[ { "metric_id": "1.1.1", "metric_title": "% of identified Red Criticality application(s) with a defined owner", "asset_types": "Applications", "asset_types_in_scope": "Red Critical Applications", "application_types_in_scope": "", "environment_in_scope": "PROD", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "Critical", "exclusions": "", "special_conditions": "Business owner field cannot be null or empty", "data_sources_required": "Cherwell CMDB", "business_justification": "Critical apps need ownership for incident response", "notes": "Variants: Corp (no exclusions), Cust (exemption 1.1.1-Cust), SpecBus (WIP trend metric)" }, { "metric_id": "1.1.1A", "metric_title": "% of identified risk Tier 1 application(s) with a defined owner", "asset_types": "Applications", "asset_types_in_scope": "Tier 1 Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Business owner documented, Tier 1 flag must be True", "data_sources_required": "Cherwell CMDB", "business_justification": "Tier 1 apps need ownership for risk management", "notes": "" }, { "metric_id": "1.1.2", "metric_title": "% of production applications assets that have been classified", "asset_types": "Assets, Servers", "asset_types_in_scope": "Production Applications", "application_types_in_scope": "", "environment_in_scope": "PROD", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Criticality rating defined (not Undefined or No Criticality)", "data_sources_required": "Cherwell CMDB", "business_justification": "Asset classification drives prioritization", "notes": "Variants: Corp (count 
assets not applications), Cust (currently not reporting)" }, { "metric_id": "1.1.3", "metric_title": "% of Red Criticality applications compliant with disaster recovery exercise requirements", "asset_types": "Applications", "asset_types_in_scope": "Red Critical Applications", "application_types_in_scope": "", "environment_in_scope": "PROD", "status_in_scope": "Active, Installed", "instance_types_in_scope": "Charter On-Prem/Charter Managed, Charter Private Cloud/Charter Managed, Hybrid/Charter Managed", "criticality_levels_in_scope": "Critical", "exclusions": "Admin instances excluded", "special_conditions": "DR exercise within 365 days", "data_sources_required": "Cherwell CMDB", "business_justification": "DR testing ensures business continuity", "notes": "9box requirements implemented" }, { "metric_id": "1.1.3A", "metric_title": "% of risk Tier 1 applications compliant with disaster recovery exercise requirements", "asset_types": "Applications", "asset_types_in_scope": "Tier 1 Applications", "application_types_in_scope": "", "environment_in_scope": "PROD", "status_in_scope": "Active, Installed", "instance_types_in_scope": "Charter On-Prem/Charter Managed, Charter Private Cloud/Charter Managed, Hybrid/Charter Managed", "criticality_levels_in_scope": "Critical, High, Medium", "exclusions": "Admin instances excluded", "special_conditions": "DR exercise based on criticality thresholds", "data_sources_required": "Cherwell CMDB", "business_justification": "DR testing for high-risk applications", "notes": "" }, { "metric_id": "1.2.2", "metric_title": "% of servers associated with Red Criticality applications generating actionable logs", "asset_types": "Servers", "asset_types_in_scope": "Red Critical Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "Critical", "exclusions": "Appliances excluded", 
"special_conditions": "Logs seen in last 7 days", "data_sources_required": "Splunk, Cherwell CMDB", "business_justification": "Log visibility for critical systems", "notes": "OS or APP logs ingested by SIEM" }, { "metric_id": "1.2.2A", "metric_title": "% of servers associated with risk Tier 1 applications generating actionable logs", "asset_types": "Servers", "asset_types_in_scope": "Tier 1 Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Appliances excluded", "special_conditions": "Logs ingested by SIEM with actionable alerting", "data_sources_required": "Cherwell CMDB, Splunk", "business_justification": "", "notes": "" }, { "metric_id": "1.2.2All", "metric_title": "% of servers associated with applications generating actionable security logs", "asset_types": "Servers", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Appliances excluded", "special_conditions": "Security logs with actionable alerting", "data_sources_required": "Cherwell CMDB, Splunk", "business_justification": "Comprehensive log monitoring", "notes": "" }, { "metric_id": "1.2.2B", "metric_title": "% of servers associated w/ Red Criticality applications generating actionable OS logs", "asset_types": "Servers", "asset_types_in_scope": "Red Critical Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "Critical", "exclusions": "Appliances excluded", "special_conditions": "OS logs in Splunk indices containing 
