G.1.2 Software license conflict
G.2.5 Asset inventory
G.2.6 Protection of information at rest
G.3.1 Security-related contract terms
G.3.2 Separation of duties
G.3.3 Information disclosure
G.3.4 Session audits
G.3.5 Notification agreement
G.4.1 Role-based training
G.4.2 Contingency training
G.5.1 Criticality analysis
G.5.2 Track security risks and decisions
P.1.2 Software release integrity
P.3.2 Trusted repositories
P.3.4 Vetted third-party component and container repositories
P.4.5 Regular third-party compliance
E.2.2 Verify dependencies and environment
E.3.1 Authentication
E.3.3 Role-based access control
E.3.4 Information flow enforcement
G.3.x Support Upstream Dependencies