determine that all relevant parts of the organization are involved in creating, reviewing, and revising the incident management plan to ensure that the plan addresses all parts of the organization.
- Incident management plan content covers all organizational components and sub-components required for effective incident response (industrial control system managers, elections system owners, other components or sub-components of the organization needed for the response, etc.).
- Organizational stakeholders support and endorse the plan.
- All stakeholders should take part in:
- creating and endorsing the plan,
- periodically reviewing the plan, and,
- revising the incident management plan.
- As organizational changes occur, the plan is adjusted, and stakeholders are added or removed from the plan.
- The plan identifies the elements of the organization and appropriate stakeholders for coordination.
Criteria for “Yes” Response:
- All relevant elements of the organization are involved in the creation of and in revisions to the incident management plan.
Criteria for “Incomplete” Response:
- Some relevant elements of the organization are involved in the creation of and in revisions to the incident management plan.
Question Intent: To ensure that the continuity of incident handling and response activities and the tracking and sharing of data occur consistently and as intended by following a documented workflow.
Incident handling continuity problems arise because teams must deal with many problems, large amounts of data, multiple sources of data, and changing events during long periods of time. This practice focuses on the processes and mechanisms that should be in place to ensure that incident management personnel address incidents in a consistent and uniform manner.
A documented workflow ensures that incident management personnel have a well-maintained, complete picture of incident response activity across multiple teams, shifts, and days of effort. In addition, a documented workflow should address:
- documentation of information related to an incident throughout the incident''s lifecycle (this includes analysis, response, and follow-up activities)
- the availability of information to the team
- the transition of incidents from one staff member to another
- the display of the status of each incident
- the providing of storage and correlation of incident and vulnerability data and related artifacts
- access by all relevant members of the team to information about any incident or vulnerability being handled
Criteria for “Yes” Response:
- The organization has a documented workflow for all of its incident management operations.
Criteria for “Incomplete” Response:
- A workflow is in development and partially documented.
Question Intent: To determine that a communication plan has been established and documented for use during incident management activities to assist with quick and effective response.
The communication plan for incident management activities may be incorporated into the organization''s larger communication plan, and should be readily available to the incident handling and response personnel and appropriate stakeholders.
The incident management communication plan should include:
- the individuals, groups, and designated POCs to be contacted (both internal and external)
- criteria for contacting and communicating with stakeholders
- the process and mechanism for contacting each POC, including required secure mechanisms
- the timeframe(s) for contacting (possibly guided by contracts, SLAs, or other regulatory guidance)
- information that specifically should NOT be communicated externally
- the approving authorities for external communication messages, where applicable
- guidance that describes the handling of media questions and calls related to incidents and vulnerabilities
Criteria for “Yes” Response:
- The organization has a documented communication plan for incident management activities.
Criteria for “Incomplete” Response:
- The communication plan is in development and partially documented.
Question Intent: To determine that the communication plan for incident management activities has been disseminated to internal and external stakeholders for situational awareness.
Typical work products:
- a list of stakeholders for dissemination
- record of recent distribution
- a record of receipt by stakeholders
Criteria for “Yes” Response:
- The organization has disseminated its incident management communications plan to all internal and external stakeholders.
Criteria for “Incomplete” Response:
- The organization has disseminated its incident management communications plan to some internal and external stakeholders.
Question Intent: To determine if the individual roles and responsibilities for all parties are defined and documented for each information exchange interface.
- The intent of this capability is to ensure that activities of the incident handling and response personnel and all internal and external stakeholders are described and understood by all participants, and that the roles and responsibilities are defined to accomplish those activities.
- The interface documentation should include the process and POCs for resolving conflicts or issues.
Criteria for “Yes” Response:
- The organization has documented the roles and responsibilities for all internal and external stakeholders for each information exchange interface.
Criteria for “Incomplete” Response:
- The organization has documented some of the roles and responsibilities for the internal and external stakeholders for each information exchange interface.
- Or, the organization has documented the roles and responsibilities for some information exchanges interfaces.
Question Intent: To determine if external dependencies that are critical to the Incident Management Function are identified and documented.
An external dependency exists when an external entity (contractor, customer, service provider, etc.) has:
- access to
- control of
- ownership in
- possession of
- responsibility for
- or, other defined obligations related to the organization''s incident management capability and its associated assets.
Examples of services provided to the Incident Management Function from external entities can include:
- outsourced activities that support the operation or maintenance of the Incident Management Function''s assets
- security operations, IT service delivery and operations management, or services that directly affect incident handling and response activities
- backup and recovery of data, provision of backup facilities for operations and processing, and provision of support technology, or similar services
- infrastructure, such as power and dark fiber
- telecommunications (telephony and data)
- public services, such as fire and police support, emergency medical services, and emergency management services
- technology and information assets, such as application software and databases
Criteria for “Yes” Response:
- The organization has documented all external dependencies that are critical to the operation of the Incident Management Function.
Criteria for “Incomplete” Response:
- The organization has documented some of the external dependencies.
Question Intent: To determine if the formal agreements are in place for coordinating service between the Incident Management Function and its external dependencies.
Types of agreements may include:
- contracts
- service level agreements
- memoranda of agreement
- purchase orders
- licensing agreements
The agreement should:
- be enforceable by the organization
- coordinate service delivery
- include detailed and complete requirements that the external entity must meet
- include required performance standards and/or work products
- be updated to reflect changes in requirements over the life of the relationship
Example requirements can include:
- performance standards
- communication standards for status information and reporting information
- security, confidentiality, and privacy requirements
- disclosure obligations for security breaches
- business resumption and contingency plans
- staff performance or prescreening
- controls
- regulatory, legal, and compliance obligations
Typical work products include:
- agreements with external entities
- service level agreements
- requirements traceability matrix
- requirements specification
Criteria for “Yes” Response:
- Formal agreements are in place for all external dependencies to coordinate services with the Incident Management Function.
Criteria for “Incomplete” Response:
- Formal agreements are in place with some external dependencies.
Question Intent: To determine if the requirement to meet the organization''s security standards is included in formal agreements with the external entities that support the Incident Management Function.
Formal agreements will form the basis for monitoring the performance of the external entity. Including the organization''s security standards in the formal agreements ensures that the external dependencies understand that they are expected to meet those standards.
Criteria for “Yes” Response:
- The organization requires that all formal agreements between the Incident Management Function and its external dependencies mandate that those dependencies must meet the organization''s security standards.
Criteria for “Incomplete” Response:
- Some formal agreements between the Incident Management Function and its external dependencies mandate that those dependencies must meet the organization''s security standards.
Question Intent: To determine if responsibility for monitoring the performance of external entities that support the Incident Management Function is assigned to ensure that monitoring is performed on a timely and consistent basis.
Some key characteristics are:
- The organization should assign responsibility for monitoring each external entity.
- Responsibility is typically assigned to the owner of the relationship with the external entity.
- The responsible staff should establish procedures that determine the frequency, protocol, and responsibility for monitoring a particular external entity.
- These procedures should be consistent with the terms of the agreement in place with the external entity.
Criteria for “Yes” Response:
- The responsibility for monitoring the performance of each external entity that supports the Incident Management Function has been assigned.
Criteria for “Incomplete” Response:
- The responsibility for monitoring the performance of some external entities has been assigned.
Question Intent: To determine if the Knowledge, Skill, and Ability requirements necessary to fulfill specific roles that support the Incident Management Function have been identified.
Baseline competencies represent the staffing and skill set needs, not necessarily the organization''s current staff and skills.
Sources of baseline competencies may include:
- role and associated tasks (security administrator, network administrator, CIO, etc.)
- position (CIO, senior security analyst, network engineer, etc.)
- organizational processes such as vulnerability management, incident management, service continuity management, etc.
- skills (Java programming, Oracle DBA, etc.)
- certifications (CISSP, MCSE, etc.)
- aptitudes and job requirements (able to work long hours, travel, or be on call)
“Knowledge” is a body of information applied directly to the performance of a function, such as incident handling and response.
“Skill” is an observable competence to perform a function using various tools, frameworks, and processes. For each role, identify the technologies or systems that the organization uses to perform the tasks assigned to that role.
“Ability” is the proficiency to perform an observable behavior or a behavior that results in an observable product. For example, some roles may require abilities to effectively communicate or analyze a problem; other roles, to develop technical documentation; and managers, to organize work or tasks and lead others effectively.
Criteria for “Yes” Response:
- The organization documents Knowledge, Skill, and Ability requirements for all of the Incident Management Function roles that personnel and appropriate external dependencies will be assigned.
Criteria for “Incomplete” Response:
- The organization documents Knowledge, Skill, and Ability requirements for some roles,
- Or, the Knowledge, Skill, and Ability requirements are in development and partially documented.
Question Intent: To determine if cybersecurity training activities for the Incident Management Function are conducted to address the training needs of the incident handling and response personnel and thereby meet the identified Knowledge, Skill, and Ability requirements.
- The organization must perform training to ensure that staff is appropriately skilled in their roles.
- Training should be planned and scheduled.
- Training should be conducted by experienced instructors and in settings that closely resemble the actual performance conditions.
- Training provided should address identified KSA gaps and associated training needs of the incident handling and response personnel (established in Prepare Response, Goal 5 Question 2) including:
- training in the use of specialized tools
- training in procedures that are new to the individuals who will perform them
Typical work products include:
- delivered training courses
- training schedule
Criteria for “Yes” Response:
- The organization has conducted training activities for all incident handling and response personnel to meet the identified KSA requirements.
Criteria for “Incomplete” Response:
- The organization has conducted training activities for some of the incident handling and response personnel to meet the identified KSA requirements.
Establish a process to declare incidents. Events that exit the triage process warranting more attention may be referred to additional analysis processes for resolution, or declared as an incident and subsequently referred to incident response processes for resolution. These events may be declared as incidents during triage, through further event analysis, through the application of incident declaration criteria, or during the development of response strategies.
Follow an established process to declare incidents. Incident declaration defines the point at which the organization has established that an incident has occurred, is occurring, or is imminent, and will need to be handled and responded to. The time from event detection to incident declaration may be immediate, requiring little additional review and analysis. In other cases, incident declaration requires more thoughtful analysis.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1309, 1, N'Establish incident declaration criteria for use in guiding when to declare an incident. To guide the organization in determining when to declare an incident (particularly if incident declaration is not immediately apparent), the organization must define incident declaration criteria.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1310, 1, N'Develop an incident escalation process. The incident escalation process should consider the type and extent of incident and the appropriate stakeholders. Incidents that the organization has declared and that require an organizational response must be escalated to those stakeholders who can implement, manage, and bring to closure an appropriate and timely solution. The organization must establish processes to ensure that incidents are referred to the appropriate stakeholders, because failure to do so will impede the organization''s response and may increase the impact on the organization. Incidents should not be handled on a first-in, first-out basis. Instead, organizations should establish written guidelines that outline how quickly the team must respond to the incident and what actions should be performed, based on relevant factors such as the impact of the incident, and the likely recoverability from the incident.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1311, 1, N'Incident analysis is primarily focused on helping the organization determine an appropriate response to a declared incident by examining its underlying causes and actions as well as the effects of the underlying event(s). Incident analysis should be focused on properly defining the underlying problem, condition, or issue and in helping the organization prepare the most appropriate and timely response to the incident.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1312, 1, N'Correlating activity across incidents can determine any interrelations, patterns, common intruder signatures, common targets, or exploitation of common vulnerabilities.
Incident correlation:
- broadens the view of the nature, scope, and impact of malicious activity.
- identifies relationships and interdependencies that can help develop and implement comprehensive solutions.
Types of information that can be correlated include:
- IP addresses, hostnames, ports, protocols, and services
- targeted applications, OSs, organizational sectors, site names, and business functions
- common attacks and exploits
Incident correlation can identify where activity is more widespread than originally thought and identify any relationships among malicious attacks, compromises, and exploited vulnerabilities. Open event reports may correlate to the incident under analysis and provide additional information that is useful in developing an appropriate response. Reviewing documentation on previously declared incidents may inform the development of a response action plan, particularly if significant organizational (and external) coordination is required.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1313, 1, N'Identify relevant analysis tools, techniques, and activities that the organization uses to analyze incidents and develop appropriate responses. Provide appropriate levels of training for incident management staff on analysis tools and techniques.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1314, 1, N'Impact analysis can help determine the breadth and severity of an incident. Incident management personnel may use the results of impact analysis to further prioritize cases during and after the triage process. Without information about how an incident affects an organization, incident responders cannot adequately plan containment, remediation, or eradication efforts.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1315, 1, N'Identify root-cause analysis tools and techniques and ensure that all staff who participate in analysis are trained in their use. These tools and techniques may include cause-and-effect diagrams, interrelationship diagrams, causal factor tree analysis, and others.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1317, 1, N'Organizations should have clear guidance on how to report incidents so the correct information gets to the right people at the right time. Incident information reported should include the timeframes, details, and any other relevant information. Relevant stakeholder can include asset owners, information technology staff, physical security staff, auditors, and legal staff, as well as external stakeholders such as vendors and suppliers, law enforcement staff, and others.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1318, 1, N'The incident reporting guidance should address the stakeholders with whom communications about incidents are required, and include specific details such as the methods, and under what operational circumstances the stakeholders must be notified.
Document the information security requirements, because not all stakeholders may have access to the same communication methods, and not all may be authorized to receive the full details of the incident. Document the process, procedures and any other guidance to identify what information is provided to individual or organizational stakeholders.
Ensure that the organizational incident reporting guidance addresses the various message types and level of communications appropriate to various stakeholders. For example, incident communications may be vastly different for incident response leadership than for those who may simply need to have situational awareness. The plan should detail any special controls over communication (e.g., encryption or secured communications) that are appropriate for some stakeholders, possibly depending on the type of incident.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1319, 1, N'Develop predefined procedures to provide a consistent response and to limit the effect of the incident on the organization. The response to an incident describes the actions the organization takes to prevent or contain the impact of an incident on the organization while it is occurring or shortly after it has occurred. The range, scope, and breadth of the organizational response may vary widely depending on the nature of the incident. The incident response procedures should address at a minimum:
- the essential activities (administrative, technical, and physical) that are required to contain or limit damage and provide service continuity
- existing continuity of operations and restoration plans
- coordination activities with other internal staff and external agencies that must be performed to implement the procedures
- the levels of authority and access needed by responders to carry out the procedures
- the essential activities necessary to restore services to normal operation (recovery), and the resources involved in these activities
- legal and regulatory obligations that must be met by the procedure
- standardized responses for certain types of incidents
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1320, 1, N'Develop and implement an organizational incident management communications plan. The organization must proactively manage communications when incidents are detected and throughout their life cycle. This requires the organization to develop and implement a communications plan that can be readily implemented to manage communications to internal and external stakeholders on a regular basis and as needed. Additionally, ensure that steps within the incident management process and workflow are documented to prompt updates to status and response activities to appropriate stakeholders.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1321, 1, N'Part of an effective incident management process is the ability to quickly disseminate the correct information to the right people at the right time. The internal and external stakeholders need to understand what threats or vulnerabilities might impact them, the associated level of risk, and how to protect against or mitigate them. Incident management personnel provide such notifications and warnings to promote awareness of threats and malicious activity and to help support organizational response actions. Depending on the mission of the incident management function, alerts and warnings may be shared with other external parties. Notifications, reports, and warnings should be distributed in a manner commensurate with the classification of the information related to the activity. Sensitive and classified activity should be handled only through appropriate, secure mechanisms and within the appropriate facilities.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1322, 1, N'Incidents may be open for an extended period of time, may not have followed the organization''s incident management process or may not have been formally closed. The organization must have a process for tracking and managing incidents to closure which results in formally logging a status of “closed” in the incident knowledge base. A “closed” status indicates to all relevant stakeholders that no further actions are required or outstanding for the incident. It also provides notification to those affected by the incident that it has been addressed and that they should not be subject to continuing effects. The status of incidents in the incident database should be reviewed regularly to determine if open incidents should be closed or need additional action.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1323, 1, N'Identify relevant rules, laws, regulations, and policies for which event and incident evidence may be required. This practice must be considered in the context of the organization''s compliance program because there may be compliance issues related to the collection and preservation of event and incident data.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1325, 1, NULL)
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1326, 1, N'Forensic analysis results can be used to determine the extent to which a system or network has been compromised or otherwise affected and to provide a better understanding of what malicious activity occurred and what other systems or services may have been affected. Such analysis can also facilitate the development and implementation of comprehensive solutions, ensuring the use of more effective protective strategies. The results of forensics analysis can also be used to prosecute malicious intruders.
Policies, procedures, and training are needed to ensure personnel performing this analysis do not damage or invalidate forensic evidence. These efforts include outlining how and when law enforcement is involved in the analysis. In addition, personnel performing this function for forensic purposes may need to be prepared to act as expert witnesses in court proceedings if the evidence analyzed is used in a court of law to prosecute the intruder.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1328, 1, N'Ensure that the processes or mechanisms used to track the resolution of incidents also indicate which incidents require review in accordance with established guidance. This allows the organization''s auditing function or incident management leadership to easily identify incidents that require post-incident reviews, and ensure that they are performed. The post-incident review should determine if the incident response plan or process was followed. The review should also identify any needed improvements to the incident response plan or process. Ensure that the organization''s auditing function checks for completion of these reviews as part of regular Incident Management reviews.
Multiple incidents may be covered in a single meeting to optimize the resources necessary to perform this function. Some organizations may find it useful to have a pre-scheduled periodic review on the stakeholders'' calendars to ensure availability, which they can simply cancel if no incidents have occurred that meet the review criteria.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1329, 1, N'Review the incident knowledge-base information and update the following areas accordingly:
- protection strategies and controls for assets involved in the incident
- continuity plans and strategies for sustaining assets involved in the incident
- information security and other organizational policies that need to reflect new standards, procedures, and guidelines based on what is learned in the incident handling
- training for staff on incident response, information security, business continuity, and IT operations
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1330, 1, N'Updating event and incident response policies and procedures is an important part of the lessons learned process. Any issues encountered or lessons learned should be reviewed to identify or propose areas for improvement and to act on these findings or recommendations. Post-mortem analysis of the handling of an incident often reveals a missing step or an inaccuracy in a procedure, providing impetus for change.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1332, 1, N'Develop a testing program and test standards to apply universally in testing all aspects of incident handling and response plans. These exercises:
- should look at the adequacy of processes and procedures through incident scenario exercises (for example, perform triage, respond to events and incidents in a timely manner, notify correct people, protect data during response activities, or meet SLAs)
- may involve simulated incidents
- can be performed throughout the whole organization or for specific organizational business units
- may be internal to the organization or part of a broader, multi-organization exercise
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1334, 1, N'Establish a schedule for ongoing testing and review of plans and processes. The proposed schedule for testing should be coordinated among stakeholders for situational awareness and for gathering their input on objectives and secure participation. Ensure that the testing schedule does not conflict with major system or organizational changes that a simultaneous test or exercise could impact negatively, or vice versa. Similarly, ensure that testing aligns with major system or organizational changes as appropriate, to confirm that incident detection, handling, and response activities are not impacted negatively by the change(s). Because testing can require significant planning to be conducted effectively, periodically review the schedule to ensure that resources are not expended on planning activities that risk being canceled due to external activities or dependencies.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1335, 1, N'Conduct tests of the incident detection, handling, and response processes on a regular basis. The test should establish the viability, accuracy, and completeness of the incident detection, incident handling, and incident response processes and activities. Test results should be recorded and documented for resolution of gaps and overall improvement.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1336, 1, N'The incident response test plan should identify all internal and external stakeholders involved in the testing exercise, and their roles and expected participation. The organization should ensure that all relevant stakeholders are involved in the planned testing.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1337, 1, N'Compare actual test results with expected test results and test objectives. Areas where objectives could not be met should be recorded, and strategies developed to review and revise incident detection, handling, and response processes. Improvements to the testing process and test plans should be identified, documented, and incorporated into future tests.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1339, 1, N'The intent of this capability is to ensure that incident management personnel are updated on all constituents'' infrastructure changes, such as configuration changes, scheduled power outages, and maintenance on critical network assets. An agreement should stipulate exactly the changes that require notification. Without this information, incident management personnel may not be able to adequately assess the validity of a given event or incident report. Such notifications help incident management personnel determine when reported behavior may have been caused by normal maintenance or configuration updates, rather than by malicious intruder activity that disables part of the constituent network. These notifications also facilitate an accurate inventory of system and network components.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1340, 1, N'A vulnerability repository is the central source of vulnerability information. As vulnerabilities are discovered, they are submitted to the organization''s vulnerability repository. Basic information that should be collected about vulnerabilities includes, but is not limited to:
- a unique organizational identifier for internal reference
- a description of the vulnerability
- the date entered to the repository
- references to the source of the vulnerability
- the importance of the vulnerability to the organization (critical, moderate, etc.)
- individuals or teams assigned to analyze and remediate the vulnerability
- a log of remediation actions taken to reduce or eliminate the vulnerability
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1341, 1, N'The vulnerability management repository or information should be available to the Incident Management Function, as needed, to assist incident management personnel in responding to an incident.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1342, 1, N'Provide notification of unmitigated vulnerabilities to the event and incident handling personnel. Accurate, complete, and timely information about vulnerabilities can assist in the examination of incidents and events, and form the basis of root-cause analysis and trending for overall improvement to the incident handling and responses process.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1343, 1, N'The incident management function should be appropriately integrated with other related organizational plans, services, and functions, including the organization''s service continuity plans. Computer security incidents undermine the business resilience of an organization. Business continuity planning professionals should be made aware of incidents and their impacts so they can fine-tune business impact assessments, risk assessments, and continuity of operations plans. Further, because business continuity planners have extensive expertise in minimizing operational disruption during severe circumstances, they may be valuable in planning responses to certain situations, such as denial of service (DoS) conditions.
Service continuity plans must be consistent with the standards and guidelines established by the organization to ensure plan consistency, accuracy, and ability to implement. The incident management function should be appropriately integrated with the organization''s service continuity plans.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1344, 1, N'To ensure plan consistency, accuracy, completeness, and effectiveness, service continuity plans are examined against the organization''s standards and guidelines for plan development. This ensures consistent levels of documentation, the inclusion of required elements (such as the integration of the Incident Management Function), and the ability of the plans to meet stated objectives.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1345, 1, N'Monitoring is an activity that the organization uses to `take the pulse'' of its day-to-day operations. The proactive discovery and analysis of data related to operational activities ensure that stakeholders have the information needed to make decisions before, during, or after a disruption occurs. Monitoring provides information that the organization needs to determine whether it is being subjected to threats that require action to prevent organizational impact. The organization should implement standards that ensure enterprise-wide quality assurance for the threat-monitoring process.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1346, 1, N'Communicate threat information to stakeholders, including the Incident Management Function.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1347, 1, N'Identify and inventory the assets that support the incident management function. An organization must be able to identify the people, information, technology, and facility assets that support the incident management function; document them; and establish their value in order to develop strategies for protecting and sustaining assets commensurate with their value to the function.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1348, 1, N'All information relevant to the asset should be contained with the asset entry in the asset database. Strategies to protect and sustain an asset may be documented as part of the asset description.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1349, 1, N'Control objectives are guided by strategies for protecting and sustaining service-related assets to ensure that their exposure to vulnerabilities and threats is managed. Assuring mission success is the focus for defining service level controls that meet their corresponding control objectives. Based on the control objectives and the larger protection and sustainment strategies, specific controls are selected, analyzed, and managed to ensure that control objectives are satisfied.
The incident management function supports all organizational services and collects information that is sensitive to the organization while performing its duties. The incident response team should safeguard incident data and restrict access to it. At a minimum, the controls that protect and sustain the Incident Management Function should be commensurate with those that protect the organization''s most critical services.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1350, 1, N'Change management is a continuous process and, therefore, requires the organization to assign responsibility and accountability. The organization must independently monitor the change management process to ensure that it is operational, and that asset-level resilience requirements have been updated on a regular basis so that they remain in direct alignment with organizational drivers.
Create baseline configuration items. Establish a technology asset baseline (often called a configuration item) to provide a foundation for managing the integrity of the asset as it changes during its life.
Develop a strategy to meet the demand for capacity based on the resilience requirements for the technology asset and the services it supports. In this instance, the strategy may need to consider the organization''s strategic objectives and how their accomplishment affects the capacity of current technology assets and future capacity needs.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1351, 1, N'To ensure that the organization has the appropriate tools for incident management, a process for identifying needed tools and determining their requirements for implementation should be in place. This process could follow the normal system/software acquisition life cycle or another organization specific process. The life cycle for acquiring and developing tools to support an incident management function comprises the following core actions:
- Establish requirements for tools.
- Acquire or develop tools that meet these requirements.
- Test tools within the incident management environment.
- Deploy tools for operational use.
- Operate and sustain tools over time
Developing or acquiring resilient technical solutions, such as software and systems, requires a dedicated process that encompasses the asset''s life cycle.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1352, 1, N'Document the service continuity plans using available templates, as appropriate. The continuity of the incident management function must be specifically addressed. A service continuity plan typically includes the following information:
- Identification of authority for initiating and executing the plan (plan ownership)
- Identification of the communication mechanism to initiate execution of the plan
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1353, 1, N'Implement physical access control for the Incident Management Function. Similar to other components of the organization, the Incident Management Function''s assets (including infrastructure, data, and personnel) should be subject to physical access control, including the following provisions:
- Enforcement of physical access authorizations at entry and exit points, including the following:
- Verification of appropriate authorizations as a requirement to grant access to the facility.
- Control of all ingress to and egress from the facility.
- Maintenance of audit logs of all physical access through all entry and exit points.
- Escort of visitors and monitoring of their activity throughout their visit.
- Securing of keys, key combinations, and other physical access devices, and changing them when lost, stolen, or after personnel changes.
- Regular review of all logs and procedures to ensure access control is effective.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1354, 1, N'The monitoring, identification, and reporting of events are the foundation of incident identification, and commence the incident life cycle. Events can affect the productivity of organizational assets and, in turn, of associated services. At a minimum, the organization should identify the most effective methods for event detection, and provide a process for reporting events so that they can be triaged, analyzed, and addressed.
Implement network monitoring related to the Incident Management Function, similar to the control of other organizational components. Continuous monitoring programs provide ongoing awareness of threats, vulnerabilities, and information security.
Use continuous monitoring to support appropriate responses to risks. Providing organizational officials with continuous access to security-related information (in the form of reports and/or dashboards) enables them to make more effective and timely risk management decisions. Use automation to provide more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1355, 1, N'The intent of this capability is to ensure that incident management personnel are watching their own networks. Information collected by incident management personnel and stored on incident management systems and applications can contain sensitive information. It is critical that such information be protected with the same rigor applied to other key organizational assets.
A documented and implemented plan to protect information assets should exist for monitoring Incident Management Function systems. This monitoring plan should include methods for detecting events, incidents, anomalous activity, intrusion attempts, and other potential threats. The plan also requires identification of critical Incident Management Function assets so that appropriate monitoring activities can be implemented.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1356, 1, N'The organization may have a vulnerability management practice or capability in place. Vulnerabilities in the systems that support the Incident Management Function must be remediated. If these systems are not included in the scope of the organization''s larger vulnerability management processes, there must be a similar process established specifically for the Incident Management Function. The process should consider the following:
- Scan for vulnerabilities in information systems and hosted applications. Conduct scanning according to an organization-defined schedule, and when new relevant vulnerabilities are identified and reported.
- Use vulnerability scanning tools and techniques that facilitate their interoperability.
- Automate parts of the vulnerability management process by using standards for the following:
- enumerating platforms, software flaws, and improper configurations
- formatting checklists and test procedures
- measuring vulnerability impact
- Analyze vulnerability scan reports and results from security control assessments.
- Remediate legitimate vulnerabilities according to an assessment of the risk to the organization.
- Share information from vulnerability scanning and security control assessments with entities identified by organizational leadership to help eliminate similar vulnerabilities in other information systems.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1357, 1, N'Develop and implement guidelines for the secure collection, handling, transmission, storage, and the appropriate disposition of event and incident information assets. Communicate these guidelines to all staff responsible for the resilience of information assets.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1358, 1, N'Develop information asset backup and retention procedures. Information asset backup and retention procedures should include:
- standards for the frequency of backup and storage (which may be established and connected to the organization''s configuration management of information assets) and the retention period for each information asset
- the types and forms of information asset retention (paper, CDs, tapes, etc.)
- the identification of organization-authorized storage locations and methods, and of guidelines for appropriate proximity of these storage locations
- procedures for accessing stored copies of information assets
- standards for the protection and environmental control of information assets in storage (particularly if the assets are stored in locations not owned by the organization)
- standards for the testing of the validity of the information assets to be used in restorative activities
- periodic revision of the guidelines as operational conditions change
The application of these guidelines should be based on the value of the asset and its availability requirements during an emergency, which may be indicated by a service continuity plan.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1360, 1, N'Identify and document staff who are authorized to modify information assets, relative to the asset''s integrity requirements. This information may be specifically included as part of the information asset''s resilience requirements.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1361, 1, N'Establish the incident management plan. At a minimum, the incident management plan should address:
- the organization''s philosophy for incident management
- the structure of the incident management process
- the requirements and objectives of the incident management process
- a description of how the organization will identify incidents, analyze them, and respond to them
- the roles and responsibilities necessary to carry out the plan
- internal and external stakeholders to the plan and capability
- applicable training needs and requirements
- resources, both internal and external, required to meet the objectives of the plan
- relevant costs and budgets associated with the incident management activities
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1362, 1, N'The incident management plan should be reviewed and updated periodically, as defined by the organization. Review the plan to ensure that the organization is following the roadmap for maturing the capability and for fulfilling its incident response goals. Ensure that lessons learned from responding to incidents are also incorporated in the plan to improve the incident management process and life cycle. Organizational changes should be assessed, and the plan updated as necessary. Revise and update documented commitments from those responsible for implementing and supporting the plan, particularly the commitment of higher-level managers.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1363, 1, N'Assign staff to incident management roles and responsibilities. The organization must identify the staff necessary to achieve the plan''s objectives. Ensure that staff are assigned and aware of their roles and responsibilities with respect to satisfying these objectives.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1364, 1, N'Develop detailed job descriptions for each role and responsibility detailed in the incident management plan. The job description should clearly state the duties, expectations, and requirements of each role defined in the plan.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1365, 1, N'The incident management plan provides the organization with a standard operating procedure for handling incidents that may impact critical business operations and information. The plan should identify the roles and responsibilities of everyone involved in the process, including senior leadership. Senior leadership needs to be made aware of their roles to support incident response.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1366, 1, N'All relevant groups and individuals that have a significant role in the incident management plan should be involved in the creation of the plan. Obtaining the perspectives of all plan stakeholders, and getting their support and buy-in, will increase their awareness, engagement, and responsibility to abide by the guidance provided in that plan.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1367, 1, N'Establish a foundational structure for event detection, reporting, logging, and tracking, and for collecting and storing event evidence. This structure enables incident management processes to function properly.
Foundational processes related to event detection and reporting also support incident reporting, logging, and tracking. One approach to establishing this foundational structure is to implement an event and incident knowledge base.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1368, 1, N'The organization should have a documented communication plan for its incident management activities. During an incident, it is critical that the designated people receive the appropriate information in a timely manner. The plan should include management notification, and incident response and coordination. The communication plan should also include guidance on internal and external communication requirements. This communication plan may be part of a larger organizational plan or crisis management plan.
Plan and prepare several communication channels, including out-of-band methods (e.g., in person, paper), and select the appropriate methods for each incident. Regularly review and update the communication plan for incident management, and include at a minimum the following information:
- the roles with authority to initiate incident-related communications or data
- the internal and external resources that support the communications process
- the individuals, groups, and designated POCs to be contacted
- thresholds for when to contact someone
- the contact processes and mechanisms, including security requirements
- the respective timeframes for contacting the appropriate individuals, groups, and designated POCs
- the frequency and timing of communications
- a description of the action an individual should take after receiving the communicated information
- special communications requirements (e.g., brevity codes, encryption, or secured communications)
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1369, 1, N'Disseminate the communication plan to both internal and external stakeholders. It is expected that the stakeholders are committed to supporting the communications plan. The communications plan should be disseminated each time it is modified. Organizational changes that have occurred since the last revision could necessitate a redistribution of the plan.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1370, 1, N'Ensure that information exchange interfaces among the groups involved in incident management functions are described and understood by all participants. Identify the appropriate communications protocols and channels (media and message) for each type of stakeholder. Various message types and levels of communications may be appropriate for various stakeholders.
Establish an incident management function that ensures an interface is available that identifies and facilitates the flow of incident management data among all groups that have a stake in the incident management process.
The interface should identify member groups and define the incident management information that is exchanged (e.g., process, authority, mechanism).