'nix' or 'win'", "data_sources_required": "Cherwell CMDB, Splunk", "business_justification": "", "notes": "" }, { "metric_id": "1.2.2C", "metric_title": "% of servers associated w/ Red Criticality applications generating actionable APP logs", "asset_types": "Servers", "asset_types_in_scope": "Red Critical Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "Critical", "exclusions": "Appliances excluded", "special_conditions": "APP logs in Splunk indices NOT containing 'nix' or 'win'", "data_sources_required": "Cherwell CMDB, Splunk", "business_justification": "", "notes": "" }, { "metric_id": "1.2.3", "metric_title": "% of servers associated with Red Criticality applications monitored for compliance with a defined configuration baseline", "asset_types": "Servers", "asset_types_in_scope": "Red Critical Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "Critical", "exclusions": "Appliances excluded", "special_conditions": "Tanium deployed and monitoring", "data_sources_required": "Cherwell CMDB, Tanium", "business_justification": "Configuration drift detection", "notes": "" }, { "metric_id": "1.2.3A", "metric_title": "% of servers passing configuration compliance", "asset_types": "Servers", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Appliances excluded", "special_conditions": "Tanium compliance percentage >= 0.9", "data_sources_required": "Tanium", "business_justification": "90% compliance threshold", "notes": "" 
}, { "metric_id": "1.2.3All", "metric_title": "% of servers monitored for compliance with a defined configuration baseline", "asset_types": "Servers", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Appliances excluded", "special_conditions": "Tanium deployed and monitoring", "data_sources_required": "Cherwell CMDB, Tanium", "business_justification": "", "notes": "" }, { "metric_id": "1.2.4", "metric_title": "% of Red critical servers with confirmed supported operating systems", "asset_types": "Servers", "asset_types_in_scope": "Red Critical Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "Critical", "exclusions": "Appliances excluded", "special_conditions": "OS not past end of life and EOL date known", "data_sources_required": "Cherwell CMDB, ESD", "business_justification": "", "notes": "" }, { "metric_id": "1.2.4A", "metric_title": "% of risk Tier 1 applications without end of support operating system", "asset_types": "Applications", "asset_types_in_scope": "Tier 1 Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Appliances excluded", "special_conditions": "Applications not utilizing EOL systems", "data_sources_required": "Cherwell CMDB, ESD", "business_justification": "", "notes": "" }, { "metric_id": "1.2.5", "metric_title": "% of servers associated with Red Criticality Applications with installed and functioning endpoint security agents", "asset_types": "Servers", 
"asset_types_in_scope": "Red Critical Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "Critical", "exclusions": "Appliances excluded", "special_conditions": "CrowdStrike agent active within 7 days", "data_sources_required": "Cherwell CMDB, CrowdStrike", "business_justification": "", "notes": "" }, { "metric_id": "1.2.5A", "metric_title": "% of servers associated with risk Tier 1 Applications with installed and functioning endpoint security agents", "asset_types": "Servers", "asset_types_in_scope": "Tier 1 Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Appliances excluded", "special_conditions": "CrowdStrike agent active within 7 days", "data_sources_required": "Cherwell CMDB, CrowdStrike", "business_justification": "", "notes": "" }, { "metric_id": "1.2.5All", "metric_title": "% of servers with installed and functioning endpoint security agents", "asset_types": "Servers", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Appliances excluded", "special_conditions": "CrowdStrike agent active within 7 days", "data_sources_required": "Cherwell CMDB, CrowdStrike", "business_justification": "", "notes": "" }, { "metric_id": "1.3.1A", "metric_title": "% of vulnerabilities (critical and high) associated with Tier 1 Applications detected within SLA / Policy", "asset_types": "Assets", "asset_types_in_scope": "Tier 1 Applications", "application_types_in_scope": "", 
"environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Critical: 15 days, High: 60 days from first found", "data_sources_required": "Cherwell CMDB, Kenna", "business_justification": "", "notes": "" }, { "metric_id": "1.4.1", "metric_title": "% of Red Criticality applications compliant with Business Impact Analysis review requirements", "asset_types": "Applications", "asset_types_in_scope": "Red Critical Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All except Admin", "criticality_levels_in_scope": "Critical", "exclusions": "Admin instances excluded", "special_conditions": "BIA completed within 365 days", "data_sources_required": "Cherwell CMDB", "business_justification": "", "notes": "" }, { "metric_id": "1.4.1A", "metric_title": "% of Tier 1 applications compliant with Business Impact Analysis review requirements", "asset_types": "Applications", "asset_types_in_scope": "Tier 1 Applications", "application_types_in_scope": "", "environment_in_scope": "PROD", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All except Admin", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Admin instances excluded", "special_conditions": "BIA based on criticality: Low=731 days, others=366 days", "data_sources_required": "Cherwell CMDB", "business_justification": "", "notes": "" }, { "metric_id": "1.4.1All", "metric_title": "% of applications compliant with Business Impact Analysis review requirements", "asset_types": "Applications", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "PROD", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All except Admin", "criticality_levels_in_scope": 
"All criticality levels", "exclusions": "Admin instances excluded", "special_conditions": "BIA based on criticality: Low=731 days, others=366 days", "data_sources_required": "Cherwell CMDB", "business_justification": "", "notes": "" }, { "metric_id": "1.4.2", "metric_title": "% of Red Criticality applications with a defined and operational backup process", "asset_types": "Applications", "asset_types_in_scope": "Red Critical Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All except Public Cloud/3rd Party Managed, Public Cloud/Charter Managed", "criticality_levels_in_scope": "Critical", "exclusions": "Appliances, Public cloud managed excluded", "special_conditions": "NetBackup or application method defined", "data_sources_required": "Cherwell CMDB, NetBackup", "business_justification": "", "notes": "" }, { "metric_id": "1.4.2A", "metric_title": "% of Tier 1 application environments with a defined and operational backup process", "asset_types": "Applications", "asset_types_in_scope": "Tier 1 Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All except Public Cloud/3rd Party Managed, Public Cloud/Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Appliances, Public cloud managed excluded", "special_conditions": "NetBackup or specific application IDs", "data_sources_required": "Cherwell CMDB, NetBackup", "business_justification": "", "notes": "" }, { "metric_id": "1.4.2All", "metric_title": "% of application environments with a defined and operational backup process", "asset_types": "Applications", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All except Public 
Cloud/3rd Party Managed, Public Cloud/Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Appliances, Public cloud managed excluded", "special_conditions": "NetBackup or specific application IDs", "data_sources_required": "Cherwell CMDB, NetBackup", "business_justification": "", "notes": "" }, { "metric_id": "1.5.1A", "metric_title": "% of Red Criticality servers with software components inventoried and cataloged in the system of record", "asset_types": "Servers", "asset_types_in_scope": "Red Critical Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "Critical", "exclusions": "Appliances excluded", "special_conditions": "Flexera deployed", "data_sources_required": "Flexera, CMDB", "business_justification": "", "notes": "" }, { "metric_id": "1.5.1B", "metric_title": "% of Red Criticality applications with associated software bill of materials (SBOM) defined, maintained, and cataloged", "asset_types": "Applications", "asset_types_in_scope": "Red Critical Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "Critical", "exclusions": "", "special_conditions": "SBOM field = Yes", "data_sources_required": "Cherwell CMDB", "business_justification": "", "notes": "" }, { "metric_id": "1.5.2", "metric_title": "% of Red Criticality applications subject to code security testing (e.g. 
