last sync: 2025-Feb-14 18:36:58 UTC

Vulnerability assessment should be enabled on your Synapse workspaces

Azure BuiltIn Policy definition

Source Azure Portal
Display name Vulnerability assessment should be enabled on your Synapse workspaces
Id 0049a6b3-a662-4f3e-8635-39cf44ace45a
Version 1.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.0
Built-in Versioning [Preview]
Category Synapse
Microsoft Learn
Description Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.*.*'
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Synapse/workspaces/vulnerabilityAssessments/recurringScans.isEnabled Microsoft.Synapse workspaces/vulnerabilityAssessments properties.recurringScans.isEnabled True False
Rule resource types IF (1)
Microsoft.Synapse/workspaces
Compliance
The following 81 compliance controls are associated with this Policy definition 'Vulnerability assessment should be enabled on your Synapse workspaces' (0049a6b3-a662-4f3e-8635-39cf44ace45a)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
ACAT_Security_Policies ACAT_Security_Policies ACAT Security Policies Guidelines for M365 Certification Protecting systems and resources Shared n/a Ensures that apps have strong security and compliance practices in place to protect customer data, security, and privacy. link 16
C.04.3 - Timelines C.04.3 - Timelines 404 not found n/a n/a 21
Canada_Federal_PBMM_3-1-2020 AC_2 Canada_Federal_PBMM_3-1-2020_AC_2 Canada Federal PBMM 3-1-2020 AC 2 Account Management Account Management Shared 1. The organization identifies and selects which types of information system accounts support organizational missions/business functions. 2. The organization assigns account managers for information system accounts. 3. The organization establishes conditions for group and role membership. 4. The organization specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account. 5. The organization requires approvals by responsible managers for requests to create information system accounts. 6. The organization creates, enables, modifies, disables, and removes information system accounts in accordance with information system account management procedures. 7. The organization monitors the use of information system accounts. 8. The organization notifies account managers: a. When accounts are no longer required; b. When users are terminated or transferred; and c. When individual information system usage or need-to-know changes. 9. The organization authorizes access to the information system based on: a. A valid access authorization; b. Intended system usage; and c. Other attributes as required by the organization or associated missions/business functions. 10. The organization reviews accounts for compliance with account management requirements at least annually. 11. The organization establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. To ensure the security, integrity, and efficiency of the information systems. 24
Canada_Federal_PBMM_3-1-2020 AC_2(1) Canada_Federal_PBMM_3-1-2020_AC_2(1) Canada Federal PBMM 3-1-2020 AC 2(1) Account Management Account Management | Automated System Account Management Shared The organization employs automated mechanisms to support the management of information system accounts. To streamline and enhance information system account management processes. 24
Canada_Federal_PBMM_3-1-2020 CA_2 Canada_Federal_PBMM_3-1-2020_CA_2 Canada Federal PBMM 3-1-2020 CA 2 Security Assessments Security Assessments Shared 1. The organization develops a security assessment plan that describes the scope of the assessment including: a. Security controls and control enhancements under assessment; b. Assessment procedures to be used to determine security control effectiveness; and c. Assessment environment, assessment team, and assessment roles and responsibilities. 2. The organization assesses the security controls in the information system and its environment of operation at least annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements. 3. The organization produces a security assessment report that documents the results of the assessment. 4. The organization provides the results of the security control assessment to organization-defined individuals or roles. To enhance the overall security posture of the organization. 24
Canada_Federal_PBMM_3-1-2020 CA_3 Canada_Federal_PBMM_3-1-2020_CA_3 Canada Federal PBMM 3-1-2020 CA 3 Information System Connections System Interconnections Shared 1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements. 2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated. 3. The organization reviews and updates Interconnection Security Agreements annually. To establish and maintain secure connections between information systems. 77