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1371, 1, NULL)
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1372, 1, N'Identify external dependencies. It is important for the Incident Management Function to identify and characterize all external dependencies so that they can be understood, formalized, monitored, and managed.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1373, 1, N'Formal agreements should be established with external entities that support the Incident Management Function. Types of agreements may include contracts, memorandum of agreement, purchase orders, and licensing agreements. The agreements should be enforceable, include detailed and complete specifications, specify required performance standards, and be periodically updated to reflect necessary changes. All agreements should establish procedures for monitoring the performance of external entities and inspecting the services or products they deliver to the organization.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1374, 1, N'Properly document the agreement terms, conditions, specifications, and other provisions. All agreement provisions should be documented clearly in the agreement in easy-to-understand language. The agreement should not contain any general exceptions for achieving the resilience specifications unless they are considered and negotiated carefully. It may, however, contain scenarios of types of unforeseen events for which the external entity is not expected to prepare. Exceptions granted to resilience specifications, or scenarios for which the external entity is not required to prepare, should be treated as risks. All agreements should establish procedures for monitoring the performance of external entities and for inspecting the services or products they deliver to the organization.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1375, 1, N'Establish procedures and responsibility for monitoring external entity performance and for inspecting external entity deliverables. Periodically meet with representatives of the external dependencies to review the result of monitoring activities, the specifications of each agreement, and any changes that might impact performance.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1376, 1, N'To ensure that members of the incident response team respond effectively to incidents, it is important that the organization develops KSA requirements for candidates.
Establish and document baseline competencies necessary to meet the needs of the Incident Management Function. Baseline competencies may be as detailed as the organization needs to describe its required skill sets. This may involve many layers of information, including
- role (security administrator, network administrator, CIO, etc.)
- position (CIO, senior security analyst, network engineer, etc.)
- skills (Java programming, Oracle DBA, etc.)
- certifications (CISSP, MSCE, etc.)
- aptitudes and job requirements (able to work long hours, travel, or be on call)
For each incident handling and response position, develop a list of attributes required to perform the role in the form of KSAs.
”Knowledge” is a body of information applied directly to the performance of a function, such as incident handling and response.
”Skill” is an observable competence to perform a function using various tools, frameworks and processes. For each role, identify the technologies or systems that the organization uses to perform the tasks assigned to that role.
”Ability” is the proficiency to perform an observable behavior or a behavior that results in an observable product. For example, some roles may require abilities to effectively communicate or analyze a problem; others, to develop technical documentation; and managers may have to organize work or tasks and lead others effectively.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1377, 1, N'Document the training needs of the incident handling and response personnel. The training needs should focus on the skills and knowledge needed to perform particular roles and address the associated KSAs. The training needs should also adequately cover the capabilities represented by the Incident Management Function. Training needs are established by first, identifying people in the organization with incident handling and response roles and responsibilities, then analyzing gaps in their knowledge and skills that have to be addressed to enable them to succeed in their roles.
')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (1378, 1, N'Conduct training for the personnel assigned to the Incident Management Function. Experienced instructors should conduct the training. When possible, the training is conducted in settings that closely resemble actual performance conditions, and includes activities that simulate actual work situations. This approach includes integration of tools, methods, and procedures for competency development. Training is tied to work responsibilities so that on-the-job activities or other outside experiences reinforce the training within a reasonable time after its conclusion.
')
+PRINT(N'Operation applied to 64 rows out of 64')
+
+PRINT(N'Add rows to [dbo].[MATURITY_REFERENCES]')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1291, 2208, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1291, 3866, N'ID.BE', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1291, 5031, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1292, 2208, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1292, 3866, N'ID.AM-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1292, 3866, N'ID.BE', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1292, 5031, N'3.2.6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1293, 3866, N'ID.AM', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1293, 3866, N'ID.AM-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1293, 3866, N'ID.AM-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1293, 3866, N'ID.AM-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1293, 3866, N'ID.AM-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1293, 3866, N'ID.BE-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1293, 3866, N'ID.BE-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1293, 5014, N'CA-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1293, 5014, N'CM-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1293, 5014, N'CM-8', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1293, 5014, N'CP-2(8)', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1293, 5014, N'PM-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1293, 5017, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1293, 5031, N'3.1.1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1294, 3866, N'ID.AM', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1294, 3866, N'ID.AM-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1294, 3866, N'ID.AM-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1294, 3866, N'ID.AM-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1294, 3866, N'ID.BE-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1294, 3866, N'ID.BE-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1294, 5014, N'CM-8', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1294, 5031, N'3.1.1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1295, 3866, N'DE.CM-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1295, 3866, N'DE.CM-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1295, 3866, N'DE.CM-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1295, 5014, N'CA-7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1295, 5014, N'IR-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1295, 5014, N'SI-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1295, 5031, N'3.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1296, 3866, N'DE.CM-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1296, 3866, N'DE.CM-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1296, 3866, N'DE.CM-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1296, 5014, N'CA-7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1296, 5014, N'SI-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1296, 5031, N'3.2.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1296, 5031, N'3.2.3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1297, 2602, N'IR-6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1297, 3866, N'DE.DP-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1297, 3866, N'RS.CO-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1297, 5031, N'3.1.1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1297, 5031, N'3.2.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1299, 3866, N'DE.AE-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1299, 5031, N'2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1299, 6078, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1300, 3866, N'RS.CO-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1300, 5014, N'IR-6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1300, 5031, N'2.3.1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1300, 5031, N'2.6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1300, 5031, N'3.5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1300, 5031, N'3.6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1301, 3866, N'RS.AN-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1301, 5031, N'3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1301, 6078, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1302, 3866, N'DE.AE-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1302, 3866, N'DE.AE-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1302, 5031, N'3.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1302, 6078, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1303, 670, N'3.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1303, 3866, N'DE.AE-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1303, 3866, N'DE.AE-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1303, 5031, N'3.2.3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1303, 5031, N'3.2.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1304, 3866, N'DE.EA-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1304, 5031, N'3.2.6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1305, 3866, N'DE.AE.3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1305, 5031, N'3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1306, 3866, N'DE.AE-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1306, 3866, N'RS.AN-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1306, 5031, N'3.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1307, 3866, N'DE.DP-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1307, 3866, N'DE.DP-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1307, 3866, N'PR.IP-11', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1307, 3866, N'RS.CO-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1307, 4988, N'4.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1307, 5031, N'2.4.3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1308, 3866, N'RS.CO-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1308, 5031, N'3.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1308, 6078, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1309, 3866, N'DE.AE-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1309, 5031, N'3.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1310, 3866, N'RS.CO-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1310, 5031, N'3.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1310, 5031, N'3.6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1311, 3866, N'RS.AN-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1311, 3866, N'RS.AN-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1311, 5031, N'3.2.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1311, 6078, N'3.4.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1312, 3866, N'RS.AN-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1312, 3866, N'RS.AN-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1312, 5031, N'3.2.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1312, 6078, N'3.3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1312, 6078, N'3.4.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1313, 3866, N'RS.AN-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1313, 3866, N'RS.AN-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1313, 5031, N'3.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1313, 6078, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1314, 2533, N'2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1314, 2533, N'3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1314, 2533, N'H', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1314, 3866, N'RS.AN-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1315, 3866, N'DE.DP-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1315, 3866, N'PR.IP-7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1315, 5014, N'IR-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1315, 5014, N'IR-8', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1315, 6078, N'3.4.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1316, 3866, N'RS.CO-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1316, 5031, N'3.2.7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1316, 6078, N'3.8.7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1317, 3866, N'RS.CO-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1317, 3866, N'RS.CO-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1317, 5014, N'IR-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1317, 5014, N'IR-6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1317, 5031, N'2.3.1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1317, 5031, N'2.3.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1317, 5031, N'3.1.1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1317, 5031, N'3.2.7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1317, 6078, N'3.3.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1318, 3866, N'RS.CO-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1318, 3866, N'RS.CO-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1318, 5031, N'3.2.7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1319, 3866, N'RS.MI-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1319, 3866, N'RS.RP-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1319, 5031, N'3.1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1319, 5031, N'3.3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1320, 3866, N'RC.CO-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1320, 3866, N'RS.CO-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1320, 3866, N'RS.CO-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1320, 5031, N'2.3.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1320, 5031, N'3.2.7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1320, 5031, N'4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1320, 6078, N'3.8.8', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1321, 3866, N'RC.CO.3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1321, 3866, N'RC.CO-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1321, 3866, N'RS.CO-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1321, 5014, N'SI-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1321, 5031, N'2.5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1321, 5031, N'3.2.7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1321, 6078, N'3.5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1321, 6078, N'3.8.8', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1322, 3866, N'RS.MI-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1322, 3866, N'RS.MI-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1322, 5031, N'3.2.5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1322, 6078, N'3.3.1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1322, 6078, N'3.4.1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1322, 6078, N'3.4.3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1323, 3866, N'DE.DP-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1323, 3866, N'ID.GV-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1323, 5031, N'2.4.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1323, 6078, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1324, 3866, N'DE.DP-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1324, 3866, N'ID.GV-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1324, 3894, N'2.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1324, 3894, N'2.5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1324, 3894, N'2.6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1324, 5031, N'2.4.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1324, 5031, N'3.3.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1325, 3866, N'ID-GV.1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1325, 3866, N'RS.AN-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1325, 3894, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1325, 5031, N'3.3.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1325, 6078, N'2.3.2.1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1326, 3866, N'RS.CO-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1326, 3894, N'3.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1327, 3866, N'DE.DP-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1327, 3866, N'PR.IP-7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1327, 3866, N'RC.IM-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1327, 3866, N'RC.IM-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1327, 3866, N'RS.IM-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1327, 3866, N'RS.IM-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1327, 3866, N'RS.RP-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1327, 5031, N'3.4.1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1327, 5031, N'3.4.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1328, 3866, N'DE.DP-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1328, 3866, N'PR.IP-7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1328, 3866, N'RC.IM-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1328, 3866, N'RC.IM-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1328, 3866, N'RS.IM-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1328, 3866, N'RS.IM-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1328, 3866, N'RS.RP-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1328, 5014, N'IR-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1328, 5014, N'IR-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1328, 5031, N'3.4.1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1329, 3866, N'DE.DP-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1329, 3866, N'PR.IP-7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1329, 3866, N'RC.IM-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1329, 3866, N'RC.IM-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1329, 3866, N'RS.IM-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1329, 3866, N'RS.RP-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1330, 3866, N'DE.DP-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1330, 3866, N'PR.IP-7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1330, 3866, N'RC.IM-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1330, 3866, N'RC.IM-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1330, 3866, N'RS.RP-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1330, 5031, N'3.4.1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1330, 5031, N'3.4.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1331, 3866, N'DE.DP-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1331, 3866, N'PR.IP-7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1331, 3866, N'RC.IM-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1331, 3866, N'RC.IM-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1331, 3866, N'RS.IM-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1331, 3866, N'RS.IM-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1331, 3866, N'RS.RP-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1331, 5031, N'3.4.1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1331, 5031, N'3.4.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1331, 6078, N'3.4.1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1332, 673, N'6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1332, 3866, N'ID.SC-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1332, 3866, N'PR.IP-10', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1332, 5014, N'IR-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1333, 673, N'6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1333, 3866, N'ID.SC-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1333, 3866, N'PR.IP-10', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1333, 5014, N'IR-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1334, 673, N'6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1334, 3866, N'ID.SC-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1334, 3866, N'PR.IP-10', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1334, 5014, N'IR-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1335, 673, N'6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1335, 3866, N'ID.SC-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1335, 3866, N'PR.IP-10', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1335, 5014, N'IR-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1337, 673, N'6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1337, 3866, N'ID.SC-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1337, 3866, N'PR.IP-10', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1337, 5014, N'IR-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1338, 3866, N'PR.IP-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1338, 5014, N'CM-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1339, 3866, N'PR.IP-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1339, 5014, N'CM-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1340, 3866, N'ID.RA-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1340, 3866, N'RS.AN-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1341, 3866, N'ID.RA-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1341, 3866, N'RS.AN-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1343, 2208, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1343, 3866, N'PR.IP-9', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1343, 5014, N'IR-4 (3)', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1345, 3866, N'ID.RA-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1345, 3866, N'ID.RA-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1345, 5015, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1345, 5031, N'2.5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1346, 2533, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1346, 3866, N'PR.IP-8', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1346, 5031, N'2.5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1347, 3866, N'ID.AM', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1347, 3866, N'ID.AM-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1347, 3866, N'ID.AM-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1347, 3866, N'ID.AM-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1347, 5017, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1348, 3866, N'ID.BE-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1349, 3866, N'ID.GV-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1349, 3866, N'ID.GV-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1349, 3866, N'PR.AC', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1349, 3866, N'PR.DS', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1349, 3866, N'PR.IP', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1349, 3866, N'PR.MA', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1349, 3866, N'PR.PT', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1349, 5031, N'3.2.5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1349, 5031, N'3.6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1349, 5031, N'4.2.3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1350, 3866, N'PR.IP-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1350, 5014, N'CM-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1350, 5018, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1352, 3866, N'PR.AC-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1352, 5014, N'PE', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1353, 3866, N'PR.AC-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1353, 5014, N'PE', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1354, 3866, N'DE.CM-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1354, 5014, N'CA-7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1354, 5014, N'SI-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1354, 5031, N'2.1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1354, 5031, N'3.2.3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1355, 3866, N'DE.DP-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1355, 3866, N'PR.IP-9', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1355, 5014, N'IR-8', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1355, 5031, N'2.3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1356, 3866, N'DE.CM-8', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1356, 3866, N'ID.RA-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1356, 3866, N'RS.AN-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1356, 3896, N'4.3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1356, 5014, N'RA-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1356, 5031, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1357, 3866, N'PR.DS-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1357, 3866, N'PR.IP-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1357, 3866, N'PR.IP-6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1357, 5014, N'CP-9', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1357, 5014, N'MP-6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1357, 5031, N'2.3.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1357, 5031, N'3.2.5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1357, 5031, N'3.3.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1357, 5031, N'3.4.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1357, 5031, N'3.4.3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1359, 3866, N'ID.SC-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1359, 3866, N'PR.IP-11', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1359, 3866, N'PR.IP-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1359, 5014, N'AC-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1360, 3866, N'PR.AC-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1360, 3866, N'PR.IP-11', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1360, 3866, N'PR.IP-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1360, 5014, N'AC-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1361, 3866, N'DE.DP-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1361, 3866, N'ID.SC-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1361, 3866, N'PR.IP-9', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1361, 3866, N'RS.CO-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1361, 3866, N'RS.CO-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1361, 5014, N'IR-8', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1361, 5031, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1361, 6078, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1362, 3866, N'DE.DP-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1362, 3866, N'ID.SC-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1362, 3866, N'PR.IP-10', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1362, 5014, N'IR-8', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1363, 3866, N'DE.DP-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1363, 3866, N'RS.CO-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1363, 5031, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1363, 6078, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1364, 3866, N'DE.DP-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1364, 3866, N'PR.IP-11', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1365, 3866, N'ID.AM-6', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1365, 3866, N'ID.GV-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1365, 3866, N'PR.AT-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1365, 5014, N'IR-8', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1365, 5031, N'2.3.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1366, 3866, N'DE.DP-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1366, 3866, N'ID.SC-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1366, 3866, N'PR.IP-9', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1366, 3866, N'RS.CO-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1366, 3866, N'RS.CO-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1366, 5014, N'IR-8', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1366, 5031, N'2.3.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1366, 5031, N'2.4.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1367, 3866, N'ID.SC-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1367, 3866, N'PR.IP-9', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1367, 6078, N'', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1368, 3866, N'DE.DP-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1368, 3866, N'ID.SC-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1368, 3866, N'PR.IP-9', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1368, 3866, N'RS.CO-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1368, 3866, N'RS.CO-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1368, 5014, N'IR-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1368, 5014, N'IR-8', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1368, 5031, N'2.3.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1368, 5031, N'2.3.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1368, 6078, N'3.7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1368, 6078, N'3.8.8', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1368, 6078, N'4.2.3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1368, 6078, N'4.2.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1369, 3866, N'ID.SC-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1369, 3866, N'PR.IP-9', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1369, 5014, N'IR-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1369, 5014, N'IR-8', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1369, 5031, N'2.3.2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1369, 5031, N'2.3.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1369, 5031, N'3.2.7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1370, 3866, N'RC.CO-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1370, 3866, N'RC.CO-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1370, 3866, N'RS.CO-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1370, 5014, N'IR-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1370, 5031, N'2.4.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1371, 3866, N'RC.CO-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1371, 3866, N'RC.CO-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1371, 3866, N'RS.CO-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1371, 5014, N'2.4.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1371, 5014, N'IR-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1371, 5031, N'2.4.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1372, 3866, N'ID.BE-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1372, 3866, N'ID.SC-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1372, 5015, N'E-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1373, 3866, N'ID.BE-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1373, 3866, N'ID.SC-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1373, 3866, N'PR.AT-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1373, 5014, N'SA-12', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1374, 3866, N'ID.BE-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1374, 3866, N'ID.SC-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1374, 3866, N'PR.AT-3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1374, 5014, N'SA-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1375, 3866, N'ID.SC-4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1375, 5014, N'SA-12 9', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1376, 3866, N'PR.AT-1', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1376, 3866, N'PR.IP-7', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1376, 5010, N'2.1.4', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1376, 5014, N'IR-2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1376, 5031, N'2.4.3', NULL, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1377, 3866, N'PR.AT-1', NULL, N'')
+PRINT(N'Operation applied to 390 rows out of 390')
+
+PRINT(N'Add rows to [dbo].[MATURITY_SOURCE_FILES]')
+INSERT INTO [dbo].[MATURITY_SOURCE_FILES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1336, 673, N'2', NULL, N'')
+INSERT INTO [dbo].[MATURITY_SOURCE_FILES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1336, 3866, N'ID.SC-5', NULL, N'')
+INSERT INTO [dbo].[MATURITY_SOURCE_FILES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1336, 3866, N'PR.IP-10', NULL, N'')
+INSERT INTO [dbo].[MATURITY_SOURCE_FILES] ([Mat_Question_Id], [Gen_File_Id], [Section_Ref], [Page_Number], [Destination_String]) VALUES (1336, 5031, N'2.3.3', NULL, N'')
+PRINT(N'Operation applied to 4 rows out of 4')
+
+PRINT(N'Add constraints to [dbo].[MATURITY_SOURCE_FILES]')
+ALTER TABLE [dbo].[MATURITY_SOURCE_FILES] CHECK CONSTRAINT [FK_MATURITY_SOURCE_FILES_GEN_FILE]
+ALTER TABLE [dbo].[MATURITY_SOURCE_FILES] CHECK CONSTRAINT [FK_MATURITY_SOURCE_FILES_MATURITY_QUESTIONS]
+
+PRINT(N'Add constraints to [dbo].[MATURITY_REFERENCES]')
+ALTER TABLE [dbo].[MATURITY_REFERENCES] CHECK CONSTRAINT [FK_MATURITY_REFERENCES_GEN_FILE]
+ALTER TABLE [dbo].[MATURITY_REFERENCES] CHECK CONSTRAINT [FK_MATURITY_REFERENCES_MATURITY_QUESTIONS]
+
+PRINT(N'Add constraints to [dbo].[MATURITY_REFERENCE_TEXT]')
+ALTER TABLE [dbo].[MATURITY_REFERENCE_TEXT] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_REFERENCE_TEXT_MATURITY_QUESTIONS]
+
+PRINT(N'Add constraints to [dbo].[MATURITY_QUESTIONS]')
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] CHECK CONSTRAINT [FK__MATURITY___Matur__5B638405]
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_GROUPINGS]
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_LEVELS]
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] CHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_MODELS]
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_OPTIONS]
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_QUESTION_TYPES]
+ALTER TABLE [dbo].[HYDRO_DATA] WITH CHECK CHECK CONSTRAINT [FK__HYDRO_DAT__Mat_Q__38652BE2]
+ALTER TABLE [dbo].[ISE_ACTIONS] WITH CHECK CHECK CONSTRAINT [FK__ISE_ACTIO__Mat_Q__7F2CAE86]
+ALTER TABLE [dbo].[ISE_ACTIONS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MAT_QUESTION_ID]
+ALTER TABLE [dbo].[MATURITY_ANSWER_OPTIONS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_ANSWER_OPTIONS_MATURITY_QUESTIONS1]
+ALTER TABLE [dbo].[MATURITY_QUESTION_PROPS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_QUESTION_PROPS_MATURITY_QUESTIONS]
+ALTER TABLE [dbo].[TTP_MAT_QUESTION] WITH CHECK CHECK CONSTRAINT [FK_TTP_MAT_QUESTION_MATURITY_QUESTIONS]
+
+PRINT(N'Add constraints to [dbo].[MATURITY_GROUPINGS]')
+ALTER TABLE [dbo].[MATURITY_GROUPINGS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_GROUPINGS_MATURITY_GROUPING_TYPES]
+ALTER TABLE [dbo].[MATURITY_DOMAIN_REMARKS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_DOMAIN_REMARKS_MATURITY_GROUPINGS]
+
+PRINT(N'Add DML triggers to [dbo].[MATURITY_GROUPINGS]')
+ALTER TABLE [dbo].[MATURITY_GROUPINGS] ENABLE TRIGGER [trg_update_maturity_groupings]
+COMMIT TRANSACTION
+GO
diff --git a/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/SQL/12026_to_12027_data.sql b/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/SQL/12026_to_12027_data.sql
new file mode 100644
index 0000000000..8b6b648006
--- /dev/null
+++ b/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/SQL/12026_to_12027_data.sql
@@ -0,0 +1,2051 @@
+/*
+Run this script on:
+
+(localdb)\INLLocalDb2022.CSETWeb12026 - This database will be modified
+
+to synchronize it with:
+
+(localdb)\INLLocalDb2022.TSAWeb12027
+
+You are recommended to back up your database before running this script
+
+Script created by SQL Data Compare version 14.10.9.22680 from Red Gate Software Ltd at 8/16/2023 9:08:03 AM
+
+*/
+
+SET NUMERIC_ROUNDABORT OFF
+GO
+SET ANSI_PADDING, ANSI_WARNINGS, CONCAT_NULL_YIELDS_NULL, ARITHABORT, QUOTED_IDENTIFIER, ANSI_NULLS, NOCOUNT ON
+GO
+SET DATEFORMAT YMD
+GO
+SET XACT_ABORT ON
+GO
+SET TRANSACTION ISOLATION LEVEL Serializable
+GO
+BEGIN TRANSACTION
+
+PRINT(N'Disable DML triggers on [dbo].[MATURITY_GROUPINGS]')
+ALTER TABLE [dbo].[MATURITY_GROUPINGS] DISABLE TRIGGER [trg_update_maturity_groupings]
+
+PRINT(N'Drop constraints from [dbo].[MATURITY_REFERENCES]')
+ALTER TABLE [dbo].[MATURITY_REFERENCES] NOCHECK CONSTRAINT [FK_MATURITY_REFERENCES_GEN_FILE]
+ALTER TABLE [dbo].[MATURITY_REFERENCES] NOCHECK CONSTRAINT [FK_MATURITY_REFERENCES_MATURITY_QUESTIONS]
+
+PRINT(N'Drop constraints from [dbo].[MATURITY_REFERENCE_TEXT]')
+ALTER TABLE [dbo].[MATURITY_REFERENCE_TEXT] NOCHECK CONSTRAINT [FK_MATURITY_REFERENCE_TEXT_MATURITY_QUESTIONS]
+
+PRINT(N'Drop constraints from [dbo].[MATURITY_QUESTIONS]')
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK__MATURITY___Matur__5B638405]
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_GROUPINGS]
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_LEVELS]
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_MODELS]
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_OPTIONS]
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_QUESTION_TYPES]
+ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_QUESTIONS]
+
+PRINT(N'Drop constraint FK__HYDRO_DAT__Mat_Q__38652BE2 from [dbo].[HYDRO_DATA]')
+ALTER TABLE [dbo].[HYDRO_DATA] NOCHECK CONSTRAINT [FK__HYDRO_DAT__Mat_Q__38652BE2]
+
+PRINT(N'Drop constraint FK__ISE_ACTIO__Mat_Q__7F2CAE86 from [dbo].[ISE_ACTIONS]')
+ALTER TABLE [dbo].[ISE_ACTIONS] NOCHECK CONSTRAINT [FK__ISE_ACTIO__Mat_Q__7F2CAE86]
+
+PRINT(N'Drop constraint FK_MATURITY_QUESTIONS_MAT_QUESTION_ID from [dbo].[ISE_ACTIONS]')
+ALTER TABLE [dbo].[ISE_ACTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MAT_QUESTION_ID]
+
+PRINT(N'Drop constraint FK_MATURITY_QUESTION_PROPS_MATURITY_QUESTIONS from [dbo].[MATURITY_QUESTION_PROPS]')
+ALTER TABLE [dbo].[MATURITY_QUESTION_PROPS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTION_PROPS_MATURITY_QUESTIONS]
+
+PRINT(N'Drop constraint FK_MATURITY_SOURCE_FILES_MATURITY_QUESTIONS from [dbo].[MATURITY_SOURCE_FILES]')
+ALTER TABLE [dbo].[MATURITY_SOURCE_FILES] NOCHECK CONSTRAINT [FK_MATURITY_SOURCE_FILES_MATURITY_QUESTIONS]
+
+PRINT(N'Drop constraint FK_TTP_MAT_QUESTION_MATURITY_QUESTIONS from [dbo].[TTP_MAT_QUESTION]')
+ALTER TABLE [dbo].[TTP_MAT_QUESTION] NOCHECK CONSTRAINT [FK_TTP_MAT_QUESTION_MATURITY_QUESTIONS]
+
+PRINT(N'Drop constraints from [dbo].[MATURITY_ANSWER_OPTIONS]')
+ALTER TABLE [dbo].[MATURITY_ANSWER_OPTIONS] NOCHECK CONSTRAINT [FK_MATURITY_ANSWER_OPTIONS_MATURITY_QUESTIONS1]
+
+PRINT(N'Drop constraint FK_ANSWER_MATURITY_ANSWER_OPTIONS1 from [dbo].[ANSWER]')
+ALTER TABLE [dbo].[ANSWER] NOCHECK CONSTRAINT [FK_ANSWER_MATURITY_ANSWER_OPTIONS1]
+
+PRINT(N'Drop constraint FK__HYDRO_DAT__Mat_O__377107A9 from [dbo].[HYDRO_DATA]')
+ALTER TABLE [dbo].[HYDRO_DATA] NOCHECK CONSTRAINT [FK__HYDRO_DAT__Mat_O__377107A9]
+
+PRINT(N'Drop constraint FK_MATURITY_ANSWER_OPTIONS_INTEGRITY_CHECK_MATURITY_ANSWER_OPTIONS from [dbo].[MATURITY_ANSWER_OPTIONS_INTEGRITY_CHECK]')
+ALTER TABLE [dbo].[MATURITY_ANSWER_OPTIONS_INTEGRITY_CHECK] NOCHECK CONSTRAINT [FK_MATURITY_ANSWER_OPTIONS_INTEGRITY_CHECK_MATURITY_ANSWER_OPTIONS]
+
+PRINT(N'Drop constraint FK_MATURITY_ANSWER_OPTIONS_INTEGRITY_CHECK_MATURITY_ANSWER_OPTIONS2 from [dbo].[MATURITY_ANSWER_OPTIONS_INTEGRITY_CHECK]')
+ALTER TABLE [dbo].[MATURITY_ANSWER_OPTIONS_INTEGRITY_CHECK] NOCHECK CONSTRAINT [FK_MATURITY_ANSWER_OPTIONS_INTEGRITY_CHECK_MATURITY_ANSWER_OPTIONS2]
+
+PRINT(N'Drop constraints from [dbo].[MATURITY_GROUPINGS]')
+ALTER TABLE [dbo].[MATURITY_GROUPINGS] NOCHECK CONSTRAINT [FK_MATURITY_GROUPINGS_MATURITY_GROUPING_TYPES]
+ALTER TABLE [dbo].[MATURITY_GROUPINGS] NOCHECK CONSTRAINT [FK_MATURITY_GROUPINGS_MATURITY_MODELS]
+
+PRINT(N'Drop constraint FK_MATURITY_DOMAIN_REMARKS_MATURITY_GROUPINGS from [dbo].[MATURITY_DOMAIN_REMARKS]')
+ALTER TABLE [dbo].[MATURITY_DOMAIN_REMARKS] NOCHECK CONSTRAINT [FK_MATURITY_DOMAIN_REMARKS_MATURITY_GROUPINGS]
+
+PRINT(N'Update rows in [dbo].[MATURITY_QUESTIONS]')
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Does the CIP adequately identify all Critical Cyber Systems within the O/O''s environment, as defined in Section VII of Security Directive SD02D?', [Supplemental_Info]=N'In addition to the terms defined in 49 CFR 1500.3, the following terms apply to SD02D:
+
+Critical Cyber System means any Information or Operational Technology system or data that, if compromised or exploited, could result in operational disruption. Critical Cyber Systems include business services that, if compromised or exploited, could result in operational disruption.
+
+The O/O should be able to provide a detailed list of all systems/devices, software and data that are subject to the requirements of the CIP.
+
+The inspection team should validate a sampling of items identified by visual inspection of hardware devices and associated software/firmware on those devices.
+
+Data flow diagrams should be evaluated and described by the O/O for CCS data flows and validate that no CCS data traverses or resides on devices not designated CCS.' WHERE [Mat_Question_Id] = 6801
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'NS-3B1.Q1', [Question_Text]=N'Evaluate network segmentation policies and controls by reviewing network diagrams/data flow diagrams.', [Supplemental_Info]=N'Review network diagrams/data flow diagrams and interview operational personnel. When connections and data are exchanged between the IT and OT systems and establishes an interdependency, the inspection team will need to determine through interviews if the connections are severed what is the impact on the operation of the pipeline if any.', [Sequence]=1, [Grouping_Id]=2602, [Mat_Question_Type]=N'memo' WHERE [Mat_Question_Id] = 6802
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'NS-3B1.Q2', [Question_Text]=N'Evaluate network segmentation policies and controls by interviewing operational personnel.', [Supplemental_Info]=N'Review network diagrams/data flow diagrams and interview operational personnel. When connections and data are exchanged between the IT and OT systems and establishes an interdependency, the inspection team will need to determine through interviews if the connections are severed what is the impact on the operation of the pipeline if any. If interdependencies are critical, are there redundant systems in place to ensure continued operations? What, if any, contingency plans are in place to ensure the O/O can maintain operations? This area of evaluation is where the inspection team would determine if a PCAP should be collected. If the network diagrams/data flow diagrams do not clearly reflect what is asserted in the CIP or the O/O cannot adequately explain and describe any IT/OT connections and whether or not severing these connections would disrupt operations, then a PCAP should be done to evaluate actual traffic.', [Sequence]=2, [Mat_Question_Type]=N'memo' WHERE [Mat_Question_Id] = 6803
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'NS-3B1.Q3', [Question_Text]=N'Does the O/O implement network segmentation policies and controls designed to prevent operational disruption to the Operational Technology system if the Information Technology system is compromised or vice versa?', [Supplemental_Info]=N'Network segmentation policies and controls refer to the strategies, guidelines, and technical measures that an organization establishes to divide its computer network into smaller, isolated segments or zones. The primary purpose of network segmentation is to improve security by containing threats, limiting lateral movement, and reducing the impact of potential security incidents:
+
+Network Segmentation Policies:
+
+Network segmentation policies are high-level guidelines that define how an organization plans and implements the division of its network into distinct segments or zones. These policies outline the goals, objectives, and principles of segmentation. They also address considerations like the types of data or services hosted in each segment, the access controls required, and the communication rules between segments.
+
+Key aspects of network segmentation policies include:
+
+Segmentation Strategy: This outlines the reasons for segmentation, such as security, regulatory compliance, or operational requirements.
+Segment Identification: Defining which parts of the network will be segmented and identifying the criteria for segmenting (e.g., by department, function, sensitivity).
+Access Controls: Specifying who has access to each segment and what level of access they have.
+Communication Rules: Defining the rules for communication between segments, including which types of traffic are allowed or blocked.
+Security Controls: Determining the security technologies and measures that will be employed within each segment.
+Monitoring and Maintenance: Outlining how the segmented network will be monitored for security events and maintained over time.
+
+Network Segmentation Controls:
+
+Network segmentation controls encompass the technical measures and mechanisms used to enforce the policies and achieve the goals of network segmentation. These controls include:
+
+Firewalls: Firewalls are devices or software applications that monitor and filter network traffic between segments based on predefined rules. They can block unauthorized communication and provide an additional layer of protection.
+
+Intrusion Detection and Prevention Systems (IDPS): IDPS solutions monitor network traffic for signs of malicious activity. They can alert administrators or take automated actions to prevent attacks.
+
+Virtual LANs (VLANs): VLANs create logical network segments within a physical network, allowing devices to be grouped based on criteria such as department or function.
+
+Subnetting: Subnetting involves dividing IP address ranges into smaller subnets, effectively separating network traffic based on IP addresses.
+
+Access Control Lists (ACLs): ACLs are rules that determine what traffic is allowed or denied at specific network points, such as routers or switches.
+
+Network Isolation: Network isolation involves physically or logically separating segments to prevent unauthorized access.
+
+Microsegmentation: Microsegmentation takes network segmentation to a granular level, even within a single segment. It allows for finely tuned access controls for specific devices or applications.', [Sequence]=3, [Grouping_Id]=2602, [Parent_Option_Id]=NULL WHERE [Mat_Question_Id] = 6804
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'NS-3B1.C1', [Question_Text]=N'As applied to Critical Cyber Systems, do these policies and controls include:
+
+A list and description of Information and Operational Technology system interdependencies?', [Supplemental_Info]=N'IT/OT interdependencies should be validated with a detailed operational data flow analysis and identification that corresponds with the definition of section VII of SD02C; “Critical Cyber System means any Information or Operational Technology system or data that, if compromised or exploited, could result in operational disruption."