SAST, DAST)", "asset_types": "Applications", "asset_types_in_scope": "Red Critical Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "Critical", "exclusions": "", "special_conditions": "Contrast, Veracode, or SpecFlow deployed", "data_sources_required": "Cherwell CMDB, Contrast", "business_justification": "", "notes": "" }, { "metric_id": "2.3.3", "metric_title": "% of vulnerabilities (critical/high) on red critical servers that were closed or risk accepted within due date in the last 30 days", "asset_types": "Servers", "asset_types_in_scope": "Red Critical Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "Critical", "exclusions": "", "special_conditions": "Closed by due date or risk accepted by due date, due date in last 30 days", "data_sources_required": "Kenna, Cherwell CMDB", "business_justification": "Risk meter 67-100", "notes": "" }, { "metric_id": "2.3.4", "metric_title": "% of vulnerabilities (critical/high) on servers that were closed/risk accepted within due date in the last 30 days", "asset_types": "Servers", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Closed by due date or risk accepted by due date, due date in last 30 days", "data_sources_required": "Cherwell CMDB, Kenna", "business_justification": "Risk meter 67-100", "notes": "" }, { "metric_id": "2.3.5", "metric_title": "% of red critical servers without active critical/high-severity vulnerability that are overdue", 
"asset_types": "Servers", "asset_types_in_scope": "Red Critical Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "Critical", "exclusions": "", "special_conditions": "No open overdue or risk accepted vulnerabilities", "data_sources_required": "Cherwell CMDB, Kenna", "business_justification": "Risk meter 67-100", "notes": "" }, { "metric_id": "2.3.6", "metric_title": "% of servers without active critical/high-severity vulnerability that are overdue", "asset_types": "Servers", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "No open overdue or risk accepted vulnerabilities", "data_sources_required": "Cherwell CMDB, Kenna", "business_justification": "Risk meter 67-100", "notes": "" }, { "metric_id": "2.3.7", "metric_title": "% of red critical servers with no open past due vulnerabilities (critical/high)", "asset_types": "Servers", "asset_types_in_scope": "Red Critical Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "Critical", "exclusions": "", "special_conditions": "No open past due vulnerabilities", "data_sources_required": "Cherwell CMDB, Kenna", "business_justification": "Risk meter 67-100, past due only", "notes": "" }, { "metric_id": "2.3.8", "metric_title": "% of servers with no open past due vulnerabilities (critical/high)", "asset_types": "Servers", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", 
"status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "No open past due vulnerabilities", "data_sources_required": "Cherwell CMDB, Kenna", "business_justification": "Risk meter 67-100, past due only", "notes": "" }, { "metric_id": "2.3.9", "metric_title": "% of network devices with no open past due vulnerabilities (critical/high)", "asset_types": "Network Devices", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Qualys exclusion list", "special_conditions": "No open past due vulnerabilities", "data_sources_required": "Cherwell CMDB, Kenna", "business_justification": "", "notes": "" }, { "metric_id": "5.2.3", "metric_title": "% of storage components protected by MFA", "asset_types": "Storage Components", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "FOS operating systems excluded", "special_conditions": "MFA method configured", "data_sources_required": "Cherwell CMDB, ESD", "business_justification": "", "notes": "" }, { "metric_id": "5.2.4", "metric_title": "% of network components protected by MFA", "asset_types": "Network Components", "asset_types_in_scope": "Jump Host Application (APP2394)", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "MFA = 1", 
"data_sources_required": "Cherwell CMDB, Centrify", "business_justification": "", "notes": "" }, { "metric_id": "5.2.5", "metric_title": "% of servers protected by MFA", "asset_types": "Servers", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Incompatible OS excluded", "special_conditions": "MFA = 1 or ESD MFA Method defined", "data_sources_required": "Cherwell CMDB, Centrify", "business_justification": "", "notes": "" }, { "metric_id": "5.2.6", "metric_title": "% of database servers protected by MFA", "asset_types": "Database Servers", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "All statuses", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "MFA method configured for database access", "data_sources_required": "Database security tools", "business_justification": "", "notes": "" }, { "metric_id": "5.2.7", "metric_title": "% of externally accessible enterprise applications protected by MFA", "asset_types": "Applications", "asset_types_in_scope": "Corporate Applications", "application_types_in_scope": "", "environment_in_scope": "PROD", "status_in_scope": "Installed", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Blue Enterprise and Blue Red Network excluded", "special_conditions": "Network: Corp", "data_sources_required": "Cherwell CMDB, JIRA (ESSO)", "business_justification": "", "notes": "" }, { "metric_id": "5.2.8", "metric_title": "% of customer facing applications protected by MFA", "asset_types": "Applications", "asset_types_in_scope": "Customer-Facing Applications", 