Canada_Federal_PBMM_3-1-2020 CA_3(3) Canada_Federal_PBMM_3-1-2020_CA_3(3) Canada Federal PBMM 3-1-2020 CA 3(3) Information System Connections System Interconnections | Classified Non-National Security System Connections Shared The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner. To ensure the integrity and security of internal systems against external threats. 77
Canada_Federal_PBMM_3-1-2020 CA_3(5) Canada_Federal_PBMM_3-1-2020_CA_3(5) Canada Federal PBMM 3-1-2020 CA 3(5) Information System Connections System Interconnections | Restrictions on External Network Connections Shared The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems. To enhance security posture against unauthorized access. 77
Canada_Federal_PBMM_3-1-2020 CA_7 Canada_Federal_PBMM_3-1-2020_CA_7 Canada Federal PBMM 3-1-2020 CA 7 Continuous Monitoring Continuous Monitoring Shared 1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency. To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements. 125
Canada_Federal_PBMM_3-1-2020 CM_2 Canada_Federal_PBMM_3-1-2020_CM_2 Canada Federal PBMM 3-1-2020 CM 2 Baseline Configuration Baseline Configuration Shared The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. To support effective management and security practices. 24
Canada_Federal_PBMM_3-1-2020 CM_2(1) Canada_Federal_PBMM_3-1-2020_CM_2(1) Canada Federal PBMM 3-1-2020 CM 2(1) Baseline Configuration Baseline Configuration | Reviews and Updates Shared The organization reviews and updates the baseline configuration of the information system: 1. at least annually; or 2. When required due to significant changes as defined in NIST SP 800-37 rev1; and 3. As an integral part of information system component installations and upgrades. To ensure alignment with current security standards and operational requirements. 24
Canada_Federal_PBMM_3-1-2020 CM_2(2) Canada_Federal_PBMM_3-1-2020_CM_2(2) Canada Federal PBMM 3-1-2020 CM 2(2) Baseline Configuration Baseline Configuration | Automation Support for Accuracy / Currency Shared The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. To ensure the information system maintains an up-to-date, complete, accurate, and readily available baseline configuration 23
Canada_Federal_PBMM_3-1-2020 IA_5 Canada_Federal_PBMM_3-1-2020_IA_5 Canada Federal PBMM 3-1-2020 IA 5 Authenticator Management Authenticator Management Shared 1. The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. 2. The organization manages information system authenticators by establishing initial authenticator content for authenticators defined by the organization. 3. The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use. 4. The organization manages information system authenticators by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators. 5. The organization manages information system authenticators by changing the default content of authenticators prior to information system installation. 6. The organization manages information system authenticators by establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators. 7. The organization manages information system authenticators by changing/refreshing authenticators in accordance with CCCS’s ITSP.30.031. 8. The organization manages information system authenticators by protecting authenticator content from unauthorized disclosure and modification. 9. The organization manages information system authenticators by requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators. 10. The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes. To effectively manage information system authenticators through verification of recipient identity. 21
Canada_Federal_PBMM_3-1-2020 IA_5(11) Canada_Federal_PBMM_3-1-2020_IA_5(11) Canada Federal PBMM 3-1-2020 IA 5(11) Authenticator Management Authenticator Management | Hardware Token-Based Authentication Shared The information system, for hardware token-based authentication, employs mechanisms that satisfy CCCS's ITSP.30.031 token quality requirements. To enhance overall security and compliance with CCCS guidelines. 20
Canada_Federal_PBMM_3-1-2020 MP_1 Canada_Federal_PBMM_3-1-2020_MP_1 Canada Federal PBMM 3-1-2020 MP 1 Media Protection Policy and Procedures Media Protection Policy and Procedures Shared 1. The organization develops, documents, and disseminates to all personnel: a. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the media protection policy and associated media protection controls. 2. The organization reviews and updates the current: a. Media protection policy at least every 3 years; and b. Media protection procedures at least annually. To implement media protection policy and procedures. 14