+
+Critical Cyber Systems include business services that, if compromised or exploited, could result in operational disruption.” Operational disruption, for purposes of the SD, means a deviation from or interruption of necessary capacity that results from a compromise or loss of data, system availability, system reliability, or control of a TSA-designated critical pipeline system or facility.
+
+Necessary capacity means Owner/Operator’s determination of a capacity to support its business-critical functions required for pipeline operations and market expectations.', [Sequence]=1, [Parent_Option_Id]=1004 WHERE [Mat_Question_Id] = 6805
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'NS-3B1.Q4', [Supplemental_Info]=N'While the integration of IT and OT can bring numerous benefits, such as improved efficiency and automation, it also introduces potential issues and risks. The interdependency between IT and OT systems can become problematic in the following ways:
+
+1. Cybersecurity Risks: Connecting IT and OT systems increases the attack surface for potential cyber threats. A vulnerability in the IT environment can be exploited to gain unauthorized access to the OT systems, potentially disrupting critical operations, causing safety hazards, or compromising data integrity. Similarly, a compromise in the OT systems can provide a pathway for attackers to infiltrate the IT infrastructure.
+
+2. Compatibility and Interoperability Challenges: IT and OT systems often have different technologies, protocols, and standards. Ensuring seamless communication and data exchange between these systems can be challenging. Incompatibilities may arise, requiring custom interfaces or middleware solutions to bridge the gap. If not properly managed, these compatibility issues can lead to communication failures, data inconsistencies, and operational disruptions.
+
+3. Maintenance and Patching: Regular maintenance, updates, and patching are essential for both IT and OT systems to address vulnerabilities and ensure optimal performance. However, in an interconnected environment, applying changes to one system can inadvertently impact the other. A software update intended for an IT system, for example, might inadvertently disrupt or introduce issues in the underlying OT processes.
+
+4. Operational Disruptions: A failure or disruption in either the IT or OT systems can have cascading effects on the other. For instance, an IT system failure could prevent critical data from reaching the OT systems, leading to operational inefficiencies or even safety hazards. Conversely, a failure in the OT systems might impact data availability or real-time monitoring, affecting decision-making and overall system performance.
+
+5. Organizational Silos and Communication Gaps: IT and OT teams traditionally have different skill sets, priorities, and objectives. In organizations where there are silos or limited communication between these teams, coordination and collaboration become challenging. This lack of alignment can impede the sharing of knowledge, timely issue resolution, and effective decision-making, exacerbating interdependency issues.', [Sequence]=4 WHERE [Mat_Question_Id] = 6806
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'If interdependent connections are severed, is there an impact on the operation of the pipeline?', [Supplemental_Info]=N'When external connections between Operational Technology (OT) and Information Technology (IT) systems in a pipeline are severed, it is critical to assess the impact on the operation of the pipeline by taking the following steps:
+
+1. Establish Communication Protocols: In advance, define communication protocols and processes between OT and IT teams to ensure effective coordination during incidents. This includes establishing communication channels, points of contact, and escalation procedures.
+
+2. Engage OT and IT Teams: Bring together the OT and IT teams responsible for the pipeline''s operation. Promptly inform them about the severed external connections and initiate a collaborative response.
+
+3. Conduct Initial Assessment: Assess the nature and extent of the severed connections. Determine which specific systems, devices, or components are affected and the level of dependency on the external connections.
+
+4. Review Network Diagrams and System Architecture: Refer to network diagrams, system architecture documentation, and any available asset inventory to gain a comprehensive understanding of the pipeline infrastructure. This will help identify critical points of connectivity and potential impacts.
+
+5. Analyze Dependency on External Connections: Identify the functions, data flows, or services that rely on the external connections between OT and IT systems. Determine how the severed connections affect critical operations, such as data exchange, control signals, monitoring, or supervisory control.
+
+6. Assess Control and Monitoring Capabilities: Evaluate the impact on control and monitoring capabilities within the pipeline. Identify any loss of real-time visibility, command execution, or system status updates caused by the severed connections.
+
+7. Evaluate Safety Systems: Assess the impact on safety systems, such as emergency shutdown systems or alarm management. Determine if the severed connections compromise the ability to detect and respond to critical safety events.
+
+8. Consider Redundancy and Contingency Measures: Review existing redundancy and contingency measures in place to mitigate such incidents. Identify alternate communication paths, backup systems, or failover mechanisms that can be leveraged to maintain essential operations.
+
+9. Perform Risk Assessment: Conduct a risk assessment to determine the potential consequences of the severed connections. Consider the severity of impact, potential safety risks, environmental concerns, and the impact on regulatory compliance.
+
+10. Develop Mitigation and Recovery Plan: Based on the assessment, develop a mitigation and recovery plan. This should outline the necessary steps to restore connectivity, prioritize system recovery, and reestablish critical operations.
+
+11. Implement Mitigation and Recovery Actions: Execute the mitigation and recovery plan according to the prioritized actions. Ensure close coordination between OT and IT teams to minimize downtime, restore connectivity, and resume normal pipeline operations.
+
+12. Test and Validate: After implementing the mitigation and recovery measures, test and validate the restored functionality to confirm the successful restoration of essential operations. Monitor the system closely to ensure stability and ongoing resilience.', [Parent_Option_Id]=1008 WHERE [Mat_Question_Id] = 6807
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'NS-3B1.C4', [Supplemental_Info]=N'When dealing with critical interdependencies, it is important to have redundant systems in place to ensure continued operations. Best practices to consider include:
+
+1. Identify Critical Interdependencies: Conduct a thorough assessment to identify and understand the critical interdependencies within the organization’s systems and infrastructure. Determine the dependencies between different components, applications, networks, and services that are vital for maintaining operations.
+
+2. Redundant Systems: Implement redundant systems for critical interdependencies. This involves duplicating critical components, applications, or infrastructure elements, ensuring that there is a backup system or alternative solution available in case of failure or disruption. Redundancy can be achieved through various techniques, such as clustering, load balancing, or hot standby systems.
+
+3. Failover and High Availability: Implement failover mechanisms and high availability configurations to enable seamless transitions to redundant systems in the event of a failure. This ensures that operations can continue without significant disruption or downtime. Failover mechanisms can include automated failover, where the backup system takes over automatically, or manual failover, where administrators initiate the transition.
+
+4. Regular Testing and Failover Drills: Perform regular testing and failover drills to validate the effectiveness of redundant systems and interdependencies. Test the failover mechanisms and ensure that the backup systems can seamlessly take over in case of a failure. Regular testing helps identify any issues or gaps in the redundancy setup and allows for necessary improvements or adjustments.
+
+5. Geographic Redundancy: Consider geographic redundancy by having redundant systems located in different geographical locations or data centers. This provides an added layer of protection against localized incidents or disasters, such as natural disasters or regional outages. Geographic redundancy ensures that operations can continue even if one location is impacted.
+
+6. Load Balancing: Implement load balancing mechanisms to distribute the workload across redundant systems. This helps prevent single points of failure and ensures that the load is evenly distributed, optimizing performance and availability.
+
+7. Monitoring and Alerting: Implement robust monitoring and alerting systems to continuously monitor the status and performance of both primary and redundant systems. This allows for proactive identification of issues, early detection of potential failures, and prompt response to ensure continued operations.
+
+8. Regular Maintenance and Updates: Perform regular maintenance, updates, and patches on both primary and redundant systems. Ensure that the redundant systems are kept in sync with the primary systems, including software versions, configurations, and security updates. Regular maintenance helps maintain the integrity and effectiveness of the redundant systems.
+
+9. Documentation and Communication: Maintain detailed documentation of the interdependencies, redundant systems, failover procedures, and contact information for key stakeholders. Regularly communicate and share this information with relevant personnel, including IT teams, system administrators, and stakeholders involved in incident response and business continuity planning.
+
+10. Business Continuity and Disaster Recovery Planning: Develop comprehensive business continuity and disaster recovery plans that include strategies for handling critical interdependencies and the use of redundant systems. Regularly review and update these plans to ensure they align with evolving business needs and technology advancements.', [Parent_Option_Id]=1008 WHERE [Mat_Question_Id] = 6808
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'NS-3B1.C5', [Question_Text]=N'Are there contingency plans are in place to ensure the O/O can maintain operations?', [Supplemental_Info]=N'This area of evaluation is where the inspection team would determine if a PCAP should be collected.', [Parent_Option_Id]=1008 WHERE [Mat_Question_Id] = 6809
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'NS-3B1.Q3', [Supplemental_Info]=N'IT/OT connections facilitate the exchange of data and information between the IT and OT domains, enabling organizations to monitor and control physical processes and devices.
+
+Severing IT/OT connections can have varying impacts on operations, depending on the specific context and the extent of interdependencies between IT and OT systems:
+
+1. Operational Dependency: Assess the level of operational dependency on IT systems for OT operations. In some cases, OT systems may rely heavily on IT systems for functions such as data analysis, reporting, or integration with enterprise-level applications. Severing IT/OT connections in such cases could impact the availability or efficiency of these functions.
+
+2. Control and Monitoring: Evaluate the impact on real-time control and monitoring of OT processes. IT systems often provide interfaces and software applications for monitoring and controlling OT systems. Disrupting IT/OT connections may impede the ability to monitor, control, or respond to changes in OT processes effectively.
+
+3. Data Synchronization: Consider the synchronization of data between IT and OT systems. IT systems often gather and analyze data from OT systems to provide insights, make informed decisions, or trigger automated actions. Severing IT/OT connections may disrupt the flow of data, potentially affecting decision-making or automated processes reliant on synchronized data.
+
+4. Cybersecurity Considerations: Evaluate the cybersecurity implications of severing IT/OT connections. IT systems often provide security controls, such as firewalls, intrusion detection systems, or antivirus solutions, to protect OT systems from cyber threats. Disconnecting IT/OT connections may impact the effectiveness of these security measures and increase the vulnerability of OT systems.
+
+5. Business Continuity: Consider the impact on overall business continuity. If certain OT processes rely heavily on IT systems, severing the IT/OT connections may disrupt critical business operations or compromise safety measures. It is important to assess the potential consequences and ensure appropriate backup mechanisms or redundancy measures are in place.
+
+6. Risk Assessment: Conduct a comprehensive risk assessment to identify potential vulnerabilities, impacts, and mitigation strategies associated with severing IT/OT connections. Consider factors such as system criticality, regulatory compliance, operational requirements, and safety implications.', [Parent_Option_Id]=1008 WHERE [Mat_Question_Id] = 6810
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Supplemental_Info]=N'Planning for Verification and Validation Inspection Process
+In order to verify and validate the controls and procedures are operating and capable of satisfying the measures as required by the O/O’s CIP, the inspection team should leverage the tools already present on the O/O’s system whenever possible. The O/O’s CIP may identify some of these tools and the inspection team should attempt to familiarize themselves with these tools. The inspection team should discuss with the O/O the availability and use of these tools. If the O/O does not have applicable tools or the tools are unavailable for review by the inspection team, the inspection team should discuss with O/O the use of basic commands and scripts in Appendix B. If neither of these options can be utilized or the inspection team believes they would not be capable to establish compliance of the measures the O/O’s CIP, then a network Packet Capture (PCAP) should be captured.
+Should the inspection team determine that a PCAP is required to validate network traffic control assertions contained in the CIP, the inspection team will work with the O/O and the Surface Cyber Assurance Division to determine network span locations and length of time required for the PCAP. This PCAP will consist of header information only often referred to as a 5-tuple Packet Capture; this would include a set of five different values that comprise a connection. The five values are: a source IP address and port number, destination IP address and port number and the protocol in use.
+Before requesting a PCAP from the O/O the inspection team must verify that there are enough resources to review a PCAP. The PCAP will need to be received a minimum of 2 weeks prior to the on-site inspection. This is to allow enough time for the current limited resources to process and analyze the PCAP. Future inspections should include as a standard practice a PCAP of 24 hours, once this capability is fully developed.' WHERE [Mat_Question_Id] = 6811
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Evaluate external connections with a detailed network diagram showing the connections/lack of connections.', [Supplemental_Info]=N'External connections should be validated with a detailed network diagram showing the connections/lack of connections. If connections exist, how are the connections managed? Are they managed using firewalls, router ACLs, Virtual Private Networks (VPN), Multiprotocol Label Switching (MPLS) VPN/Point-To-Point (PTP) circuits, LTE, satellite, etc.? The inspection team should validate the operational impact due to a loss of any external connections and what the O/O’s contingency plan is to maintain operations. If the external connection is critical to continued operation is there built in redundancy?', [Mat_Question_Type]=N'memo' WHERE [Mat_Question_Id] = 6812
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Supplemental_Info]=N'External network connections can pose various dangers and security risks to an organization''s network and infrastructure. Examples of external network connections include:
+
+1. Internet Connection: The primary external network connection for most organizations is their connection to the internet. This connection allows users within the organization to access websites, cloud services, and communicate with external parties over the internet.
+
+2. Virtual Private Network (VPN): A VPN is a secure tunnel that allows remote users or branch offices to securely connect to an organization''s internal network over the internet. VPNs provide encrypted connections to protect sensitive data transmitted between the remote location and the organization''s network.
+
+3. Remote Access Services: Organizations often provide remote access services that allow authorized individuals to connect to the internal network from external locations. This can be achieved through technologies such as remote desktop protocols (RDP), virtual desktop infrastructure (VDI), or secure shell (SSH) connections.
+
+4. Partner Networks: Many organizations establish external network connections with partner networks, suppliers, or vendors. These connections enable secure communication, data exchange, and collaborative activities between organizations, such as sharing resources, accessing shared databases, or conducting joint projects.
+
+5. Cloud Services: Organizations increasingly utilize external network connections to connect to cloud service providers. These connections enable access to cloud-based applications, storage, and infrastructure hosted by external providers, allowing organizations to leverage scalable resources and offload certain IT functions.
+
+6. Extranets: Extranets are private networks that connect an organization with specific external entities, such as business partners, clients, or customers. Extranets allow secure access to shared resources, collaboration platforms, or customized applications for authorized external users.
+
+7. Point-to-Point Connections: In some cases, organizations establish direct point-to-point connections with external entities. This can include dedicated leased lines, private circuits, or secure interconnections for specific purposes like data replication, disaster recovery, or interconnecting branch offices.' WHERE [Mat_Question_Id] = 6813
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Where external connections exist, are the connections managed using:', [Supplemental_Info]=N'Industry best practices for managing external connections include:
+
+1. Secure Authentication: Implement strong authentication mechanisms, such as multifactor authentication (MFA), for all external connections. This ensures that only authorized users can establish connections and access sensitive resources.
+
+2. Encryption: Employ encryption protocols (such as SSL/TLS) to secure data transmitted over external connections. Encryption protects data confidentiality and integrity, preventing unauthorized interception or tampering.
+
+3. Network Segmentation: Segment the network to isolate external-facing systems and connections from the internal network. This limits the potential impact of a breach or compromise, reducing the lateral movement of attackers within the network.
+
+4. Strong Access Controls: Apply strict access controls to external connections, including the principle of least privilege. Only grant the necessary permissions to users or systems for the specific resources they require. Regularly review and revoke access rights when they are no longer needed.
+
+5. Intrusion Detection and Prevention: Deploy intrusion detection and prevention systems (IDS/IPS) to monitor external connections for suspicious or malicious activities. These systems can detect and block potential threats in real-time, reducing the risk of successful attacks.
+
+6. Patch Management: Maintain a robust patch management process for all systems and devices involved in external connections. Promptly apply security patches and updates to mitigate known vulnerabilities and reduce the risk of exploitation.
+
+7. Logging and Monitoring: Implement comprehensive logging and monitoring mechanisms for external connections. Monitor network traffic, access logs, and security events to detect and investigate any anomalies, unauthorized access attempts, or suspicious activities.
+
+8. Regular Vulnerability Assessments: Conduct regular vulnerability assessments and penetration testing on external-facing systems to identify and address any vulnerabilities or weaknesses. This helps ensure that systems are hardened against potential attacks.
+
+9. Incident Response Planning: Develop a robust incident response plan specific to managing incidents related to external connections. This plan should outline the steps to be taken in the event of a security incident, including containment, investigation, mitigation, and recovery.
+
+10. Employee Education and Awareness: Provide regular training and awareness programs to employees regarding the best practices for securely managing external connections. Educate them about the risks, common attack vectors, and security protocols to follow when accessing external resources.' WHERE [Mat_Question_Id] = 6814
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'EC-3B1.C3', [Supplemental_Info]=N'The concept of built-in redundancy refers to the design and implementation of systems or components with duplicated or backup elements to ensure reliability, fault tolerance, and continuity of operations. It involves creating a system or infrastructure that can continue to function even if one or more components or subsystems fail.
+
+Built-in redundancy aims to mitigate the impact of failures or disruptions by providing alternative pathways or redundant resources that can take over in the event of a failure. This redundancy can be achieved in various ways:
+
+• Component Redundancy: This involves duplicating critical components within a system. If one component fails, the redundant component takes over, ensuring uninterrupted operation. For example, redundant power supplies in a server, redundant storage drives in a RAID array, or redundant network switches in a network infrastructure.
+
+• Path Redundancy: This involves creating multiple paths or routes for data or communication flow. If one path becomes unavailable or congested, traffic can be automatically rerouted through an alternate path. This approach improves reliability and fault tolerance. For example, redundant network links, alternate power distribution paths, or redundant internet service providers (ISPs).
+
+• System Redundancy: This entails replicating entire systems or subsystems to provide backup capabilities. If one system fails, another identical or synchronized system can take over seamlessly. This approach is often used in high-availability clusters or failover systems, where multiple servers or systems operate in parallel to provide redundancy and failover capabilities.
+
+• Geographic Redundancy: In some cases, redundancy is achieved by having geographically dispersed infrastructure or data centers. This helps protect against localized disasters or disruptions, such as natural disasters, power outages, or network failures. Geographic redundancy ensures that critical services or systems can be seamlessly shifted to alternate locations if needed.
+
+The primary goal of built-in redundancy is to enhance system availability, minimize downtime, and ensure business continuity. By incorporating redundancy into the design and implementation of systems, organizations can reduce the impact of failures, increase reliability, and maintain uninterrupted operations even when individual components or subsystems fail.' WHERE [Mat_Question_Id] = 6815
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'EC-3B1.C4', [Question_Text]=N'Is there operational impact due to a loss of any external connections? Please evaluate in comments.', [Supplemental_Info]=N'A loss of external connections can have significant operational impacts on critical cyber systems. Some examples of potential operational impacts include:
+
+1. Disruption of Communication: External connections are vital for communication with external entities, such as customers, partners, or service providers. A loss of external connections can result in the inability to send or receive critical communications, leading to delays in business operations, decreased customer satisfaction, and potential financial losses.
+
+2. Service Disruption: Many critical cyber systems rely on external services or cloud-based platforms for their functionality. A loss of external connections can disrupt access to these services, rendering the systems partially or completely non-functional. This can impact core business processes, service delivery, or the ability to serve customers effectively.
+
+3. Data Synchronization Issues: External connections are often used for data synchronization, backups, or replication across different locations or systems. A loss of external connections can hinder data synchronization processes, leading to data inconsistencies, outdated information, or the inability to access critical data required for operations.
+
+4. Limited Access to External Resources: External connections are often used to access external resources, such as software updates, patches, or security feeds. A loss of external connections can restrict the organization''s ability to obtain critical updates, leaving systems vulnerable to emerging threats and lacking the latest security measures.
+
+5. Reduced Monitoring and Reporting Capabilities: External connections are essential for transmitting monitoring data, security logs, or reporting information to external entities, such as security operations centers or regulatory bodies. A loss of external connections can hinder the organization''s ability to monitor systems, report incidents, or comply with regulatory requirements, potentially exposing the organization to increased security risks and compliance issues.
+
+6. Limited Incident Response Capabilities: External connections play a crucial role in incident response activities, such as accessing external threat intelligence, coordinating with external incident response teams, or sharing incident-related information. A loss of external connections can hamper the organization''s ability to respond effectively to security incidents, resulting in extended response times and potentially exacerbating the impact of the incident.
+
+7. Dependencies on External Services: Critical cyber systems may rely on external services for functions such as authentication, payment processing, or content delivery. A loss of external connections can disrupt these dependencies, leading to service degradation or complete unavailability of key features or functionalities.
+
+8. Impact on Remote Access: Loss of external connections can affect remote access capabilities, such as remote employees connecting to the organization''s network or accessing critical systems. This can impact workforce productivity, hinder remote collaboration, and disrupt business operations that rely on remote access.', [Mat_Question_Type]=NULL WHERE [Mat_Question_Id] = 6816
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'EC-3B1.C5', [Question_Text]=N'Does the O/O have a contingency plan to maintain operations? Please evaluate in comments.', [Supplemental_Info]=N'Maintaining operations for critical cyber systems during disruptions requires a well-defined contingency plan. Best practices for developing and implementing a contingency plan include:
+
+1. Business Impact Analysis (BIA): Conduct a thorough business impact analysis to identify critical cyber systems and their dependencies. Assess the potential impacts of disruptions on business operations, financials, reputation, and compliance. This analysis forms the foundation for developing a comprehensive contingency plan.
+
+2. Risk Assessment: Perform a risk assessment to identify potential threats and vulnerabilities that could disrupt critical cyber systems. Understand the likelihood and potential impact of each threat scenario. This assessment helps prioritize resources and focus on areas with the highest risk.
+
+3. Redundancy and Backup: Establish redundancy and backup mechanisms for critical cyber systems. This may involve redundant hardware, failover systems, or backup data centers. Ensure that critical data, configurations, and system images are regularly backed up and stored in secure off-site locations.
+
+4. Emergency Response Team: Establish an emergency response team responsible for executing the contingency plan. Define roles, responsibilities, and communication channels within the team. Conduct regular training, drills, and simulations to ensure readiness and familiarity with response procedures.
+
+5. Communication and Notification: Develop a communication plan to promptly notify stakeholders, employees, customers, and partners in the event of a disruption. Clearly define the communication channels, contact information, and escalation procedures. Maintain up-to-date contact lists and establish communication protocols.
+
+6. Alternative Infrastructure and Services: Identify alternative infrastructure, systems, or services that can be utilized during disruptions. This may involve leveraging cloud services, alternate data centers, or backup systems. Ensure that these alternatives are regularly tested and maintained to ensure their readiness.
+
+7. Incident Response and Recovery: Define incident response and recovery procedures specific to critical cyber systems. Establish steps for containment, investigation, recovery, and restoration of systems. Determine recovery time objectives (RTOs) and recovery point objectives (RPOs) to guide the recovery process.
+
+8. Regular Testing and Drills: Conduct regular testing and drills of the contingency plan to ensure its effectiveness. Simulate various disruption scenarios and evaluate the response and recovery processes. Identify areas for improvement and update the plan accordingly based on lessons learned.
+
+9. Vendor and Supplier Management: Assess the reliance on third-party vendors and suppliers for critical cyber systems. Establish communication channels and coordination mechanisms with vendors to address disruptions and ensure their adherence to service-level agreements (SLAs) during contingencies.
+
+10. Continuous Improvement: Continuously review and update the contingency plan based on changing business requirements, emerging threats, and lessons learned from previous incidents. Regularly revisit the plan to ensure its alignment with the evolving technology landscape and business environment.
+
+11. Compliance Considerations: Take into account relevant regulatory requirements and compliance obligations when developing the contingency plan. Ensure that the plan aligns with applicable laws and industry standards.
+
+12. Documentation and Accessibility: Document the contingency plan in detail, including procedures, contact information, and recovery steps. Ensure that the plan is easily accessible to authorized personnel and regularly reviewed and updated as needed.', [Mat_Question_Type]=NULL WHERE [Mat_Question_Id] = 6817
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'ZB-3B1.Q1', [Question_Text]=N'Zone boundaries should be validated using the detailed network diagram and the architectural design document that describes the criticality, consequences and necessity. (This may also be defined and controlled with firewalls which could also manage network traffic as described in the next section).
+
+Is a detailed network diagram available?', [Supplemental_Info]=N'Guidance:
+
+Validating zone boundaries with a detailed network diagram and an architectural design document is important to ensure the security of the network. Zone boundaries separate network segments based on their level of trust and sensitivity, and it''s essential to ensure that they are properly defined and enforced to prevent unauthorized access and data breaches.
+
+A network diagram provides a visual representation of the network topology, including its components, connections, and traffic flow. This diagram should clearly show the location of zone boundaries and the devices that enforce them, such as firewalls or routers. This will help to identify any potential vulnerabilities or misconfigurations that could compromise the security of the network.
+
+An architectural design document should describe the criticality, consequences, and necessity of the zone boundaries in detail. It should outline the security requirements for each zone, including the level of access control, data encryption, and monitoring needed. This document should also define the procedures for managing and monitoring the zone boundaries to ensure that they are working as intended.
+
+Validating zone boundaries with a detailed network diagram and an architectural design document is an essential step in ensuring the security of the network. This process will help to identify any potential security risks and ensure that the network is properly configured to protect against unauthorized access and data breaches.
+
+Zones can be created using VLANs, and it is important to validate the VLAN configuration files and associated documentation to ensure that each VLAN/Zone is properly defined and the devices that reside in each zone are clearly identified. This validation process should involve reviewing the switch/router configuration files, which will show how the VLANs are configured and associated with specific ports or interfaces.
+In addition to VLANs, firewalls can also be used to manage network traffic between zones. Firewall rules should be defined to control traffic between zones and enforce security policies. It is important to ensure that these rules are properly configured and enforced to prevent unauthorized access and data breaches.
+
+Validating the VLAN configuration and firewall rules can be a complex process, and it may require collaboration between different teams, such as network engineering and security. However, this validation is critical to ensuring that the network is properly segmented and secured, which will help to protect against cyber threats and data breaches.' WHERE [Mat_Question_Id] = 6818
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'ZB-3B1.C1', [Question_Text]=N'Does the detailed network diagram describe criticality, consequences and necessity?', [Supplemental_Info]=N'A detailed network diagram that describes criticality, consequences, and necessity is important for several reasons:
+
+1. Understanding the network infrastructure: A network diagram provides a visual representation of the network infrastructure, including devices, connections, and their interrelationships. It helps in understanding the overall architecture and how different components are connected.
+
+2. Identifying critical components: By mapping out the network, you can identify critical components such as servers, routers, switches, and important services that are crucial for the network''s operation. These critical components can be marked on the diagram, highlighting their significance.
+
+3. Assessing criticality: By assigning criticality levels to different components or services in the network diagram, you can prioritize their importance based on their impact on business operations. For example, a server hosting a critical database may be assigned a higher criticality level than a non-essential workstation.
+
+4. Evaluating consequences: The network diagram can include information about the potential consequences of a failure or disruption in different components. For instance, if a particular router goes down, it may result in a loss of connectivity for an entire department, impacting their productivity. Understanding these consequences helps in assessing the potential impact of failures and planning appropriate mitigation strategies.
+
+5. Determining necessity: The network diagram allows you to evaluate the necessity of each component or connection. It helps in identifying redundant or unnecessary elements that may be removed to simplify the network or reduce costs. By analyzing the diagram, you can optimize the network infrastructure and ensure that only essential components are retained.
+
+6. Supporting troubleshooting and incident response: When an issue or incident occurs in the network, a detailed network diagram becomes an invaluable tool for troubleshooting. It helps network administrators and technicians quickly identify affected areas, pinpoint potential causes, and expedite the resolution process.
+
+7. Facilitating communication and documentation: A well-documented network diagram with criticality, consequences, and necessity information becomes a valuable resource for communication within the IT team and with stakeholders. It provides a common visual reference point that aids in discussions, planning, and decision-making related to the network infrastructure.
+
+A detailed network diagram with criticality, consequences, and necessity information enhances the understanding, management, and resilience of the network. It assists in identifying critical components, assessing their importance, planning for contingencies, and improving overall network efficiency and reliability.', [Sequence]=1, [Grouping_Id]=NULL, [Parent_Option_Id]=1030 WHERE [Mat_Question_Id] = 6819
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'ZB-3B1.Q2', [Question_Text]=N'Is an architectural design document available?', [Supplemental_Info]=N'A network architectural design document (NADD) is a comprehensive document that outlines the planned architecture and design of a computer network. It serves as a blueprint for building, expanding, or modifying a network infrastructure. The NADD provides detailed information about the network''s structure, components, protocols, connectivity, security measures, and other relevant aspects. Some key elements typically included in a network architectural design document are:
+
+1. Executive Summary: This section provides a high-level overview of the network design, including its objectives, scope, and key considerations. It summarizes the main points of the document for management and stakeholders.
+
+2. Introduction: The introduction section provides background information about the project, including its purpose, goals, and any specific requirements or constraints that influenced the network design.
+
+3. Network Overview: This section describes the overall network architecture and topology. It includes details about the different network layers (e.g., core, distribution, access), network segmentation, and connectivity between various network devices such as routers, switches, firewalls, and load balancers.
+
+4. Physical Infrastructure: This section covers the physical aspects of the network, including the location of network equipment, cabling infrastructure, power requirements, cooling considerations, and any other physical requirements necessary for the network''s operation.
+
+5. Logical Design: The logical design section focuses on the logical components of the network, such as IP addressing schemes, network protocols, routing protocols, VLANs (Virtual Local Area Networks), subnetting, and any other logical considerations that ensure efficient and secure data flow.
+
+6. Network Services: This section outlines the network services and applications that will be deployed in the network, such as DHCP (Dynamic Host Configuration Protocol), DNS (Domain Name System), VPN (Virtual Private Network), and others. It includes details about their implementation, configuration, and integration with the network infrastructure.
+
+7. Security Considerations: Network security is a crucial aspect of the design document. This section describes the security measures and mechanisms that will be implemented, such as firewalls, intrusion detection and prevention systems, access control policies, authentication methods, encryption protocols, and any other security-related considerations.
+
+8. Performance and Scalability: This section addresses the network''s performance requirements, including bandwidth considerations, Quality of Service (QoS) policies, load balancing strategies, and plans for future scalability to accommodate growth and increased network traffic.
+
+9. Monitoring and Management: The document describes the proposed network monitoring and management tools and techniques that will be employed. It includes details about network monitoring systems, performance monitoring, fault detection, configuration management, and any other tools or processes for maintaining and optimizing the network''s performance.
+
+10. Implementation Plan: This section outlines the step-by-step plan for implementing the network design. It includes tasks, timelines, resource requirements, and dependencies, ensuring a structured approach to deploying the network architecture.
+
+11. Risk Assessment and Mitigation: The network design document should identify potential risks and vulnerabilities associated with the proposed architecture. It outlines strategies and countermeasures to mitigate those risks, such as redundancy, disaster recovery plans, and backup solutions.
+
+12. Appendices: Additional supporting information, such as diagrams, charts, technical specifications, and references, may be included in the appendices to provide further clarity and detail.
+
+A network architectural design document serves as a comprehensive reference for network administrators, engineers, and other stakeholders involved in the network''s implementation and maintenance. It ensures that the network is designed with careful consideration of requirements, scalability, security, and performance, ultimately resulting in a reliable and efficient network infrastructure.', [Sequence]=2, [Grouping_Id]=2604, [Parent_Option_Id]=NULL WHERE [Mat_Question_Id] = 6820
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'ZB-3B1.C2', [Question_Text]=N'Does the architectural design document describe criticality, consequences and necessity?', [Supplemental_Info]=N'An architectural design document provides a detailed description of the overall architecture, design decisions, components, and modules of a system or application. It goes beyond network layout to encompass the entire structure, functionality, and behavior of the system. This document is often created during the design phase of a project and serves as a blueprint for developers, engineers, and stakeholders.
+Key features of an architectural design document include:
+
+1. Description of system components, modules, and their interactions.
+2. Explanation of system architecture, including high-level design patterns and principles.
+3. Outline of data flow, data storage, and data processing mechanisms.
+4. Specification of APIs, interfaces, and integration points between components.
+5. Diagrams illustrating system components, their relationships, and how they fit into the overall structure.
+6. Discussion of security measures, access controls, and data protection mechanisms.
+7.Consideration of scalability, performance, reliability, and maintainability aspects.', [Parent_Option_Id]=1034 WHERE [Mat_Question_Id] = 6821
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'ZB-3B1.Q3', [Question_Text]=N'Are zone boundaries created using VLANs?', [Supplemental_Info]=N'A VLAN (Virtual Local Area Network) is a logical network that allows devices to be grouped together based on functional or departmental boundaries rather than physical location. A VLAN is created by configuring network switches to segment the physical network into different virtual sub-networks, which can communicate with each other as if they were connected to the same physical network, even though they may be physically separated.
+
+VLANs are used to improve network performance, manageability, and security. By separating traffic into logical groups, network administrators can improve network performance by reducing broadcast traffic and congestion. VLANs also allow for easier management of the network since devices can be grouped together based on function or department, rather than physical location.