"application_types_in_scope": "", "environment_in_scope": "PROD", "status_in_scope": "Installed", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Applications with exemption 5.2.8-Cust excluded", "special_conditions": "End User Type: Customer", "data_sources_required": "Cherwell CMDB, CyberArk, Cisco ISE, Centrify", "business_justification": "", "notes": "" }, { "metric_id": "5.3.4", "metric_title": "% of database servers with data integrity controls and monitoring", "asset_types": "Servers", "asset_types_in_scope": "Database Servers", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Legacy Enterprise systems excluded", "special_conditions": "Server Type: Database", "data_sources_required": "Cherwell CMDB, Imperva Apex", "business_justification": "", "notes": "" }, { "metric_id": "5.4.2", "metric_title": "% of workstations with endpoint security agents installed and functioning", "asset_types": "Workstations", "asset_types_in_scope": "All Workstations", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Last seen within 30 days", "data_sources_required": "Cherwell CMDB, CrowdStrike", "business_justification": "", "notes": "" }, { "metric_id": "5.4.3", "metric_title": "% of workstations with endpoint DLP agents installed and functioning", "asset_types": "Workstations", "asset_types_in_scope": "All Workstations", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", 
"exclusions": "", "special_conditions": "Last seen within 60 days", "data_sources_required": "Cherwell CMDB, JAMF, ADDM, MS Defender", "business_justification": "", "notes": "" }, { "metric_id": "5.4.4", "metric_title": "% of workstations utilizing whole device encryption", "asset_types": "Workstations", "asset_types_in_scope": "All Workstations", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Mobile devices excluded", "special_conditions": "Device encryption enabled", "data_sources_required": "Cherwell CMDB, MaaS360, JamF", "business_justification": "", "notes": "" }, { "metric_id": "5.4.5", "metric_title": "% of workstations with internet security agent installed and functioning", "asset_types": "Workstations", "asset_types_in_scope": "All Workstations", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "NetSkope client last seen within 30 days", "data_sources_required": "Cherwell CMDB, JAMF, ADDM, NetSkope", "business_justification": "", "notes": "" }, { "metric_id": "5.4.6", "metric_title": "% of workstations without overdue critical/high vulnerabilities", "asset_types": "Workstations", "asset_types_in_scope": "All Workstations", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Workstations not in Kenna excluded", "special_conditions": "SCCM or JAMF managed workstations", "data_sources_required": "Kenna, SCCM, JAMF", "business_justification": "", "notes": "" }, { "metric_id": "5.5.2", "metric_title": "% of servers 
with confirmed supported operating systems", "asset_types": "Servers", "asset_types_in_scope": "All Servers", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "EOS data available", "data_sources_required": "Cherwell CMDB, ESD", "business_justification": "", "notes": "" }, { "metric_id": "5.5.4", "metric_title": "% of infrastructure without overdue critical/high vulnerabilities", "asset_types": "Servers", "asset_types_in_scope": "All Infrastructure", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Kenna vulnerability data available", "data_sources_required": "Kenna", "business_justification": "", "notes": "" }, { "metric_id": "5.5.5", "metric_title": "% of servers which have been decommissioned and are no longer connected to the network", "asset_types": "Servers", "asset_types_in_scope": "All Servers", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Retired", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "No recent activity in security tools", "data_sources_required": "Cherwell CMDB, CrowdStrike, Kenna, Splunk", "business_justification": "", "notes": "" }, { "metric_id": "5.6.1", "metric_title": "% of network monitored or scanned for connection of unknown devices", "asset_types": "Network", "asset_types_in_scope": "All Devices", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active", "instance_types_in_scope": "Charter Managed", 