Canada_Federal_PBMM_3-1-2020 PL_1 Canada_Federal_PBMM_3-1-2020_PL_1 Canada Federal PBMM 3-1-2020 PL 1 Security Planning Policy and Procedures Security Planning Policy and Procedures Shared 1. The organization develops, documents, and disseminates to personnel or roles with security planning responsibilities a. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the security planning policy and associated security planning controls. 2. The organization reviews and updates the current: a. Security planning policy at least every 3 years; and b. Security planning procedures at least annually. To ensure safety of data and enhance security posture. 14
Canada_Federal_PBMM_3-1-2020 PL_2 Canada_Federal_PBMM_3-1-2020_PL_2 Canada Federal PBMM 3-1-2020 PL 2 System Security Plan System Security Plan Shared 1. The organization develops a security plan for the information system that: a. Is consistent with the organization’s enterprise architecture; b. Explicitly defines the authorization boundary for the system; c. Describes the operational context of the information system in terms of missions and business processes; d. Provides the security categorization of the information system including supporting rationale; e. Describes the operational environment for the information system and relationships with or connections to other information systems; f. Provides an overview of the security requirements for the system; g. Identifies any relevant overlays, if applicable; h. Describes the security controls in place or planned for meeting those requirements including a rationale for tailoring decisions; and i. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation. 2. The organization distributes copies of the security plan and communicates subsequent changes to the plan to personnel or roles with security planning responsibilities. 3. The organization reviews the security plan for the information system at least annually. 4. The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments. 5. The organization protects the security plan from unauthorized disclosure and modification. To ensure safety of data and enhance security posture. 7
CIS_Controls_v8.1 10.7 CIS_Controls_v8.1_10.7 CIS Controls v8.1 10.7 Malware Defenses Use behaviour based anti-malware software Shared Use behaviour based anti-malware software To ensure that a generic anti-malware software is not used. 100
CIS_Controls_v8.1 12.1 CIS_Controls_v8.1_12.1 CIS Controls v8.1 12.1 Network Infrastructure Management Ensure network infrastructure is up to date Shared 1. Ensure network infrastructure is kept up-to-date. 2. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. 3. Review software versions monthly, or more frequently, to verify software support. To prevent any unauthorized or malicious activity on network systems. 23
CIS_Controls_v8.1 12.3 CIS_Controls_v8.1_12.3 CIS Controls v8.1 12.3 Network Infrastructure Management Securely manage network infrastructure Shared 1. Securely manage network infrastructure. 2. Example implementations include version-controlled-infrastructure-ascode, and the use of secure network protocols, such as SSH and HTTPS. To ensure proper management of network infrastructure. 39
CIS_Controls_v8.1 13.1 CIS_Controls_v8.1_13.1 CIS Controls v8.1 13.1 Network Monitoring and Defense Centralize security event alerting Shared 1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard. To ensure that any security event is immediately alerted enterprise-wide. 102
CIS_Controls_v8.1 13.3 CIS_Controls_v8.1_13.3 CIS Controls v8.1 13.3 Network Monitoring and Defense Deploy a network intrusion detection solution Shared 1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. To enhance the organization's cybersecurity. 100
CIS_Controls_v8.1 16.12 CIS_Controls_v8.1_16.12 CIS Controls v8.1 16.12 Application Software Security Implement code-level security checks Shared Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed. To help identify and address potential security issues early in the development process, enhancing the overall security posture of the application. 23
CIS_Controls_v8.1 16.13 CIS_Controls_v8.1_16.13 CIS Controls v8.1 16.13 Application Software Security Conduct application penetration testing Shared 1. Conduct application penetration testing. 2. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. 3. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user. To identify potential security weaknesses and assess the overall security posture of the application. 23
