The following compliance controls are associated with the Policy definition 'View and configure system diagnostic data' (0123edae-3567-a05a-9b05-b53ebe9d3e7e):
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | CM-6(1) | FedRAMP_High_R4_CM-6(1) | FedRAMP High CM-6 (1) | Configuration Management | Automated Central Management / Application / Verification | Shared | n/a | The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. Supplemental Guidance: Related controls: CA-7, CM-4. | link | 3 |
| FedRAMP_High_R4 | SI-7(1) | FedRAMP_High_R4_SI-7(1) | FedRAMP High SI-7 (1) | System And Information Integrity | Integrity Checks | Shared | n/a | The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]. Supplemental Guidance: Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort. | link | 2 |
| FedRAMP_Moderate_R4 | CM-6(1) | FedRAMP_Moderate_R4_CM-6(1) | FedRAMP Moderate CM-6 (1) | Configuration Management | Automated Central Management / Application / Verification | Shared | n/a | The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. Supplemental Guidance: Related controls: CA-7, CM-4. | link | 3 |
| FedRAMP_Moderate_R4 | SI-7(1) | FedRAMP_Moderate_R4_SI-7(1) | FedRAMP Moderate SI-7 (1) | System And Information Integrity | Integrity Checks | Shared | n/a | The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]. Supplemental Guidance: Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort. | link | 2 |
| hipaa | 0228.09k2Organizational.3-09.k | hipaa-0228.09k2Organizational.3-09.k | 0228.09k2Organizational.3-09.k | 02 Endpoint Protection | 0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code | Shared | n/a | Rules for the migration of software from development to operational status are defined and documented by the organization hosting the affected application(s), including that development, test, and operational systems are separated (physically or virtually) to reduce the risks of unauthorized access or changes to the operational system. | | 11 |
| hipaa | 0603.06g2Organizational.1-06.g | hipaa-0603.06g2Organizational.1-06.g | 0603.06g2Organizational.1-06.g | 06 Configuration Management | 0603.06g2Organizational.1-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Shared | n/a | Automated compliance tools are used when possible. | | 6 |
| hipaa | 0618.09b1System.1-09.b | hipaa-0618.09b1System.1-09.b | 0618.09b1System.1-09.b | 06 Configuration Management | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | Shared | n/a | Changes to information assets, including systems, networks, and network services, are controlled and archived. | | 16 |
| hipaa | 0626.10h1System.3-10.h | hipaa-0626.10h1System.3-10.h | 0626.10h1System.3-10.h | 06 Configuration Management | 0626.10h1System.3-10.h 10.04 Security of System Files | Shared | n/a | Operational systems only hold approved programs or executable code. | | 3 |
| hipaa | 0627.10h1System.45-10.h | hipaa-0627.10h1System.45-10.h | 0627.10h1System.45-10.h | 06 Configuration Management | 0627.10h1System.45-10.h 10.04 Security of System Files | Shared | n/a | The organization maintains information systems according to a current baseline configuration and configures system security parameters to prevent misuse. Vendor supplied software used in operational systems is maintained at a level supported by the supplier and uses the latest version of web browsers on operational systems to take advantage of the latest security functions in the application. | | 11 |
| hipaa | 0644.10k3Organizational.4-10.k | hipaa-0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k | 06 Configuration Management | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Shared | n/a | The organization employs automated mechanisms to (i) centrally manage, apply, and verify configuration settings; (ii) respond to unauthorized changes to network and system security-related configuration settings; and, (iii) enforce access restrictions and auditing of the enforcement actions. | | 20 |
| hipaa | 0663.10h1System.7-10.h | hipaa-0663.10h1System.7-10.h | 0663.10h1System.7-10.h | 06 Configuration Management | 0663.10h1System.7-10.h 10.04 Security of System Files | Shared | n/a | The operating system has in place supporting technical controls such as antivirus, file integrity monitoring, host-based (personal) firewalls or port filtering tools, and logging as part of its baseline. | | 16 |
| hipaa | 0672.10k3System.5-10.k | hipaa-0672.10k3System.5-10.k | 0672.10k3System.5-10.k | 06 Configuration Management | 0672.10k3System.5-10.k 10.05 Security In Development and Support Processes | Shared | n/a | The integrity of all virtual machine images is ensured at all times by (i) logging and raising an alert for any changes made to virtual machine images, and (ii) making available to the business owner(s) and/or customer(s) through electronic methods (e.g., portals or alerts) the results of a change or move and the subsequent validation of the image's integrity. | | 12 |
