diff --git a/components/cert/types.ts b/components/cert/types.ts
index 8d6394c5..415ca4e4 100644
--- a/components/cert/types.ts
+++ b/components/cert/types.ts
@@ -4,6 +4,7 @@ export interface Control {
description: string;
justification?: string;
evidence?: string;
+ ref?: string;
}
export type ControlState = "no" | "yes" | "na";
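Review bot: The new optional `ref` field on `Control` (and the matching one on `Section` in the next hunk) carries no TSDoc, so its expected shape is unstated, and the values this commit adds under docs/pages/certs already mix two forms — `registrar-and-locks#registry-lock-epp-lock` versus `registrar-and-locks/#multi-factor-authentication` — which suggests the renderer's expectation should be written down at the type. Proposed comment above the field: `/** Site-relative path to the guidance page backing this control, optionally followed by a "#anchor" fragment; no trailing slash before the fragment. */`. The same comment, with "section" in place of "control", fits the `Section.ref` addition. The `Control` interface begins before this hunk, so whether `ref` is consumed anywhere as a raw href is not visible here.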
@@ -19,6 +20,7 @@ export interface Section {
title: string;
description?: string;
controls: Control[];
+ ref?: string;
}
export interface CertListProps {
diff --git a/docs/pages/certs/sfc-dns-registrar.mdx b/docs/pages/certs/sfc-dns-registrar.mdx
index 911ce7b9..7cce8151 100644
--- a/docs/pages/certs/sfc-dns-registrar.mdx
+++ b/docs/pages/certs/sfc-dns-registrar.mdx
@@ -9,145 +9,158 @@ cert:
title: Governance & Domain Management
controls:
- id: dns-1.1.1
+ title: Domain Management Policies and Procedures
description: Do you maintain documented policies and procedures governing domain management
operations?
- title: Domain Management Policies and Procedures
- id: dns-1.1.2
+ title: Accountability for Domain Security
description: Is there a clearly designated person or team accountable for domain security
(policy maintenance, security reviews, renewal management)?
- title: Accountability for Domain Security
- id: dns-1.2.1
+ title: Domain Inventory and Attributes
description: Do you maintain a comprehensive inventory of all domains including ownership,
purpose, criticality classification, expiration dates, and relationships to business services/applications?
- title: Domain Inventory and Attributes
- id: dns-1.2.2
+ title: Current Configuration Baselines for Critical Domains
description: Do you document and maintain current configuration baselines for all critical
domains (DNS records, security settings, registrar configurations)?
- title: Current Configuration Baselines for Critical Domains
- id: dns-2
title: Risk Assessment & Classification
controls:
- id: dns-2.1.1
+ title: Formal Domain Classification System
description: Do you maintain a formal classification system for domains based on criticality,
financial exposure, and operational impact?
- title: Formal Domain Classification System
- id: dns-2.1.2
+ title: Mapping Domain Classifications to Controls
description: Do you map domain classifications to required security controls (monitoring
frequency, approval requirements, backup procedures)?
- title: Mapping Domain Classifications to Controls
- id: dns-2.2.1
+ title: Registrar and DNS Provider Security Criteria
description: Do you maintain security evaluation criteria for selecting domain registrars
and DNS hosting providers?
- title: Registrar and DNS Provider Security Criteria
- id: dns-3
title: Access Control & Authentication
controls:
- id: dns-3.1.1
+ title: Procedures for Registrar Access
+ ref: /infrastructure/domain-and-dns-security/registrar-and-locks#access-control-best-practices
description: Do you maintain documented procedures for managing access to domain registrar
accounts?
- title: Procedures for Registrar Access
- id: dns-3.1.2
+ title: Multi-factor Authentication for Registrar Accounts
+ ref: /infrastructure/domain-and-dns-security/registrar-and-locks/#multi-factor-authentication
description: Do you enforce multi-factor authentication requirements for all registrar and
DNS management accounts?
- title: Multi-factor Authentication for Registrar Accounts
- id: dns-3.1.3
+ title: Dedicated Domain Security Contact Email
+ ref: /infrastructure/domain-and-dns-security/registrar-and-locks/#dedicated-security-contact-email
description: Do you maintain a separate, dedicated security contact email for domain management
that is independent from your primary domain?
- title: Dedicated Domain Security Contact Email
- id: dns-3.1.4
+ title: Periodic Access Reviews for Domain Privileges
description: Do you conduct periodic access reviews for all personnel with domain management
privileges?
- title: Periodic Access Reviews for Domain Privileges
- id: dns-3.2.1
+ title: Approval Workflows for Critical Domain Operations
description: Do you maintain documented approval workflows for critical domain operations
(transfers, deletions, nameserver changes)?
- title: Approval Workflows for Critical Domain Operations
- id: dns-4
title: Technical Security Controls
+ ref: /infrastructure/domain-and-dns-security/dnssec-and-email
controls:
- id: dns-4.1.1
+ title: DNS Security Configuration Standards
+ ref: /infrastructure/domain-and-dns-security/dnssec-and-email#dnssec-implementation
description: Do you maintain documented standards for DNS security configurations (DNSSEC,
CAA records, TTL policies)?
- title: DNS Security Configuration Standards
- id: dns-4.2.1
+ title: Email Authentication Protocol Standards
+ ref: /infrastructure/domain-and-dns-security/dnssec-and-email#email-security-configuration
description: Do you maintain documented standards for email authentication (SPF, DKIM, DMARC,
MTA-STS)?
- title: Email Authentication Protocol Standards
- id: dns-4.2.2
+ title: DMARC Monitoring and Response Procedures
description: Do you have procedures for monitoring and responding to DMARC reports and policy
violations?
- title: DMARC Monitoring and Response Procedures
- id: dns-4.3.1
+ title: Documented Domain Lock Procedures
+ ref: /infrastructure/domain-and-dns-security/registrar-and-locks#registry-lock-epp-lock
description: Do you maintain documented procedures for implementing domain locks (transfer
locks, registry locks, EPP status codes)?
- title: Documented Domain Lock Procedures
- id: dns-4.3.2
description: Do you have procedures for out-of-band verification of domain changes through
registrar support channels?
title: Out of Band Domain Change Verification
- id: dns-4.3.3
+ title: TLS Certificate Lifecycle Management Procedures
description: Do you maintain documented procedures for TLS certificate lifecycle management,
including issuance, renewal, revocation, and monitoring for expiration across all domains
and services?
- title: TLS Certificate Lifecycle Management Procedures
- id: dns-5
title: Operational Procedures
controls:
- id: dns-5.1.1
+ title: Domain Registration Lifecycle Procedures
+ ref: /infrastructure/domain-and-dns-security/registrar-and-locks#domain-expiration-protection
description: Do you maintain documented procedures for domain registration, renewal, decommissioning,
and expiration prevention (auto-renewal, multiple reminders, backup payment methods)?
- title: Domain Registration Lifecycle Procedures
- id: dns-5.1.2
- description: Do you maintain documented procedures for secure domain transfers between registrars?
title: Secure Domain Transfer Procedures
+ description: Do you maintain documented procedures for secure domain transfers between registrars?
- id: dns-5.2.1
- description: Do you maintain formal change management procedures for DNS record modifications?
title: DNS Change Management Procedures
+ description: Do you maintain formal change management procedures for DNS record modifications?
- id: dns-6
title: Monitoring & Detection
+ ref: /infrastructure/domain-and-dns-security/monitoring-and-alerting#dns-record-monitoring
controls:
- id: dns-6.1.1
+ title: Continuous Monitoring for DNS Changes
+ ref: /infrastructure/domain-and-dns-security/monitoring-and-alerting/#passive-dns-monitoring
description: Do you maintain continuous monitoring for unauthorized DNS record changes across
all critical domains?
- title: Continuous Monitoring for DNS Changes
- id: dns-6.1.2
+ title: DNS Compromise Indicators Monitoring
description: Do you monitor for specific indicators of DNS compromise (TTL changes, nameserver
modifications, record anomalies)?
- title: DNS Compromise Indicators Monitoring
- id: dns-6.1.3
+ title: Monitor Certificate Transparency Logs
+ ref: /infrastructure/domain-and-dns-security/monitoring-and-alerting/#certificate-transparency-monitoring
description: Do you maintain procedures for monitoring Certificate Transparency logs for
unauthorized certificate issuance?
- title: Monitor Certificate Transparency Logs
- id: dns-6.2.1
+ title: Unauthorized Domain Registration Monitoring
description: Do you monitor domain registration status and registrar lock settings for unauthorized
changes?
- title: Unauthorized Domain Registration Monitoring
- id: dns-6.2.2
+ title: Detecting Domain Expiration Risks
+ ref: /infrastructure/domain-and-dns-security/registrar-and-locks#domain-expiration-protection
description: Do you maintain procedures for detecting and responding to domain expiration
risks?
- title: Detecting Domain Expiration Risks
- id: dns-7
title: Incident Response
+ ref: /infrastructure/domain-and-dns-security/monitoring-and-alerting#incident-response-plan
controls:
- id: dns-7.1.1
+ title: Domain Hijacking Incident Response
description: Do you maintain incident response procedures specific to domain hijacking and
DNS compromise scenarios?
- title: Domain Hijacking Incident Response
- id: dns-7.1.2
+ title: Registrar and DNS Emergency Contacts
description: Do you maintain emergency contact information for registrars and DNS hosting
providers?
- title: Registrar and DNS Emergency Contacts
- id: dns-7.2.1
+ title: Emergency Registry Lock Activation
description: Do you maintain procedures for emergency registry lock activation to prevent
unauthorized domain changes?
- title: Emergency Registry Lock Activation
- id: dns-7.2.2
- description: Do you have documented procedures for regaining control of compromised domains?
title: Regaining Control of Compromised Domains
+ description: Do you have documented procedures for regaining control of compromised domains?
- id: dns-7.2.3
+ title: DNS Record Integrity Validation Procedures
description: Do you maintain procedures for validating DNS record integrity after incident
recovery?
- title: DNS Record Integrity Validation Procedures
---
import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter, CertList } from '../../../components'
diff --git a/docs/pages/certs/sfc-incident-response.mdx b/docs/pages/certs/sfc-incident-response.mdx
index cf0cea0f..0e66b4c3 100644
--- a/docs/pages/certs/sfc-incident-response.mdx
+++ b/docs/pages/certs/sfc-incident-response.mdx
@@ -7,183 +7,207 @@ tags:
cert:
- id: ir-1
title: Team Structure, Roles & Responsibilities
+ ref: /incident-management/overview
controls:
- id: ir-1.1.1
+ title: Documented Incident Response Policy
description: Do you maintain a documented incident response (IR) policy that defines scope,
objectives, and roles?
- title: Documented Incident Response Policy
- id: ir-1.1.2
+ title: Incident Commander and IR Roles
description: Do you have a designated incident commander and incident response team with
clearly defined roles, responsibilities, and decision-making authority? Is the incident
commander role clearly established to coordinate response activities, make time-sensitive
decisions, and ensure clear accountability during incidents?
- title: Incident Commander and IR Roles
- id: ir-1.2.1
+ title: Subject Matter Experts for Protocol Internals
description: Do you have designated subject matter experts (ex. Core Devs) who understand
different parts of protocol internals and can analyze ongoing attacks and prepare response
strategies for potential attack vectors?
- title: Subject Matter Experts for Protocol Internals
- id: ir-1.2.2
+ title: Designated Signer Roles for Emergency Actions
description: Do you have designated signer roles with documented authority and procedures
for executing emergency transactions (pausing, freezing, parameter changes)?
- title: Designated Signer Roles for Emergency Actions
- id: ir-1.2.3
+ title: Periodic Review of IR Roles
description: Do you periodically review and update IR team roles, authorities, and escalation
measures to reflect protocol changes, new teams, or evolving governance structures?
- title: Periodic Review of IR Roles
- id: ir-1.2.4
+ title: Communications Personnel for Public Info
description: Do you have designated Communications personnel responsible for public information
sharing and incident response record-keeping?
- title: Communications Personnel for Public Info
- id: ir-1.2.5
+ title: Legal Support for Incident Response
description: Do you maintain Legal support with documented procedures for analyzing legal
and regulatory implications of response actions, approving whitehat engagement agreements,
and reviewing public communications?
- title: Legal Support for Incident Response
- id: ir-1.3.1
+ title: Procedures for Cross-Team Incident Coordination
+ ref: /incident-management/communication-strategies
description: Do you have documented procedures for coordinating between technical teams
(Core Devs/Auditors) and operational teams (Security Council/Communications) during incidents?
- title: Procedures for Cross-Team Incident Coordination
- id: ir-1.3.2
+ title: External Protocol Stakeholder Contact Methods
+ ref: /incident-management/communication-strategies
description: Do you maintain contact methods & communication channels for external companies
that run protocols you depend on, or that depend on your protocol?
- title: External Protocol Stakeholder Contact Methods
- id: ir-2
title: Monitoring & Detection
+ ref: /incident-management/incident-detection-and-response#key-components-of-incident-detection
controls:
- id: ir-2.1.1
+ title: 24/7 Monitoring and After-Hours Procedures
description: Do you maintain documented monitoring coverage for critical systems, protocols,
and infrastructure components with 24/7 capabilities and procedures for after-hours alert
handling?
- title: 24/7 Monitoring and After-Hours Procedures
- id: ir-2.2.1
+ title: Automated Alerting with Playbooks
description: Do you have automated alerting configured with embedded playbooks for security
events, detecting false alarms, and operational issues?
- title: Automated Alerting with Playbooks
- id: ir-2.2.2
+ title: Regular Alert Testing and Drills
+ ref: /awareness/staying-informed-and-continuous-learning#411-training-approaches
description: Do you conduct regular alert testing and drills to ensure monitoring systems
function correctly under various scenarios?
- title: Regular Alert Testing and Drills
- - id: ir-2.2.3
+ - id: ir-2.2.3a
+ title: Procedures for Alert Triage and Escalation
+ ref: /incident-management/playbooks/decentralized-ir#4-detection-and-triage-flow
description: Do you have documented procedures for alert triage, classification, and escalation
to appropriate response teams?
- title: Procedures for Alert Triage and Escalation
- id: ir-2.2.4
+ title: Log Retention Policies for Forensics
description: Do you maintain log retention policies with adequate preservation periods for
security and infrastructure logs (including cloud provider logs) to support incident investigation
and forensic analysis?
- title: Log Retention Policies for Forensics
+ - id: ir-2.3.1
+ description: Do you maintain procedures for monitoring leaked credentials and compromised
+ accounts associated with the organization?
+ title: Leaked Credential Monitoring
+ - id: ir-2.3.2
+ description: Do you have procedures for monitoring organizational social media accounts & websites
+ for indicators of compromise or unauthorized activity?
+ title: Social Media Compromise Monitoring
+ - id: ir-2.3.3
+ description: Do you maintain requirements for immutable logging and tamper-evident alerting
+ channels that trigger alerts if logs are altered or monitoring is disabled?
+ title: Immutable Logging and Tamper-Evident Alerting
- id: ir-3
title: Pager Systems & Escalation
controls:
- id: ir-3.1.1
+ title: Redundant Paging Systems with Testing
description: Do you operate redundant paging systems with documented procedures and regular
testing?
- title: Redundant Paging Systems with Testing
- id: ir-3.1.2
+ title: Maintain On-Call Coverage Schedules
description: Do you maintain current on-call schedules with documented coverage requirements
and backup procedures?
- title: Maintain On-Call Coverage Schedules
- id: ir-3.1.3
+ title: Documented Time-Based Escalation Procedures
description: Do you have documented escalation procedures with time-based triggers and management
notification requirements?
- title: Documented Time-Based Escalation Procedures
- id: ir-3.2.1
+ title: Define and Track Response Time Targets
description: Do you define and track response time targets for different incident severity
levels?
- title: Define and Track Response Time Targets
- id: ir-4
title: Response Procedures & Coordination
controls:
- id: ir-4.1.1
+ title: Documented Incident Response Playbooks
+ ref: /incident-management/playbooks/overview
description: Do you maintain documented response playbooks for common incident types (protocol
exploits, infrastructure failures, access control breaches, data security incidents, and
supply chain compromises)?
- title: Documented Incident Response Playbooks
- id: ir-4.1.2
+ title: Step-by-Step Initial Response Procedures
description: Do you have step-by-step procedures for initial response actions including
containment, evidence preservation, and stakeholder notification?
- title: Step-by-Step Initial Response Procedures
- id: ir-4.1.3
+ title: Role-Based Incident Playbooks by Role
description: Do you maintain role-based playbooks that define specific responsibilities
for different team members (Core Devs, Auditors, Signers, Communications, Legal) during
incidents?
- title: Role-Based Incident Playbooks by Role
- id: ir-4.1.4
+ title: Procedures for Coordinating Multisig Operations
+ ref: /multisig-for-protocols/emergency-procedures
description: Do you maintain procedures for coordinating multisig operations during incidents
including signer availability and cross-timezone challenges?
- title: Procedures for Coordinating Multisig Operations
- id: ir-4.2.1
+ title: Documented Criteria for Major Response Decisions
description: Do you have documented criteria for major response decisions (system shutdown,
public disclosure, external assistance) and escalation policies for when to engage leadership?
- title: Documented Criteria for Major Response Decisions
- id: ir-4.2.2
+ title: External Expertise Engagement Contacts
description: Do you maintain contact information and procedures for engaging external expertise
(forensics, legal, specialized consultants)?
- title: External Expertise Engagement Contacts
- id: ir-4.2.3
+ title: Emergency Cards with Key Response Steps
description: Do you maintain emergency cards or quick-reference materials containing key
personnel and response steps for each protocol component?
- title: Emergency Cards with Key Response Steps
- id: ir-5
title: Signer Operations & Emergency Transactions
controls:
- id: ir-5.1.1
+ title: Multiple Channels for Global Signer Reach
+ ref: /incident-management/communication-strategies
description: Do you maintain multiple communication channels (primary and backup) with documented
procedures for reaching signers across time zones, including during emergencies?
- title: Multiple Channels for Global Signer Reach
- id: ir-5.2.1
+ title: Pre-Signed Emergency Transactions for Protocol
description: Do you maintain pre-signed emergency transactions for critical protocol functions
(pause, freeze, parameter changes)?
- title: Pre-Signed Emergency Transactions for Protocol
- id: ir-5.2.2
+ title: Procedures for Rapid Emergency Transactions
description: Do you have documented procedures for rapidly executing emergency transactions
with minimal coordination time?
- title: Procedures for Rapid Emergency Transactions
- id: ir-5.2.3
+ title: Multiple Signing Methods and Backups
+ ref: /wallet-security/secure-multisig-best-practices/#setup-best-practices
description: Do you maintain multiple signing methods and backup procedures for signers
transaction execution?
- title: Multiple Signing Methods and Backups
- id: ir-5.2.4
+ title: Rotating Keys and Replacing Signers
+ ref: /wallet-security/secure-multisig-best-practices/#operational-best-practices
description: Do you have a documented procedure for rotating keys and replacing compromised
signers?
- title: Rotating Keys and Replacing Signers
- id: ir-6
title: Communication & Coordination
controls:
- id: ir-6.1.1
+ title: Dedicated Incident Communication Channels
+ ref: /incident-management/communication-strategies#communication-strategies
description: Do you maintain dedicated communication channels for incident response with
documented access controls, member lists, and procedures for rapidly creating new incident-specific
channels when needed?
- title: Dedicated Incident Communication Channels
- id: ir-6.1.2
+ title: Incident Status Reporting Procedures
description: Do you have documented procedures for incident status reporting including frequency,
format, and distribution lists?
- title: Incident Status Reporting Procedures
- id: ir-6.1.3
- description: Do you maintain secure communication procedures for sensitive incident information?
title: Secure Incident Information Communications
+ description: Do you maintain secure communication procedures for sensitive incident information?
- id: ir-6.2.1
+ title: Coordinating Communications with Protocol Users
description: Do you maintain documented procedures for coordinating communications with
protocol users during and post-exploit?
- title: Coordinating Communications with Protocol Users
- id: ir-6.2.2
+ title: Approved Templates and Escalation Procedures
description: Do you have pre-approved communication templates and escalation procedures
for different incident types and severity levels?
- title: Approved Templates and Escalation Procedures
- id: ir-6.2.3
+ title: Public Information Flow and Misinformation Prevention
description: Do you maintain procedures for managing public information flow and preventing
misinformation during active incidents?
- title: Public Information Flow and Misinformation Prevention
- id: ir-7
title: Drills & Testing
controls:
- id: ir-7.1.1
+ title: Regular Incident Response Drills and Evaluation
description: Do you conduct regular incident response drills that test pager systems, escalation
procedures, team coordination, monitoring systems, containment procedures, and recovery
processes? Do you evaluate drill performance, identify gaps, and track improvement actions
based on both exercise findings and real incident experience?
- title: Regular Incident Response Drills and Evaluation
---
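Review bot: The id change from `ir-2.2.3` to `ir-2.2.3a` for the alert-triage control is the only identifier rewrite in this file, and the `a` suffix breaks the numeric `x.y.z` pattern every other control id in the section follows. If control answers (`ControlState`) are persisted or cross-referenced by id anywhere, responses recorded against `ir-2.2.3` would presumably no longer match after this rename; that cannot be confirmed from the hunk. If the rename is deliberate, a one-line note in the frontmatter such as `# ir-2.2.3a supersedes ir-2.2.3 (split pending)` would explain the suffix; otherwise keeping `ir-2.2.3` avoids the mismatch.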
diff --git a/docs/pages/certs/sfc-multisig-ops.mdx b/docs/pages/certs/sfc-multisig-ops.mdx
index 5d1f2ba5..2f39cad4 100644
--- a/docs/pages/certs/sfc-multisig-ops.mdx
+++ b/docs/pages/certs/sfc-multisig-ops.mdx
@@ -9,142 +9,157 @@ cert:
title: Governance & Inventory
controls:
- id: ms-1.1.1
+ title: Policies Governing Multisig Operations
description: Do you maintain documented policies and procedures governing your multisig
operations?
- title: Policies Governing Multisig Operations
- id: ms-1.1.2
+ title: Named Responsible Multisig Owner
description: Is there a clearly named person or team accountable for multisig operations
(policy upkeep, reviews, hygiene)?
- title: Named Responsible Multisig Owner
- id: ms-1.1.3
+ title: Multisig Documentation Maintenance Process
+ ref: /multisig-for-protocols/registration-and-documentation#ongoing-management
description: Do you operate a documented maintenance process to keep multisig documentation
current after any operational or signer change?
- title: Multisig Documentation Maintenance Process
- id: ms-1.2.1
+ title: Current Multisig Registry Details
+ ref: /multisig-for-protocols/registration-and-documentation#registration-template
description: Do you keep an up-to-date registry of all multisigs (address, network, purpose,
threshold, modules/guards, admin roles, etc)?
- title: Current Multisig Registry Details
- id: ms-1.2.2
+ title: Authorized Signer Mapping Registry
description: Do you maintain an up-to-date list of authorized signers and map them to the
correct multisigs?
- title: Authorized Signer Mapping Registry
- id: ms-2
title: Risk Assessment & Management
controls:
- id: ms-2.1.1
+ title: Formal Multisig Classification System
+ ref: /multisig-for-protocols/planning-and-classification#classification-process
description: Do you define and maintain a formal classification system for multisig wallets
that covers both impact factors and operational needs?
- title: Formal Multisig Classification System
- id: ms-2.1.2
+ title: Classification Criteria and Controls
description: Do you maintain documented criteria that map each classification level to required
controls (thresholds, quorum composition, review cadence, etc)?
- title: Classification Criteria and Controls
- id: ms-2.1.3
+ title: Review and Update Classifications
description: Do you periodically review and update classifications and associated controls
when conditions change?
- title: Review and Update Classifications
- id: ms-2.1.4
+ title: Timelocks, Modules, and Guards Policies
+ ref: /multisig-for-protocols/use-case-specific-requirements#timelock-configuration
description: Do you maintain documented policies on the use of timelocks, modules and guards,
including justification and security review requirements for any exceptions?
- title: Timelocks, Modules, and Guards Policies
- id: ms-2.1.5
+ title: Exception Approval Process for Multisig
description: Do you maintain a documented exception approval process for deviations from
standard multisig policies, including justification requirements, and authorization levels?
- title: Exception Approval Process for Multisig
- id: ms-3
title: Signer Security & Access Control
controls:
- id: ms-3.1.1
+ title: Cryptographic Signer Identity Attestation
+ ref: /multisig-for-protocols/registration-and-documentation#signer-verification-process
description: Do you maintain a documented process for cryptographic attestation of address
ownership and signer affiliation for multisig signers?
- title: Cryptographic Signer Identity Attestation
- id: ms-3.1.2
- description: Do you maintain a documented standard for signer key management?
title: Signer Key Management Standard
+ description: Do you maintain a documented standard for signer key management?
- id: ms-3.1.3
+ title: Signer Seed Backups and Protection
+ ref: /wallet-security/private-key-management
description: Do you maintain documented policies and procedures for securely backing up
and protecting signer seed phrases and recovery materials?
- title: Signer Seed Backups and Protection
- id: ms-3.1.4
+ title: Multisig Signer Lifecycle Management
+ ref: /multisig-for-protocols/registration-and-documentation#signer-changes
description: Do you operate a documented lifecycle for adding, replacing, and removing signers,
including offboarding and periodic access reviews?
- title: Multisig Signer Lifecycle Management
- id: ms-3.1.5
+ title: Signer Training and Readiness Program
+ ref: /multisig-for-protocols/implementation-checklist#for-signers
description: Do you have a documented training and readiness program for signers before
they are authorized to participate?
- title: Signer Training and Readiness Program
- id: ms-4
title: Operational Procedures
controls:
- id: ms-4.1.1
+ title: Documented Transaction Lifecycle Procedures
description: Do you maintain documented processes for transaction initiation, approval,
simulation, execution, and confirmation, including who is authorized to initiate?
- title: Documented Transaction Lifecycle Procedures
- id: ms-4.1.2
+ title: Signing and Verification Procedures
description: Do you maintain documented signing and verification procedures that must be
followed before any signatures are applied?
- title: Signing and Verification Procedures
- id: ms-4.1.3
+ title: Audit Trails and Retention
description: Do you maintain audit trails and retention for transaction reviews, approvals,
execution, and post-execution confirmation?
- title: Audit Trails and Retention
- id: ms-4.1.4
+ title: Policy for High-Risk Transactions
description: Do you maintain a policy defining enhanced controls for high-risk transactions
(emergency actions, large transfers, protocol configuration changes)?
- title: Policy for High-Risk Transactions
- id: ms-4.1.5
+ title: Multisig Standards and Evaluation
description: Do you maintain documented standards for multisig technology and tools, and
a formal evaluation process for adopting new ones?
- title: Multisig Standards and Evaluation
- id: ms-4.1.6
+ title: Backup Infrastructure for Multisig
+ ref: /multisig-for-protocols/backup-signing-and-infrastructure
description: Do you maintain documented backup infrastructure for multisig operations (alternate
signing interfaces, RPC/explorers, failover procedures), and test their use?
- title: Backup Infrastructure for Multisig
- id: ms-5
title: Communication & Coordination
controls:
- id: ms-5.1.1
+ title: Multisig Primary and Backup Communications
+ ref: /multisig-for-protocols/communication-setup
description: Do you maintain dedicated primary and backup communication channels for multisig
operations with documented membership controls and onboarding/offboarding procedures?
- title: Multisig Primary and Backup Communications
- id: ms-5.1.2
+ title: Signer Identity Verification Procedures
+ ref: /multisig-for-protocols/registration-and-documentation#signer-verification-process
description: Do you have procedures to verify the identity of signers during sensitive communications,
with periodic checks to ensure authenticity?
- title: Signer Identity Verification Procedures
- id: ms-5.1.3
+ title: Documented Escalation and On-Call Policies
description: Do you maintain documented escalation policies that define response-time expectations,
on-call coverage, and procedures for urgent coordination?
- title: Documented Escalation and On-Call Policies
- id: ms-5.1.4
+ title: Channel Compromise Response and Verification
description: Do you maintain procedures for responding to suspected communication channel
compromise, including switching to backup channels and out-of-band verification, and ensure
signers know how to invoke them?
- title: Channel Compromise Response and Verification
- id: ms-5.1.5
+ title: Emergency Contacts for Multisig
description: Do you maintain and distribute an up-to-date emergency contact list for multisig
operations?
- title: Emergency Contacts for Multisig
- id: ms-6
title: Emergency Operations
controls:
- id: ms-6.1.1
+ title: Emergency Playbooks for Compromise
+ ref: /multisig-for-protocols/emergency-procedures
description: Do you maintain written emergency playbooks covering key compromise, lost access,
and urgent protocol actions?
- title: Emergency Playbooks for Compromise
- id: ms-6.1.2
+ title: 24/7 Paging for Emergency Multisigs
+ ref: /multisig-for-protocols/communication-setup#paging-system-criticalemergency-multisigs
description: For critical/emergency-class multisigs, do you provide 24/7 paging to reach
the required threshold and document escalation paths?
- title: 24/7 Paging for Emergency Multisigs
- id: ms-6.1.3
+ title: Multisig Monitoring and Alerts
+ ref: /multisig-for-protocols/setup-and-configuration#active-monitoring
description: Do you maintain monitoring infrastructure and procedures to detect unauthorized,
anomalous, or suspicious activity across all multisigs, with documented alerting and escalation
paths?
- title: Multisig Monitoring and Alerts
- id: ms-6.1.4
+ title: Rehearsals for Emergency Playbooks
+ ref: /multisig-for-protocols/use-case-specific-requirements#emergency-response-multisigs
description: Do you conduct periodic rehearsals and drills of emergency playbooks to test
response procedures, communication channels, and signer coordination under simulated emergency
conditions?
- title: Rehearsals for Emergency Playbooks
---
diff --git a/docs/pages/certs/sfc-treasury-ops.mdx b/docs/pages/certs/sfc-treasury-ops.mdx
index e7d61cc5..9f3e0fce 100644
--- a/docs/pages/certs/sfc-treasury-ops.mdx
+++ b/docs/pages/certs/sfc-treasury-ops.mdx
@@ -9,191 +9,201 @@ cert:
title: Governance & Treasury Architecture
controls:
- id: tro-1.1.1
+ title: Documented Treasury Security Policies
description: Do you maintain documented security policies that define how treasury operations
are conducted (e.g., access control principles, transaction verification requirements,
incident response procedures)?
- title: Documented Treasury Security Policies
- id: tro-1.1.2
+ title: Accountability for Treasury Operations
description: Is there an individual or team accountable for treasury operations (e.g., policy
upkeep, reviews, operational hygiene)?
- title: Accountability for Treasury Operations
- id: tro-1.1.3
+ title: Treasury Infrastructure Change Management
description: Do you maintain formal change management procedures for treasury infrastructure
modifications (e.g., wallet setups, custody configurations, signer permissions, protocol
integrations)?
- title: Treasury Infrastructure Change Management
- id: tro-1.1.4
+ title: Treasury Wallet Risk Classification
+ ref: /multisig-for-protocols/planning-and-classification#step-1-impact-assessment
description: Do you have a documented process to classify treasury wallets (e.g. multisigs)
and accounts based on risk level and assign appropriate security controls?
- title: Treasury Wallet Risk Classification
- id: tro-1.1.5
+ title: Custodial vs Non-Custodial Rationale
description: Do you have documented rationale for choosing between custodial and non-custodial
treasury solutions and technology choice like MPC, HSM?
- title: Custodial vs Non-Custodial Rationale
- id: tro-1.1.6
+ title: Fund Allocation Limits and Triggers
description: Do you have documented policies for maximum fund allocations per wallet type
and rebalancing triggers?
- title: Fund Allocation Limits and Triggers
- id: tro-2
title: Access Control & Authentication
controls:
- id: tro-2.1.1
+ title: Custody Platform Security Configurations
description: 'Do you maintain documented security configurations for custody platforms,
including: Transaction policy rules, Multi-approval workflows and thresholds, Address
whitelisting configurations, Velocity Limits)?'
- title: Custody Platform Security Configurations
- id: tro-2.1.2
+ title: Treasury Platform Authentication Requirements
description: Do you maintain documented authentication requirements for treasury platforms
(e.g., multi-factor authentication standards, session management)?
- title: Treasury Platform Authentication Requirements
- id: tro-2.1.3
+ title: Credential and Secret Management Procedures
description: Do you have procedures for managing credentials and secrets used in treasury
operations (e.g., API keys, service accounts)?
- title: Credential and Secret Management Procedures
- id: tro-2.1.4
+ title: Access Review for Treasury Systems
description: Do you conduct periodic reviews of who has access to treasury systems to ensure
only authorized personnel retain access?
- title: Access Review for Treasury Systems
- id: tro-2.1.5
+ title: Treasury Network Security Controls
description: Do you implement network security controls for treasury access (IP whitelisting,
VPN requirements, Geographic access restrictions)?
- title: Treasury Network Security Controls
- id: tro-2.1.6
- description: Do you implement controls to isolate owner account credentials?
title: Isolate Owner Account Credentials
+ description: Do you implement controls to isolate owner account credentials?
- id: tro-3
title: Transaction Security & Verification
controls:
- id: tro-3.1.1
- description: Do you maintain documented procedures for transaction security and verification?
title: Transaction Security and Verification Procedures
+ ref: /wallet-security/signing-verification
+ description: Do you maintain documented procedures for transaction security and verification?
- id: tro-3.1.2
- description: Do you conduct traning programs with all signers?
title: Training for All Signers
+ ref: /multisig-for-protocols/use-case-specific-requirements#training--drills
+ description: Do you conduct traning programs with all signers?
- id: tro-3.1.3
+ title: Pre-Execution Transaction Verification Procedures
+ ref: /wallet-security/tools-&-resources#transaction-simulation
description: Do you have procedures for verifying transaction details before execution (e.g.,
recipient address validation, amount verification, network confirmation, test transactions,
simulation requirements)?
- title: Pre-Execution Transaction Verification Procedures
- id: tro-3.1.4
+ title: Secure Communication Procedures for Treasury
+ ref: /multisig-for-protocols/communication-setup
description: Do you maintain secure communication procedures for coordinating treasury operations
and verifying requests?
- title: Secure Communication Procedures for Treasury
- id: tro-3.1.5
- description: Do you have documented procedures for receiving funds?
title: Documented Funds Receiving Procedures
+ description: Do you have documented procedures for receiving funds?
- id: tro-3.1.6
- description: Do you maintain procedures for conducting OTC (over-the-counter) transactions?
title: Procedures for OTC Transactions
+ description: Do you maintain procedures for conducting OTC (over-the-counter) transactions?
- id: tro-4
title: DeFi Risk Assessment
controls:
- id: tro-4.1.1
+ title: DeFi Protocol Evaluation and Monitoring
description: Do you maintain documented procedures for evaluating and monitoring DeFi protocols
where treasury funds are deployed?
- title: DeFi Protocol Evaluation and Monitoring
- id: tro-4.1.2
+ title: Documented Procedures for DeFi Positions
description: Do you have documented procedures for managing DeFi positions (e.g., emergency
withdrawal procedures, alternative access methods if UIs are unavailable)?
- title: Documented Procedures for DeFi Positions
- id: tro-4.1.3
+ title: Exposure Limits for Protocol Deployments
description: Do you define and enforce exposure limits for protocol deployments (e.g., per
protocol, chain, category)?
- title: Exposure Limits for Protocol Deployments
- id: tro-4.1.4
+ title: Verifying Contract Addresses and Approvals
description: Do you have procedures for verifying smart contract addresses and managing
token approvals?
- title: Verifying Contract Addresses and Approvals
- id: tro-5
title: Staking Risk Assessment
controls:
- - id: tro-4.1.1
+ - id: tro-5.1.1
+ title: Evaluating and Monitoring Staking Solutions
description: Do you maintain documented procedures for evaluating and monitoring staking
solutions where treasury funds are deployed?
- title: Evaluating and Monitoring Staking Solutions
- - id: tro-4.1.2
+ - id: tro-5.1.2
+ title: Staking Position Management Procedures
description: Do you have documented procedures for managing staking positions (e.g., unstaking
procedures, emergency exit methods, alternative access if primary UIs are unavailable)?
- title: Staking Position Management Procedures
- - id: tro-4.1.3
+ - id: tro-5.1.3
+ title: Exposure Limits for Staking Deployments
description: Do you define and enforce exposure limits for staking deployments (e.g. per
staking provider, per liquid staking protocol, etc)?
- title: Exposure Limits for Staking Deployments
- - id: tro-4.1.4
- description: Do you have procedures for verifying smart contract addresses?
+ - id: tro-5.1.4
title: Verifying Smart Contract Addresses
+ description: Do you have procedures for verifying smart contract addresses?
- id: tro-6
title: Operational Security
controls:
- - id: tro-5.1.1
+ - id: tro-6.1.1
+ title: Operational Security Requirements for Treasury Personnel
+ ref: /multisig-for-protocols/personal-security-opsec
description: Do you maintain documented operational security requirements for treasury personnel
(signing device setup, device security requirements, etc)?
- title: Operational Security Requirements for Treasury Personnel
- - id: tro-5.1.2
+ - id: tro-6.1.2
+ title: Treasury Sensitive Information Security Policy
+ ref: /wallet-security/private-key-management
description: Do you have policies for secure storage and handling of sensitive treasury
information (e.g., credentials, hardware wallets, backup materials)?
- title: Treasury Sensitive Information Security Policy
- - id: tro-5.1.3
+ - id: tro-6.1.3
+ title: Travel Security Procedures for Treasury Personnel
description: Do you have travel security procedures for treasury personnel with signing/access
capabilities?
- title: Travel Security Procedures for Treasury Personnel
- id: tro-7
title: Monitoring & Incident Response
controls:
- - id: tro-6.1.1
- description: Do you monitor treasury transactions and account states for anomalous activity?
+ - id: tro-7.1.1
title: Monitoring Treasury Transactions for Anomalies
- - id: tro-6.1.2
+ description: Do you monitor treasury transactions and account states for anomalous activity?
+ - id: tro-7.1.2
+ title: Treasury Security Incident Response Procedures
+ ref: /incident-management/playbooks/overview
description: Do you maintain security incident response procedures specific to treasury
operations (e.g., severity levels, escalation, containment, fund protection)?
- title: Treasury Security Incident Response Procedures
- - id: tro-6.1.3
+ - id: tro-7.1.3
+ title: External Threat Intelligence for Treasury
description: Do you track external threat intelligence relevant to your treasury holdings
and infrastructure (e.g., protocol vulnerabilities, DeFi risks)?
- title: External Threat Intelligence for Treasury
- - id: tro-6.1.4
+ - id: tro-7.1.4
+ title: Regular Security Drills and Exercises
+ ref: /multisig-for-protocols/use-case-specific-requirements#training--drills
description: Do you conduct regular security drills and exercises to test incident response
capabilities?
- title: Regular Security Drills and Exercises
- - id: tro-6.1.5
+ - id: tro-7.1.5
+ title: Vendor Availability and Service Notifications Monitoring
description: Do you monitor for vendor availability and service notifications (e.g., custody
platform status, infrastructure provider alerts)?
- title: Vendor Availability and Service Notifications Monitoring
- - id: tro-6.1.6
- description: Do you monitor transactions and wallet addresses for compliance risk?
+ - id: tro-7.1.6
title: Transactions and Wallet Addresses Monitoring
+ description: Do you monitor transactions and wallet addresses for compliance risk?
- id: tro-8
title: Vendor & Infrastructure Security
controls:
- - id: tro-7.1.1
+ - id: tro-8.1.1
+ title: Third-Party Services Security Evaluation
description: Do you maintain security evaluation criteria for third-party services critical
to treasury operations, including initial due diligence and ongoing monitoring?
- title: Third-Party Services Security Evaluation
- - id: tro-7.1.2
+ - id: tro-8.1.2
+ title: Vendor Security Control
description: Do you have procedures to verify vendors are implementing the security controls
they contractually committed to?
- title: Vendor Security Control
- - id: tro-7.1.3
+ - id: tro-8.1.3
+ title: Backup and Alternate Access
+ ref: /multisig-for-protocols/backup-signing-and-infrastructure
description: Do you have backup infrastructure and alternate access methods for treasury
continuity?
- title: Backup and Alternate Access
- id: tro-9
title: Accounting & Financial Reporting
controls:
- - id: tro-8.1.1
+ - id: tro-9.1.1
description: Do you maintain procedures for recording all treasury transactions in your
accounting system with appropriate categorization and documentation?
title: Transaction Recording Procedures
- - id: tro-8.1.2
+ - id: tro-9.1.2
+ title: Periodic Reconciliation
description: Do you conduct periodic reconciliation between Custody platform records, Blockchain
balances, Accounting records, etc?
- title: 'Periodic Reconciliation'
- - id: tro-8.1.3
- description: Do you have documented procedures for treasury-related financial reporting?
+ - id: tro-9.1.3
title: Documented Procedures
- - id: tro-8.1.4
- description: Do you maintain insurance coverage appropriate for your treasury operations?
+ description: Do you have documented procedures for treasury-related financial reporting?
+ - id: tro-9.1.4
title: Insurance Coverage
+ description: Do you maintain insurance coverage appropriate for your treasury operations?
---
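Review bot: The rewritten description for tro-3.1.2 still carries the typo `traning` even though the line is re-emitted in this hunk; it should read `description: Do you conduct training programs with all signers?`. The new `ref` on tro-3.1.3, `/wallet-security/tools-&-resources#transaction-simulation`, has a literal `&` in the path segment — worth confirming that this is the real page slug and that the cert component emits it as an href correctly, since a dead link here drops the only pointer to the simulation guidance. The renumbering of tro-4.1.x through tro-8.1.x to tro-5.1.x through tro-9.1.x fixes the duplicated tro-4 ids, but if ControlState answers are persisted keyed by control id anywhere (not visible here), saved responses for the old ids would silently re-attach to different controls, so a one-off id migration or an explicit note in the commit message seems warranted.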
diff --git a/docs/pages/certs/sfc-workspace-security.mdx b/docs/pages/certs/sfc-workspace-security.mdx
index 0152b1f1..06becfda 100644
--- a/docs/pages/certs/sfc-workspace-security.mdx
+++ b/docs/pages/certs/sfc-workspace-security.mdx
@@ -9,189 +9,212 @@ cert:
title: Governance & Inventory
controls:
- id: ws-1.1.1
+ title: Documented Workspace Security Policies
description: Do you maintain documented security policies governing workspace operations
(device standards, account management, access control)?
- title: Documented Workspace Security Policies
- id: ws-1.1.2
+ title: Accountability for Workspace Security
description: Is there a clearly designated person or team accountable for workspace security
(policy maintenance, reviews)?
- title: Accountability for Workspace Security
- id: ws-1.1.3
+ title: Policy Review and Update Process
description: Do you operate a documented review and update process for security policies
with defined triggers (incidents, technology updates)?
- title: Policy Review and Update Process
- id: ws-1.2.1
+ title: Device Ownership and Security Status
description: Do you maintain an inventory of organizational devices (laptops, phones, tablets)
that tracks ownership and critical security status (encryption, OS version)?
- title: Device Ownership and Security Status
- id: ws-1.2.2
+ title: Accounts Inventory and Ownership
description: Do you maintain an inventory of organizational accounts (email, cloud services,
social media, DNS, development tools) with defined ownership?
- title: Accounts Inventory and Ownership
- id: ws-1.2.3
+ title: Information Classification by Sensitivity
description: Do you classify information and systems based on sensitivity and criticality
to determine appropriate security controls?
- title: Information Classification by Sensitivity
- id: ws-2
title: Device Security & Management
controls:
- id: ws-2.1.1
+ title: Security Requirements for Company Devices
description: Do you maintain documented security requirements for company issued devices
(encryption, authentication, patching, software restrictions)?
- title: Security Requirements for Company Devices
- id: ws-2.1.2
+ title: Device Provisioning and Compliance
description: Do you have procedures for provisioning devices according to security requirements
and verifying ongoing compliance?
- title: Device Provisioning and Compliance
+ - id: ws-2.1.3
+ title: Device Supply Chain Security
+ description: Do you maintain procedures for device procurement through verified supply chains
+ and verification of device integrity upon receipt?
- id: ws-2.2.1
+ title: Device Access Authentication Requirements
description: Do you enforce authentication requirements for device access (password complexity,
timeout settings, lock screens)?
- title: Device Access Authentication Requirements
- id: ws-2.2.2
+ title: Administrative Privilege Management on Devices
description: Do you maintain procedures for managing administrative privileges on devices
(separation from daily use accounts, approval processes)?
- title: Administrative Privilege Management on Devices
- id: ws-2.3.1
+ title: Corporate vs Personal Device Usage Policies
description: Do you maintain policies distinguishing between corporate and personal device
usage with appropriate security controls?
- title: Corporate vs Personal Device Usage Policies
- id: ws-2.3.2
+ title: Remote Device Management for Loss/Compromise
description: Do you have procedures for remotely managing organizational devices in case
of loss or compromise (remote lock/wipe capabilities)?
- title: Remote Device Management for Loss/Compromise
- id: ws-2.4.1
+ title: Secure Device Decommissioning Procedures
description: Do you maintain procedures for secure device decommissioning including data
sanitization?
- title: Secure Device Decommissioning Procedures
- id: ws-2.4.2
- description: Do you have documented procedures for responding to lost or stolen devices?
title: Lost or Stolen Device Procedures
+ description: Do you have documented procedures for responding to lost or stolen devices?
- id: ws-2.5.1
+ title: EDR/MDM Deployment and Monitoring
description: Do you maintain endpoint detection and response (EDR) or mobile device management
(MDM) solutions on organizational devices with documented deployment and monitoring procedures?
- title: EDR/MDM Deployment and Monitoring
- - id: ws-2.5.1
+ - id: ws-2.5.2
description: Do you have procedures for responding to EDR/MDM alerts and enforcing compliance
with security policies through these platforms?
title: EDR/MDM Alert Response Procedures
+ - id: ws-2.6.1
+ title: Browser and Application Security
+ description: Do you maintain policies for browser and application security (browser isolation,
+ extension approval, external file handling)?
+ - id: ws-2.7.1
+ description: Do you maintain requirements for physical workspace security for both on-site
+ and remote work environments?
+ title: Physical Workspace Security
- id: ws-3
title: Account Management & Access Control
controls:
- id: ws-3.1.1
+ title: User Account Provisioning Lifecycle
description: Do you have procedures for provisioning, modifying, and deprovisioning user
accounts with appropriate approvals?
- title: User Account Provisioning Lifecycle
- id: ws-3.1.2
+ title: MFA Enforcement with Exceptions
+ ref: /awareness/cultivating-a-security-aware-mindset#342-multi-factor-authentication-mfa
description: Do you enforce multi-factor authentication for critical accounts with a documented
exceptions process?
- title: MFA Enforcement with Exceptions
- id: ws-3.2.1
+ title: Security Configuration Standards Maintenance
description: Do you maintain security configuration standards for enterprise platforms (Google
Workspace, Microsoft 365, collaboration tools)?
- title: Security Configuration Standards Maintenance
- id: ws-3.2.2
+ title: Periodic Access Reviews and Revocation
description: Do you conduct periodic access reviews for corporate systems with documented
revocation procedures?
- title: Periodic Access Reviews and Revocation
- id: ws-3.3.1
+ title: Organizational Social Media Security
description: Do you maintain procedures for securing organizational social media and external
service accounts?
- title: Organizational Social Media Security
- id: ws-3.3.2
+ title: Ownership Verification for External Accounts
description: Do you have procedures for verifying ownership and preventing unauthorized
use of organizational external accounts?
- title: Ownership Verification for External Accounts
+ - id: ws-3.3.3
+ description: Do you maintain policies for account security controls (recovery method restrictions,
+ organizational identity verification)?
+ title: Account Security Controls
- id: ws-3.4.1
+ title: Domain Registration and DNS Management
description: Do you maintain security procedures for domain registration and DNS management
(registrar lock, change controls)?
- title: Domain Registration and DNS Management
- id: ws-3.4.2
+ title: DNS Change Validation and Approval
description: Do you have procedures for validating and approving DNS changes with appropriate
documentation?
- title: DNS Change Validation and Approval
- id: ws-4
title: Password & Credential Management
controls:
- id: ws-4.1.1
+ title: Password Policy Requirements and Rotation
description: Do you maintain documented password requirements with risk-based complexity
and rotation standards?
- title: Password Policy Requirements and Rotation
- id: ws-4.1.2
+ title: Secure Password Storage and Transmission
+ ref: /awareness/cultivating-a-security-aware-mindset#341-password-management
description: Do you have procedures for secure password storage and transmission (password
managers, encrypted channels)?
- title: Secure Password Storage and Transmission
- id: ws-4.2.1
+ title: Credential Rotation Based on Risk
description: Do you maintain procedures for credential rotation based on risk, time intervals,
or security events?
- title: Credential Rotation Based on Risk
- id: ws-4.2.2
+ title: Enhanced Controls for High-Privilege Credentials
description: Do you have enhanced controls for high-privilege credentials (admin accounts,
service accounts, API keys)?
- title: Enhanced Controls for High-Privilege Credentials
+ - id: ws-4.2.3
+ description: Do you maintain policies prohibiting credential sharing and requiring individual
+ accounts for accountability?
+ title: Account Sharing Prohibition
- id: ws-5
title: Development Environment Security
controls:
- id: ws-5.1.1
+ title: Evaluation Criteria for Development Tools
description: Do you maintain criteria for evaluating and approving development tools (IDEs,
extensions, libraries, AI assistants)?
- title: Evaluation Criteria for Development Tools
- id: ws-5.1.2
+ title: Access Control for Source Code Repositories
description: Do you maintain access control procedures for source code repositories with
role-based permissions?
- title: Access Control for Source Code Repositories
- id: ws-5.1.3
+ title: Sensitive Data Exposure Prevention in Repositories
description: Do you have procedures for preventing exposure of sensitive information in
code repositories?
- title: Sensitive Data Exposure Prevention in Repositories
- id: ws-5.1.4
+ title: Dev Dependencies and Supply Chain Management
description: Do you have procedures for managing development dependencies and supply chain
risks?
- title: Dev Dependencies and Supply Chain Management
- id: ws-6
title: Network & Communication Security
controls:
- id: ws-6.1.1
+ title: Secure Network Access Procedures
description: Do you maintain procedures for secure network access including remote access
methods (primarily for organizations with physical offices - if not select N/A)?
- title: Secure Network Access Procedures
- id: ws-6.1.2
+ title: Secure Organizational Communication Channels
+ ref: /awareness/cultivating-a-security-aware-mindset#343-secure-communication
description: Do you maintain procedures for securing organizational communication channels
(email, messaging, collaboration tools)?
- title: Secure Organizational Communication Channels
- id: ws-6.1.3
+ title: Identity Verification for Sensitive Communications
description: Do you have procedures for verifying identity in sensitive communications to
prevent impersonation?
- title: Identity Verification for Sensitive Communications
- id: ws-6.1.4
+ title: Employee Travel Security Procedures
description: Do you maintain security procedures specific to employee travel (device handling,
network usage, data access)?
- title: Employee Travel Security Procedures
- id: ws-7
title: Monitoring & Incident Response
controls:
- id: ws-7.1.1
+ title: Workspace Security Incident Response
description: Do you maintain procedures for detecting and responding to workspace security
incidents (account takeovers, data leaks, device compromise)?
- title: Workspace Security Incident Response
- id: ws-7.1.2
+ title: Workspace Incident Response Procedures
description: Do you have documented response procedures for different types of workspace
security incidents?
- title: Workspace Incident Response Procedures
- id: ws-8
title: Employee Lifecycle & Training
controls:
- id: ws-8.1.1
+ title: 'Security Onboarding: Provisioning and Training'
description: Do you maintain security onboarding procedures including device provisioning,
account creation, and initial training?
- title: 'Security Onboarding: Provisioning and Training'
- id: ws-8.1.2
+ title: Pre-Access Identity and Authorization Verification
description: Do you have procedures for verifying employee identity and authorization before
granting access?
- title: Pre-Access Identity and Authorization Verification
- id: ws-8.1.3
+ title: Workspace Security Awareness Program Updates
description: Do you maintain a security awareness program covering workspace security topics
with regular updates?
- title: Workspace Security Awareness Program Updates
- id: ws-8.1.4
description: Do you maintain comprehensive offboarding procedures including access revocation,
device return, and credential rotation?
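Review bot: The newly added controls ws-2.7.1, ws-3.3.3 and ws-4.2.3 place `description` before `title`, while every other control in this hunk is deliberately reordered to put `title` first (e.g. ws-2.1.3 and ws-2.6.1); for consistency move `title: Physical Workspace Security`, `title: Account Security Controls` and `title: Account Sharing Prohibition` above their respective `description:` lines. The duplicate-id fix (second `ws-2.5.1` becoming `ws-2.5.2`) is correct, but any answers previously stored against the shared id will now apply only to the first control, so persisted ControlState for this cert may need to be re-answered or migrated if such persistence exists (not visible here). The ws-8.1.4 control and the closing frontmatter marker continue past the end of this hunk.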
diff --git a/utils/generate-folder-indexes.js b/utils/generate-folder-indexes.js
index f1079345..64fbb853 100644
--- a/utils/generate-folder-indexes.js
+++ b/utils/generate-folder-indexes.js
@@ -37,6 +37,12 @@ function toTitleCase(input) {
function parseFrontmatter(raw) {
if (matter) {
return matter(raw).data || {};
+ try {
+ return matter(raw).data || {};
+ } catch (error) {
+ console.warn(`gray-matter failed to parse frontmatter, falling back to basic parser: ${error.message}`);
+ // fall through to basic parser below
+ }
}
const match = raw.match(/^---\n([\s\S]*?)\n---/);