+
+VLANs are also a key component of network security since they can be used to separate sensitive data or applications from other less secure parts of the network. For example, a VLAN can be created to isolate a company''s financial data from other departments or functions, preventing unauthorized access or data breaches.
+Overall, VLANs provide a flexible and scalable way to partition a physical network into logical sub-networks, which can help improve network performance, management, and security.
+
+This may also be defined and controlled with firewalls which could also manage network traffic as described in the next section.', [Sequence]=3, [Grouping_Id]=2604, [Parent_Option_Id]=NULL WHERE [Mat_Question_Id] = 6822
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'ZB-3B1.C3', [Question_Text]=N'Validate switch/router configuration files that define each VLAN/Zone.', [Supplemental_Info]=N'To validate the VLAN/Zone configuration in a switch/router configuration file, you can follow these general steps:
+
+Obtain the configuration file: Retrieve the switch/router configuration file from the device or the network administrator.
+
+Open the configuration file: Use a text editor or a network management tool to open the configuration file.
+
+Locate VLAN/Zone configuration section: Search for the section of the configuration file that defines VLANs or Zones. This section is usually labeled with keywords like "VLANs," "interface VLAN," "Zones," or "security zones."
+
+Identify VLAN/Zone definitions: Within the VLAN/Zone configuration section, look for specific entries that define each VLAN/Zone. These entries typically include a VLAN/Zone identifier (ID) and a name.
+
+Verify VLAN/Zone membership: Check the interfaces or ports associated with each VLAN/Zone. The configuration file may use commands such as "switchport access VLAN " or "interface zone " to assign interfaces/ports to VLANs/Zones.
+
+Review IP addresses or subnets: If applicable, examine IP address assignments or subnet configurations associated with each VLAN/Zone. Look for commands like "ip address" or "subnet" within the VLAN/Zone configuration section.
+
+Cross-reference with network documentation: Consult any network documentation or diagrams available to compare the VLAN/Zone definitions and their associated devices. Ensure that the configuration aligns with the intended design or requirements.
+
+Validate device assignments: Verify that the devices listed in the configuration match the actual devices connected to the corresponding VLANs/Zones. Compare MAC addresses, device names, or IP addresses, depending on how devices are identified in the configuration file.
+
+Ensure consistency: Confirm that there are no conflicting VLAN/Zone assignments or overlapping IP addresses/subnets across different VLANs/Zones.
+
+Save and apply changes (if necessary): If any corrections or adjustments are needed, make the necessary modifications in the configuration file and save the changes. Apply the revised configuration to the switch/router using the appropriate command or tool.
+
+It''s important to note that the specific commands and syntax for VLAN/Zone configuration may vary depending on the switch/router model and the operating system it runs.', [Sequence]=1, [Parent_Option_Id]=1038 WHERE [Mat_Question_Id] = 6823
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'ZB-3B1.C4', [Question_Text]=N'Validate any associated documentation that defines each VLAN/Zone and what resides in each zone.', [Supplemental_Info]=N'Documentation for each VLAN/Zone should provide clear and comprehensive information about its purpose, configuration, and associated security controls. While the specific details may vary depending on the organization''s network architecture, some examples of the type of documentation that may be included are:
+
+1. VLAN/Zone Name and Identifier: Clearly specify the name and identifier of the VLAN or zone for easy identification and reference.
+
+2. Purpose and Function: Describe the purpose and function of the VLAN/Zone, explaining its intended use and the services or applications it supports. This helps provide context and understanding for network administrators and other stakeholders.
+
+3. Network Segmentation: Explain how the VLAN/Zone fits into the overall network segmentation strategy. Describe any logical or physical boundaries, including associated subnets or IP ranges.
+
+4. Configuration Details: Provide detailed configuration information for the VLAN/Zone, including the assigned IP addresses, subnet masks, default gateway, and DNS settings. Include any specific routing or switching configurations that apply.
+
+5. Access Control Policies: Document the access control policies and rules that govern traffic flow in and out of the VLAN/Zone. Specify any firewall rules, access lists, or security groups that define the allowed communication paths and restrictions.
+
+6. VLAN/Zone Dependencies: Identify any dependencies or relationships with other VLANs/Zones or network components. Document how the VLAN/Zone interacts with adjacent or upstream/downstream networks.
+
+7. Security Controls: Describe the security controls in place to protect the VLAN/Zone. This may include intrusion detection/prevention systems (IDS/IPS), network segmentation measures, encryption mechanisms, or any additional security technologies or practices implemented.
+
+8. Responsible Parties: Specify the individuals or teams responsible for managing and maintaining the VLAN/Zone. Include their contact information and escalation procedures for network-related issues.
+
+9. Change Management Procedures: Document the procedures for making changes to the VLAN/Zone configuration. Specify the approval process, change windows, and any testing or validation requirements to ensure changes are implemented safely.
+
+10. Diagrams and Visual Representation: Include network diagrams or visual representations that illustrate the VLAN/Zone and its connections to other network components. This provides a visual reference for understanding the VLAN/Zone''s placement within the network infrastructure.
+
+11. Compliance Considerations: Document any compliance requirements or regulations that the VLAN/Zone must adhere to. Specify any specific security controls or monitoring requirements necessary to maintain compliance.
+
+12. Revision History: Maintain a revision history for the VLAN/Zone documentation, noting any updates, changes, or modifications made over time. This helps track the evolution of the VLAN/Zone and provides an audit trail of configuration changes.
+
+The documentation should be kept up to date and readily accessible to network administrators, security teams, and other relevant stakeholders. It serves as a valuable reference for troubleshooting, auditing, and ensuring proper management and security of the VLAN/Zone.', [Sequence]=2, [Mat_Question_Type]=NULL, [Parent_Option_Id]=1038 WHERE [Mat_Question_Id] = 6824
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'ZB-3B2.Q2', [Question_Text]=N'Are tools employed to inspect traffic such as:', [Supplemental_Info]=N'Network traffic tools play a crucial role in monitoring and securing computer networks. Some common network traffic tools include:
+
+1. NIDS (Network Intrusion Detection System): NIDS is designed to monitor network traffic and identify suspicious or malicious activities. It analyzes network packets, looking for patterns that match known attack signatures or anomalies that indicate potential threats. NIDS can provide real-time alerts or log events for further investigation by security administrators.
+
+2. NIPS (Network Intrusion Prevention System): NIPS is an advanced version of NIDS that not only detects network intrusions but also takes proactive measures to prevent them. In addition to the detection capabilities of NIDS, NIPS has the ability to actively block or mitigate detected threats by dropping malicious packets, resetting connections, or implementing other defensive actions.
+
+3. HIDS (Host-based Intrusion Detection System): HIDS operates at the individual host level rather than monitoring network traffic. It monitors events occurring on a specific system, such as file modifications, logins, or system calls, to detect potential intrusions or unauthorized activities. HIDS can compare these events against known attack patterns or baseline behavior to identify anomalies that may indicate an intrusion attempt.
+
+4. HIPS (Host-based Intrusion Prevention System): Similar to NIPS, HIPS combines the capabilities of HIDS with proactive prevention measures. It not only detects potential intrusions or malicious activities on a host but also takes actions to prevent or mitigate them. HIPS can employ techniques like blocking specific processes, enforcing access controls, or alerting administrators to potential threats.
+
+These network traffic tools are often used in combination to create a layered security approach. NIDS and NIPS focus on monitoring and securing network traffic, while HIDS and HIPS provide visibility and protection at the individual host level.', [Grouping_Id]=2604, [Mat_Question_Type]=NULL, [Parent_Option_Id]=NULL WHERE [Mat_Question_Id] = 6825
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'List of other network traffic tools used.', [Supplemental_Info]=N'', [Sequence]=1, [Parent_Option_Id]=1045 WHERE [Mat_Question_Id] = 6826
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'EN-3B2.Q1', [Question_Text]=N'Is all traffic from OT Services traversing the IT network encrypted appropriately?', [Supplemental_Info]=N'It is crucial that all traffic from the OT (Operational Technology) services traversing the IT (Information Technology) network is appropriately encrypted to ensure:
+
+1. Confidentiality: Encryption ensures the confidentiality of data transmitted between OT services and IT systems. By encrypting the traffic, sensitive information remains secure and protected from unauthorized access or interception. This is particularly important when transmitting critical data related to industrial processes, infrastructure control, or proprietary information.
+
+2. Data Integrity: Encryption helps maintain data integrity by detecting any unauthorized modifications or tampering during transit. By employing encryption protocols, organizations can ensure that the data received by IT systems from OT services is genuine and unaltered. This is crucial for maintaining the accuracy and reliability of information used for decision-making or system control.
+
+3. Protection against Data Breaches: Encrypting OT traffic within the IT network provides an additional layer of protection against data breaches. If an attacker gains unauthorized access to the IT network, encrypted traffic makes it significantly harder for them to extract meaningful information from the intercepted data. This reduces the risk of sensitive OT data being exposed or exploited in the event of a network breach.
+
+4. Compliance and Regulatory Requirements: Many industries, such as healthcare, finance, and critical infrastructure, are subject to stringent regulatory frameworks that mandate the protection of sensitive data. Encrypting OT traffic in accordance with industry-specific regulations helps organizations meet compliance requirements and avoid potential penalties or legal consequences.
+
+5. Mitigating Insider Threats: Encrypting OT traffic also helps mitigate insider threats within an organization. By implementing strong encryption measures, even if an authorized user with access to the IT network attempts to intercept or misuse OT data, the encrypted nature of the traffic makes it significantly more difficult for them to exploit or manipulate the information for malicious purposes.
+
+6. Trust and Confidence: Encryption establishes trust and confidence in the security of the overall network infrastructure. Customers, partners, and stakeholders gain assurance that sensitive OT data is adequately protected during transmission across the IT network. This can enhance business relationships, reputation, and demonstrate a commitment to cybersecurity best practices.' WHERE [Mat_Question_Id] = 6827
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'EN-3B2.C1', [Question_Text]=N'Indicate which traffic requires encryption using network diagrams/data flow diagrams.', [Supplemental_Info]=N'Identifying which traffic requires encryption using network diagrams or data flow diagrams involves analyzing the flow of data within the network and considering factors such as data sensitivity, compliance requirements, and security best practices. To help identify traffic that should be encrypted, consider the following:
+
+1. Understand the Data Flows: Review the network diagram or data flow diagram to gain an understanding of how data moves within the network. Identify the different data flows, including the sources, destinations, and intermediaries through which the data passes.
+
+2. Determine Data Sensitivity: Assess the sensitivity of the data being transmitted. Consider the potential impact if the data were to be intercepted or accessed by unauthorized individuals. Data containing personally identifiable information (PII), financial information, or sensitive corporate information typically require encryption.
+
+3. Compliance Requirements: Consider any regulatory or compliance requirements that mandate the encryption of specific types of data. Industries such as healthcare (HIPAA), finance (PCI DSS), or government sectors often have specific encryption requirements that must be followed.
+
+4. Identify Network Segments: Identify specific network segments or zones where sensitive data flows. These could be areas where data is collected, stored, processed, or transmitted. Pay attention to areas such as database servers, web servers, or communication channels where sensitive information is involved.
+
+5. Analyze Data Interactions: Examine the interactions between different systems or components within the network. Identify the points where data is exchanged or transmitted. Determine whether the data flowing between these points should be encrypted to maintain confidentiality and integrity.
+
+6. Evaluate Security Controls: Assess the existing security controls in place. Identify if encryption mechanisms are already implemented or if additional measures are required. Consider factors such as secure protocols, secure communication channels, or encryption technologies that can be employed.
+
+7. Consult Encryption Best Practices: Refer to encryption best practices and industry standards to identify common encryption requirements. These practices may include encrypting data in transit, encrypting data at rest, or encrypting data exchanged between specific components or systems.
+
+8. Analyze External Connections: Consider external connections that involve transmitting data over public networks or untrusted networks. These connections may include connections to external partners, remote offices, or cloud service providers. Encryption is typically recommended for data transmitted over such connections to protect it from interception or tampering.
+
+9. Documentation and Policy: Document the identified traffic that requires encryption based on the analysis conducted. Create policies or guidelines specifying the encryption requirements for each identified traffic flow. Ensure that the policies align with industry best practices and any applicable regulatory requirements.
+
+10. Implementation and Monitoring: Once the traffic requiring encryption is identified, implement the necessary encryption measures accordingly. Deploy appropriate encryption protocols, configure secure communication channels, and utilize encryption technologies that meet the identified requirements. Continuously monitor the encrypted traffic to ensure compliance and detect any anomalies or security incidents.', [Sequence]=1, [Grouping_Id]=NULL, [Mat_Question_Type]=N'memo', [Parent_Option_Id]=1047 WHERE [Mat_Question_Id] = 6828
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'EN-3B2.C2', [Question_Text]=N'What method of encryption is in place? (e.g., symmetrical or asymmetrical)', [Supplemental_Info]=N'There are two main types of encryption algorithms: symmetric encryption and asymmetric encryption (also known as public-key encryption):
+
+• Symmetric Encryption: Symmetric encryption uses a single shared key to both encrypt and decrypt the data. The same key is used for both the encryption and decryption processes. This means that the sender and the receiver of the encrypted data must have a pre-shared secret key. Symmetric encryption algorithms, such as AES (Advanced Encryption Standard), are generally faster and more efficient than asymmetric encryption algorithms. However, the challenge with symmetric encryption is securely distributing the shared key to all parties involved.
+
+• Asymmetric Encryption: Asymmetric encryption involves the use of a pair of keys: a public key and a private key. The public key is widely distributed and used for encryption, while the private key is kept secret and used for decryption. Data encrypted with the public key can only be decrypted with the corresponding private key and vice versa. Asymmetric encryption algorithms, such as RSA (Rivest-Shamir-Adleman), provide a secure method for encryption and decryption without requiring a pre-shared key. This makes asymmetric encryption suitable for scenarios where secure key distribution is a challenge or when secure communication channels are not established.
+
+In practice, a combination of symmetric and asymmetric encryption is often used to achieve both efficiency and security. In secure communication protocols like TLS (Transport Layer Security), asymmetric encryption is used initially to establish a secure channel and exchange a shared secret key. Once the shared key is established, symmetric encryption is used for the bulk of the data transmission due to its speed and efficiency.
+
+Symmetric encryption uses a shared secret key for both encryption and decryption, while asymmetric encryption uses a pair of keys: a public key for encryption and a private key for decryption. The choice between symmetric and asymmetric encryption depends on factors such as security requirements, key management considerations, and the need for efficient data transmission.', [Parent_Question_Id]=6828, [Parent_Option_Id]=NULL WHERE [Mat_Question_Id] = 6829
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'EN-3B2.C3', [Question_Text]=N'Which encryption algorithm(s) are in place?', [Supplemental_Info]=N'An encryption algorithm is a set of mathematical instructions or rules that determine how data is transformed into an encrypted form and subsequently decrypted back into its original form. Encryption algorithms ensure that data remains secure and confidential during transmission or storage by converting it into an unreadable format that can only be deciphered with the appropriate decryption key or algorithm.
+
+Encryption algorithms operate on blocks of data, typically a fixed number of bits, and use cryptographic techniques to scramble the data into ciphertext. The level of security provided by an encryption algorithm depends on factors such as the complexity of the algorithm, the key size used, and the strength of the underlying cryptographic principles.
+
+There are several well-known encryption algorithms:
+
+• Advanced Encryption Standard (AES): AES is widely used and considered one of the most secure symmetric encryption algorithms. It supports key sizes of 128, 192, and 256 bits and operates on 128-bit blocks. AES has been adopted as a standard by the U.S. government for encrypting sensitive information.
+
+• RSA: RSA is an asymmetric encryption algorithm that uses a pair of keys—a public key for encryption and a private key for decryption. It is widely used for secure communication, key exchange, and digital signatures.
+
+• Triple Data Encryption Standard (3DES): 3DES is a symmetric encryption algorithm that applies the older Data Encryption Standard (DES) algorithm three times in a row. While it is not as secure as AES, it is still used in legacy systems and certain applications.
+
+• Rivest Cipher (RC) Algorithms: The RC algorithms, including RC4, RC5, and RC6, are symmetric encryption algorithms developed by Ronald Rivest. RC4, for example, is commonly used in wireless networks and secure sockets layer (SSL) protocols.
+
+• Blowfish and Twofish: Blowfish and Twofish are symmetric block ciphers known for their flexibility and speed. They are often used in various applications, including disk encryption and virtual private networks (VPNs).
+
+These are just a few examples of encryption algorithms. There are many others available, each with its own strengths, weaknesses, and specific use cases. The choice of encryption algorithm depends on factors such as the desired level of security, computational efficiency, compatibility, and industry standards.', [Sequence]=2, [Parent_Question_Id]=6828, [Grouping_Id]=NULL WHERE [Mat_Question_Id] = 6830
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'EN-3B2.Q2', [Question_Text]=N'Observe an attempt to send unencrypted traffic between OT/IT.', [Supplemental_Info]=N'All traffic from the OT Services traffic traversing the IT network must be encrypted appropriately. The inspector should ascertain what traffic requires encryption using network diagrams/data flow diagrams. The O/O will need to provide the inspector with what method of encryption is being used, e.g., symmetrical or asymmetrical, and what encryption algorithm they are using. Observe an attempt to send unencrypted traffic between OT/IT.', [Sequence]=2, [Parent_Question_Id]=NULL, [Grouping_Id]=2605 WHERE [Mat_Question_Id] = 6831
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'EN-3B2.C4', [Question_Text]=N'Upon observation, are OT services traffic traversing the IT network encrypted appropriately?', [Supplemental_Info]=N'All traffic from the OT Services traffic traversing the IT network must be encrypted appropriately. The inspector should ascertain what traffic requires encryption using network diagrams/data flow diagrams. The O/O will need to provide the inspector with what method of encryption is being used, e.g., symmetrical or asymmetrical, and what encryption algorithm they are using. Observe an attempt to send unencrypted traffic between OT/IT.', [Sequence]=3, [Parent_Question_Id]=NULL, [Grouping_Id]=2605 WHERE [Mat_Question_Id] = 6832
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'AC-3C.Q1', [Question_Text]=N'Does the O/O implement access control measures, including for local and remote access, to secure and prevent unauthorized access to Critical Cyber Systems?', [Supplemental_Info]=N'Best practices for implementing access control measures, both for local and remote access, include:
+1. Principle of Least Privilege (PoLP): Follow the principle of least privilege, granting users and systems only the minimum privileges necessary to perform their tasks. Avoid assigning excessive permissions or administrative privileges that could be abused or exploited.
+2. Strong Authentication: Require strong authentication for all access to Critical Cyber Systems. Implement multifactor authentication (MFA) that combines something the user knows (password), something the user has (smart card or token), and something the user is (biometrics) for added security.
+3. User Account Management: Maintain strict user account management practices. This includes promptly disabling or removing accounts for employees who leave the organization, implementing strong password policies, and regularly reviewing and updating user permissions and access rights.
+4. Network Segmentation: Segment the network to isolate Critical Cyber Systems from other non-critical systems or networks. Use firewalls or network access controls to control traffic flow and restrict access to Critical Cyber Systems only from authorized sources.
+5. Role-Based Access Control (RBAC): Implement RBAC to manage access to Critical Cyber Systems. Assign permissions based on job roles and responsibilities, allowing users to access only the resources necessary to perform their tasks. Regularly review and update role assignments as personnel changes occur.
+6. Secure Remote Access: When enabling remote access to Critical Cyber Systems, use secure methods such as virtual private networks (VPNs) or secure remote desktop protocols. Ensure strong encryption, secure authentication, and regular monitoring of remote access connections.
+7. Privileged Access Management (PAM): Implement PAM solutions to manage and control privileged accounts with elevated access. Use techniques like just-in-time access, session monitoring, and automated password rotation to minimize the risk of unauthorized access or privilege misuse.
+8. Monitoring and Auditing: Implement comprehensive logging and monitoring of access events to Critical Cyber Systems. Regularly review access logs and perform audits to detect and investigate any suspicious activities, unauthorized access attempts, or policy violations.
+9. Regular Access Reviews: Conduct periodic access reviews to ensure that user permissions and access rights are appropriate and aligned with business requirements. Remove or modify unnecessary or outdated access privileges promptly.
+10. Employee Awareness and Training: Provide regular training and awareness programs to educate employees about access control best practices, the importance of protecting credentials, and recognizing and reporting suspicious activities.', [Sequence]=1, [Parent_Question_Id]=NULL, [Grouping_Id]=2606 WHERE [Mat_Question_Id] = 6833
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'AC-3C.Q2', [Question_Text]=N'Does the O/O have policies and procedures to prevent unauthorized access to Critical Cyber Systems?', [Supplemental_Info]=N'Access control policies and procedures are critical components of an organization''s overall security framework. They define the rules, guidelines, and processes for managing and controlling access to resources, systems, and sensitive information within the organization. Access control policies and procedures are important for several reasons:
+
+1. Security of Sensitive Information: Access control policies and procedures help protect sensitive information from unauthorized access, disclosure, or misuse. By defining who can access specific resources and under what conditions, organizations can prevent unauthorized individuals from viewing or altering sensitive data.
+
+2. Prevention of Unauthorized Access: Access control measures ensure that only authorized individuals or entities can access systems, networks, and resources. By implementing strong authentication mechanisms, enforcing proper authorization, and employing security controls, organizations can prevent unauthorized access attempts and reduce the risk of security breaches.
+
+3. Compliance with Regulations and Standards: Access control policies and procedures play a crucial role in meeting regulatory compliance requirements. Many industries have specific regulations, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), which mandate the implementation of appropriate access controls to protect sensitive data. Having robust access control policies and procedures in place helps organizations demonstrate compliance with these requirements.
+
+4. Mitigation of Insider Threats: Insider threats, whether malicious or unintentional, pose a significant risk to organizations. Access control policies and procedures help mitigate these risks by ensuring that employees, contractors, or other insiders only have access to the resources necessary to perform their job responsibilities. By implementing the principle of least privilege and regularly reviewing access permissions, organizations can minimize the potential impact of insider threats.
+
+5. Protection against Data Loss or Data Leakage: Effective access control measures help prevent unauthorized data loss or leakage. By restricting access to sensitive data based on a need-to-know basis and implementing mechanisms like data encryption, organizations can reduce the risk of data being inadvertently or intentionally exposed to unauthorized parties.
+
+6. Accountability and Auditing: Access control policies and procedures provide a framework for establishing accountability within the organization. By maintaining detailed logs and audit trails of access events, organizations can track and monitor user activities, identify anomalies or policy violations, and conduct effective incident investigations or forensic analysis if necessary.
+
+7. Operational Efficiency: Well-defined access control policies and procedures contribute to operational efficiency. By clearly defining roles, responsibilities, and access rights, organizations can streamline access provisioning processes, minimize administrative overhead, and ensure that employees have the appropriate access to perform their tasks effectively.' WHERE [Mat_Question_Id] = 6834
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'AC-3C.Q3', [Question_Text]=N'Verify the O/O complies with their defined schedule for memorized secret authenticators. This can be accomplished by reviewing Identity Provider (IDP) logs or requesting a password age report. If change is only required due to a known/suspected compromise, determine if this has occurred and if so, review last password change date.', [Supplemental_Info]=N'IDP (Intrusion Detection and Prevention) logs and requesting a password age report are both security-related activities aimed at monitoring and managing access control within an organization. Examples include:
+1. IDP Logs: IDP systems monitor network traffic and detect potential security threats or intrusions. These systems generate logs that capture information about detected events, including details such as the source and destination IP addresses, timestamps, attack signatures, and actions taken by the IDP system (such as blocking or alerting). Analyzing IDP logs helps security teams identify and respond to potential security incidents, investigate suspicious activities, and make informed decisions to improve network security.
+2. Password Age Report: A password age report provides information about the age of user passwords within an organization''s systems or applications. It typically includes details such as user account names, password creation dates, and the number of days since the last password change. Requesting a password age report allows organizations to assess the password hygiene of their users and identify accounts with passwords that are overdue for a change. This helps enforce password management policies, identify weak or compromised passwords, and ensure that users regularly update their passwords for improved security.
+3. By utilizing IDP logs and requesting password age reports, organizations can strengthen their access control measures and proactively address potential security risks. IDP logs aid in monitoring and detecting network intrusions, while password age reports contribute to enforcing password policies and promoting stronger authentication practices.', [Sequence]=3, [Grouping_Id]=2606, [Mat_Question_Type]=N'memo' WHERE [Mat_Question_Id] = 6835
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'AC-3C.Q4', [Question_Text]=N'Are there mitigation measures in place for accounts that do not comply with the above requirement (AC-3C.Q3)?
+
+Mitigation measures may include:
+-Physical security measures
+-Increased monitoring of accounts
+
+The above measures should be clearly defined in the CIP.', [Supplemental_Info]=N'Physical Security Measures: Physical security measures refer to the implementation of controls and safeguards to protect physical assets, facilities, and resources from unauthorized access, damage, theft, or disruption. These measures aim to create a secure physical environment for an organization. Here are some key aspects of physical security measures:
+
+• Perimeter Security: Establish physical barriers and access controls to secure the perimeter of the facility. This may include fencing, gates, access control systems, security guards, or surveillance cameras to monitor and control entry points.
+
+• Access Control Systems: Implement access control systems to manage and restrict access to sensitive areas within the facility. This can involve key cards, biometric authentication, PIN codes, or other authentication mechanisms to ensure that only authorized individuals can enter designated areas.
+
+• Surveillance and Monitoring: Deploy video surveillance cameras strategically throughout the facility to monitor activities, deter potential threats, and provide evidence in case of security incidents. Combine surveillance cameras with recording systems for real-time monitoring and retrospective review.
+
+• Intrusion Detection Systems: Install intrusion detection systems (IDS) to detect and alert security personnel of unauthorized access attempts or breaches. These systems can use various technologies such as motion sensors, door/window sensors, or vibration detectors to identify potential security threats.
+
+• Security Lighting: Ensure that the facility is well-lit, both indoors and outdoors, to deter criminal activities and provide clear visibility for surveillance. Use motion-activated lighting in critical areas to enhance security and alertness.
+
+• Security Staff and Guards: Employ trained security personnel or contract security services to monitor the facility, control access, and respond to security incidents. Security staff should be vigilant, trained in emergency response procedures, and capable of handling security-related situations.
+
+• Visitor Management Systems: Implement visitor management systems to track and control visitor access. These systems can include registration processes, visitor badges, or escort requirements to ensure that visitors are authorized and supervised during their time in the facility.
+
+• Secure Storage and Equipment: Securely store sensitive assets, equipment, and data within the facility. This may involve secure cabinets, safes, or data vaults with restricted access to protect valuable or confidential items from theft or unauthorized disclosure.
+
+Increased Monitoring of Accounts: Increased monitoring of accounts refers to the practice of actively observing and analyzing user accounts, activities, and behaviors within an organization''s systems and networks. The purpose of increased monitoring is to detect and respond to suspicious or unauthorized activities that may indicate security threats or insider threats. Here are some aspects of increased monitoring of accounts:
+
+• Log Monitoring: Regularly review logs and audit trails generated by various systems, applications, and network devices. Monitor login activities, account usage, privilege escalations, and access attempts to identify any abnormal or suspicious behavior.
+
+• User Behavior Analytics (UBA): Utilize user behavior analytics tools or techniques to establish baselines of normal user behavior and detect anomalies or deviations. UBA can identify unusual patterns, excessive privileges, unauthorized access attempts, or unusual data transfers that may indicate compromised accounts or malicious activities.
+
+• Account Activity Tracking: Track user account activities, such as login times, duration, locations, and the resources accessed. Monitor account activity across different systems and applications to identify any unauthorized account usage or account sharing.
+
+• Account Provisioning and Deactivation: Implement robust procedures for account provisioning and deactivation to ensure that user accounts are created only for authorized personnel and promptly deactivated when no longer needed. Regularly review and validate active accounts to prevent orphaned accounts or accounts with unnecessary privileges.
+
+• Privileged Account Monitoring: Give special attention to monitoring and auditing privileged accounts, such as administrator or root-level accounts. Monitor activities performed by privileged users, review access logs, and implement segregation of duties to minimize the risk of unauthorized access or misuse of privileges.
+
+• Security Information and Event Management (SIEM): Security Information and Event Management (SIEM) is a comprehensive approach to managing security events and information within an organization''s IT infrastructure. SIEM systems collect and analyze log data and security event information from various sources, such as network devices, servers, applications, and security tools. The primary goal of SIEM is to provide centralized visibility into security events, facilitate real-time monitoring, and enable effective incident response and threat detection.', [Sequence]=4, [Grouping_Id]=2606 WHERE [Mat_Question_Id] = 6836
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'MF-3C.Q1', [Question_Text]=N'Does the O/O utilize MFA solutions such as smartcards, RSA tokens, or other known MFA solutions?', [Supplemental_Info]=N'Multi-factor authentication (MFA) solutions provide an additional layer of security by requiring users to provide multiple forms of authentication to access systems or resources. Some commonly used MFA solutions include:
+
+• Smartcards: Smartcards are physical devices that store authentication credentials and generate one-time passwords (OTPs) or digital signatures. Users insert the smartcard into a card reader, enter a PIN or biometric authentication, and then use the generated OTP or digital signature for authentication. Smartcards provide strong authentication and are resistant to physical theft or duplication.
+
+• RSA Tokens: RSA tokens are small devices that generate time-based or event-based OTPs. These tokens are typically synchronized with a central authentication server. Users enter the OTP displayed on the token, along with their username and password, for authentication. RSA tokens are widely used in various industries and offer portable and secure authentication.
+
+• Mobile Authenticator Apps: Mobile authenticator apps leverage smartphones to provide MFA. These apps generate OTPs or receive push notifications for users to approve or deny authentication requests. Popular examples include Google Authenticator, Microsoft Authenticator, and Authy. Mobile authenticator apps provide convenience and are widely adopted due to the ubiquity of smartphones.
+
+• Biometric Authentication: Biometric authentication uses unique physical or behavioral characteristics of individuals for identity verification. This can include fingerprint scanning, facial recognition, iris scanning, or voice recognition. Biometric MFA solutions offer a high level of security and user convenience.
+
+• Hardware Security Keys: Hardware security keys are physical devices that connect to a computer or mobile device via USB, NFC, or Bluetooth. These keys store cryptographic keys and generate digital signatures for authentication. Popular examples include YubiKey and Titan Security Key. Hardware security keys offer strong authentication and protection against phishing attacks.
+
+• SMS or Email One-Time Passwords (OTPs): In this method, a one-time password is sent to the user''s mobile device via SMS or email. The user enters the OTP along with their username and password for authentication. While convenient, this method is considered less secure than other MFA solutions due to the potential risks associated with SMS interception or email compromise.
+
+It''s important to note that MFA solutions can be combined to create a layered approach, requiring users to provide multiple forms of authentication from different categories (e.g., something they know, something they have, or something they are). This enhances security and makes it more difficult for attackers to gain unauthorized access.', [Grouping_Id]=2607, [Mat_Question_Type]=NULL, [Parent_Option_Id]=NULL WHERE [Mat_Question_Id] = 6837
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'', [Question_Text]=N'Check all that apply:', [Supplemental_Info]=N'', [Mat_Question_Type]=NULL, [Parent_Option_Id]=1057 WHERE [Mat_Question_Id] = 6838
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'LP-3C.Q1', [Question_Text]=N'Do access control measures incorporate policies and procedures to manage access rights based on the principles of least privilege and separation of duties?', [Supplemental_Info]=N'The principle of least privilege (PoLP) is a security concept that advocates granting users or processes only the minimum privileges necessary to perform their authorized tasks. This concept applies to both account management and access controls within an organization:
+
+Account Management:
+
+• User Accounts: When creating user accounts, the principle of least privilege suggests assigning the minimum necessary permissions required for users to carry out their job responsibilities effectively. This means avoiding granting excessive privileges or administrative rights that are not directly related to their roles. By adhering to the principle of least privilege during account creation, organizations reduce the risk of misuse, accidental data breaches, or intentional abuse of privileges.
+
+• User Provisioning: During the provisioning process, organizations should follow the principle of least privilege by providing users with only the specific access rights and permissions required for their job functions. This ensures that users have access only to the systems, applications, and data that they need to perform their duties. Regular access reviews and recertifications should be conducted to ensure that user privileges remain appropriate and are adjusted as job roles change.
+
+Access Controls:
+
+• Authorization and Access Levels: Access controls should align with the principle of least privilege by granting access rights based on the principle of need-to-know. Users should only be granted access to the resources and data necessary to perform their tasks effectively. This minimizes the potential for accidental or intentional unauthorized access to sensitive information and reduces the impact of a security breach.
+
+• Segmentation and Network Access: The principle of least privilege can be applied to network segmentation and access controls by implementing restrictions based on job roles or security classifications. By segmenting networks and restricting access to critical systems or sensitive data, organizations can limit exposure to potential attackers and reduce the impact of a compromised account or system.