CIS_Controls_v8.1 16.2 CIS_Controls_v8.1_16.2 CIS Controls v8.1 16.2 Application Software Security Establish and maintain a process to accept and address software vulnerabilities Shared 1. Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. 2. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. 3. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. 4. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. 5. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders. To serve as an externally-facing document that establishes expectations for external stakeholders regarding vulnerability reporting and remediation procedures. 23
CIS_Controls_v8.1 16.5 CIS_Controls_v8.1_16.5 CIS Controls v8.1 16.5 Application Software Security Use up-to-date and trusted third-party software components Shared 1. Use up-to-date and trusted third-party software components. 2. When possible, choose established and proven frameworks and libraries that provide adequate security. 3. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. To utilize up-to-date and trusted third-party software components in application development. 18
CIS_Controls_v8.1 16.6 CIS_Controls_v8.1_16.6 CIS Controls v8.1 16.6 Application Software Security Establish and maintain a severity rating system and process for application vulnerabilities Shared 1. Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. 2. This process includes setting a minimum level of security acceptability for releasing code or applications. 3. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. 4. Review and update the system and process annually. To establish and maintain a severity rating system and corresponding process for addressing application vulnerabilities, enabling prioritization of fixes based on severity levels, adapt to evolving threat landscapes and maintain effectiveness in mitigating risks. 18
CIS_Controls_v8.1 16.7 CIS_Controls_v8.1_16.7 CIS Controls v8.1 16.7 Application Software Security Use standard hardening configuration templates for application infrastructure Shared 1. Use standard, industry-recommended hardening configuration templates for application infrastructure components. 2. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. 3. Do not allow in-house developed software to weaken configuration hardening. To ensure that in-house developed software does not compromise the established configuration hardening standards. 18
CIS_Controls_v8.1 18.1 CIS_Controls_v8.1_18.1 CIS Controls v8.1 18.1 Penetration Testing Establish and maintain a penetration testing program Shared 1. Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. 2. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. To establish and maintain a penetration testing program tailored to the size, complexity, and maturity of the enterprise. 18
CIS_Controls_v8.1 18.2 CIS_Controls_v8.1_18.2 CIS Controls v8.1 18.2 Penetration Testing Perform periodic external penetration tests Shared 1. Perform periodic external penetration tests based on program requirements, no less than annually. 2. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. 3. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. 4. The testing may be clear box or opaque box. To ensure thorough assessment and mitigation of potential vulnerabilities. 17
CIS_Controls_v8.1 18.3 CIS_Controls_v8.1_18.3 CIS Controls v8.1 18.3 Penetration Testing Remediate penetration test findings Shared Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization. To mitigate security risks effectively. 17
CIS_Controls_v8.1 18.4 CIS_Controls_v8.1_18.4 CIS Controls v8.1 18.4 Penetration Testing Validate security measures Shared Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise. 94
CIS_Controls_v8.1 18.5 CIS_Controls_v8.1_18.5 404 not found n/a n/a 17
CMMC_2.0_L2 RA.L2-3.11.2 CMMC_2.0_L2_RA.L2-3.11.2 404 not found n/a n/a 17
CMMC_2.0_L2 RA.L2-3.11.3 CMMC_2.0_L2_RA.L2-3.11.3 404 not found n/a n/a 17
CMMC_L2_v1.9.0 SI.L1_3.14.1 CMMC_L2_v1.9.0_SI.L1_3.14.1 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.1 System and Information Integrity Flaw Remediation Shared Identify, report, and correct information and information system flaws in a timely manner. To safeguard assets and maintain operational continuity. 24