"criticality_levels_in_scope": "All criticality levels", "exclusions": "Customer-owned ranges excluded", "special_conditions": "Charter-known IP ranges", "data_sources_required": "Forescout, Cherwell CMDB", "business_justification": "", "notes": "" }, { "metric_id": "5.6.2", "metric_title": "% of IP addresses active on network covered by vulnerability scans", "asset_types": "Network", "asset_types_in_scope": "All IP Addresses", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Exception ranges excluded", "special_conditions": "Charter-known IP ranges", "data_sources_required": "Cherwell CMDB, ESD, Qualys", "business_justification": "", "notes": "" }, { "metric_id": "5.6.2A", "metric_title": "% of Active Workstations and Servers covered by vulnerability scans", "asset_types": "Workstations and Servers", "asset_types_in_scope": "All", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Qualys scan within 60 days", "data_sources_required": "Cherwell CMDB, Qualys", "business_justification": "", "notes": "" }, { "metric_id": "5.6.3", "metric_title": "% of devices identified that are in the centralized asset inventory", "asset_types": "Network Devices", "asset_types_in_scope": "All Devices", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Device discovery and inventory correlation", "data_sources_required": "Forescout, Resolve, Charter Asset Discovery, Cherwell CMDB", "business_justification": "", 
"notes": "" }, { "metric_id": "5.6.3B", "metric_title": "% of devices Managed Enforced over all devices permitted on network by NAC", "asset_types": "Network Devices", "asset_types_in_scope": "All Devices", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Blocked and Uncategorized devices excluded", "special_conditions": "NAC policy enforcement", "data_sources_required": "Forescout", "business_justification": "", "notes": "" }, { "metric_id": "5.6.4", "metric_title": "% of unique undocumented devices detected and remediated within 30 days", "asset_types": "Network Devices", "asset_types_in_scope": "Undocumented Devices", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active", "instance_types_in_scope": "Unknown", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Device remediation within 30 days", "data_sources_required": "Forescout, Resolve, Charter Asset Discovery, Cherwell CMDB", "business_justification": "", "notes": "" }, { "metric_id": "5.7.1", "metric_title": "% of AWS accounts sending logs to SIEM for monitoring", "asset_types": "Cloud Accounts", "asset_types_in_scope": "AWS Accounts", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "CloudTrail and GuardDuty enabled", "data_sources_required": "AWS CloudTrail, AWS GuardDuty", "business_justification": "", "notes": "" }, { "metric_id": "5.7.2", "metric_title": "% of external data connections encrypted in transit accessible to public cloud services", "asset_types": "Cloud Connections", "asset_types_in_scope": "Data Connections", 
"application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "External cloud connections", "data_sources_required": "AWS S3 Bucket", "business_justification": "", "notes": "" }, { "metric_id": "5.7.3", "metric_title": "% of data encrypted at rest stored in and accessible via public cloud", "asset_types": "Cloud Data", "asset_types_in_scope": "Data Objects", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Public cloud storage", "data_sources_required": "AWS S3 Bucket", "business_justification": "", "notes": "" }, { "metric_id": "5.8.1", "metric_title": "% of applications subject to code security testing within the past year", "asset_types": "Applications", "asset_types_in_scope": "Charter Developed Applications", "application_types_in_scope": "", "environment_in_scope": "PROD", "status_in_scope": "Installed", "instance_types_in_scope": "Charter In-house/Third Party Custom", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Development type filtering", "data_sources_required": "Cherwell CMDB, Veracode, SpecFlow", "business_justification": "", "notes": "" }, { "metric_id": "7.1.1", "metric_title": "% of servers generating actionable logs ingested into enterprise monitoring solution", "asset_types": "Servers", "asset_types_in_scope": "All Servers", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Appliances excluded", "special_conditions": "Splunk log 
ingestion", "data_sources_required": "Cherwell CMDB, Splunk", "business_justification": "", "notes": "" }, { "metric_id": "7.1.4", "metric_title": "% of assets discovered during last quarter that are managed by Charter and documented", "asset_types": "Assets", "asset_types_in_scope": "All Assets", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Quarterly discovery tracking", "data_sources_required": "Cherwell CMDB, Forescout, Resolve, Charter Asset Discovery", "business_justification": "", "notes": "" }, { "metric_id": "7.2.1", "metric_title": "% of cases that met Time to Detect objective within the last month", "asset_types": "Security Cases", "asset_types_in_scope": "All Cases", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "All Severities", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Manual/Phishing cases excluded", "special_conditions": "TTD within 10 minutes", "data_sources_required": "Swimlane", "business_justification": "", "notes": "" }, { "metric_id": "7.2.2", "metric_title": "% of cases that met Time to Acknowledge objective within the last month", "asset_types": "Security Cases", "asset_types_in_scope": "All Cases", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "All Severities", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "TTA within 15 minutes", "data_sources_required": "Swimlane", "business_justification": "", "notes": "" }, { "metric_id": "7.2.3", "metric_title": "% of cases that met Time to Close objective within the last month", "asset_types": "Security Cases", 