+
+• Privileged Access: Privileged accounts, such as administrative or system-level accounts, are particularly susceptible to misuse or compromise. Applying the principle of least privilege to privileged access management (PAM) ensures that only authorized individuals have elevated privileges and that those privileges are granted for specific tasks and limited periods. Just-in-time access and session monitoring are examples of techniques that align with least privilege to minimize the risk associated with privileged accounts.' WHERE [Mat_Question_Id] = 6839
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'LP-3C.Q2', [Question_Text]=N'Determine how the O/O defines privileged versus non-privileged accounts or normal user accounts.', [Supplemental_Info]=N'', [Mat_Question_Type]=NULL WHERE [Mat_Question_Id] = 6840
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'LP-3C.Q3', [Question_Text]=N'Do the compensating controls asserted in the CIP mitigate the risk when least privilege cannot be applied?', [Supplemental_Info]=N'Compensating controls, in the context of least privilege, refer to additional security measures implemented to mitigate the risks or address the limitations that may arise when applying the principle of least privilege. While least privilege aims to restrict user access to the minimum necessary privileges, there may be situations where certain users or processes require elevated permissions to perform their tasks effectively. In such cases, compensating controls are implemented to provide an additional layer of security and oversight:
+
+1. Monitoring and Auditing: Compensating controls can include robust monitoring and auditing mechanisms that track and log the activities of privileged users or processes. This allows organizations to closely monitor the actions performed under elevated privileges, detect any suspicious or unauthorized activities, and respond promptly to potential security incidents.
+
+2. Just-in-Time (JIT) Privilege Elevation: Rather than granting permanent elevated privileges to certain users or processes, compensating controls may involve implementing just-in-time privilege elevation. JIT privilege elevation allows temporary, time-limited access to elevated permissions when necessary. This ensures that users operate with the minimum necessary privileges most of the time and only obtain additional privileges for authorized tasks or a specific duration.
+
+3. Two-Person Integrity (TPI): In some cases, compensating controls can involve requiring two or more authorized individuals to work together when performing critical or sensitive tasks that require elevated privileges. This introduces an additional layer of oversight, reducing the risk of unauthorized or malicious actions. TPI can include processes such as dual control or separation of duties.
+
+4. Strict Change Control and Approval Processes: Compensating controls may include implementing stringent change control and approval processes for granting or modifying access privileges. This involves thorough documentation, review, and approval of any changes to user permissions, ensuring that elevated privileges are granted only after proper authorization and validation.
+
+5. Enhanced Authentication and Authorization Mechanisms: To compensate for the limitations of least privilege, organizations may implement enhanced authentication and authorization mechanisms. This can include multifactor authentication (MFA), strong password policies, session timeouts, or conditional access controls. These measures strengthen the overall security posture, even if certain users require elevated privileges for their roles.' WHERE [Mat_Question_Id] = 6841
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'LP-3C.Q4', [Question_Text]=N'Are accounts with administrative or privileged access separate from standard user type accounts?', [Supplemental_Info]=N'Best practices for ensuring that accounts with administrative or privileged access are separate from standard user type accounts involve implementing a clear segregation of duties and strict access control measures:
+
+• Separate Accounts: Maintain separate accounts for administrative or privileged access and standard user access. Each user should have distinct credentials and accounts for their administrative activities and regular tasks. This segregation helps prevent accidental misuse of privileged access rights and enhances accountability.
+
+• Principle of Least Privilege (PoLP): Apply the principle of least privilege to administrative accounts. Grant administrative privileges only to users who require them for specific tasks or responsibilities. Avoid granting full administrative privileges by default, and ensure that privileges are limited to what is necessary to perform authorized duties effectively.
+
+• Two-Factor Authentication (2FA): Implement two-factor authentication for administrative accounts. Adding an additional layer of authentication, such as a one-time password (OTP) generated by a physical device or a mobile authenticator app, strengthens the security of privileged accounts and mitigates the risk of unauthorized access.
+
+• Strong Password Policies: Enforce strong password policies for administrative accounts, including requirements for complex passwords, regular password changes, and prohibitions against password reuse. Implementing password management practices helps protect privileged accounts from unauthorized access due to weak or compromised credentials.
+
+• Limited Account Use: Discourage the use of administrative accounts for non-administrative tasks. Encourage administrators to switch to standard user accounts when performing routine activities or accessing non-privileged resources. This minimizes the risk of accidental misuse or the inadvertent exposure of privileged account credentials.
+
+• Privileged Access Management (PAM): Implement a Privileged Access Management solution to centralize and control access to administrative accounts. PAM solutions provide a secure and audited method for granting temporary, controlled, and monitored privileged access. They help enforce the principle of least privilege and reduce the risk associated with permanent administrative privileges.
+
+• Monitoring and Auditing: Implement comprehensive monitoring and auditing mechanisms for administrative accounts. Regularly review and analyze logs and access events associated with privileged accounts to detect any suspicious activities, policy violations, or potential security breaches. Proactive monitoring helps identify and respond to unauthorized access attempts or insider threats.
+
+• Regular Account Reviews: Conduct regular reviews of administrative accounts to ensure that privileges are still necessary and appropriate. Remove or modify privileges for inactive or unnecessary accounts promptly. Regularly validate the need for elevated access and adjust privileges accordingly based on job roles and responsibilities.', [Sequence]=4, [Grouping_Id]=2608 WHERE [Mat_Question_Id] = 6842
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'LP-3C.Q5', [Question_Text]=N'Are highly privileged accounts like Microsoft Active Directory domain admins restricted from interactive logons to only the domain controllers?', [Supplemental_Info]=N'Interactive logons and domain controllers are two distinct concepts in the realm of computer networks and authentication:
+
+• Interactive Logons: An interactive logon refers to the process by which a user establishes a direct session with a computer or network resource. It typically involves the user providing their credentials (such as username and password) to gain access to the system. During an interactive logon, the user can directly interact with the system''s user interface, launch applications, and perform tasks as an authenticated user. Interactive logons commonly occur when users log in to their personal computers, workstations, or other devices to perform their day-to-day activities.
+
+• Domain Controllers: Domain controllers are servers within a Windows Active Directory (AD) domain network. They are responsible for authenticating users, managing security policies, and providing centralized administration for network resources. Domain controllers store and manage user accounts, group policies, and other information related to the domain. When a user attempts to log in to a domain-joined computer or access network resources, the authentication request is typically processed by a domain controller, which verifies the user''s credentials, grants or denies access, and enforces security policies defined within the domain.', [Sequence]=5, [Grouping_Id]=2608, [Mat_Question_Type]=NULL WHERE [Mat_Question_Id] = 6843
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'LP-3C.Q6', [Question_Text]=N'Are other OS highly privileged accounts restricted as above, in LP-3C.Q4?', [Supplemental_Info]=N'Interactive logons and domain controllers are two distinct concepts in the realm of computer networks and authentication:
+
+• Interactive Logons: An interactive logon refers to the process by which a user establishes a direct session with a computer or network resource. It typically involves the user providing their credentials (such as username and password) to gain access to the system. During an interactive logon, the user can directly interact with the system''s user interface, launch applications, and perform tasks as an authenticated user. Interactive logons commonly occur when users log in to their personal computers, workstations, or other devices to perform their day-to-day activities.
+
+• Domain Controllers: Domain controllers are servers within a Windows Active Directory (AD) domain network. They are responsible for authenticating users, managing security policies, and providing centralized administration for network resources. Domain controllers store and manage user accounts, group policies, and other information related to the domain. When a user attempts to log in to a domain-joined computer or access network resources, the authentication request is typically processed by a domain controller, which verifies the user''s credentials, grants or denies access, and enforces security policies defined within the domain.', [Sequence]=6, [Grouping_Id]=2608, [Mat_Question_Type]=NULL WHERE [Mat_Question_Id] = 6844
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'LP-3C.Q6', [Question_Text]=N'Does the O/O have monitoring in place for highly privileged accounts?', [Supplemental_Info]=N'Monitoring highly privileged accounts is a critical aspect of maintaining a secure environment and mitigating the risks associated with privileged access. Best practices for effectively monitoring highly privileged accounts include:
+
+Implement Robust Logging and Auditing: Enable comprehensive logging for privileged account activities, including login attempts, command execution, privilege escalations, and changes to access permissions. Implement auditing mechanisms to capture detailed information about each activity performed by privileged accounts.
+
+Define Clear Monitoring Objectives: Clearly define the monitoring objectives for privileged accounts. Identify the specific activities, events, or behaviors that should be monitored to detect potential security incidents or policy violations. Tailor monitoring efforts to align with these objectives.
+
+Establish Baseline Behavior: Establish a baseline for normal behavior of privileged accounts. Analyze historical data to understand typical usage patterns, access frequencies, and expected behaviors. Deviations from the baseline can be indicators of suspicious activities and should be investigated promptly.
+
+Employ User Behavior Analytics (UBA): Leverage user behavior analytics tools to identify anomalies and potential threats associated with privileged account activities. UBA can detect unusual patterns, deviations from normal behavior, and signs of compromise, providing insights for proactive threat detection.
+
+Real-Time Alerting: Set up real-time alerts based on predefined thresholds or suspicious activity patterns. When unusual activities are detected, system administrators or security teams should receive immediate alerts to take appropriate action promptly.
+
+Privileged Session Monitoring: Implement session monitoring for privileged accounts, which captures session activity in real time. This allows for real-time visibility into the actions performed by privileged users and enables swift response to any suspicious activities or policy violations.
+
+Regular Log Analysis and Review: Perform regular analysis and review of logs generated by privileged account activities. This includes reviewing access logs, command histories, and audit trails. By analyzing these logs, organizations can identify anomalies, security gaps, or potential misuse of privileges.
+
+Segregation of Duties: Ensure there is proper segregation of duties between administrators and privileged users. Establish checks and balances to prevent a single individual from having excessive privileges or the ability to bypass monitoring controls. This helps prevent unauthorized activities and facilitates effective monitoring.
+
+Incident Response and Forensic Readiness: Develop an incident response plan specifically for handling security incidents involving privileged accounts. Establish procedures for investigating incidents, preserving evidence, and conducting forensic analysis to determine the root cause and take appropriate remedial actions.
+
+Regular Training and Awareness: Provide regular training and awareness programs to privileged account users to promote responsible use of their privileges, highlight security best practices, and reinforce the importance of monitoring and compliance.
+
+By implementing these best practices, organizations can enhance their ability to detect and respond to potential security threats or policy violations associated with highly privileged accounts. Effective monitoring ensures proactive threat detection, timely incident response, and helps maintain a secure and controlled environment.', [Sequence]=7, [Grouping_Id]=2608 WHERE [Mat_Question_Id] = 6845
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'LP-3C.Q7', [Question_Text]=N'Are log files protected from unauthorized manipulation/deletion?', [Supplemental_Info]=N'Protecting log files from unauthorized manipulation or deletion is crucial to ensure the integrity and availability of critical system and security event data:
+
+1. File System Permissions: Apply appropriate file system permissions to log files, restricting write and delete access to authorized personnel or system accounts. Ensure that only authorized users have the necessary permissions to modify or delete log files.
+
+2. Centralized Log Management: Implement a centralized log management solution that securely collects and stores log data from various sources. This centralization helps prevent unauthorized access to individual log files and provides better control and oversight of log data.
+
+3. Separate Storage and Backups: Store log files separately from other system files to minimize the risk of accidental or malicious deletion. Regularly back up log files to offsite or protected storage locations to ensure their availability and resilience in the event of system failures or security incidents.
+
+4. Write-Once, Read-Many (WORM) Storage: Consider using Write-Once, Read-Many storage systems or technologies that prevent modification or deletion of log files once they are written. This ensures the integrity and immutability of log data and prevents unauthorized manipulation.
+
+5. Audit Log Integrity: Implement mechanisms to ensure the integrity of log files, such as cryptographic hashing or digital signatures. Regularly verify the integrity of log files by comparing hashes or signatures with known values. Any discrepancies should trigger investigation and appropriate action.
+
+6. Access Controls and Monitoring: Implement strict access controls to log files, allowing only authorized personnel or system accounts to access and modify them. Regularly review access logs and monitor for any suspicious activities or unauthorized attempts to modify or delete log files.
+
+7. Secure Logging Infrastructure: Ensure that the infrastructure supporting log collection, storage, and management is itself secured. Implement security controls such as firewalls, intrusion detection systems, and access controls to protect the logging infrastructure from unauthorized access or attacks.
+
+8. Regular Log File Review: Regularly review log files to identify any signs of unauthorized manipulation or deletion. Implement log analysis and alerting mechanisms to detect anomalies or suspicious activities related to log file access or modifications.
+
+9. Redundancy and Data Replication: Implement redundancy and data replication mechanisms for log files to ensure high availability and fault tolerance. This helps protect log data from accidental deletion or loss due to hardware failures or system disruptions.
+
+10. Employee Training and Awareness: Conduct regular training sessions to educate employees about the importance of log file integrity and the potential risks associated with unauthorized manipulation or deletion. Raise awareness about security best practices and reporting procedures for any suspicious activities observed.', [Sequence]=8, [Grouping_Id]=2608 WHERE [Mat_Question_Id] = 6846
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'LP-3C.Q8', [Question_Text]=N'How are privileged functions on OT devices controlled?', [Supplemental_Info]=N'Validate with the O/O the least privileged concept as it applies to account management and access controls. Determine how the O/O defines privileged versus non-privileged accounts or normal user accounts. Observe or walk-through how this is applied to account provisioning. Verify the compensating controls asserted in the CIP to mitigate the risk when least privilege cannot be applied. Verify accounts with administrative or privileged access are separate from standard user type accounts. Are highly privileged accounts like Microsoft Active Directory domain admins restricted from interactive logons to only the domain controllers? Are other OS highly privileged accounts restricted in the same fashion? Does the O/O have monitoring in place for highly privileged accounts? Are log files protected from unauthorized manipulation/deletion? How are privileged functions on OT devices controlled?', [Sequence]=9, [Grouping_Id]=2608, [Mat_Question_Type]=N'memo' WHERE [Mat_Question_Id] = 6847
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'SA-3C.Q1', [Question_Text]=N'Evaluate the process the O/O uses to determine the need for shared accounts that are critical to operations and verify this is following the measures outlined in their CIP. Review and verify the following:', [Supplemental_Info]=N'Shared accounts, such as administrator or privileged accounts, are often required in organizations to perform various administrative or operational tasks. It is critical to enforce the principle of least privilege for shared accounts. The principle of least privilege dictates that users, including shared accounts, should only have the minimum privileges necessary to perform their intended tasks:
+
+• Minimize Attack Surface: By applying the least privilege principle to shared accounts, the potential attack surface for adversaries is reduced. If shared accounts have excessive privileges, they become attractive targets for attackers. Limiting their privileges helps mitigate the risk of compromise and limits the potential impact of an attack.
+
+• Prevent Unauthorized Access: Shared accounts typically have multiple users who require access to the account for specific purposes. Granting excessive privileges to shared accounts increases the likelihood of unauthorized access. By implementing least privilege, it ensures that each user only has the necessary permissions required for their specific role or task, reducing the risk of unauthorized access or misuse.
+
+• Accountability and Auditing: When multiple users have access to a shared account, it becomes difficult to attribute specific actions to individual users. This can hinder accountability and make it challenging to identify the source of any malicious or unintended activities. By enforcing least privilege, unique user accounts are assigned to individuals, enabling better accountability and auditing capabilities.
+
+• Limit Damage in Case of Compromise: If a shared account is compromised, an attacker can potentially leverage its high privileges to cause significant damage to the system or data. By applying the principle of least privilege, even if a shared account is compromised, the attacker''s ability to move laterally or escalate privileges within the system is limited, reducing the potential impact of a breach.
+
+• Compliance Requirements: Many regulatory frameworks and industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR), emphasize the principle of least privilege. Implementing least privilege for shared accounts helps organizations meet these compliance requirements and demonstrate their commitment to security and data protection.', [Sequence]=1, [Mat_Question_Type]=N'memo' WHERE [Mat_Question_Id] = 6848
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.Q1', [Question_Text]=N'Does the O/O implement continuous monitoring and detection policies and procedures that are designed to prevent, detect, and respond to cybersecurity threats and anomalies affecting Critical Cyber Systems?', [Supplemental_Info]=N'Continuous monitoring and detection policies and procedures are essential for maintaining a proactive security posture and promptly identifying and responding to security incidents. The critical elements of such policies and procedures include:
+
+1. Defined Monitoring Objectives: Clearly articulate the objectives and goals of continuous monitoring and detection activities. Identify the specific areas, systems, and data that need to be monitored and the types of threats or incidents that should be detected. Align monitoring efforts with organizational priorities and risk profiles.
+
+2. Asset Inventory and Risk Assessment: Maintain an up-to-date inventory of all assets, systems, and networks within the organization. Conduct regular risk assessments to identify vulnerabilities, potential threats, and their impact on critical assets. This information informs the scope and focus of monitoring activities.
+
+3. Real-Time Monitoring: Implement real-time monitoring mechanisms to actively and continuously monitor systems, networks, and critical assets for signs of security incidents or anomalies. Utilize intrusion detection and prevention systems, security information and event management (SIEM) solutions, and log analysis tools to capture and analyze security-related events in real-time.
+
+4. Log Management and Analysis: Establish centralized log management capabilities to collect, store, and analyze logs from various systems and devices. Implement log analysis tools and techniques to identify patterns, trends, and potential security events or policy violations. Regularly review log data to detect signs of unauthorized access, malicious activities, or other security incidents.
+
+5. Threat Intelligence Integration: Incorporate threat intelligence feeds and information sharing platforms into the monitoring framework. Integrate threat intelligence to identify emerging threats, known malicious actors, or indicators of compromise. This helps enhance the ability to detect and respond to advanced and targeted attacks.
+
+6. Incident Response Plan: Develop and maintain a well-defined incident response plan that outlines the procedures, roles, and responsibilities for handling security incidents. Clearly define escalation paths, communication channels, and actions to be taken during different types of incidents. Ensure that the plan is regularly tested, updated, and understood by all relevant stakeholders.
+
+7. Vulnerability Management: Integrate vulnerability management processes into the continuous monitoring framework. Regularly scan systems and applications for vulnerabilities, prioritize them based on risk, and remediate identified weaknesses promptly. Continuous monitoring should include detection and response to vulnerabilities that could be exploited by attackers.
+
+8. User Behavior Analytics (UBA): Implement UBA solutions to monitor user activities and behavior within the network. Analyze user behavior patterns to detect anomalies, such as unusual access attempts, privileged account misuse, or suspicious activities. UBA helps identify insider threats, compromised accounts, or unauthorized activities.
+
+9. Regular Security Assessments and Audits: Conduct periodic security assessments and audits to evaluate the effectiveness of continuous monitoring and detection activities. Assess the adequacy of controls, evaluate the timeliness and accuracy of incident detection and response, and identify areas for improvement.
+
+10. Ongoing Training and Awareness: Provide regular training and awareness programs to employees regarding the importance of continuous monitoring and detection. Educate them on recognizing and reporting security incidents or suspicious activities. Foster a culture of security awareness and vigilance across the organization.', [Sequence]=1, [Grouping_Id]=2610, [Mat_Question_Type]=NULL WHERE [Mat_Question_Id] = 6849
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.Q2', [Question_Text]=N'Are tools are in place to detect and prevent malicious email? Please list tools in use.', [Supplemental_Info]=N'Several tools and technologies can help prevent malicious emails from reaching users'' inboxes. Some recommended tools for mitigating the risks associated with malicious email include:
+
+1. Email Filtering and Anti-Spam Solutions: Implement robust email filtering and anti-spam solutions that use various techniques such as content filtering, reputation analysis, and machine learning algorithms to identify and block spam, phishing attempts, and known malicious email sources. These solutions help reduce the volume of malicious emails reaching users.
+
+2. Email Authentication Protocols: Deploy email authentication protocols such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). These protocols help verify the authenticity and integrity of incoming emails, preventing domain spoofing and impersonation attacks.
+
+3. Anti-Malware and Antivirus Software: Use up-to-date anti-malware and antivirus software on email servers and client devices. These tools scan email attachments and links for known malware signatures, helping detect and block malicious payloads.
+
+4. URL and Link Analysis: Implement URL and link analysis solutions that inspect and analyze the URLs embedded in emails. These tools assess the reputation and safety of links to identify and block malicious URLs, preventing users from inadvertently visiting malicious websites.
+
+5. Email Encryption: Utilize email encryption solutions to secure sensitive or confidential information shared via email. Encryption protects the content of emails from unauthorized access or interception, reducing the risk of data breaches resulting from compromised email communication.
+
+6. Security Awareness Training: Conduct regular security awareness training for employees to educate them about common email-based threats, such as phishing, spear phishing, and social engineering attacks. Training helps users recognize and avoid clicking on suspicious links or downloading malicious attachments.
+
+7. Email Security Gateways: Deploy email security gateways that act as an additional layer of protection between external email sources and the organization''s email infrastructure. These gateways inspect incoming and outgoing email traffic, filtering out malicious or suspicious content.
+
+8. Threat Intelligence Feeds: Integrate threat intelligence feeds into email security solutions to stay updated on the latest email-based threats, emerging attack techniques, and indicators of compromise. This helps improve the accuracy and effectiveness of email security measures.
+
+9. Email Content Analysis: Employ email content analysis solutions that use advanced algorithms and machine learning techniques to analyze the content, structure, and language used in emails. These tools can identify email patterns, detect social engineering tactics, and identify potential threats based on the email content.
+
+10. Incident Response and Reporting: Establish incident response procedures for handling suspected or confirmed malicious emails. Encourage users to report suspicious emails and ensure there is a clear process for investigating and responding to reported incidents.', [Sequence]=2 WHERE [Mat_Question_Id] = 6850
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.C1', [Question_Text]=N'Are these tools capable of evaluating incoming email for possible:
+
+-Spam,
+-Phishing,
+-Malicious code,
+-Other malware?', [Supplemental_Info]=N'Several tools and technologies can help prevent malicious emails from reaching users'' inboxes. Some recommended tools for mitigating the risks associated with malicious email include:
+
+1. Email Filtering and Anti-Spam Solutions: Implement robust email filtering and anti-spam solutions that use various techniques such as content filtering, reputation analysis, and machine learning algorithms to identify and block spam, phishing attempts, and known malicious email sources. These solutions help reduce the volume of malicious emails reaching users.
+
+2. Email Authentication Protocols: Deploy email authentication protocols such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). These protocols help verify the authenticity and integrity of incoming emails, preventing domain spoofing and impersonation attacks.
+
+3. Anti-Malware and Antivirus Software: Use up-to-date anti-malware and antivirus software on email servers and client devices. These tools scan email attachments and links for known malware signatures, helping detect and block malicious payloads.
+
+4. URL and Link Analysis: Implement URL and link analysis solutions that inspect and analyze the URLs embedded in emails. These tools assess the reputation and safety of links to identify and block malicious URLs, preventing users from inadvertently visiting malicious websites.
+
+5. Email Encryption: Utilize email encryption solutions to secure sensitive or confidential information shared via email. Encryption protects the content of emails from unauthorized access or interception, reducing the risk of data breaches resulting from compromised email communication.
+
+6. Security Awareness Training: Conduct regular security awareness training for employees to educate them about common email-based threats, such as phishing, spear phishing, and social engineering attacks. Training helps users recognize and avoid clicking on suspicious links or downloading malicious attachments.
+
+7. Email Security Gateways: Deploy email security gateways that act as an additional layer of protection between external email sources and the organization''s email infrastructure. These gateways inspect incoming and outgoing email traffic, filtering out malicious or suspicious content.
+
+8. Threat Intelligence Feeds: Integrate threat intelligence feeds into email security solutions to stay updated on the latest email-based threats, emerging attack techniques, and indicators of compromise. This helps improve the accuracy and effectiveness of email security measures.
+
+9. Email Content Analysis: Employ email content analysis solutions that use advanced algorithms and machine learning techniques to analyze the content, structure, and language used in emails. These tools can identify email patterns, detect social engineering tactics, and identify potential threats based on the email content.
+
+10. Incident Response and Reporting: Establish incident response procedures for handling suspected or confirmed malicious emails. Encourage users to report suspicious emails and ensure there is a clear process for investigating and responding to reported incidents.', [Sequence]=1, [Grouping_Id]=NULL, [Parent_Option_Id]=1086 WHERE [Mat_Question_Id] = 6851
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.C2', [Question_Text]=N'Does the CIP detail the capabilities of the tools used to detect and prevent malicious email?', [Supplemental_Info]=N'', [Sequence]=2, [Grouping_Id]=NULL, [Parent_Option_Id]=1086 WHERE [Mat_Question_Id] = 6852
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.Q3', [Question_Text]=N'Are automated capabilities in place to address spam/malicious emails when they are detected?', [Supplemental_Info]=N'When spam or malicious emails are detected, it is important to have automated capabilities in place to handle them effectively. Some best practices for automated response and remediation include:
+
+1. Immediate Quarantine: Automatically quarantine detected spam or malicious emails to prevent them from reaching users'' inboxes. Quarantine mechanisms can be set up to isolate suspicious emails for further analysis and investigation without impacting the end-users.
+
+2. Real-Time Blocking: Configure automated real-time blocking rules to prevent known spam or malicious emails from even entering the organization''s email infrastructure. This can include blacklisting known malicious senders, domains, or IP addresses associated with spam or malware distribution.
+
+3. Email Filtering and Tagging: Automatically apply filtering rules to divert spam or suspicious emails to dedicated spam folders or apply visual tags to mark them as potentially harmful. This helps users identify and handle such emails appropriately while minimizing the risk of accidental exposure.
+
+4. Link and Attachment Blocking: Implement automated mechanisms to block or scan email links and attachments for potential threats. Utilize URL reputation checks, file type analysis, and antivirus scanning to detect and prevent users from accessing malicious URLs or downloading harmful attachments.
+
+5. Alerting and Notifications: Set up automated alerts and notifications to inform security personnel or administrators when a spam or malicious email is detected. Alerts can trigger immediate investigation and response to mitigate the impact and prevent similar threats in the future.
+
+6. Reporting and Logging: Automatically generate reports and logs of detected spam or malicious emails. These reports can provide insights into the nature and volume of threats, identify trends or patterns, and assist in forensic analysis or compliance reporting.
+
+7. Threat Intelligence Integration: Integrate automated threat intelligence feeds into the email security infrastructure. This enables real-time updates on the latest spam and malware campaigns, ensuring timely detection and response to emerging threats.
+
+8. Incident Response Workflow Integration: Incorporate automated incident response workflows into the email security system. When a spam or malicious email is detected, predefined actions can be triggered automatically, such as notifying security teams, initiating malware analysis, or escalating incidents for further investigation.
+
+9. Regular Updates and Patching: Keep the automated capabilities and underlying email security systems up to date with the latest patches and updates. This ensures that the systems remain effective in detecting and responding to evolving threats.
+
+10. Continuous Monitoring and Improvement: Continuously monitor the performance and effectiveness of automated response capabilities. Regularly review and fine-tune filtering rules, adjust thresholds, and adapt to new attack techniques to improve detection rates and reduce false positives.', [Sequence]=3, [Grouping_Id]=2610, [Mat_Question_Type]=NULL WHERE [Mat_Question_Id] = 6853
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.C3', [Question_Text]=N'To validate automated capabilities, review and evaluate filtering/blocking rules and logs.', [Supplemental_Info]=N'Validating the effectiveness of filtering/blocking rules and reviewing logs is crucial to ensuring that email security measures are performing optimally. Some best practices for validating and reviewing these components include:
+
+1. Regular Rule Review: Conduct regular reviews of filtering/blocking rules to ensure they align with current threats and best practices. Evaluate the rules against the latest known spam, phishing, and malware patterns. Remove outdated rules and add new ones based on emerging threats.
+
+2. Test Scenarios: Perform periodic testing to validate the effectiveness of filtering/blocking rules. Create test scenarios that mimic known spam or malicious emails and send them through the system. Verify that the rules correctly identify and block these test emails. This helps assess the accuracy and coverage of the rules.
+
+3. False Positive Analysis: Monitor and analyze false positive instances where legitimate emails are incorrectly flagged or blocked. Investigate the reasons behind these false positives and fine-tune the rules to reduce false positives while maintaining a high detection rate for actual threats. Strike a balance between security and usability.
+
+4. Incident Investigation: When incidents involving spam or malicious emails occur, thoroughly investigate the logs and associated data. Analyze the logs to identify patterns, sources, and characteristics of the detected threats. This helps identify any gaps in filtering or blocking rules and guides future improvements.
+
+5. Log Analysis Tools: Utilize log analysis tools to extract meaningful insights from email security logs. These tools can identify trends, anomalies, and common attack patterns. Analyze the logs regularly to detect emerging threats, monitor the effectiveness of security measures, and identify potential areas for enhancement.
+
+6. Incident Response Simulation: Conduct periodic incident response simulations or tabletop exercises that involve simulated email-based security incidents. Test the effectiveness of filtering/blocking rules, incident response procedures, and coordination among stakeholders. Use the results to refine rules, update response plans, and improve incident handling capabilities.
+
+7. Collaboration with Security Vendors: Engage in ongoing communication and collaboration with email security vendors or service providers. Stay informed about new threats, updates to filtering/blocking rules, and recommended best practices. Leverage their expertise to validate and optimize the security measures in place.
+
+8. Industry Standards and Benchmarks: Stay informed about industry standards and benchmarks related to email security. Evaluate the effectiveness of filtering/blocking rules and log analysis practices against these standards. This helps ensure that the organization''s email security measures align with industry best practices.
+
+9. Continuous Improvement: Implement a process of continuous improvement for email security. Regularly assess the performance of filtering/blocking rules, log analysis, and incident response procedures. Use the insights gained from validation and review processes to drive enhancements and refine email security capabilities.
+
+10. Employee Feedback and User Experience: Solicit feedback from employees regarding their experiences with email security measures. Encourage them to report any false positives or missed threats. Incorporate their feedback into the validation and review processes to address user concerns and improve the overall user experience.', [Sequence]=1, [Grouping_Id]=NULL, [Mat_Question_Type]=N'memo', [Parent_Option_Id]=1092 WHERE [Mat_Question_Id] = 6854
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.Q4', [Question_Text]=N'Is there a reporting tool or method in place for end users?', [Supplemental_Info]=N'Best practices for reporting tools or methods for end users involve providing user-friendly and accessible channels for reporting security incidents, suspicious emails, or other security concerns:
+
+1. Clearly Communicate Reporting Channels: Clearly communicate to end users the available channels for reporting security incidents or concerns. This can include email addresses, dedicated reporting forms on the organization''s intranet or website, or a designated IT helpdesk contact. Ensure that users are aware of these channels and understand how to use them.
+
+2. User-Friendly Reporting Mechanisms: Implement user-friendly reporting mechanisms that are easy to use and understand. Consider providing a simple reporting form or template that captures essential information such as the subject, sender, and description of the suspicious email or incident. Avoid complex or time-consuming reporting processes that may discourage users from reporting.
+
+3. Encourage Prompt Reporting: Emphasize the importance of prompt reporting of security incidents or suspicious emails to end users. Communicate that early reporting helps mitigate risks, enables faster incident response, and protects the organization''s overall security. Foster a culture of reporting by highlighting success stories and demonstrating the impact of user reporting.
+
+4. Anonymous Reporting Options: Offer anonymous reporting options to encourage users who may be hesitant to disclose their identity or fear repercussions. Anonymous reporting channels can help uncover security incidents that might otherwise go unreported due to privacy concerns or fear of retaliation.
+
+5. Security Awareness Training: Include reporting procedures as part of security awareness training programs for end users. Educate users about the significance of reporting, the types of incidents or emails to report, and how their vigilance contributes to the overall security of the organization.
+
+6. Response and Feedback: Establish clear processes for acknowledging and responding to user reports. Provide feedback to users regarding the actions taken based on their reports, such as investigation outcomes or incident resolution. This helps build trust, reinforces the value of reporting, and encourages continued participation.
+
+7. Regular Communication and Updates: Keep end users informed about the organization''s security posture, emerging threats, and the importance of reporting. Share periodic updates and communications that highlight the impact of user reports and the organization''s commitment to addressing security concerns.
+
+8. Incident Reporting Metrics: Track and analyze reporting metrics to assess the effectiveness of reporting tools and methods. Monitor the number and types of incidents reported, response times, and resolution rates. These metrics can provide insights into the effectiveness of security measures and help identify areas for improvement.
+
+9. Reporting Awareness Campaigns: Conduct targeted awareness campaigns or initiatives to promote reporting among end users. This can include posters, newsletters, or training sessions that highlight the benefits of reporting, showcase real-life examples, and provide guidance on recognizing and reporting security incidents or suspicious emails.
+
+10. Feedback and Continuous Improvement: Solicit feedback from end users on the reporting process. Periodically assess the usability and effectiveness of reporting tools or methods through user surveys or feedback mechanisms. Incorporate user feedback to improve reporting channels, streamline processes, and enhance the overall user experience.', [Grouping_Id]=2610, [Mat_Question_Type]=NULL WHERE [Mat_Question_Id] = 6855
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.C4', [Question_Text]=N'Please describe reporting tools or methods in place.', [Supplemental_Info]=N'', [Sequence]=1, [Grouping_Id]=NULL, [Parent_Option_Id]=1094 WHERE [Mat_Question_Id] = 6856
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.Q5', [Question_Text]=N'Are tools are in place to prevent ingress/egress from known or suspected malicious IP addresses?', [Supplemental_Info]=N'To prevent ingress/egress traffic from known or suspected malicious IP addresses, organizations can utilize various tools and technologies:
+
+1. Firewall: Deploy a firewall with robust filtering capabilities to block traffic to and from known or suspected malicious IP addresses. Firewalls can be configured to create access control rules that deny incoming or outgoing connections to or from specific IP addresses or IP ranges associated with malicious activities.