CSA_v4.0.12 AIS_07 CSA_v4.0.12_AIS_07 CSA Cloud Controls Matrix v4.0.12 AIS 07 Application & Interface Security Application Vulnerability Remediation Shared n/a Define and implement a process to remediate application security vulnerabilities, automating remediation when possible. 22
CSA_v4.0.12 CCC_07 CSA_v4.0.12_CCC_07 CSA Cloud Controls Matrix v4.0.12 CCC 07 Change Control and Configuration Management Detection of Baseline Deviation Shared n/a Implement detection measures with proactive notification in case of changes deviating from the established baseline. 22
CSA_v4.0.12 TVM_04 CSA_v4.0.12_TVM_04 CSA Cloud Controls Matrix v4.0.12 TVM 04 Threat & Vulnerability Management Detection Updates Shared n/a Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis. 50
CSA_v4.0.12 TVM_08 CSA_v4.0.12_TVM_08 CSA Cloud Controls Matrix v4.0.12 TVM 08 Threat & Vulnerability Management Vulnerability Prioritization Shared n/a Use a risk-based model for effective prioritization of vulnerability remediation using an industry recognized framework. 22
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_11 EU_2555_(NIS2)_2022_11 EU 2022/2555 (NIS2) 2022 11 Requirements, technical capabilities and tasks of CSIRTs Shared n/a Outlines the requirements, technical capabilities, and tasks of CSIRTs. 69
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_12 EU_2555_(NIS2)_2022_12 EU 2022/2555 (NIS2) 2022 12 Coordinated vulnerability disclosure and a European vulnerability database Shared n/a Establishes a coordinated vulnerability disclosure process and a European vulnerability database. 67
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 194
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_29 EU_2555_(NIS2)_2022_29 EU 2022/2555 (NIS2) 2022 29 Cybersecurity information-sharing arrangements Shared n/a Allows entities to exchange relevant cybersecurity information on a voluntary basis. 67
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 311
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 311
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 311
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 311
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .11 FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 Policy and Implementation - Formal Audits Policy Area 11: Formal Audits Shared Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. 65
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .7 FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 404 not found n/a n/a 96
FedRAMP_High_R4 RA-5 FedRAMP_High_R4_RA-5 FedRAMP High RA-5 Risk Assessment Vulnerability Scanning Shared n/a The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times], in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). Supplemental Guidance: Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. References: NIST Special Publications 800-40, 800-70, 800-115; Web: http://cwe.mitre.org, http://nvd.nist.gov. link 19
FedRAMP_Moderate_R4 RA-5 FedRAMP_Moderate_R4_RA-5 FedRAMP Moderate RA-5 Risk Assessment Vulnerability Scanning Shared n/a The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times], in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). Supplemental Guidance: Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. References: NIST Special Publications 800-40, 800-70, 800-115; Web: http://cwe.mitre.org, http://nvd.nist.gov. link 19
HITRUST_CSF_v11.3 10.c HITRUST_CSF_v11.3_10.c HITRUST CSF v11.3 10.c Correct Processing in Applications To incorporate validation checks into applications to detect any corruption of information through processing errors or deliberate acts. Shared Data integrity controls which manage changes, prevent sequencing errors, ensure recovery from failures, and protect against buffer overrun attacks are to be implemented. Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts. 36
HITRUST_CSF_v11.3 10.m HITRUST_CSF_v11.3_10.m HITRUST CSF v11.3 10.m Technical Vulnerability Management To reduce the risks resulting from exploitation of published technical vulnerabilities, technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness. Shared 1. The necessary secure services, protocols required for the function of the system are to be enabled. 2. Security features to be implemented for any required services that are considered to be insecure. 3. Laptops, workstations, and servers to be configured so they will not auto-run content from removable media. 4. Configuration standards to be consistent with industry-accepted system hardening standards. 5. An enterprise security posture review within every 365 days is to be conducted. 6. Vulnerability scanning tools to be regularly updated with all relevant information system vulnerabilities. Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk. 47
