NIST CSF: PR.DS-3 Subcategory
From NIST's Cyber Security Framework (version 1):
Assets are formally managed throughout removal, transfers, and disposition
CSF Mapped to SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Related ISO 27001 Controls
Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
- Physical media transfer (8.3.3), ISO 27001:2013
- Disposal of media (8.3.2), ISO 27001:2013
- Secure disposal or re-use of equipment (11.2.7), ISO 27001:2013
- Removal of assets (11.2.5), ISO 27001:2013
- Handling of assets (8.2.3), ISO 27001:2013
- Management of removable media (8.3.1), ISO 27001:2013
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
- Information persistence (SR 4.2), ISA/IEC 62443-3-3:2013
- Develop lifecycle management processes for IACS information (4.3.4.4.1), ISA/IEC 62443-2-1:2009
- Establish procedures for the addition, removal, and disposal of assets (4.3.3.3.9), ISA/IEC 62443-2-1:2009
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to associated SP800-53 controls.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1221 | Template Injection | Defense Evasion |
T1548.004 | Elevated Execution with Prompt | Defense Evasion, Privilege Escalation |
T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
T1211 | Exploitation for Defense Evasion | Defense Evasion |
T1020.001 | Traffic Duplication | Exfiltration |
T1021.005 | VNC | Lateral Movement |
T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
T1495 | Firmware Corruption | Impact |
T1021.006 | Windows Remote Management | Lateral Movement |
T1601.001 | Patch System Image | Defense Evasion |
T1542.004 | ROMMONkit | Defense Evasion, Persistence |
T1564.007 | VBA Stomping | Defense Evasion |
T1557.003 | DHCP Spoofing | Collection, Credential Access |
T1137.001 | Office Template Macros | Persistence |
T1542.001 | System Firmware | Defense Evasion, Persistence |
T1505 | Server Software Component | Persistence |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1542 | Pre-OS Boot | Defense Evasion, Persistence |
T1547.007 | Re-opened Applications | Persistence, Privilege Escalation |
T1542.005 | TFTP Boot | Defense Evasion, Persistence |
T1218.009 | Regsvcs/Regasm | Defense Evasion |
T1195.003 | Compromise Hardware Supply Chain | Initial Access |
T1021.003 | Distributed Component Object Model | Lateral Movement |
T1559.002 | Dynamic Data Exchange | Execution |
T1602 | Data from Configuration Repository | Collection |
T1119 | Automated Collection | Collection |
T1218.012 | Verclsid | Defense Evasion |
T1059.007 | JavaScript | Execution |
T1091 | Replication Through Removable Media | Initial Access, Lateral Movement |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
T1218.004 | InstallUtil | Defense Evasion |
T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1203 | Exploitation for Client Execution | Execution |
T1190 | Exploit Public-Facing Application | Initial Access |
T1563.001 | SSH Hijacking | Lateral Movement |
T1601 | Modify System Image | Defense Evasion |
T1059.005 | Visual Basic | Execution |
T1213.001 | Confluence | Collection |
T1505.002 | Transport Agent | Persistence |
T1218.013 | Mavinject | Defense Evasion |
T1213.002 | Sharepoint | Collection |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1602.002 | Network Device Configuration Dump | Collection |
T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion |
T1553.006 | Code Signing Policy Modification | Defense Evasion |
T1059.001 | PowerShell | Execution |
T1546.002 | Screensaver | Persistence, Privilege Escalation |
T1564.006 | Run Virtual Instance | Defense Evasion |
T1059 | Command and Scripting Interpreter | Execution |
T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
T1137 | Office Application Startup | Persistence |
T1505.004 | IIS Components | Persistence |
T1189 | Drive-by Compromise | Initial Access |
T1553 | Subvert Trust Controls | Defense Evasion |
T1602.001 | SNMP (MIB Dump) | Collection |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1021.004 | SSH | Lateral Movement |
T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
T1218.008 | Odbcconf | Defense Evasion |
T1565.001 | Stored Data Manipulation | Impact |
T1218.014 | MMC | Defense Evasion |
T1218.005 | Mshta | Defense Evasion |
T1212 | Exploitation for Credential Access | Credential Access |
T1542.003 | Bootkit | Defense Evasion, Persistence |
T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation |
T1546.006 | LC_LOAD_DYLIB Addition | Persistence, Privilege Escalation |
T1053.002 | At | Execution, Persistence, Privilege Escalation |
T1565 | Data Manipulation | Impact |
T1052 | Exfiltration Over Physical Medium | Exfiltration |
T1563 | Remote Service Session Hijacking | Lateral Movement |
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
T1133 | External Remote Services | Initial Access, Persistence |
T1559 | Inter-Process Communication | Execution |
T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1593.003 | Code Repositories | Reconnaissance |
T1557 | Adversary-in-the-Middle | Collection, Credential Access |
T1546.014 | Emond | Persistence, Privilege Escalation |
T1127.001 | MSBuild | Defense Evasion |
T1218 | System Binary Proxy Execution | Defense Evasion |
T1011.001 | Exfiltration Over Bluetooth | Exfiltration |
T1530 | Data from Cloud Storage | Collection |
T1601.002 | Downgrade System Image | Defense Evasion |
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
T1565.002 | Transmitted Data Manipulation | Impact |
T1622 | Debugger Evasion | Defense Evasion, Discovery |
T1213 | Data from Information Repositories | Collection |
T1052.001 | Exfiltration over USB | Exfiltration |
T1046 | Network Service Discovery | Discovery |
T1563.002 | RDP Hijacking | Lateral Movement |
T1092 | Communication Through Removable Media | Command and Control |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1505.001 | SQL Stored Procedures | Persistence |
T1218.003 | CMSTP | Defense Evasion |
CSF Mapped to the NCSC CAF
Cyber Assessment Framework mappings generated from UK Cabinet Office data.
Control ID | Name | Description |
---|---|---|
A3.a | Asset Management | Everything required to deliver, maintain or support networks and information systems necessary for the operation of essential functions is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling). |
B3.e | Media Equipment Sanitisation | You appropriately sanitise media and equipment holding data important to the operation of the essential function. |
B3.d | Mobile Data | You have protected data important to the operation of the essential function on mobile devices. |