+
+2. Intrusion Detection/Prevention System (IDS/IPS): Implement an IDS/IPS solution that can detect and block network traffic from known malicious IP addresses. These systems monitor network traffic in real-time, analyze packet contents, and compare it against a database of known threats or malicious IP addresses. When suspicious activity is detected, the IDS/IPS can take automated actions to block the traffic.
+
+3. Proxy Servers: Use proxy servers to control and filter ingress/egress traffic. Proxy servers act as intermediaries between the internal network and external resources. They can be configured to block traffic to or from specific IP addresses, providing an additional layer of protection against known or suspected malicious IP addresses.
+
+4. Threat Intelligence Feeds: Integrate threat intelligence feeds into network security devices to access up-to-date information on known malicious IP addresses. Threat intelligence sources provide curated and verified data on IP addresses associated with malicious activities. By leveraging these feeds, organizations can automatically block traffic to and from these addresses.
+
+5. DNS Filtering: Implement DNS filtering solutions that can block access to known malicious IP addresses at the DNS level. DNS filtering can prevent users from resolving DNS queries for malicious domains or IP addresses, effectively blocking access to potentially harmful resources.
+
+6. IP Reputation Services: Utilize IP reputation services that provide real-time assessments of IP addresses based on their historical behavior and reputation. These services maintain databases of known malicious IP addresses and assign reputation scores to individual addresses. Integration with IP reputation services enables organizations to block traffic to or from IP addresses with poor reputation scores.
+
+7. Security Information and Event Management (SIEM) System: Employ a SIEM system that can collect and analyze network traffic logs and security events. By correlating network traffic data with threat intelligence feeds, SIEM systems can detect and alert on suspicious activities originating from or targeting known malicious IP addresses.
+
+8. Next-Generation Firewall (NGFW): Deploy a next-generation firewall that combines traditional firewall capabilities with advanced threat detection and prevention features. NGFWs can inspect network traffic at the application layer, block traffic to or from malicious IP addresses, and provide additional security features like deep packet inspection and intrusion prevention.
+
+9. Network Behavior Analysis: Implement network behavior analysis tools that detect anomalies and suspicious behavior within network traffic. These tools can identify connections to or from known malicious IP addresses based on deviations from normal traffic patterns, enabling proactive blocking of such connections.
+
+10. Automated Threat Response Platforms: Utilize automated threat response platforms that integrate with various security tools and technologies. These platforms can leverage threat intelligence, analyze network traffic, and automatically respond to detected threats, including blocking traffic to and from known malicious IP addresses.', [Sequence]=5, [Grouping_Id]=2610 WHERE [Mat_Question_Id] = 6857
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.C5', [Question_Text]=N'To validate tools in place to prevent ingress/egress from known or suspected malicious IP addresses, review router ACLs and firewall rules and describe your observations.', [Supplemental_Info]=N'Validation of network security measures can be performed by reviewing router Access Control Lists (ACLs) and firewall rules. Some best practices for effectively validating these components include:
+
+1. Regular Review: Conduct periodic reviews of router ACLs and firewall rules to ensure they are up to date and aligned with security policies and best practices. Review the ruleset against the latest known threats, attack vectors, and industry-specific security guidelines.
+
+2. Rule Effectiveness: Assess the effectiveness of router ACLs and firewall rules by examining their ability to block unauthorized traffic and allow only legitimate traffic to pass through. Ensure that the rules are designed to enforce the principle of least privilege, allowing only the necessary network connections and protocols.
+
+3. Rule Optimization: Fine-tune router ACLs and firewall rules to optimize performance and security. Identify any redundant or unnecessary rules and remove them to reduce complexity and improve efficiency. Ensure that rules are prioritized appropriately to handle critical traffic first.
+
+4. Testing Scenarios: Create testing scenarios that simulate various network security threats and attempt to bypass the router ACLs and firewall rules. By conducting controlled tests, you can validate if the rules are effectively blocking unauthorized access and detect any potential weaknesses or vulnerabilities.
+
+5. Log Analysis: Analyze router and firewall logs to identify any anomalous or suspicious traffic patterns. Look for any entries that indicate attempts to bypass or circumvent the ACLs and firewall rules. Reviewing logs can help identify potential security gaps or misconfigurations that need to be addressed.
+
+6. Rule Documentation: Maintain accurate and up-to-date documentation of router ACLs and firewall rules. Document the purpose of each rule, including its source IP, destination IP, port numbers, and associated policies. This documentation ensures transparency, facilitates audits, and simplifies troubleshooting.
+
+7. Compliance and Standards: Evaluate router ACLs and firewall rules against industry-specific compliance frameworks and security standards. Ensure that the rules adhere to regulatory requirements and incorporate recommended practices for network security, such as those outlined by PCI DSS, HIPAA, or ISO 27001.
+
+8. Change Management: Implement a robust change management process to track and review any modifications made to router ACLs and firewall rules. Document all changes, including the reason, date, and responsible individuals. Regularly review change management records to ensure proper oversight and control over rule modifications.
+
+9. Peer Reviews: Conduct peer reviews of router ACLs and firewall rules to gain additional insights and perspectives. Engage network security experts or trusted colleagues to analyze and provide feedback on the ruleset. Peer reviews can help identify potential blind spots and improve the overall quality and effectiveness of the rules.
+
+10. Continuous Monitoring: Implement continuous monitoring mechanisms to track the performance and effectiveness of router ACLs and firewall rules. Monitor network traffic, security events, and logs to identify any deviations from expected behavior. This helps detect potential rule violations or signs of unauthorized access.', [Sequence]=1, [Grouping_Id]=NULL, [Mat_Question_Type]=N'memo', [Parent_Option_Id]=1096 WHERE [Mat_Question_Id] = 6858
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.Q6', [Question_Text]=N'Observe an attempt to access a known or suspected malicious IP and verify it is blocked and logged.', [Supplemental_Info]=N'', [Sequence]=6, [Grouping_Id]=2610, [Mat_Question_Type]=NULL WHERE [Mat_Question_Id] = 6859
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.Q6', [Question_Text]=N'86-1305352', [Supplemental_Info]=N'Controlling the impact of known or suspected malicious web domains or applications is crucial to mitigate the risks associated with cyber threats. Some best practices for effectively managing and controlling the impact of such domains or applications include:
+
+1. Web Filtering and Content Filtering: Implement web filtering solutions that can block access to known or suspected malicious domains or applications. These solutions analyze web traffic and URLs, comparing them against threat intelligence feeds and reputation databases. By blocking access to malicious web domains or applications, organizations can prevent users from interacting with potentially harmful content.
+
+2. Domain Reputation Services: Integrate domain reputation services that provide real-time assessments of the reputation of web domains. These services maintain databases of known malicious domains and assign reputation scores to individual domains. By leveraging domain reputation services, organizations can block access to domains with poor reputation scores, reducing the risk of exposure to malicious content.
+
+3. URL Filtering and Categorization: Utilize URL filtering and categorization tools that classify web domains and applications into predefined categories. Implement policies that block or restrict access to categories associated with known or suspected malicious content, such as phishing, malware distribution, or illegal activities.
+
+4. Intrusion Detection/Prevention Systems (IDS/IPS): Deploy IDS/IPS systems that can detect and block web traffic to and from known malicious domains or applications. These systems analyze network traffic in real-time, inspect HTTP/HTTPS requests, and compare them against threat intelligence sources. They can take automated actions, such as blocking or alerting on traffic to malicious domains or applications.
+
+5. Sandboxing and Advanced Threat Detection: Utilize sandboxing technologies to isolate and analyze the behavior of suspicious web applications or files. Sandboxing provides a controlled environment to execute potentially malicious code and observe its actions without risking the organization''s network. It helps detect and mitigate the impact of unknown or zero-day threats.
+
+6. Application Whitelisting: Implement application whitelisting measures to allow only authorized and trusted applications to run within the organization''s environment. This helps prevent the execution of known or suspected malicious applications by blocking unauthorized software from running.
+
+7. Web Application Firewalls (WAF): Deploy WAFs to protect web applications from known and emerging threats. WAFs inspect incoming and outgoing web traffic, filter out malicious requests, and enforce security policies specific to web applications. They can help mitigate the impact of attacks targeting web domains or applications.
+
+8. Patch and Vulnerability Management: Regularly patch and update web applications and related components to address known vulnerabilities. Implement a robust vulnerability management program to scan for vulnerabilities, prioritize them based on risk, and apply patches or mitigations promptly. This reduces the likelihood of successful attacks through known vulnerabilities.
+
+9. User Education and Awareness: Conduct security awareness training programs to educate users about the risks associated with interacting with malicious web domains or applications. Train users to recognize indicators of potentially harmful content, such as suspicious URLs, pop-ups, or unexpected file downloads. Encourage users to report any encounters with suspected malicious domains or applications.
+
+10. Continuous Monitoring and Threat Intelligence: Implement continuous monitoring of web traffic and leverage threat intelligence feeds to stay updated on emerging threats. Monitor network logs, conduct regular security assessments, and analyze traffic patterns to identify any signs of malicious activity. Leverage threat intelligence to proactively identify and control the impact of new or evolving threats.', [Sequence]=7, [Parent_Question_Id]=NULL, [Grouping_Id]=2610 WHERE [Mat_Question_Id] = 6860
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.C8', [Question_Text]=N'Please describe the tools or methods used to control the impact of known or suspected malicious web domains or applications.', [Supplemental_Info]=N'', [Sequence]=1, [Grouping_Id]=NULL, [Parent_Option_Id]=1099 WHERE [Mat_Question_Id] = 6861
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.Q7', [Question_Text]=N'Observe an attempt to navigate to a blocked domain or execute a blocked application and record your observations.', [Supplemental_Info]=N'Controlling the impact of known or suspected malicious web domains or applications is crucial to mitigate the risks associated with cyber threats. Some best practices for effectively managing and controlling the impact of such domains or applications include:
+
+1. Web Filtering and Content Filtering: Implement web filtering solutions that can block access to known or suspected malicious domains or applications. These solutions analyze web traffic and URLs, comparing them against threat intelligence feeds and reputation databases. By blocking access to malicious web domains or applications, organizations can prevent users from interacting with potentially harmful content.
+
+2. Domain Reputation Services: Integrate domain reputation services that provide real-time assessments of the reputation of web domains. These services maintain databases of known malicious domains and assign reputation scores to individual domains. By leveraging domain reputation services, organizations can block access to domains with poor reputation scores, reducing the risk of exposure to malicious content.
+
+3. URL Filtering and Categorization: Utilize URL filtering and categorization tools that classify web domains and applications into predefined categories. Implement policies that block or restrict access to categories associated with known or suspected malicious content, such as phishing, malware distribution, or illegal activities.
+
+4. Intrusion Detection/Prevention Systems (IDS/IPS): Deploy IDS/IPS systems that can detect and block web traffic to and from known malicious domains or applications. These systems analyze network traffic in real-time, inspect HTTP/HTTPS requests, and compare them against threat intelligence sources. They can take automated actions, such as blocking or alerting on traffic to malicious domains or applications.
+
+5. Sandboxing and Advanced Threat Detection: Utilize sandboxing technologies to isolate and analyze the behavior of suspicious web applications or files. Sandboxing provides a controlled environment to execute potentially malicious code and observe its actions without risking the organization''s network. It helps detect and mitigate the impact of unknown or zero-day threats.
+
+6. Application Whitelisting: Implement application whitelisting measures to allow only authorized and trusted applications to run within the organization''s environment. This helps prevent the execution of known or suspected malicious applications by blocking unauthorized software from running.
+
+7. Web Application Firewalls (WAF): Deploy WAFs to protect web applications from known and emerging threats. WAFs inspect incoming and outgoing web traffic, filter out malicious requests, and enforce security policies specific to web applications. They can help mitigate the impact of attacks targeting web domains or applications.
+
+8. Patch and Vulnerability Management: Regularly patch and update web applications and related components to address known vulnerabilities. Implement a robust vulnerability management program to scan for vulnerabilities, prioritize them based on risk, and apply patches or mitigations promptly. This reduces the likelihood of successful attacks through known vulnerabilities.
+
+9. User Education and Awareness: Conduct security awareness training programs to educate users about the risks associated with interacting with malicious web domains or applications. Train users to recognize indicators of potentially harmful content, such as suspicious URLs, pop-ups, or unexpected file downloads. Encourage users to report any encounters with suspected malicious domains or applications.
+
+10. Continuous Monitoring and Threat Intelligence: Implement continuous monitoring of web traffic and leverage threat intelligence feeds to stay updated on emerging threats. Monitor network logs, conduct regular security assessments, and analyze traffic patterns to identify any signs of malicious activity. Leverage threat intelligence to proactively identify and control the impact of new or evolving threats.', [Sequence]=8, [Parent_Question_Id]=NULL, [Grouping_Id]=2610, [Mat_Question_Type]=N'memo' WHERE [Mat_Question_Id] = 6862
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.Q8', [Question_Text]=N'Are tools or methods in place to block unauthorized code, including macro scripts?', [Supplemental_Info]=N'Blocking unauthorized code, including macro scripts, is essential to prevent the execution of malicious or untrusted code within an organization''s environment. Some best practices for effectively blocking unauthorized code include:
+
+1. Application Whitelisting: Implement application whitelisting measures to allow only authorized and trusted applications to run within the organization''s environment. This approach blocks the execution of unauthorized code by allowing only pre-approved applications to be executed. Whitelisting can be applied at the operating system level, application level, or both.
+
+2. Code Signing and Digital Certificates: Require code signing for all scripts, macros, or executables that are allowed to run within the organization''s environment. Digital certificates verify the authenticity and integrity of the code, ensuring that it comes from a trusted source. Unsigned or untrusted code can be blocked from execution.
+
+3. Endpoint Protection Solutions: Deploy endpoint protection solutions that include features like script blocking or macro protection. These solutions can detect and block the execution of malicious or unauthorized scripts, macros, or code snippets that may pose a security risk. They provide an additional layer of defense against unauthorized code execution.
+
+4. Security Updates and Patching: Regularly update and patch software applications, including office productivity suites and macro-enabled applications. Software updates often include security fixes that address vulnerabilities exploited by malicious code. Prompt patching reduces the risk of unauthorized code execution through known vulnerabilities.
+
+5. Secure Configuration Settings: Configure macro-enabled applications with secure settings to minimize the risk of unauthorized code execution. Disable or restrict the execution of macros by default and enable them only for trusted documents or under specific circumstances. This reduces the attack surface and limits the potential for code-based attacks.
+
+6. Email Security Gateways: Utilize email security gateways that can inspect and block email attachments containing potentially malicious or unauthorized code. These gateways can detect macros or script-based threats and prevent them from reaching end-user devices, reducing the risk of code execution through email-borne attacks.
+
+7. User Education and Awareness: Conduct security awareness training programs to educate users about the risks associated with unauthorized code execution, including macros or scripts. Train users on safe computing practices, such as avoiding the execution of macros from untrusted sources or enabling macros only from verified and trustworthy documents.
+
+8. Centralized Policy Management: Implement centralized policy management tools to enforce security policies related to code execution. These tools allow administrators to define and enforce policies that block the execution of unauthorized code or scripts. Policies can be tailored to specific users, groups, or systems based on their security requirements.
+
+9. Behavior Monitoring and Analysis: Employ behavior monitoring and analysis tools that can detect suspicious code execution patterns. These tools can identify and block the execution of unauthorized code based on abnormal behavior or code actions that deviate from expected norms.
+
+10. Continuous Monitoring and Threat Intelligence: Implement continuous monitoring of endpoints and network traffic for any signs of unauthorized code execution. Leverage threat intelligence feeds to stay updated on emerging threats and the latest attack techniques involving code-based attacks. Regular monitoring helps detect and respond to unauthorized code execution incidents promptly.', [Sequence]=9, [Grouping_Id]=2610, [Mat_Question_Type]=NULL WHERE [Mat_Question_Id] = 6863
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.Q9', [Question_Text]=N'Observe an attempt to execute an unauthorized application or macro and record your observations.', [Supplemental_Info]=N'', [Sequence]=10, [Grouping_Id]=2610 WHERE [Mat_Question_Id] = 6864
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.Q10', [Question_Text]=N'Are connections from known or suspected command and control servers blocked?', [Supplemental_Info]=N'Blocking connections from known or suspected command and control (C2) servers, as well as TOR exit nodes or anonymization services, is crucial for preventing malicious activities and unauthorized access. Some best practices for effectively blocking these connections include:
+
+1. Threat Intelligence Integration: Incorporate threat intelligence feeds that provide information on known or suspected C2 servers, TOR exit nodes, and anonymization services. These feeds provide updated lists of IP addresses and domains associated with malicious activities. Regularly update security systems with this intelligence to block connections to these sources.
+
+2. Firewall Rules and Access Control Lists (ACLs): Configure firewall rules and ACLs to block traffic to and from known or suspected C2 servers, TOR exit nodes, and anonymization services. Create specific rules that deny access to the IP addresses, domains, or ranges associated with these entities. Regularly review and update these rules based on updated threat intelligence.
+
+3. Intrusion Detection/Prevention Systems (IDS/IPS): Deploy IDS/IPS systems with signatures or rules specifically designed to detect and block C2 server communications. These systems can analyze network traffic and flag suspicious patterns indicative of C2 activities. Configure the IDS/IPS to take automated actions, such as blocking traffic to or from C2 servers, TOR exit nodes, or anonymization services.
+
+4. DNS Filtering and Sinkholing: Implement DNS filtering mechanisms to prevent systems from resolving connections to known or suspected C2 servers, TOR exit nodes, and anonymization services. DNS filtering can be achieved by leveraging DNS sinkholing techniques, where DNS requests to malicious domains are redirected to a controlled server or blackhole.
+
+5. Proxy Servers and Web Filtering: Utilize proxy servers and web filtering solutions that can block connections to known or suspected C2 servers, TOR exit nodes, and anonymization services. These solutions can inspect and filter web traffic, blocking access to specific IP addresses, domains, or URLs associated with malicious activities.
+
+6. Threat Hunting and Network Monitoring: Conduct proactive threat hunting activities and implement continuous network monitoring to identify connections to C2 servers or TOR networks. Employ network traffic analysis tools, intrusion detection systems, or Security Information and Event Management (SIEM) solutions to detect and investigate anomalous traffic patterns or communication attempts with suspicious entities.
+
+7. User Education and Endpoint Security: Educate users about the risks associated with C2 servers, TOR networks, and anonymization services. Promote awareness of the potential dangers of interacting with or connecting to these entities. Implement strong endpoint security measures, including anti-malware solutions and host-based intrusion prevention systems, to block unauthorized connections.
+
+8. Security Information Sharing: Participate in security information sharing initiatives or collaborate with industry peers to exchange threat intelligence and insights on C2 servers, TOR exit nodes, and anonymization services. Collaborative efforts can help identify and block connections to malicious entities across multiple organizations, strengthening overall defenses.
+
+9. Regular Updates and Patching: Keep security systems, including firewalls, IDS/IPS, and proxy servers, up to date with the latest patches and updates. Regularly review and update threat intelligence feeds to ensure accurate and timely blocking of connections to known or suspected C2 servers, TOR exit nodes, or anonymization services.
+
+10. Continuous Improvement and Monitoring: Continuously assess the effectiveness of blocking mechanisms and refine them based on evolving threats and changing attack patterns. Monitor security logs and analyze network traffic to detect any connections that bypass blocking measures, and take corrective actions accordingly.', [Sequence]=11, [Grouping_Id]=2610 WHERE [Mat_Question_Id] = 6865
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.C9', [Question_Text]=N'Observe an attempt to connect to a TOR exit node or an anonymization service and record your observations.', [Supplemental_Info]=N'', [Sequence]=1, [Grouping_Id]=NULL, [Parent_Option_Id]=1103 WHERE [Mat_Question_Id] = 6866
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CC-3D.C10', [Question_Text]=N'How does the O/O monitor the tools described above?', [Supplemental_Info]=N'A Security Operations Center (SOC) is typically a 24/7 operation responsible for monitoring and defending an organization''s information systems and infrastructure against security threats. The SOC is staffed by security personnel who are trained to detect, respond to, and mitigate security incidents.
+
+In a well-functioning SOC, there is a combination of tools and human expertise working together. While security tools play a crucial role in monitoring and detecting security events, they typically generate alerts or notifications that are sent to SOC operators or security personnel for further analysis and response.
+
+The process generally works as follows:
+
+• Security Tools and Technologies: SOC environments utilize a range of security tools and technologies, including security information and event management (SIEM) systems, intrusion detection systems (IDS), endpoint detection and response (EDR) solutions, firewalls, and more. These tools continuously monitor various aspects of the network, systems, and applications, collecting logs, events, and other data.
+• Alert Generation: When security tools detect suspicious activities, anomalies, or potential security incidents, they generate alerts based on predefined rules, signatures, or behavioral patterns. These alerts indicate a potential security threat or breach.
+• Alert Analysis and Triage: SOC operators or security personnel are responsible for analyzing and triaging the alerts received from the security tools. They evaluate the severity, credibility, and potential impact of each alert to determine the appropriate response.
+• Incident Response: Upon validating a security incident, SOC operators initiate incident response procedures. This may involve containment, investigation, mitigation, and recovery efforts to address the security incident effectively. SOC personnel work closely with other teams, such as incident response teams, IT teams, or external vendors, to coordinate the response.
+• Continuous Monitoring and Reporting: SOC operators continuously monitor the evolving threat landscape and the organization''s systems to ensure ongoing protection. They analyze security events, trends, and patterns to identify potential threats, vulnerabilities, or areas of improvement. Regular reports and metrics are generated to provide insights into the security posture, incident trends, and the effectiveness of security controls.', [Sequence]=12, [Grouping_Id]=2610, [Mat_Question_Type]=N'memo' WHERE [Mat_Question_Id] = 6867
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CP-3D.Q1', [Question_Text]=N'Does the O/O implement continuous monitoring and detection policies and procedures that are designed to prevent, detect, and respond to cybersecurity threats and anomalies affecting Critical Cyber Systems?', [Supplemental_Info]=N'Implementing robust procedures to prevent, detect, and respond to cybersecurity threats and anomalies is crucial for protecting Critical Cyber Systems. Some best practices for establishing effective procedures include:
+
+1. Risk Assessment: Conduct a comprehensive risk assessment to identify potential vulnerabilities, threats, and the potential impact on Critical Cyber Systems. Understand the specific risks associated with these systems and prioritize them based on their criticality and potential consequences.
+
+2. Security Policies and Standards: Develop and enforce security policies and standards that address the unique requirements of Critical Cyber Systems. These policies should include guidelines for access controls, network security, incident response, and data protection. Ensure that these policies are regularly reviewed, updated, and communicated to relevant stakeholders.
+
+3. Defense-in-Depth Strategy: Implement a defense-in-depth approach to cybersecurity, which involves layering multiple security controls to provide overlapping protection. This includes measures such as firewalls, intrusion detection systems, encryption, access controls, and network segmentation. By having multiple layers of defense, you can mitigate the impact of potential threats.
+
+4. Incident Response Plan: Develop a well-defined incident response plan that outlines the steps to be taken in the event of a cybersecurity incident affecting Critical Cyber Systems. The plan should include predefined roles and responsibilities, communication protocols, incident escalation procedures, and a clear incident mitigation and recovery process.
+
+5. Continuous Monitoring: Implement continuous monitoring capabilities to detect and analyze security events and anomalies in real-time. Use Security Information and Event Management (SIEM) systems, intrusion detection/prevention systems (IDS/IPS), and log analysis tools to monitor network traffic, system logs, and critical system indicators. Regularly review and analyze the collected data to identify potential threats or abnormalities.
+
+6. Threat Intelligence Integration: Integrate threat intelligence feeds into security monitoring systems to stay updated on the latest cyber threats and attack techniques. Leverage external threat intelligence sources, as well as internal indicators of compromise (IoCs), to enhance the detection of known threats and emerging vulnerabilities specific to Critical Cyber Systems.
+
+7. User Awareness and Training: Provide comprehensive cybersecurity awareness and training programs to all personnel with access to Critical Cyber Systems. Educate users about common threats, social engineering techniques, safe browsing practices, and the importance of reporting suspicious activities. Regular training helps create a security-conscious culture and strengthens the human element of cybersecurity.
+
+8. Vulnerability Management: Implement a robust vulnerability management program to regularly assess, prioritize, and remediate vulnerabilities within Critical Cyber Systems. This includes conducting vulnerability scans, patch management, and configuration management practices to ensure systems are up to date and protected against known vulnerabilities.
+
+9. Regular Audits and Assessments: Conduct periodic cybersecurity audits and assessments to evaluate the effectiveness of controls, procedures, and compliance with security policies. Engage third-party auditors or internal security teams to perform assessments against industry standards and best practices. Identify areas of improvement and take corrective actions based on audit findings.
+
+10. Continuous Improvement and Lessons Learned: Foster a culture of continuous improvement by reviewing and learning from cybersecurity incidents and near-miss events. Conduct post-incident reviews and document lessons learned to enhance incident response procedures, update security controls, and implement measures to prevent similar incidents in the future.', [Grouping_Id]=2611, [Parent_Option_Id]=NULL WHERE [Mat_Question_Id] = 6868
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CP-3D.Q2', [Question_Text]=N'Do continuous monitoring tools send alerts to operators/security personnel?', [Supplemental_Info]=N'', [Sequence]=2, [Grouping_Id]=2611, [Mat_Question_Type]=NULL WHERE [Mat_Question_Id] = 6869
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CP-3D.Q3', [Question_Text]=N'Is there a Security Operations Center (SOC) that is a 24/7 operation?', [Supplemental_Info]=N'A Security Operations Center (SOC) is typically a 24/7 operation responsible for monitoring and defending an organization''s information systems and infrastructure against security threats. The SOC is staffed by security personnel who are trained to detect, respond to, and mitigate security incidents.
+
+In a well-functioning SOC, there is a combination of tools and human expertise working together. While security tools play a crucial role in monitoring and detecting security events, they typically generate alerts or notifications that are sent to SOC operators or security personnel for further analysis and response.
+
+The process generally works as follows:
+
+• Security Tools and Technologies: SOC environments utilize a range of security tools and technologies, including security information and event management (SIEM) systems, intrusion detection systems (IDS), endpoint detection and response (EDR) solutions, firewalls, and more. These tools continuously monitor various aspects of the network, systems, and applications, collecting logs, events, and other data.
+• Alert Generation: When security tools detect suspicious activities, anomalies, or potential security incidents, they generate alerts based on predefined rules, signatures, or behavioral patterns. These alerts indicate a potential security threat or breach.
+• Alert Analysis and Triage: SOC operators or security personnel are responsible for analyzing and triaging the alerts received from the security tools. They evaluate the severity, credibility, and potential impact of each alert to determine the appropriate response.
+• Incident Response: Upon validating a security incident, SOC operators initiate incident response procedures. This may involve containment, investigation, mitigation, and recovery efforts to address the security incident effectively. SOC personnel work closely with other teams, such as incident response teams, IT teams, or external vendors, to coordinate the response.
+• Continuous Monitoring and Reporting: SOC operators continuously monitor the evolving threat landscape and the organization''s systems to ensure ongoing protection. They analyze security events, trends, and patterns to identify potential threats, vulnerabilities, or areas of improvement. Regular reports and metrics are generated to provide insights into the security posture, incident trends, and the effectiveness of security controls.', [Sequence]=3, [Grouping_Id]=2611 WHERE [Mat_Question_Id] = 6870
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CP-3D.Q4', [Question_Text]=N'If an SOC exists:
+
+1. Observe and interview SOC operations
+
+2. Interview staff to validate how alerts are processed', [Supplemental_Info]=N'A Security Operations Center (SOC) is a centralized facility within an organization that focuses on the monitoring, detection, analysis, and response to cybersecurity incidents. It serves as the nerve center for an organization''s cybersecurity operations, providing a dedicated team and infrastructure to defend against, identify, and mitigate security threats.
+
+Key components and functions of a typical SOC include:
+
+1. People: The SOC is staffed by a team of skilled cybersecurity professionals, including security analysts, incident responders, threat hunters, and SOC managers. These individuals are responsible for monitoring security alerts, analyzing threats, investigating incidents, and coordinating response efforts.
+
+2. Technology and Tools: The SOC utilizes a wide range of cybersecurity technologies and tools to collect, correlate, and analyze security data. This includes Security Information and Event Management (SIEM) systems, intrusion detection/prevention systems (IDS/IPS), log management solutions, threat intelligence platforms, and advanced analytics tools. These technologies provide the necessary visibility and insights into network traffic, system logs, and security events.
+
+3. Monitoring and Detection: The primary function of a SOC is to monitor and detect security incidents and anomalies in real-time. Security analysts continuously monitor security alerts, network traffic, and system logs to identify potential threats or indicators of compromise (IoCs). They leverage automated detection systems, threat intelligence feeds, and manual analysis techniques to identify suspicious activities and potential security breaches.
+
+4. Incident Response: When a security incident is detected, the SOC team initiates an incident response process. This involves investigating the incident, containing the threat, and formulating a response strategy. Incident responders work closely with other teams, such as IT, legal, and communications, to coordinate the response efforts, mitigate the impact, and ensure a timely and effective resolution.
+
+5. Threat Hunting: In addition to monitoring alerts, SOC teams actively engage in threat hunting activities. This proactive approach involves searching for advanced or persistent threats that may have bypassed traditional security controls. Threat hunters use threat intelligence, behavioral analytics, and advanced techniques to uncover hidden threats, identify vulnerabilities, and enhance the organization''s overall security posture.
+
+6. Collaboration and Communication: Effective communication and collaboration are critical in a SOC. SOC teams work closely with other IT teams, such as network administrators, system administrators, and incident response teams, to share information, coordinate incident response activities, and implement security controls. Communication channels, such as incident tracking systems, secure messaging platforms, and regular meetings, facilitate effective collaboration within the SOC and across the organization.
+
+7. Continuous Improvement: A SOC is an evolving entity that continuously improves its capabilities based on lessons learned, emerging threats, and changing business needs. SOC managers regularly assess and update processes, procedures, and technologies to enhance detection and response capabilities. They stay abreast of the latest cybersecurity trends, industry best practices, and regulatory requirements to ensure the SOC remains effective and aligned with the organization''s security goals.', [Sequence]=4, [Grouping_Id]=2611, [Mat_Question_Type]=N'memo' WHERE [Mat_Question_Id] = 6871
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CP-3D.Q5', [Question_Text]=N'Does the O/O conduct audits for unauthorized access to internet domains and addresses?', [Supplemental_Info]=N'Determining the appropriate auditing frequency for unauthorized access to internet domains and addresses depends on several factors, including the organization''s risk tolerance, regulatory requirements, and the criticality of the assets being audited:
+
+1. Regular Auditing: Conduct regular audits to detect unauthorized access to internet domains and addresses. The frequency of these audits may vary depending on the organization''s size, complexity, and security posture. Quarterly or semi-annual audits are common, but more frequent audits may be necessary for highly sensitive environments.
+
+2. Risk-Based Approach: Adopt a risk-based approach to determine the auditing frequency. Assess the potential impact of unauthorized access to internet domains and addresses, considering the sensitivity of the data or systems involved. Allocate more frequent audits to high-risk domains or addresses to ensure timely detection and response.
+
+3. Compliance Requirements: Consider any specific regulatory or compliance requirements that dictate the frequency of audits. Some industries or jurisdictions may have specific guidelines that mandate regular auditing for unauthorized access. Ensure compliance with applicable regulations and align auditing frequency accordingly.
+
+4. Security Incident Trends: Monitor security incident trends to identify patterns or indicators that may warrant increased auditing frequency. If there is an uptick in security incidents related to unauthorized access to domains or addresses, it may be necessary to increase the frequency of audits to detect and respond to such incidents promptly.
+
+5. Change Management Triggers: Incorporate auditing triggers into the change management process. Whenever significant changes are made to internet domains or addresses, initiate an audit to verify the integrity and security of the changes. This includes changes related to domain ownership, DNS settings, IP addresses, or access controls.
+
+6. Vulnerability Assessments: Integrate vulnerability assessments into the auditing process. Assess the security posture of internet domains and addresses regularly to identify any weaknesses or vulnerabilities that could lead to unauthorized access. Vulnerability assessments can help prioritize areas for audit focus and ensure continuous security improvement.
+
+7. User Activity Monitoring: Implement user activity monitoring tools to track and analyze user behavior related to accessing internet domains and addresses. User activity logs can provide valuable insights into potential unauthorized access. Regularly review and analyze these logs to detect any suspicious activities or signs of unauthorized access.
+
+8. External Threat Intelligence: Stay updated with external threat intelligence feeds that provide information on emerging threats, hacking campaigns, or indicators of compromise (IoCs). Incorporate this intelligence into audits to proactively detect unauthorized access attempts targeting internet domains and addresses.