"asset_types_in_scope": "Closed Cases", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "All Severities", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "TTC within 120 hours", "data_sources_required": "Swimlane", "business_justification": "", "notes": "" }, { "metric_id": "7.3.1", "metric_title": "% of incidents that met Time to Detect objective within the last month", "asset_types": "Security Incidents", "asset_types_in_scope": "All Incidents", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "All Severities", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "TTD varies by severity", "data_sources_required": "Swimlane", "business_justification": "", "notes": "" }, { "metric_id": "7.3.2", "metric_title": "% of incidents that met Time to Acknowledge objective within the last month", "asset_types": "Security Incidents", "asset_types_in_scope": "All Incidents", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "All Severities", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "TTA varies by severity", "data_sources_required": "Swimlane", "business_justification": "", "notes": "" }, { "metric_id": "7.3.3", "metric_title": "% of incidents that met Time to Contain objective within the last month", "asset_types": "Security Incidents", "asset_types_in_scope": "All Incidents", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "All Severities", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "TTC varies by 
severity", "data_sources_required": "Swimlane", "business_justification": "", "notes": "" }, { "metric_id": "7.3.4", "metric_title": "% of incidents that met Time to Close objective within the last month", "asset_types": "Security Incidents", "asset_types_in_scope": "Closed Incidents", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "All Severities", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Resolution within target time", "data_sources_required": "Swimlane", "business_justification": "", "notes": "" }, { "metric_id": "7.4.6", "metric_title": "% of incidents closed within defined target resolution time/SLA within last quarter", "asset_types": "Security Incidents", "asset_types_in_scope": "All Incidents", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Closed", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Quarterly SLA measurement", "data_sources_required": "Swimlane", "business_justification": "", "notes": "" }, { "metric_id": "7.6.13", "metric_title": "% of applications compliant with disaster recovery exercise requirements", "asset_types": "Applications", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "PROD", "status_in_scope": "Installed", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "Critical, High, Medium", "exclusions": "Admin applications excluded", "special_conditions": "DR exercise completion tracking", "data_sources_required": "Cherwell CMDB", "business_justification": "", "notes": "" }, { "metric_id": "7.6.15", "metric_title": "% of critical outages not resulting from cyber causes during the past month", "asset_types": "Outages", "asset_types_in_scope": "Critical Outages", 
"application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "All", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "Critical", "exclusions": "", "special_conditions": "Monthly outage tracking", "data_sources_required": "Swimlane, Remedy Report", "business_justification": "", "notes": "" }, { "metric_id": "7.6.16", "metric_title": "% of applications compliant with disaster recovery plan review requirements", "asset_types": "Applications", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "PROD", "status_in_scope": "Installed", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "Admin applications excluded", "special_conditions": "DR plan review tracking", "data_sources_required": "Cherwell CMDB", "business_justification": "", "notes": "" }, { "metric_id": "8.0.1", "metric_title": "% of Resources/Accounts compliant with Cloud Configuration Standards", "asset_types": "Cloud Resources", "asset_types_in_scope": "All Cloud Resources", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "All", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Cloud configuration compliance", "data_sources_required": "CrowdStrike CSPM", "business_justification": "", "notes": "" }, { "metric_id": "8.0.2", "metric_title": "% of Accounts using AMIs and ECRs with supported OS", "asset_types": "Cloud Accounts", "asset_types_in_scope": "AMI/ECR Images", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "All", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Supported OS validation", "data_sources_required": "Cloud Image Management", 