NIST_CSF_v2.0 DE.CM_09 NIST_CSF_v2.0_DE.CM_09 NIST CSF v2.0 DE.CM 09 DETECT- Continuous Monitoring Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events. Shared n/a To identify and analyze the cybersecurity attacks and compromises. 25
NIST_SP_800-171_R2_3 .11.2 NIST_SP_800-171_R2_3.11.2 NIST SP 800-171 R2 3.11.2 Risk Assessment Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning. [SP 800-40] provides guidance on vulnerability management. link 20
NIST_SP_800-171_R2_3 .11.3 NIST_SP_800-171_R2_3.11.3 NIST SP 800-171 R2 3.11.3 Risk Assessment Remediate vulnerabilities in accordance with risk assessments. Shared Microsoft and the customer share responsibilities for implementing this requirement. Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities. link 19
NIST_SP_800-171_R3_3 .14.1 NIST_SP_800-171_R3_3.14.1 NIST 800-171 R3 3.14.1 System and Information Integrity Control Flaw Remediation Shared Organizations identify systems that are affected by announced software and firmware flaws, including potential vulnerabilities that result from those flaws, and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address the flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources, such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases, in remediating the flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors, including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation. a. Identify, report, and correct system flaws. b. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates. 24
NIST_SP_800-53_R4 RA-5 NIST_SP_800-53_R4_RA-5 NIST SP 800-53 Rev. 4 RA-5 Risk Assessment Vulnerability Scanning Shared n/a The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times], in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). Supplemental Guidance: Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. References: NIST Special Publications 800-40, 800-70, 800-115; Web: http://cwe.mitre.org, http://nvd.nist.gov. link 19
NIST_SP_800-53_R5.1.1 SI.2 NIST_SP_800-53_R5.1.1_SI.2 NIST SP 800-53 R5.1.1 SI.2 System and Information Integrity Control Flaw Remediation Shared a. Identify, report, and correct system flaws; b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d. Incorporate flaw remediation into the organizational configuration management process. The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. 24
NIST_SP_800-53_R5 RA-5 NIST_SP_800-53_R5_RA-5 NIST SP 800-53 Rev. 5 RA-5 Risk Assessment Vulnerability Monitoring and Scanning Shared n/a a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. link 19
NL_BIO_Cloud_Theme C.04.3(2) NL_BIO_Cloud_Theme_C.04.3(2) NL_BIO_Cloud_Theme_C.04.3(2) C.04 Technical Vulnerability Management Technical vulnerabilities n/a The malware protection is carried out on various environments, such as on mail servers, (desktop) computers and when accessing the organization's network. The scan for malware includes: all files received over networks or through any form of storage medium, even before use; all attachments and downloads even before use; virtual machines; network traffic. 20
NL_BIO_Cloud_Theme U.17.1(2) NL_BIO_Cloud_Theme_U.17.1(2) NL_BIO_Cloud_Theme_U.17.1(2) U.17 Multi-tenant architecture Encrypted n/a CSC data on transport and at rest is encrypted. 5
NZISM_v3.7 12.4.4.C.01. NZISM_v3.7_12.4.4.C.01. NZISM v3.7 12.4.4.C.01. Product Patching and Updating 12.4.4.C.01. - To mitigate the risk of exploitation by malicious actors and to ensure the ongoing security and integrity of the agency's IT systems and data. Shared n/a Agencies MUST apply all critical security patches as soon as possible and within two (2) days of the release of the patch or update. 25
NZISM_v3.7 12.4.4.C.02. NZISM_v3.7_12.4.4.C.02. NZISM v3.7 12.4.4.C.02. Product Patching and Updating 12.4.4.C.02. - To minimise the risk of disruptions or vulnerabilities introduced by the patches. Shared n/a Agencies MUST implement a patch management strategy, including an evaluation or testing process. 29
NZISM_v3.7 12.4.4.C.04. NZISM_v3.7_12.4.4.C.04. NZISM v3.7 12.4.4.C.04. Product Patching and Updating 12.4.4.C.04. - To mitigate the risk of exploitation by malicious actors and to ensure the ongoing security and integrity of the agency's IT systems and data. Shared n/a Agencies SHOULD apply all critical security patches as soon as possible and preferably within two (2) days of the release of the patch or update. 29