+
+9. Incident Response and Forensics: Conduct audits as part of incident response and forensics activities. Whenever unauthorized access incidents occur, perform a thorough audit to determine the extent of the breach, identify any additional compromised domains or addresses, and implement appropriate mitigation measures.
+
+10. Continuous Improvement: Continuously evaluate and improve the auditing process based on lessons learned and emerging risks. Regularly assess the effectiveness of audits in detecting unauthorized access and adjust the frequency or scope as needed to align with changing threats and business requirements.', [Sequence]=5, [Grouping_Id]=2611, [Mat_Question_Type]=NULL WHERE [Mat_Question_Id] = 6872
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CP-3D.C1', [Question_Text]=N'What is the auditing frequency?', [Supplemental_Info]=N'', [Grouping_Id]=NULL, [Mat_Question_Type]=N'memo', [Parent_Option_Id]=1111 WHERE [Mat_Question_Id] = 6873
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CP-3D.Q6', [Question_Text]=N'Is there real-time alerting?', [Supplemental_Info]=N'Real-time alerts play a crucial role in incident response by providing immediate notifications of security incidents or suspicious activities. Best practices for leveraging real-time alerts include:
+
+1. Define Clear Alerting Criteria: Clearly define the criteria that trigger real-time alerts based on known indicators of compromise (IoCs), suspicious behaviors, or predefined thresholds. This could include anomalous network traffic patterns, unauthorized access attempts, system resource abuse, or any activity that deviates from normal behavior.
+
+2. Prioritize and Categorize Alerts: Establish a system to prioritize and categorize alerts based on their severity and impact. Use a standardized classification system to ensure consistent understanding and response. This allows incident responders to focus on critical alerts that require immediate attention.
+
+3. Security Information and Event Management (SIEM) Integration: Leverage a SIEM platform or a centralized event management system to aggregate, correlate, and analyze security events and logs from various sources in real time. SIEM solutions provide advanced alerting capabilities, enabling the configuration of automated notifications based on predefined rules and patterns.
+
+4. Automated Alert Triage: Implement automated alert triage mechanisms to filter and validate alerts. Use automated tools or playbooks to analyze and triage alerts based on predefined criteria, reducing the manual effort required by incident responders. This helps prioritize alerts and ensures that critical incidents are addressed promptly.
+
+5. Contextual Information in Alerts: Include relevant contextual information in alerts to provide incident responders with the necessary details for effective analysis and response. This may include the source IP address, affected system, event type, timestamp, and any associated logs or network traffic data. Providing contextual information reduces investigation time and facilitates a more efficient response.
+
+6. Integration with Threat Intelligence: Integrate real-time threat intelligence feeds into the alerting system. By leveraging up-to-date threat intelligence, organizations can correlate alerts with known indicators of compromise or emerging threats. This enhances the accuracy and relevance of real-time alerts, enabling faster detection and response to evolving threats.
+
+7. Automated Response and Orchestration: Integrate automated response and orchestration capabilities into the incident response process. This allows for the execution of automated actions in response to specific alerts, such as blocking malicious IP addresses or isolating affected systems. Automated response helps contain incidents and minimizes the manual effort required for remediation.
+
+8. User-Friendly Alert Notifications: Ensure that real-time alert notifications are user-friendly and easily understandable. Use clear and concise language, avoid jargon, and provide actionable information that enables incident responders to take immediate steps. Well-designed alert notifications enhance the effectiveness of incident response by facilitating quick and accurate decision-making.
+
+9. Continuous Monitoring: Maintain 24/7 monitoring of real-time alerts to ensure timely response to security incidents. Establish a dedicated team or leverage Security Operations Center (SOC) resources to monitor alerts around the clock. Quick response times are critical to minimizing the impact of security incidents and mitigating further damage.
+
+10. Post-Incident Analysis and Feedback: Conduct post-incident analysis on how real-time alerts performed during incident response. Identify areas for improvement, such as fine-tuning alerting criteria, optimizing response playbooks, or refining the triage process. Use the insights gained to enhance the effectiveness of real-time alerts and continually improve the incident response capability.', [Sequence]=6, [Grouping_Id]=2611 WHERE [Mat_Question_Id] = 6874
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CP-3D.Q7', [Question_Text]=N'Does the O/O document and audit external communications that deviate from their baseline?', [Supplemental_Info]=N'Documenting and auditing external communications that deviate from the baseline is an essential practice to ensure transparency, compliance, and security in an organization. Best practices to effectively document and audit such communications include:
+
+1. Establish a Baseline: Define a baseline for external communications that represents the standard or expected behavior. This baseline can include approved communication channels, authorized personnel, and predefined formats or templates. It serves as a reference point for identifying deviations.
+
+2. Document Policies and Procedures: Develop clear policies and procedures that outline the guidelines for external communications. Document the approved communication channels, authorized personnel, content requirements, and any restrictions or limitations. Ensure that employees are aware of these policies and adhere to them.
+
+3. Logging and Tracking: Implement a system to log and track external communications. This can include email archiving systems, communication management tools, or customer relationship management (CRM) systems. Ensure that relevant details, such as sender, recipient, timestamp, and content, are captured and logged for auditing purposes.
+
+4. Monitoring Tools: Leverage communication monitoring tools to identify deviations from the baseline. These tools can analyze communication patterns, detect anomalies, and trigger alerts when communications deviate from the established norms. Monitor communication channels for unauthorized or suspicious activities.
+
+5. Automated Alerting: Configure automated alerts and notifications to inform relevant stakeholders when external communications deviate from the baseline. Set up alerts for specific triggers, such as unauthorized senders or unusual content. This enables timely detection and response to potential security risks or policy violations.
+
+6. Regular Auditing and Review: Conduct regular audits and reviews of external communications to ensure compliance and identify any deviations. Assign dedicated personnel or teams to periodically review selected communications for quality, accuracy, and adherence to policies. Document the audit findings and take appropriate actions based on the results.
+
+7. Incident Response: Develop an incident response plan specifically for handling deviations in external communications. Define the steps to be taken, including investigation, containment, communication, and remediation. Assign responsibilities and establish communication channels for reporting and responding to incidents promptly.
+
+8. Employee Training and Awareness: Provide training and awareness programs to educate employees about the importance of adhering to external communication policies and procedures. Train them to recognize potential risks, such as phishing attempts or unauthorized communication requests. Regularly reinforce the importance of following established guidelines.
+
+9. Compliance with Regulations and Standards: Ensure that external communications comply with relevant regulations and industry standards.
+
+10. Continuous Improvement: Continuously evaluate and improve the documentation and auditing process for external communications. Seek feedback from stakeholders, conduct internal assessments, and benchmark against industry best practices. Incorporate lessons learned into the process to enhance efficiency, accuracy, and compliance.', [Sequence]=7, [Grouping_Id]=2611, [Mat_Question_Type]=NULL WHERE [Mat_Question_Id] = 6875
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'CP-3D.C2', [Question_Text]=N'Review any documentation that exists to support assertions in the policy or procedure documents. Record your observations.', [Supplemental_Info]=N'', [Sequence]=1, [Grouping_Id]=NULL, [Mat_Question_Type]=N'memo', [Parent_Option_Id]=1115 WHERE [Mat_Question_Id] = 6876
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'IR-3F.Q1', [Question_Text]=N'Has the O/O developed and maintained a Cybersecurity Incident Response Plan (CIRP)?', [Supplemental_Info]=N'', [Grouping_Id]=2612, [Mat_Question_Type]=NULL WHERE [Mat_Question_Id] = 6877
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'IR-3F.C1', [Question_Text]=N'Does the CIRP include measures to reduce the risk of operational disruption, or the risk of other significant impacts on necessary capacity, should the pipeline or facility experience a cybersecurity incident?', [Supplemental_Info]=N'', [Sequence]=1, [Grouping_Id]=NULL, [Parent_Option_Id]=1117 WHERE [Mat_Question_Id] = 6878
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'IR-3F.C2', [Question_Text]=N'Does the CIRP provide specific measures sufficient to ensure prompt containment of the infected server or device?', [Supplemental_Info]=N'', [Sequence]=2, [Parent_Question_Id]=NULL, [Parent_Option_Id]=1117 WHERE [Mat_Question_Id] = 6879
+UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Title]=N'IR-3F.Q2', [Question_Text]=N'Does the CIRP provide specific measures sufficient to ensure segregation of the infected network (or devices) to ensure malicious code does not spread by, as necessary:', [Supplemental_Info]=N'', [Sequence]=3, [Parent_Question_Id]=NULL, [Parent_Option_Id]=1117 WHERE [Mat_Question_Id] = 6880
+PRINT(N'Operation applied to 80 rows out of 80')
+
+PRINT(N'Update rows in [dbo].[MATURITY_ANSWER_OPTIONS]')
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'No', [Mat_Question_Id]=6804, [Mat_Option_Type]=N'radio' WHERE [Mat_Option_Id] = 1003
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Yes', [Mat_Question_Id]=6804, [Mat_Option_Type]=N'radio' WHERE [Mat_Option_Id] = 1004
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Mat_Question_Id]=6805 WHERE [Mat_Option_Id] = 1005
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Mat_Question_Id]=6805 WHERE [Mat_Option_Id] = 1006
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'No', [Mat_Question_Id]=6806, [Mat_Option_Type]=N'radio' WHERE [Mat_Option_Id] = 1007
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Yes', [Answer_Sequence]=2 WHERE [Mat_Option_Id] = 1008
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'No', [Mat_Question_Id]=6807, [Answer_Sequence]=1 WHERE [Mat_Option_Id] = 1009
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Yes', [Mat_Question_Id]=6807, [Answer_Sequence]=2 WHERE [Mat_Option_Id] = 1010
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'No', [Answer_Sequence]=1 WHERE [Mat_Option_Id] = 1011
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Yes', [Mat_Question_Id]=6808, [Answer_Sequence]=2, [Mat_Option_Type]=N'radio' WHERE [Mat_Option_Id] = 1012
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Other (Please define)' WHERE [Mat_Option_Id] = 1026
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Mat_Question_Id]=6818 WHERE [Mat_Option_Id] = 1029
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Mat_Question_Id]=6818 WHERE [Mat_Option_Id] = 1030
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Mat_Question_Id]=6819 WHERE [Mat_Option_Id] = 1031
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Mat_Question_Id]=6819 WHERE [Mat_Option_Id] = 1032
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Mat_Question_Id]=6820 WHERE [Mat_Option_Id] = 1033
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Mat_Question_Id]=6820 WHERE [Mat_Option_Id] = 1034
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Mat_Question_Id]=6821 WHERE [Mat_Option_Id] = 1035
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Mat_Question_Id]=6821 WHERE [Mat_Option_Id] = 1036
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Mat_Question_Id]=6822 WHERE [Mat_Option_Id] = 1037
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Mat_Question_Id]=6822 WHERE [Mat_Option_Id] = 1038
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Examine the identification/description of measures for securing and defending zone
+boundaries that includes security controls.', [Mat_Question_Id]=6824 WHERE [Mat_Option_Id] = 1039
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Network traffic control measures should be evaluated to ensure that only required traffic is permitted between the zones identified above.', [Mat_Question_Id]=6823, [Answer_Sequence]=1 WHERE [Mat_Option_Id] = 1040
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Examine firewall rules/logs, switch and router ACLs and logs to validate.', [Mat_Question_Id]=6823, [Answer_Sequence]=2 WHERE [Mat_Option_Id] = 1041
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Observe an attempt to communicate between zones to confirm.', [Mat_Question_Id]=6823, [Answer_Sequence]=3 WHERE [Mat_Option_Id] = 1042
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Network Intrusion Detection/Prevention (NIDS/NIPS)', [Mat_Question_Id]=6825, [Answer_Sequence]=1 WHERE [Mat_Option_Id] = 1043
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Host based (HIDS/HIPS) sensors.', [Mat_Question_Id]=6825, [Answer_Sequence]=2 WHERE [Mat_Option_Id] = 1044
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Other tools? Please list.', [Mat_Question_Id]=6825, [Answer_Sequence]=3, [Mat_Option_Type]=N'checkbox' WHERE [Mat_Option_Id] = 1045
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'No', [Mat_Question_Id]=6827, [Answer_Sequence]=1 WHERE [Mat_Option_Id] = 1046
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Yes', [Mat_Question_Id]=6827, [Answer_Sequence]=2 WHERE [Mat_Option_Id] = 1047
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'No', [Mat_Question_Id]=6832, [Answer_Sequence]=1 WHERE [Mat_Option_Id] = 1048
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Yes', [Mat_Question_Id]=6832, [Answer_Sequence]=2 WHERE [Mat_Option_Id] = 1049
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'No', [Mat_Question_Id]=6833, [Answer_Sequence]=1 WHERE [Mat_Option_Id] = 1050
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Yes', [Mat_Question_Id]=6833, [Answer_Sequence]=2 WHERE [Mat_Option_Id] = 1051
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'No', [Mat_Question_Id]=6834, [Answer_Sequence]=1 WHERE [Mat_Option_Id] = 1052
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Yes', [Mat_Question_Id]=6834, [Answer_Sequence]=2, [Mat_Option_Type]=N'radio' WHERE [Mat_Option_Id] = 1053
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'No', [Mat_Question_Id]=6836, [Answer_Sequence]=1, [Mat_Option_Type]=N'' WHERE [Mat_Option_Id] = 1054
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Yes', [Mat_Question_Id]=6836, [Answer_Sequence]=2, [Mat_Option_Type]=N'radio' WHERE [Mat_Option_Id] = 1055
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'No', [Mat_Question_Id]=6837, [Answer_Sequence]=1, [Mat_Option_Type]=N'radio' WHERE [Mat_Option_Id] = 1056
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Yes', [Mat_Question_Id]=6837, [Answer_Sequence]=2, [Mat_Option_Type]=N'radio' WHERE [Mat_Option_Id] = 1057
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Review the O/O’s implementation of Multi-Factor Authentication (MFA) e.g., smartcards, RSA tokens, or other known MFA solutions.', [Mat_Question_Id]=6838, [Answer_Sequence]=1 WHERE [Mat_Option_Id] = 1058
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Observe or walk-through the process for issuing authenticators. Check that the processes that have been completed.', [Mat_Question_Id]=6838, [Answer_Sequence]=2, [Mat_Option_Type]=N'checkbox' WHERE [Mat_Option_Id] = 1059
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Particular attention should be paid to identity proofing processes to ensure the tokens are possessed by the authorized user.', [Mat_Question_Id]=6838, [Answer_Sequence]=3, [Mat_Option_Type]=N'checkbox' WHERE [Mat_Option_Id] = 1060
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Validate the use of MFA by observing MFA logon to the devices and systems asserted in the CIP.', [Mat_Question_Id]=6838, [Answer_Sequence]=4, [Mat_Option_Type]=N'checkbox' WHERE [Mat_Option_Id] = 1061
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Observe an attempt to authenticate to an MFA required device/account with username/password to validate access is not granted.', [Mat_Question_Id]=6838, [Answer_Sequence]=5, [Mat_Option_Type]=N'checkbox' WHERE [Mat_Option_Id] = 1062
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Verify controls asserted in CIP that mitigate lack of MFA are implemented and are commensurate with MFA.
+Note: These should include things such as physical security, increased monitoring and logging, and analytical anomalous behavior tools.', [Mat_Question_Id]=6838, [Answer_Sequence]=6, [Mat_Option_Type]=N'checkbox' WHERE [Mat_Option_Id] = 1063
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'No', [Mat_Question_Id]=6839, [Answer_Sequence]=1 WHERE [Mat_Option_Id] = 1064
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Yes', [Mat_Question_Id]=6839, [Answer_Sequence]=2 WHERE [Mat_Option_Id] = 1065
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Observe or walk-through how this definition is applied to account provisioning.', [Mat_Question_Id]=6840, [Answer_Sequence]=1, [Mat_Option_Type]=N'checkbox' WHERE [Mat_Option_Id] = 1066
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'No', [Mat_Question_Id]=6841, [Mat_Option_Type]=N'radio' WHERE [Mat_Option_Id] = 1067
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Yes', [Mat_Question_Id]=6841, [Mat_Option_Type]=N'radio' WHERE [Mat_Option_Id] = 1068
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'No', [Mat_Question_Id]=6842, [Answer_Sequence]=1, [Mat_Option_Type]=N'radio' WHERE [Mat_Option_Id] = 1069
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Yes', [Mat_Question_Id]=6842, [Answer_Sequence]=2 WHERE [Mat_Option_Id] = 1070
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'No', [Mat_Question_Id]=6843, [Answer_Sequence]=1 WHERE [Mat_Option_Id] = 1071
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Yes', [Mat_Question_Id]=6842, [Answer_Sequence]=3 WHERE [Mat_Option_Id] = 1072
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'No', [Mat_Question_Id]=6843 WHERE [Mat_Option_Id] = 1073
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Yes', [Mat_Question_Id]=6843, [Answer_Sequence]=3 WHERE [Mat_Option_Id] = 1074
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'No', [Mat_Question_Id]=6845, [Answer_Sequence]=1 WHERE [Mat_Option_Id] = 1075
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Yes', [Mat_Question_Id]=6845, [Answer_Sequence]=2 WHERE [Mat_Option_Id] = 1076
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'No', [Mat_Question_Id]=6846, [Answer_Sequence]=1 WHERE [Mat_Option_Id] = 1077
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Yes', [Mat_Question_Id]=6846, [Answer_Sequence]=2 WHERE [Mat_Option_Id] = 1078
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Request the number of shared accounts that exist.', [Mat_Question_Id]=6848, [Answer_Sequence]=1, [Mat_Option_Type]=N'checkbox' WHERE [Mat_Option_Id] = 1079
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Observe or walk-through how these accounts are provisioned and how users are granted access to these accounts to include the application of least privileged concepts.', [Mat_Question_Id]=6848, [Answer_Sequence]=2, [Mat_Option_Type]=N'checkbox' WHERE [Mat_Option_Id] = 1080
+UPDATE [dbo].[MATURITY_ANSWER_OPTIONS] SET [Option_Text]=N'Verify that the O/O’s process for removing knowledge of the password complies with the CIP. Review IDP logs to validate last password change date on a shared account that was required to have a password change.', [Mat_Question_Id]=6848, [Answer_Sequence]=3, [Mat_Option_Type]=N'checkbox' WHERE [Mat_Option_Id] = 1081
+PRINT(N'Operation applied to 64 rows out of 64')
+
+PRINT(N'Update rows in [dbo].[MATURITY_GROUPINGS]')
+UPDATE [dbo].[MATURITY_GROUPINGS] SET [Title_Id]=N'3612' WHERE [Grouping_Id] = 2601
+UPDATE [dbo].[MATURITY_GROUPINGS] SET [Title_Id]=N'3613' WHERE [Grouping_Id] = 2602
+UPDATE [dbo].[MATURITY_GROUPINGS] SET [Title_Id]=N'3614' WHERE [Grouping_Id] = 2603
+UPDATE [dbo].[MATURITY_GROUPINGS] SET [Title_Id]=N'3615' WHERE [Grouping_Id] = 2604
+UPDATE [dbo].[MATURITY_GROUPINGS] SET [Title]=N'Encryption (EN)', [Title_Id]=N'3616' WHERE [Grouping_Id] = 2605
+UPDATE [dbo].[MATURITY_GROUPINGS] SET [Title]=N'Access Control (AC)', [Description]=NULL, [Title_Id]=N'3617' WHERE [Grouping_Id] = 2606
+UPDATE [dbo].[MATURITY_GROUPINGS] SET [Title]=N'MFA (MF)', [Title_Id]=N'3618' WHERE [Grouping_Id] = 2607
+UPDATE [dbo].[MATURITY_GROUPINGS] SET [Title]=N'Least Privilege (LP)', [Title_Id]=N'3619' WHERE [Grouping_Id] = 2608
+UPDATE [dbo].[MATURITY_GROUPINGS] SET [Title]=N'Shared Accounts (SA)', [Title_Id]=N'3620' WHERE [Grouping_Id] = 2609
+UPDATE [dbo].[MATURITY_GROUPINGS] SET [Title]=N'Continuous Monitoring Capabilities (CC)', [Title_Id]=N'3621' WHERE [Grouping_Id] = 2610
+UPDATE [dbo].[MATURITY_GROUPINGS] SET [Title]=N'Continuous Monitoring Procedures (CP)', [Title_Id]=N'3622' WHERE [Grouping_Id] = 2611
+UPDATE [dbo].[MATURITY_GROUPINGS] SET [Title]=N'Incident Response (IR)', [Title_Id]=N'3623' WHERE [Grouping_Id] = 2612
+UPDATE [dbo].[MATURITY_GROUPINGS] SET [Title_Id]=N'3624' WHERE [Grouping_Id] = 2613
+UPDATE [dbo].[MATURITY_GROUPINGS] SET [Description]=NULL, [Title_Id]=N'3625' WHERE [Grouping_Id] = 2614
+PRINT(N'Operation applied to 14 rows out of 14')
+
+PRINT(N'Add row to [dbo].[MATURITY_GROUPINGS]')
+SET IDENTITY_INSERT [dbo].[MATURITY_GROUPINGS] ON
+INSERT INTO [dbo].[MATURITY_GROUPINGS] ([Grouping_Id], [Title], [Description], [Maturity_Model_Id], [Sequence], [Parent_Id], [Group_Level], [Type_Id], [Title_Id], [Abbreviation], [Title_Prefix]) VALUES (2615, N'Cybersecurity Assessment Plan (CAP)', NULL, 14, 15, NULL, NULL, 1, N'3626', NULL, NULL)
+SET IDENTITY_INSERT [dbo].[MATURITY_GROUPINGS] OFF
+
+PRINT(N'Add rows to [dbo].[MATURITY_ANSWER_OPTIONS]')
+SET IDENTITY_INSERT [dbo].[MATURITY_ANSWER_OPTIONS] ON
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1082, N'Validate trust relationships asserted in the CIP. If separate domains are implemented, verify domain trusts by observation and using IDP admin tools.', 6848, 4, NULL, NULL, N'checkbox', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1083, N'No', 6849, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1084, N'Yes', 6849, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1085, N'No', 6850, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1086, N'Yes', 6850, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1087, N'No', 6851, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1088, N'Yes', 6851, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1089, N'No', 6852, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1090, N'Yes', 6852, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1091, N'No', 6853, 1, NULL, NULL, N'', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1092, N'Yes', 6853, 2, NULL, NULL, N'', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1093, N'No', 6855, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1094, N'Yes', 6855, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1095, N'No', 6857, 1, NULL, NULL, N'', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1096, N'Yes', 6857, 2, NULL, NULL, N'', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1097, N'Describe your observations.', 6859, 1, NULL, NULL, N'memo', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1098, N'No', 6860, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1099, N'Yes', 6860, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1100, N'No', 6863, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1101, N'Yes', 6863, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1102, N'No', 6865, 1, NULL, NULL, N'', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1103, N'Yes', 6865, 2, NULL, NULL, N'', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1104, N'No', 6868, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1105, N'Yes', 6868, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1106, N'No', 6869, 1, NULL, NULL, N'', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1107, N'Yes', 6869, 2, NULL, NULL, N'', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1108, N'No', 6870, 1, NULL, NULL, N'', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1109, N'Yes', 6870, 2, NULL, NULL, N'', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1110, N'No', 6872, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1111, N'Yes', 6872, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1112, N'No', 6874, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1113, N'Yes', 6874, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1114, N'No', 6875, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1115, N'Yes', 6875, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1116, N'No', 6877, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1117, N'Yes', 6877, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1118, N'No', 6878, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1119, N'Yes', 6878, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1120, N'no', 6879, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1121, N'Yes', 6879, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1122, N'no', 6880, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1123, N'yes', 6880, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1124, N'no', 6881, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1125, N'yes', 6881, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1126, N'no', 6882, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1127, N'yes', 6882, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1128, N'no', 6883, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1129, N'yes', 6883, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1130, N'no', 6884, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1131, N'yes', 6884, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1132, N'no', 6885, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1133, N'yes', 6885, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1134, N'no', 6886, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1135, N'yes', 6886, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1136, N'no', 6887, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1137, N'yes', 6887, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1138, N'no', 6888, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1139, N'yes', 6888, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1140, N'no', 6889, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1141, N'yes', 6889, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1142, N'no', 6890, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1143, N'yes', 6890, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1144, N'no', 6891, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1145, N'yes', 6891, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1146, N'no', 6892, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1147, N'yes', 6892, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1148, N'no', 6893, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1149, N'yes', 6893, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1150, N'No', 6894, 1, NULL, NULL, N'', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1151, N'Yes', 6894, 2, NULL, NULL, N'', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1152, N'No', 6896, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1153, N'Yes', 6896, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1154, N'No', 6900, 1, NULL, NULL, N'', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1155, N'Yes', 6900, 2, NULL, NULL, N'', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1156, N'No', 6905, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1157, N'Yes', 6905, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1158, N'No', 6906, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1159, N'Yes', 6906, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1160, N'No', 6907, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1161, N'yes', 6907, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1162, N'No', 6908, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1163, N'Yes', 6908, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1164, N'No', 6909, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1165, N'Yes', 6909, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1166, N'No', 6910, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1167, N'Yes', 6910, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1168, N'No', 6911, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1169, N'Yes', 6911, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1170, N'No', 6912, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1171, N'Yes', 6912, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1172, N'No', 6913, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1173, N'yes', 6913, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1174, N'No', 6914, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1175, N'yes', 6914, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1176, N'No', 6915, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1177, N'yes', 6915, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1178, N'No', 6915, 3, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1179, N'yes', 6915, 4, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1180, N'No', 6917, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1181, N'yes', 6917, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1182, N'No', 6918, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1183, N'yes', 6918, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1184, N'No', 6919, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1185, N'yes', 6919, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1186, N'no', 6920, 1, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+INSERT INTO [dbo].[MATURITY_ANSWER_OPTIONS] ([Mat_Option_Id], [Option_Text], [Mat_Question_Id], [Answer_Sequence], [ElementId], [Weight], [Mat_Option_Type], [Parent_Option_Id], [Has_Answer_Text], [Formula], [Threshold], [RiFormula], [ThreatType], [Is_None]) VALUES (1187, N'yes', 6920, 2, NULL, NULL, N'radio', NULL, 0, NULL, NULL, NULL, NULL, 0)
+SET IDENTITY_INSERT [dbo].[MATURITY_ANSWER_OPTIONS] OFF
+PRINT(N'Operation applied to 106 rows out of 106')
+
+PRINT(N'Add rows to [dbo].[MATURITY_QUESTIONS]')
+SET IDENTITY_INSERT [dbo].[MATURITY_QUESTIONS] ON
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6881, N'IR-3F.C3', N'Segregating (removing from the network) the infected device(s)?', N'', NULL, NULL, 1, 1, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1123, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6882, N'IR-3F.C4', N'Segregating any other devices that shared a network with the infected device(s)?', N'', NULL, NULL, 1, 2, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1123, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6883, N'IR-3F.C5', N'Preserving volatile memory by collecting a forensic memory image of affected device(s) before powering off or moving?', N'', NULL, NULL, 1, 3, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1123, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6884, N'IR-3F.C6', N'Isolating and securing all infected and potentially infected devices, making sure to clearly label any equipment that has been affected by malicious code?', N'', NULL, NULL, 1, 4, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1123, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6885, N'IR-3F.C7', N'Does the CIRP provide specific measures sufficient to ensure security and integrity of backed-up data, including measures to secure backups?', N'', NULL, NULL, 1, 4, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1117, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6886, N'IR-3F.C8', N'Does the CIRP provide specific measures sufficient to store backup data separate from the system?', N'', NULL, NULL, 1, 5, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1117, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6887, N'IR-3F.C9', N'Does the CIRP provide procedures to ensure that the backup data is free of known malicious code when the backup is made and when tested for restoral?', N'', NULL, NULL, 1, 6, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1117, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6888, N'IR-3F.C10', N'Does the CIRP establish capability and governance for isolating the Information and Operational Technology systems in the event of a cybersecurity incident that results or could result in operational disruption?', N'', NULL, NULL, 1, 7, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1117, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6889, N'IR-3F.C11', N'Does the CIRP establish exercises to test the effectiveness of procedures, no less than annually?', N'', NULL, NULL, 1, 8, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1117, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6890, N'IR-3F.C12', N'Does the CIRP establish exercises to test the effectiveness of personnel responsible for implementing measures in this Cybersecurity Incident Response Plan?', N'', NULL, NULL, 1, 9, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1117, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6891, N'IR-3F.C13', N'Does the CIRP establish exercises that test at least two objectives from sections IR-02D.C2 through IR-02D.C10 (listed above) no less than annually?', N'', NULL, NULL, 1, 10, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1117, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6892, N'IR-3F.C14', N'Does the CIRP establish/identify who (by position) is responsible for implementing the specific measures in the Incident Response Plan and any necessary resources needed to implement the measures?', N'', NULL, NULL, 1, 11, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1117, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6893, N'IR-3F.C15', N'Do the exercises required in IR-02D.C13 include the employees identified (by position) in IR-02D.C14 as active participants in the exercises?', N'', NULL, NULL, 1, 12, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1117, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6894, N'IR-3D.Q1', N'Does the O/O have Security, Orchestration, Automation and Response (SOAR) capabilities in place that standardize incident response?', N'Security Orchestration, Automation, and Response (SOAR) capabilities help standardize and streamline incident response processes by integrating security tools, automating tasks, and orchestrating workflows. Some options for SOAR capabilities that facilitate standardized incident response include:
+
+1. Incident Triage and Prioritization: SOAR platforms provide functionalities to automatically triage and prioritize security incidents based on predefined rules and criteria. This helps ensure consistent and efficient handling of incidents, allowing security teams to focus on critical incidents first.
+
+2. Alert Management and Enrichment: SOAR tools can aggregate and consolidate security alerts from various sources, such as SIEMs, IDS/IPS, and endpoint detection and response (EDR) systems. They enrich these alerts with additional contextual information, such as threat intelligence and asset data, to provide a comprehensive view of each incident.
+
+3. Automated Response Actions: SOAR platforms enable the automation of repetitive and manual response actions. They integrate with security tools and systems, allowing for the execution of predefined response actions based on the characteristics of an incident. This automation reduces response time, minimizes human error, and ensures consistent application of response procedures.
+
+4. Playbooks and Workflows: SOAR capabilities include the creation and execution of incident response playbooks and workflows. These playbooks outline step-by-step procedures and actions to be taken during different types of incidents. Workflows ensure that response actions are executed in a standardized and consistent manner, ensuring repeatability and adherence to best practices.
+
+5. Collaboration and Communication: SOAR platforms facilitate collaboration among incident response teams and stakeholders. They provide centralized communication channels, task assignment capabilities, and progress tracking mechanisms to ensure effective coordination during incident response. This helps maintain a shared understanding of the incident and fosters collaboration across teams.
+
+6. Case Management and Reporting: SOAR tools often include case management functionalities that enable the tracking, documentation, and reporting of incidents. They provide a centralized repository for incident data, response actions, and investigation findings. This facilitates incident analysis, regulatory reporting, and post-incident reviews.
+
+7. Metrics and Analytics: SOAR capabilities offer metrics and analytics functionalities to monitor and measure the effectiveness of incident response processes. They provide insights into key performance indicators (KPIs), response times, resolution rates, and other relevant metrics. This data can be used to identify areas for improvement and optimize incident response workflows.
+
+8. Integration with Threat Intelligence: SOAR platforms integrate with external threat intelligence feeds to enhance incident detection and response. They leverage up-to-date threat intelligence data to enrich alerts, identify patterns, and support decision-making during incident response. Integration with threat intelligence ensures that response actions are based on the latest threat landscape.
+
+9. Continuous Improvement and Learning: SOAR capabilities support continuous improvement through post-incident analysis and learning. They capture and document lessons learned from each incident, allowing for the refinement of playbooks, workflows, and response procedures. This iterative process ensures that incident response processes are constantly evolving and adapting to emerging threats.
+
+10. Compliance and Audit Support: SOAR platforms help organizations meet regulatory compliance requirements by providing audit trails, documentation, and reporting capabilities. They facilitate the generation of incident response reports, evidence collection for investigations, and compliance-related documentation, aiding in regulatory audits and assessments.', NULL, NULL, 1, 2, 14, NULL, NULL, 2612, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6895, N'IR-3D.C1', N'Describe the Security, Orchestration, Automation and Response (SOAR) capabilities in place.', N'', NULL, NULL, 1, 1, 14, NULL, NULL, NULL, NULL, NULL, N'memo', 1151, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6896, N'LP-3D.Q1', N'Evaluate logging policies and tools. Do the policies and tools provide for continuous logging and analysis for intrusions and anomalous behavior?', N'Implementing effective logging practices, including continuous logging and analysis, is crucial for detecting intrusions and anomalous behavior in an organization''s systems. Best practices include:
+
+1. Log Everything of Importance: Enable logging for all critical systems, applications, network devices, and security controls. Ensure that relevant log events, including system events, authentication logs, network traffic logs, and application logs, are captured. Logging everything of importance provides comprehensive visibility into the environment and enables thorough analysis.
+
+2. Define Logging Policies: Establish logging policies that outline what events should be logged, the log retention period, and the level of detail to be captured. Ensure compliance with regulatory requirements and industry standards. Regularly review and update logging policies to address emerging threats and evolving compliance needs.
