“…The Identity Management and Access Control objective complements the practices declared in ISO 29146, NIST SP 800-205 and the ISO 24760 family, for which reason it proposes the following capabilities: 55) Management of identities and credentials for users and devices [99]; 56) Access and Physical Protection [100]; 57) Remote Access [101]; 58) Permits with less privilege and segregation of duties [102]; 59) Integrity and Segregation [103] In the Protective Technology objective, recommended practices are included in NIST SP 800-160, NIST SP 800-40, NIST SP 800-86, CMMi, ISO 62443 data protection [106], the maturity model for web applications against cyber-attacks based on in OSWAP [107], and the Action Plan for the implementation of an ICAO Cybersecurity Strategy, the proposed capabilities are: 69) Cryptography [108]; 70) Personnel and Assignment of Cybersecurity Roles [109]; 71) Security in Unattended Systems and Unconnected Assets [110]; 72) Resilience in capacity to ensure availability [111]; 73) Baseline and Update [112]; 74) Vulnerability Management [113]; 75) Guarantee of Integrity and Non-repudiation [114]; 76) Safeguards [115]; 77) Antivirus Protection [116] [117]; 87) Firewall, protection of networks and communications [59]; 88) Deployment Resilience Techniques [118]; 89) Technology Monitoring [119] and 90) Security Architecture [120].…”