NZISM_v3.7 12.4.4.C.05. NZISM_v3.7_12.4.4.C.05. NZISM v3.7 12.4.4.C.05. Product Patching and Updating 12.4.4.C.05. - To reduce the potential attack surface for malicious actors. Shared n/a Agencies SHOULD apply all non-critical security patches as soon as possible. 27
NZISM_v3.7 12.4.4.C.06. NZISM_v3.7_12.4.4.C.06. NZISM v3.7 12.4.4.C.06. Product Patching and Updating 12.4.4.C.06. - To maintain the integrity and effectiveness of the patching process. Shared n/a Agencies SHOULD ensure that security patches are applied through a vendor recommended patch or upgrade process. 26
NZISM_v3.7 14.3.12.C.01. NZISM_v3.7_14.3.12.C.01. NZISM v3.7 14.3.12.C.01. Web Applications 14.3.12.C.01. - To strengthening the overall security posture of the agency's network environment. Shared n/a Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations. 82
op.exp.2 Security configuration op.exp.2 Security configuration 404 not found n/a n/a 112
op.exp.3 Security configuration management op.exp.3 Security configuration management 404 not found n/a n/a 123
op.exp.4 Security maintenance and updates op.exp.4 Security maintenance and updates 404 not found n/a n/a 78
op.exp.5 Change management op.exp.5 Change management 404 not found n/a n/a 71
op.mon.3 Monitoring op.mon.3 Monitoring 404 not found n/a n/a 51
PCI_DSS_v4.0.1 6.3.3 PCI_DSS_v4.0.1_6.3.3 PCI DSS v4.0.1 6.3.3 Develop and Maintain Secure Systems and Software All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: Patches/updates for critical vulnerabilities (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release. All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity’s assessment of the criticality of the risk to the environment as identified according to the risk ranking process at Requirement 6.3.1 Shared n/a Examine policies and procedures to verify processes are defined for addressing vulnerabilities by installing applicable security patches/updates in accordance with all elements specified in this requirement. Examine system components and related software and compare the list of installed security patches/updates to the most recent security patch/update information to verify vulnerabilities are addressed in accordance with all elements specified in this requirement 24
RBI_ITF_NBFC_v2017 3.3 RBI_ITF_NBFC_v2017_3.3 RBI IT Framework 3.3 Information and Cyber Security Vulnerability Management-3.3 n/a A vulnerability can be defined as an inherent configuration flaw in an organization???s information technology base, whether hardware or software, which can be exploited by a third party to gather sensitive information regarding the organization. Vulnerability management is an ongoing process to determine the process of eliminating or mitigating vulnerabilities based upon the risk and cost associated with the vulnerabilities. NBFCs may devise a strategy for managing and eliminating vulnerabilities and such strategy may clearly be communicated in the Cyber Security policy link 8
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 219
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 230
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 214
SWIFT_CSCF_2024 2.2 SWIFT_CSCF_2024_2.2 SWIFT Customer Security Controls Framework 2024 2.2 Risk Management Security Updates Shared 1. The closure of known security vulnerabilities is effective in reducing the various pathways that an attacker may use during an attack. 2. A security update process that is comprehensive, repeatable, and implemented in a timely manner is necessary to continuously close these known vulnerabilities when security updates are available. To minimise the occurrence of known technical vulnerabilities on operator PCs and within the user’s Swift infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. 24
U.17.1 - Encrypted U.17.1 - Encrypted 404 not found n/a n/a 5
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn true
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn unknown
ACAT for Microsoft 365 Certification 80307b86-ab81-45ab-bf4f-4e0b93cf3dd5 Regulatory Compliance GA BuiltIn unknown
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn true
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn true
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST CSF v2.0 184a0e05-7b06-4a68-bbbe-13b8353bc613 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn true
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn true
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn unknown
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-01-22 09:14:53 add 0049a6b3-a662-4f3e-8635-39cf44ace45a
JSON compare n/a
JSON
api-version=2021-06-01
EPAC