+
+3. Centralized Log Management: Implement a centralized log management solution or Security Information and Event Management (SIEM) system to aggregate, store, and analyze log data from various sources. Centralizing logs allows for easier analysis, correlation, and detection of intrusions or anomalous behavior across the organization''s infrastructure.
+
+4. Real-Time Log Monitoring: Enable real-time log monitoring to detect intrusions and anomalous behavior promptly. Leverage SIEM tools or log monitoring solutions that provide real-time alerts and notifications for critical log events. Monitor logs continuously to identify suspicious activities, such as failed login attempts, privilege escalation, or unusual network traffic patterns.
+
+5. Log Retention and Backup: Establish a log retention policy that defines the duration for which logs should be retained. Ensure compliance with legal, regulatory, and internal requirements. Regularly back up log data to protect against data loss and maintain the availability of logs for future analysis or investigations.
+
+6. Log Analysis and Correlation: Use log analysis and correlation techniques to identify patterns, trends, and anomalies across different log sources. Leverage automated log analysis tools, machine learning algorithms, and threat intelligence feeds to detect indicators of compromise (IoCs) and potential intrusions. Correlate events from multiple log sources to gain a holistic view of security incidents.
+
+7. Threat Hunting: Conduct proactive threat hunting activities by analyzing log data to search for indicators of advanced threats or suspicious behaviors. Use advanced analytics techniques, behavioral analysis, and threat intelligence to uncover hidden threats that may evade traditional security controls. Regularly review logs to identify potential security gaps or emerging attack techniques.
+
+8. Regular Log Review: Establish a process for regular log review and analysis. Assign dedicated personnel or a security team responsible for reviewing logs on a periodic basis. Conduct routine log review sessions to identify anomalies, perform trend analysis, and investigate any potential security incidents or breaches.
+
+9. Automation and Alerting: Automate log analysis and alerting processes to improve efficiency and responsiveness. Configure automated alerts for specific log events or predefined threat scenarios. Set up thresholds or rules that trigger alerts for abnormal or suspicious log activities. This helps ensure that critical log events are promptly detected and acted upon.
+
+10. Training and Expertise: Provide training to security personnel on log analysis techniques, log interpretation, and incident response procedures. Invest in developing the expertise of security analysts to effectively analyze and interpret log data. Regularly update their knowledge to keep pace with emerging log analysis methods and evolving threats.', NULL, NULL, 1, 1, 14, NULL, NULL, 2613, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6897, N'LP-3D.Q2', N'How are events and logs correlated to detect an intrusion or anomalous behavior?', N'Correlating logs to detect intrusions or anomalous behavior is a powerful technique in identifying security incidents. Best practices for effective log correlation include:
+
+1. Define Use Cases: Clearly define the use cases or specific scenarios for log correlation. Identify the types of threats or anomalies you want to detect, such as brute-force attacks, privilege escalation, lateral movement, or data exfiltration. Use cases help focus log correlation efforts and ensure that relevant log data is analyzed.
+
+2. Log Source Integration: Integrate logs from multiple sources, including network devices, servers, applications, endpoints, and security controls. Collect and centralize log data using a centralized log management or SIEM system. Ensure that all relevant log sources are configured to send their logs to the central repository.
+
+3. Normal Behavior Baseline: Establish a baseline of normal behavior by analyzing historical log data. Determine what constitutes normal or expected log patterns and activities. This baseline allows for the identification of deviations or anomalies that may indicate an intrusion or suspicious behavior.
+
+4. Identify Relevant Log Fields: Determine the log fields that provide valuable information for log correlation. Examples include source IP addresses, destination IP addresses, usernames, timestamps, event types, or specific log codes. Identify the key log fields that are essential for detecting specific threats or anomalies.
+
+5. Define Correlation Rules: Develop correlation rules based on known attack patterns, threat intelligence, and behavioral analysis. These rules specify the conditions under which log events should be correlated. Correlation rules may include specific sequences of events, patterns of failed login attempts, or specific combinations of log events that indicate suspicious activities.
+
+6. Contextual Enrichment: Enrich log data with additional contextual information to enhance correlation and analysis. Include information such as user roles, asset information, network topology, or threat intelligence feeds. This contextual data helps in understanding the significance of log events and aids in accurate correlation.
+
+7. Cross-Log Correlation: Correlate events across different log sources to identify relationships or dependencies between activities. Look for patterns or sequences of events that span multiple log sources, indicating coordinated or multi-stage attacks. Cross-log correlation provides a comprehensive view of the attack chain and helps detect sophisticated threats.
+
+8. Time Synchronization: Ensure that log timestamps are accurate and synchronized across different systems and log sources. Inaccurate timestamps can hamper effective log correlation. Implement time synchronization mechanisms, such as Network Time Protocol (NTP), to maintain consistency in log timestamps.
+
+9. Automated Log Analysis: Leverage log analysis tools or machine learning algorithms to automate the correlation process. Use automated log analysis techniques to identify patterns, anomalies, or suspicious activities that may go unnoticed by manual analysis. Automated analysis helps handle large volumes of log data efficiently and speeds up detection and response.
+
+10. Regular Rule Review and Updates: Regularly review and update correlation rules to adapt to emerging threats and changes in the environment. Monitor the effectiveness of existing rules, fine-tune them as needed, and add new correlation rules based on evolving attack vectors or security requirements.
+
+11. Threat Intelligence Integration: Integrate threat intelligence feeds into log correlation processes. Incorporate known indicators of compromise (IoCs) or threat intelligence data to enhance log correlation capabilities. Leverage threat intelligence to identify and correlate log events associated with known attack campaigns or malicious activities.
+
+12. Continuous Improvement and Collaboration: Foster a culture of continuous improvement by continuously analyzing and refining log correlation processes. Encourage collaboration between security analysts, incident responders, and threat intelligence teams to share knowledge, insights, and feedback on log correlation techniques and results.', NULL, NULL, 1, 2, 14, NULL, NULL, 2613, NULL, NULL, N'memo', NULL, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6898, N'LP-3D.Q3', N'Observe a sampling of logs collected and confirm they adhere to the retention policy defined by the O/O’s CIP.', N'', NULL, NULL, 1, 3, 14, NULL, NULL, 2613, NULL, NULL, N'memo', NULL, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6899, N'LP-3D.Q4', N'Have the O/O walk-through the procedures to isolate the OT system from the IT system in the event that a cybersecurity event jeopardizes the safety and reliability of the OT system.', N'Isolating the Operational Technology (OT) system from the Information Technology (IT) system is a critical step to prevent the spread of a cybersecurity event and protect the safety and reliability of the OT environment. Best practices and procedures to consider for isolating the OT system in the event of a cybersecurity event include:
+
+• Network Segmentation: Implement strict network segmentation between the OT and IT systems. This involves physically or logically separating the networks to prevent unauthorized access or lateral movement between them. Use firewalls, network segmentation devices, or virtual LANs (VLANs) to enforce network separation.
+
+• Access Control Policies: Define and enforce stringent access control policies for both OT and IT environments. Restrict access to the OT system only to authorized personnel with a genuine need to interact with it. Use strong authentication mechanisms, such as multi-factor authentication (MFA) or smart cards, to ensure only authorized users can access the OT system.
+
+• Air Gapping: Consider implementing air-gapping as an additional layer of isolation. Air-gapping involves physically disconnecting the OT system from external networks, such as the internet or corporate IT networks. This prevents any direct communication between the OT system and external networks, significantly reducing the attack surface.
+
+• Network Monitoring and Intrusion Detection: Deploy network monitoring and intrusion detection systems (IDS) specifically tailored for the OT environment. These systems should monitor network traffic, detect anomalies, and raise alerts in case of suspicious activities. This helps in early detection and response to potential cybersecurity events affecting the OT system.
+
+• Incident Response Plan: Develop a comprehensive incident response plan that specifically addresses cybersecurity incidents impacting the OT system. This plan should outline clear procedures for isolating the affected OT components, including instructions for disconnecting or shutting down affected equipment, and restoring operations safely.
+
+• Communication Protocols: Establish secure communication protocols between the OT and IT systems. Ensure that any information exchange between the two systems is encrypted and authenticated to maintain confidentiality and integrity.
+
+• Backup and Recovery: Implement regular and secure backup mechanisms for OT system data and configurations. This ensures that in the event of a cybersecurity incident, the OT system can be restored to a known good state. Backups should be stored offline or in secure locations to prevent compromise.
+
+• Regular Testing and Training: Conduct regular testing, simulations, and drills to validate the effectiveness of the isolation procedures and the incident response plan. Additionally, provide ongoing training to personnel involved in managing the OT system to ensure they understand their roles and responsibilities in maintaining the separation and responding to cybersecurity events.', NULL, NULL, 1, 4, 14, NULL, NULL, 2613, NULL, NULL, N'memo', NULL, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6900, N'PA-3E.Q1', N'Do the O/O’s patching policies and procedures ensure that systems are patched to the most current version possible for the environment?', N'Implementing effective patching policies and procedures is crucial for maintaining the security and integrity of systems. Best practices to ensure systems are patched to the most current version possible include:
+
+1. Patch Management Policy: Develop a comprehensive patch management policy that outlines the objectives, roles and responsibilities, and procedures for patching. This policy should align with industry best practices and compliance requirements.
+
+2. Vulnerability Assessment and Prioritization: Conduct regular vulnerability assessments to identify security vulnerabilities in systems and prioritize them based on severity and potential impact. This helps focus patching efforts on the most critical vulnerabilities first.
+
+3. Patch Testing and Staging: Establish a testing and staging environment to evaluate patches before deploying them to production systems. Test patches on representative systems to ensure they don''t introduce compatibility issues or unintended consequences. Staging environments allow for further validation and verification of patching before deployment to production systems.
+
+4. Patch Deployment Schedule: Define a patch deployment schedule that includes regular maintenance windows for applying patches. Consider the criticality and impact of systems and schedule patches accordingly to minimize disruption to business operations.
+
+5. Centralized Patch Management System: Implement a centralized patch management system or tool to streamline the patching process. This system should provide automation capabilities for patch deployment, monitoring, and reporting.
+
+6. Regular Patch Monitoring and Notifications: Continuously monitor vendor advisories, security bulletins, and other reliable sources to stay informed about the latest patches and vulnerabilities. Set up notifications or subscriptions to receive timely updates and alerts regarding new patches.
+
+7. Patch Deployment Testing in a Controlled Environment: Before deploying patches to production systems, test them in a controlled environment that mirrors the production environment as closely as possible. This testing ensures that patches are compatible and won''t disrupt critical operations.
+
+8. Regular System Inventory: Maintain an up-to-date inventory of systems and software within the organization. This inventory should include information about the installed versions and patch levels of operating systems, applications, and other software components. It helps in tracking the patching status of systems and identifying any gaps or discrepancies.
+
+9. Change Management Processes: Incorporate patching into the organization''s change management processes. Follow proper change control procedures to document and track patching activities, ensuring accountability and minimizing risks associated with unauthorized or unplanned changes.
+
+10. User Awareness and Training: Educate system administrators, IT staff, and end-users about the importance of patching and the role they play in maintaining a secure environment. Promote awareness of security risks associated with unpatched systems and provide training on proper patching procedures.
+
+11. Continuous Monitoring and Evaluation: Establish ongoing monitoring and evaluation mechanisms to ensure the effectiveness of patching policies and procedures. Regularly assess the patching process, measure compliance levels, and identify areas for improvement.
+
+12. Vendor Relationships and Support: Foster strong relationships with software vendors and maintain support agreements. Promptly communicate with vendors to report vulnerabilities and request patches when needed. Vendor support can provide timely assistance and access to critical patches.', NULL, NULL, 1, 1, 14, NULL, NULL, 2614, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6901, N'PA-3E.Q2', N'Determine what method or tools the O/O utilizes to ensure patches are current and up to date.', N'Implementing effective patching policies and procedures is crucial for maintaining the security and integrity of systems. Best practices to ensure systems are patched to the most current version possible include:
+
+1. Operating System Update Services: Many operating systems provide built-in update services that deliver patches, updates, and security fixes directly to the systems. These services ensure that the operating system is up to date and protected against known vulnerabilities.
+
+2. Patch Management Systems: Patch management systems help centralize and automate the deployment of patches. They schedule updates, provide reporting capabilities, and ensure timely patching across the organization''s systems.
+
+3. Vulnerability Scanners: Vulnerability scanning tools can identify missing patches or vulnerabilities in systems. They generate reports and recommendations for patching, enabling organizations to prioritize and address vulnerabilities.
+
+4. Patch Deployment Tools: Automation tools like Ansible, Puppet, or Chef can automate the deployment of patches across multiple systems. These tools streamline the patching process and ensure consistent and efficient patch deployment.
+
+5. Software Update Managers: Some software applications include their own update managers that automatically check for updates and install patches. These managers keep the software up to date with the latest patches and security fixes.
+
+6. Vulnerability Management Platforms: Comprehensive vulnerability management platforms incorporate patch management features. They help identify vulnerabilities, prioritize patches, and track the patching progress to maintain a secure environment.
+
+7. Security Information and Event Management (SIEM) Systems: SIEM systems integrate with patch management tools and provide monitoring capabilities. They help track patching activities, generate alerts for outdated systems, and provide insights into patching compliance and vulnerabilities.
+
+8. Software Inventory and Asset Management Tools: Software inventory and asset management tools track installed software and their versions. By monitoring software versions and comparing them against available patches, these tools help identify outdated or unpatched software.
+
+9. Vendor Notifications and Subscriptions: Organizations can subscribe to vendor notifications, security mailing lists, or RSS feeds to stay informed about new patches and updates. Vendors often release security advisories or bulletins that provide information on patches and vulnerabilities.
+
+10. Continuous Monitoring and Threat Intelligence: Implementing continuous monitoring solutions, threat intelligence platforms, or managed security service providers (MSSPs) can provide real-time visibility into emerging threats and vulnerabilities. These solutions help organizations proactively identify required patches and updates to address security risks.', NULL, NULL, 1, 2, 14, NULL, NULL, 2614, NULL, NULL, N'memo', NULL, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6902, N'PA-3E.Q3', N'Conduct a sampling of systems for verification of current patches to include OS, applications and firmware.', N'Conducting a sampling of systems to verify the current patch status, including the operating system (OS), applications, and firmware, involves a systematic approach to ensure representative coverage:
+
+1. Identify Target Systems: Determine the scope of the sampling process by identifying the target systems for verification. Consider factors such as criticality, system types, network segments, and regulatory requirements. Ensure a representative sample that includes a variety of systems across different areas of the infrastructure.
+2. Determine Patch Sources: Identify the sources of necessary patch information for verification. This may include vendor websites, patch management tools, vulnerability scanners, or asset management systems. Ensure access to accurate and up-to-date patch information for the selected systems.
+3. Define Verification Criteria: Establish criteria for verifying the patch status. This may include specific patch levels, versions, or security updates that should be present on the target systems. Consider relevant security advisories, patch release notes, or industry best practices to define verification criteria.
+4. Inventory and Documentation: Create an inventory of the target systems selected for sampling. Include details such as system names, IP addresses, hardware specifications, installed OS, applications, and firmware versions. Ensure accurate and up-to-date documentation to track the systems and their respective patch levels.
+5. Automated Scanning: Utilize vulnerability scanning or patch management tools to automate the verification process. These tools can scan the selected systems, compare their patch levels against the desired criteria, and provide reports on the current patch status. Configure the tools to scan both the OS and installed applications/firmware.
+6. Manual Verification: While automated scanning is useful, it''s also important to perform manual verification for a subset of systems. Randomly select a portion of the target systems and manually verify their patch status by checking the installed patches, versions, or firmware levels against the defined criteria. This adds an extra layer of validation and helps identify potential gaps or false positives.
+7. Document Findings: Maintain records of the verification results, including systems that meet the patch criteria and those that require further attention. Document any discrepancies, missing patches, or outdated firmware versions that are identified during the process. These records will serve as a reference for remediation and future audits.
+8. Remediation and Patching Plan: Based on the verification findings, develop a remediation plan to address any identified gaps or non-compliant systems. Prioritize systems based on their criticality, risk level, and potential impact. Implement a patching plan to ensure the necessary updates are applied to bring the systems into compliance with the defined patch levels.
+9. Ongoing Monitoring: Establish a process for ongoing monitoring of patch status to maintain a secure and up-to-date environment. Regularly repeat the verification process for new systems, changes to existing systems, or as part of routine patch management practices.', NULL, NULL, 1, 3, 14, NULL, NULL, 2614, NULL, NULL, N'memo', NULL, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6903, N'PA-3E.Q4', N'Walk through the process the O/O uses to prioritize application of patches to include the CISA Known Exploitable Vulnerabilities catalog.', N'When applying patches, including those addressing CISA Known Exploitable Vulnerabilities, best practices indicate to consider:
+
+1. Severity of the Vulnerability: Assess the severity level of the known exploitable vulnerabilities identified by CISA. CISA Known Exploitable Vulnerabilities, which are publicly known vulnerabilities with available patches, should be given high priority. Vulnerabilities with higher severity ratings, such as critical or high, should be given immediate attention and prioritized for patching. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
+
+2. Exploit Availability: Determine if there are known exploits publicly available for the vulnerabilities. If there are active exploits in the wild, it is crucial to prioritize patching those vulnerabilities to minimize the risk of exploitation.
+
+3. System Criticality: Consider the criticality of the systems affected by the vulnerabilities. Focus on patching vulnerabilities in critical infrastructure, sensitive systems, or systems holding sensitive data. These systems often require higher priority to ensure the protection of essential assets.
+
+4. Impact Potential: Evaluate the potential impact that successful exploitation of the vulnerabilities could have on the organization. Consider the potential for data breaches, service disruptions, unauthorized access, or the compromise of sensitive information. Prioritize patching vulnerabilities that pose the greatest potential impact.
+
+5. Patch Availability: Check if patches or mitigations are available from the vendors or developers responsible for the affected software or systems. Prioritize vulnerabilities for which patches are readily available, as they can be applied immediately to remediate the issue.
+
+6. Compliance Requirements: Consider any compliance requirements or regulations specific to the industry. Some industries have specific guidelines for patching critical vulnerabilities promptly. Ensure that the prioritization aligns with these requirements to maintain compliance.
+
+7. Risk Assessment: Conduct a risk assessment that takes into account the vulnerabilities, the organization''s specific environment, and the potential impact on business operations. Evaluate the likelihood and potential consequences of an exploit to determine the appropriate priority for patching.
+
+8. Resource Allocation: Consider the available resources, such as manpower, time, and infrastructure, for patching activities. Prioritize vulnerabilities based on the resources required for patching and the feasibility of implementing the patches within the given constraints.
+
+It is important to note that patching prioritization is a dynamic process that requires continuous monitoring and adjustment. New vulnerabilities may emerge, and their prioritization may change based on evolving threats and circumstances. Regularly review and update the patching prioritization based on the latest information and security landscape.', NULL, NULL, 1, 4, 14, NULL, NULL, 2614, NULL, NULL, N'memo', NULL, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6904, N'PA-3E.Q5', N'Verify the mitigation strategies in place for systems that cannot be patched or updated to include a timeline to apply those patches.', N'Mitigation strategies are crucial for systems that cannot be patched or updated due to various reasons, such as end-of-life status, vendor limitations, or operational constraints. Best practices for implementing mitigation strategies and establishing a timeline for applying patches include:
+
+1. Risk Assessment: Conduct a thorough risk assessment to understand the potential risks associated with the unpatched systems. Assess the likelihood and potential impact of a successful exploit on the system and the broader environment. This assessment helps prioritize mitigation efforts and allocate resources effectively.
+
+2. Network Segmentation: Implement network segmentation to isolate the unpatched systems from critical or high-risk network segments. This helps contain potential threats and minimizes the impact on the rest of the network. Segmentation reduces the attack surface and limits lateral movement in the event of a compromise.
+
+3. Intrusion Detection and Prevention Systems (IDPS): Deploy IDPS solutions to monitor network traffic and detect and block known attack patterns or exploit attempts targeting the unpatched systems. Configure the IDPS to alert administrators or automatically block suspicious activities, providing an additional layer of defense.
+
+4. Application Firewalls: Utilize application-level firewalls to protect unpatched systems. These firewalls can analyze application-layer traffic and enforce security policies, protecting against known attack vectors and potential vulnerabilities in the applications.
+
+5. User Training and Awareness: Provide comprehensive training and awareness programs to educate users about potential risks and secure practices when using unpatched systems. This includes teaching employees to identify phishing attempts, avoid suspicious links, and practice good security hygiene.
+
+6. Vulnerability Management: Implement robust vulnerability management practices to regularly scan and assess the security posture of the unpatched systems. Continuously monitor for new vulnerabilities and apply compensating controls or mitigation measures as appropriate.
+
+7. System Hardening: Apply strict security configurations and hardening measures to the unpatched systems. This includes disabling unnecessary services, implementing strong access controls, utilizing secure communication protocols, and regularly updating and maintaining security configurations.
+
+8. Vendor Support and Workarounds: Engage with vendors to explore alternatives to patching, such as workarounds, mitigations, or extended support agreements. Some vendors provide specialized support options for end-of-life or legacy systems. Work with vendors to identify the best approach for maintaining security on those systems.
+
+9. Regular Review and Updates: Continuously review the mitigation strategies and reassess the feasibility of applying patches or updates over time. As circumstances change, new solutions or options may become available. Regularly revisit the timeline for patching and update efforts based on evolving risks and operational considerations.
+
+10. Documentation and Monitoring: Maintain detailed documentation of the mitigation strategies implemented for each unpatched system. This documentation should include configuration details, monitoring procedures, and any specific mitigation steps taken. Regularly review and monitor the effectiveness of the implemented mitigations.
+
+While mitigation strategies help reduce risk, it is essential to have a long-term plan to retire or replace unpatched systems whenever feasible. The timeline for applying patches should be continuously reassessed based on the availability of new solutions, changes in the threat landscape, and the organization''s resources and priorities.', NULL, NULL, 1, 5, 14, NULL, NULL, 2614, NULL, NULL, N'memo', NULL, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6905, N'CAP-3G.Q1', N'Has the O/O developed a Cybersecurity Assessment Plan for proactively assessing and auditing cybersecurity measures?', N'', NULL, NULL, 1, 1, 14, NULL, NULL, 2615, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6906, N'CAP-3G.Q2', N'Does the CAP proactively assess the O/O’s Critical Cyber Systems to ascertain the effectiveness of cybersecurity measures?', N'', NULL, NULL, 1, 1, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1157, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6907, N'CAP-3G.Q3', N'Does the CAP proactively assess the O/O’s Critical Cyber Systems to identify and resolve device, network, and/or system vulnerabilities?', N'', NULL, NULL, 1, 2, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1157, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6908, N'CAP-3G.Q4', N'Does the CAP assess the effectiveness of the Owner/Operator''s TSA-approved Cybersecurity Implementation Plan (CIP)?', N'', NULL, NULL, 1, 3, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1157, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6909, N'CAP-3G.Q5', N'Does the CAP include a cybersecurity architecture design review at least once every two years that includes verification and validation of network traffic and system log review?:', N'', NULL, NULL, 1, 4, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1157, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6910, N'CAP-3G.Q6', N'Does the CAP include a cybersecurity architecture design review at least once every two years that includes analysis to identify cybersecurity vulnerabilities related to network design, configuration, and inter-connectivity to internal and external systems?', N'', NULL, NULL, 1, 5, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1157, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6911, N'CAP-3G.Q7', N'Does the CAP incorporate other assessment capabilities, such as penetration testing of Information Technology systems?', N'', NULL, NULL, 1, 6, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1157, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6912, N'CAP-3G.Q8', N'Does the CAP incorporate other assessment capabilities, such as the use of "red" and "purple" team (adversarial perspective) testing?', N'', NULL, NULL, 1, 7, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1157, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6913, N'CAP-3G.Q9', N'Does the CAP include a schedule for assessing and auditing specific cybersecurity measures and/or actions required by sections 8.2 through 8.4 above?', N'', NULL, NULL, 1, 8, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1157, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6914, N'CAP-3G.Q10', N'Does the schedule ensure at least 30 percent of the policies, procedures, measures, and capabilities in the TSA-approved Cybersecurity Implementation Plan are assessed each year, with 100 percent assessed over any three-year period?', N'', NULL, NULL, 1, 9, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1157, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6915, N'CAP-3G.Q11', N'Does the CAP ensure a “Cybersecurity Assessment Plan: Annual Report” containing the results of assessments conducted in accordance with the CAP is submitted to TSA as described in paragraph G.4. of this section?', N'', NULL, NULL, 1, 10, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1157, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6916, N'CAP-3G.Q12', N'Does the required CAP Annual Report include the assessment method(s) used to determine whether the policies, procedures, and capabilities described by the O/O in its Cybersecurity Implementation Plan are effective?', N'', NULL, NULL, 1, 11, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1157, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6917, N'CAP-3G.Q13', N'Does the required CAP Annual Report include the results of the individual assessments conducted?', N'', NULL, NULL, 1, 12, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1157, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6918, N'CAP-3G.Q14', N'Does the required CAP Annual Report include assessments conducted only during the previous 12 month period?', N'', NULL, NULL, 1, 13, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1157, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6919, N'CAP-3G.Q15', N'Does the Owner/Operator review and update their Cybersecurity Assessment Plan on an annual basis?', N'', NULL, NULL, 1, 14, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1157, NULL, NULL, NULL, NULL, NULL)
+INSERT INTO [dbo].[MATURITY_QUESTIONS] ([Mat_Question_Id], [Question_Title], [Question_Text], [Supplemental_Info], [Category], [Sub_Category], [Maturity_Level_Id], [Sequence], [Maturity_Model_Id], [Parent_Question_Id], [Ranking], [Grouping_Id], [Examination_Approach], [Short_Name], [Mat_Question_Type], [Parent_Option_Id], [Supplemental_Fact], [Scope], [Recommend_Action], [Risk_Addressed], [Services]) VALUES (6920, N'CAP-3G.Q16', N'Has the O/O submitted the CAP to TSA for approval no later than 12 months from the date of the previous Cybersecurity Assessment Plan submission or TSA''s approval of the previous plan?', N'', NULL, NULL, 1, 15, 14, NULL, NULL, NULL, NULL, NULL, NULL, 1157, NULL, NULL, NULL, NULL, NULL)
+SET IDENTITY_INSERT [dbo].[MATURITY_QUESTIONS] OFF
+PRINT(N'Operation applied to 40 rows out of 40')
+
+PRINT(N'Add rows to [dbo].[MATURITY_REFERENCE_TEXT]')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6801, 1, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6802, 1, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6803, 1, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6804, 1, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6805, 1, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6806, 1, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6807, 1, N'')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6808, 1, N'- Inhibit Response Function
- Impact
- Denial of Service
- Inhibit Response Function
- Impact
- Denial of Service
- Information Disclosure
- Lateral Movement
- Information Disclosure
- Lateral Movement
- Initial Access
- Tampering
- Information Disclosure
- Elevation of Privilege
- Initial Access
- Tampering
- Information Disclosure
- Elevation of Privilege
- Initial Access
- Tampering
- Information Disclosure
- Elevation of Privilege
- Privilege Escalation
- Exfiltration
ID.RA-1,
ID.RA-5,
ID.SC-4,
PR.IP-7,
PR.IP-8,
DE.AE-2,
DE.AE-3,
DE.CM-1,
DE.CM-2,
DE.CM-3,
DE.CM-6,
DE.CM-7,
DE.DP-1,
DE.DP-2,
DE.DP-3,
DE.DP-4,
DE.DP-5,
RS.AN-1,
RS.MI-3 - Privilege Escalation
- Exfiltration
- Tampering
- Information Disclosure
- Impact
ID.RA-1,
ID.RA-5,
ID.SC-4,
PR.IP-7,
PR.IP-8,
DE.AE-2,
DE.AE-3,
DE.CM-1,
DE.CM-2,
DE.CM-3,
DE.CM-6,
DE.CM-7,
DE.DP-1,
DE.DP-2,
DE.DP-3,
DE.DP-4,
DE.DP-5,
RS.AN-1,
RS.MI-3 ')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6850, 1, N'- Execution
- Exfiltration
- Information Disclosure
- Execution
- Exfiltration
- Information Disclosure
- Execution
- Exfiltration
- Information Disclosure
- Execution
- Exfiltration
- Information Disclosure
- Execution
- Exfiltration
- Information Disclosure
- Execution
- Exfiltration
- Information Disclosure
- Execution
- Exfiltration
- Information Disclosure
- Execution
- Exfiltration
- Information Disclosure
- Execution
- Exfiltration
- Information Disclosure
- Execution
- Exfiltration
- Information Disclosure
- Execution
- Exfiltration
- Information Disclosure
ID.RA-1,
ID.RA-5,
ID.SC-4,
PR.IP-7,
PR.IP-8,
DE.AE-2,
DE.AE-3,
DE.CM-1,
DE.CM-2,
DE.CM-3,
DE.CM-6,
DE.CM-7,
DE.DP-1,
DE.DP-2,
DE.DP-3,
DE.DP-4,
DE.DP-5,
RS.AN-1,
RS.MI-3 ')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6868, 1, N' ID.RA-1,
ID.RA-5,
ID.SC-4,
PR.IP-7,
PR.IP-8,
DE.AE-2,
DE.AE-3,
DE.CM-1,
DE.CM-2,
DE.CM-3,
DE.CM-6,
DE.CM-7,
DE.DP-1,
DE.DP-2,
DE.DP-3,
DE.DP-4,
DE.DP-5,
RS.AN-1,
RS.MI-3 ')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6870, 1, N' ID.RA-1,
ID.RA-5,
ID.SC-4,
PR.IP-7,
PR.IP-8,
DE.AE-2,
DE.AE-3,
DE.CM-1,
DE.CM-2,
DE.CM-3,
DE.CM-6,
DE.CM-7,
DE.DP-1,
DE.DP-2,
DE.DP-3,
DE.DP-4,
DE.DP-5,
RS.AN-1,
RS.MI-3 ')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6871, 1, N' ID.RA-1,
ID.RA-5,
ID.SC-4,
PR.IP-7,
PR.IP-8,
DE.AE-2,
DE.AE-3,
DE.CM-1,
DE.CM-2,
DE.CM-3,
DE.CM-6,
DE.CM-7,
DE.DP-1,
DE.DP-2,
DE.DP-3,
DE.DP-4,
DE.DP-5,
RS.AN-1,
RS.MI-3 ')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6872, 1, N'- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
- Lateral Movement
TA0108,
TA0104,
TA0110,
TA0111,
TA0103,
TA0102,
TA0109,
TA0100,
TA0101,
TA0107,
TA0106,
TA0105 ')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6874, 1, N'- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
- Lateral Movement
TA0108,
TA0104,
TA0110,
TA0111,
TA0103,
TA0102,
TA0109,
TA0100,
TA0101,
TA0107,
TA0106,
TA0105 ')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6875, 1, N'- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
- Lateral Movement
TA0108,
TA0104,
TA0110,
TA0111,
TA0103,
TA0102,
TA0109,
TA0100,
TA0101,
TA0107,
TA0106,
TA0105 ')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6894, 1, N' ID.SC-5,
PR.IP-7,
PR.IP-8,
PR.IP-9,
DE.AE-3,
DE.AE-5,
RS.AN-4,
RS.CO-1,
RS.CO-2,
RS.CO-3,
RS.CO-4,
RS.IM-1,
RS.IM-2,
RS.RP-1,
RC.IM-1,
RC.IM-2,
RC.RP-1 ')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6896, 1, N' ID.SC-4,
PR.PT-1,
DE.AE-2,
DE.AE-3,
DE.DP-4,
RS.AN-1,
RS.CO-2,
ID.GV-1,
ID.GV-3,
PR.PT-1,
DE.DP-2 - Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
- Lateral Movement
TA0108,
TA0104,
TA0110,
TA0111,
TA0103,
TA0102,
TA0109,
TA0100,
TA0101,
TA0107,
TA0106,
TA0105 ')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6897, 1, N'- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
- Lateral Movement
TA0108,
TA0104,
TA0110,
TA0111,
TA0103,
TA0102,
TA0109,
TA0100,
TA0101,
TA0107,
TA0106,
TA0105 ')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6899, 1, N' ID.AM-5,
ID.AM-6,
ID.BE-4,
ID.BE-5,
ID.RA-4,
ID.SC-5,
PR.DS-4,
PR.IP-7,
PR.IP-8,
PR.IP-9,
DE.AE-3,
DE.AE-4,
RS.AN-2,
RS.AN-4,
RS.CO-1,
RS.CO-3,
RS.CO-4,
RS.IM-1,
RS.IM-2,
RS.RP-1,
RC.CO-3,
RC.IM-1,
RC.IM-2 ')
+INSERT INTO [dbo].[MATURITY_REFERENCE_TEXT] ([Mat_Question_Id], [Sequence], [Reference_Text]) VALUES (6900, 1, N'- Tampering
- Privilege Escalation
- Lateral Movement
- Tampering
- Impact
- Privilege Escalation
- Lateral Movement
- Tampering
- Privilege Escalation
- Lateral Movement
- Tampering
- Privilege Escalation
- Lateral Movement
- Tampering
- Privilege Escalation
- Lateral Movement