"business_justification": "", "notes": "" }, { "metric_id": "8.0.3", "metric_title": "% of cloud accounts configured for MFA requirements", "asset_types": "Cloud Accounts", "asset_types_in_scope": "All Cloud Accounts", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "All", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "MFA configuration validation", "data_sources_required": "Cloud Account Management", "business_justification": "", "notes": "" }, { "metric_id": "8.0.4", "metric_title": "% of cloud accounts configured for WAF requirements", "asset_types": "Cloud Accounts", "asset_types_in_scope": "All Cloud Accounts", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "All", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "WAF configuration validation", "data_sources_required": "Cloud Security Management", "business_justification": "", "notes": "" }, { "metric_id": "8.0.5", "metric_title": "% of cloud accounts logging", "asset_types": "Cloud Accounts", "asset_types_in_scope": "All Cloud Accounts", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "All", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Logging configuration validation", "data_sources_required": "Cloud Logging Management", "business_justification": "", "notes": "" }, { "metric_id": "8.0.6", "metric_title": "% of cloud accounts configured for vulnerability scanning on compute resources", "asset_types": "Cloud Accounts", "asset_types_in_scope": "Compute Resources", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "All", 
"instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Inspector service enabled", "data_sources_required": "AWS Inspector", "business_justification": "", "notes": "" }, { "metric_id": "8.0.7", "metric_title": "% of cloud compute resources covered by vulnerability scans", "asset_types": "Cloud Resources", "asset_types_in_scope": "Compute Resources", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "AWS Account resources excluded", "special_conditions": "Active scan status", "data_sources_required": "AWS Inspector", "business_justification": "", "notes": "" }, { "metric_id": "2.3.4i", "metric_title": "% of vulnerabilities (critical/high) on servers that were closed/risk accepted within due date in the last 30 days (infrastructure)", "asset_types": "Servers", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Closed by due date or risk accepted by due date, due date in last 30 days", "data_sources_required": "Cherwell CMDB, Kenna", "business_justification": "Vulnerability Management", "notes": "Infrastructure variant of 2.3.4" }, { "metric_id": "2.3.6i", "metric_title": "% of servers without active critical/high-severity vulnerability that are overdue (infrastructure)", "asset_types": "Servers", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality 
levels", "exclusions": "", "special_conditions": "No open overdue or risk accepted vulnerabilities", "data_sources_required": "Cherwell CMDB, Kenna", "business_justification": "Vulnerability Management", "notes": "Infrastructure variant of 2.3.6" }, { "metric_id": "2.3.8i", "metric_title": "% of servers with no open past due vulnerabilities (critical/high) (infrastructure)", "asset_types": "Servers", "asset_types_in_scope": "All Applications", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "No open past due vulnerabilities", "data_sources_required": "Cherwell CMDB, Kenna", "business_justification": "Vulnerability Management", "notes": "Infrastructure variant of 2.3.8" }, { "metric_id": "5.5.4i", "metric_title": "% of infrastructure without overdue critical/high vulnerabilities (infrastructure)", "asset_types": "Servers", "asset_types_in_scope": "All Infrastructure", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "Charter Managed", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Kenna vulnerability data available", "data_sources_required": "Kenna", "business_justification": "Vulnerability Management", "notes": "Infrastructure variant of 5.5.4" }, { "metric_id": "Missing_AppID", "metric_title": "Assets missing Application ID assignment", "asset_types": "Assets", "asset_types_in_scope": "All Assets", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Application ID field is empty or null", 
"data_sources_required": "Cherwell CMDB", "business_justification": "Asset Data Quality", "notes": "Data quality metric for CMDB hygiene" }, { "metric_id": "Missing_DF", "metric_title": "Assets missing Data Function assignment", "asset_types": "Assets", "asset_types_in_scope": "All Assets", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Data Function field is empty or null", "data_sources_required": "Cherwell CMDB", "business_justification": "Asset Data Quality", "notes": "Data quality metric for CMDB hygiene" }, { "metric_id": "Missing_OS", "metric_title": "Assets missing Operating System assignment", "asset_types": "Assets", "asset_types_in_scope": "All Assets", "application_types_in_scope": "", "environment_in_scope": "All environments", "status_in_scope": "Active, Installed", "instance_types_in_scope": "All instance types", "criticality_levels_in_scope": "All criticality levels", "exclusions": "", "special_conditions": "Operating System field is empty or null", "data_sources_required": "Cherwell CMDB", "business_justification": "Asset Data Quality", "notes": "Data quality metric for CMDB hygiene" } ]