| hipaa | 0708.10b2System.2-10.b | hipaa-0708.10b2System.2-10.b | 0708.10b2System.2-10.b | 07 Vulnerability Management | 0708.10b2System.2-10.b 10.02 Correct Processing in Applications | Shared | n/a | System and information integrity requirements are developed, documented, disseminated, reviewed, and updated annually. | | 3 |
| hipaa | 0710.10m2Organizational.1-10.m | hipaa-0710.10m2Organizational.1-10.m | 0710.10m2Organizational.1-10.m | 07 Vulnerability Management | 0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management | Shared | n/a | A hardened configuration standard exists for all system and network components. | | 9 |
| hipaa | 1206.09aa2System.23-09.aa | hipaa-1206.09aa2System.23-09.aa | 1206.09aa2System.23-09.aa | 12 Audit Logging & Monitoring | 1206.09aa2System.23-09.aa 09.10 Monitoring | Shared | n/a | Auditing is always available while the system is active and tracks key events, success/failed data access, system security configuration changes, privileged or utility use, any alarms raised, activation and de-activation of protection systems (e.g., A/V and IDS), activation and deactivation of identification and authentication mechanisms, and creation and deletion of system-level objects. | | 6 |
| hipaa | 1220.09ab3System.56-09.ab | hipaa-1220.09ab3System.56-09.ab | 1220.09ab3System.56-09.ab | 12 Audit Logging & Monitoring | 1220.09ab3System.56-09.ab 09.10 Monitoring | Shared | n/a | Monitoring includes inbound and outbound communications and file integrity monitoring. | | 4 |
| hipaa | 1791.10a2Organizational.6-10.a | hipaa-1791.10a2Organizational.6-10.a | 1791.10a2Organizational.6-10.a | 17 Risk Management | 1791.10a2Organizational.6-10.a 10.01 Security Requirements of Information Systems | Shared | n/a | Specifications for the security control requirements state automated controls will be incorporated in the information system, supplemented by manual controls as needed, as evidenced throughout the SDLC. | | 5 |
| ISO27001-2013 | A.12.5.1 | ISO27001-2013_A.12.5.1 | ISO 27001:2013 A.12.5.1 | Operations Security | Installation of software on operational systems | Shared | n/a | Procedures shall be implemented to control the installation of software on operational systems. | link | 18 |
| ISO27001-2013 | A.12.6.2 | ISO27001-2013_A.12.6.2 | ISO 27001:2013 A.12.6.2 | Operations Security | Restrictions on software installation | Shared | n/a | Rules governing the installation of software by users shall be established and implemented. | link | 18 |
| | mp.sw.2 Acceptance and commissioning | mp.sw.2 Acceptance and commissioning | 404 not found | | | | n/a | n/a | | 60 |
| NIST_SP_800-171_R2 | 3.4.2 | NIST_SP_800-171_R2_3.4.2 | NIST SP 800-171 R2 3.4.2 | Configuration Management | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. [SP 800-70] and [SP 800-128] provide guidance on security configuration settings. | link | 25 |
| NIST_SP_800-53_R4 | CM-6(1) | NIST_SP_800-53_R4_CM-6(1) | NIST SP 800-53 Rev. 4 CM-6 (1) | Configuration Management | Automated Central Management / Application / Verification | Shared | n/a | The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. Supplemental Guidance: Related controls: CA-7, CM-4. | link | 3 |
| NIST_SP_800-53_R4 | SI-7(1) | NIST_SP_800-53_R4_SI-7(1) | NIST SP 800-53 Rev. 4 SI-7 (1) | System And Information Integrity | Integrity Checks | Shared | n/a | The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]. Supplemental Guidance: Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort. | link | 2 |
| NIST_SP_800-53_R5 | CM-6(1) | NIST_SP_800-53_R5_CM-6(1) | NIST SP 800-53 Rev. 5 CM-6 (1) | Configuration Management | Automated Management, Application, and Verification | Shared | n/a | Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms]. | link | 3 |
| NIST_SP_800-53_R5 | SI-7(1) | NIST_SP_800-53_R5_SI-7(1) | NIST SP 800-53 Rev. 5 SI-7 (1) | System and Information Integrity | Integrity Checks | Shared | n/a | Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (OneOrMore): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]. | link | 2 |
| | org.4 Authorization process | org.4 Authorization process | 404 not found | | | | n/a | n/a | | 126 |
| PCI_DSS_v4.0 | 11.5.2 | PCI_DSS_v4.0_11.5.2 | PCI DSS v4.0 11.5.2 | Requirement 11: Test Security of Systems and Networks Regularly | Network intrusions and unexpected file changes are detected and responded to | Shared | n/a | A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows: • To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files. • To perform critical file comparisons at least once weekly. | link | 4 |
| PCI_DSS_v4.0 | 11.6.1 | PCI_DSS_v4.0_11.6.1 | PCI DSS v4.0 11.6.1 | Requirement 11: Test Security of Systems and Networks Regularly | Unauthorized changes on payment pages are detected and responded to | Shared | n/a | A change- and tamper-detection mechanism is deployed as follows: • To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser. • The mechanism is configured to evaluate the received HTTP header and payment page. • The mechanism functions are performed as follows: – At least once every seven days, OR – Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1). | link | 3 |
| PCI_DSS_v4.0 | 6.4.3 | PCI_DSS_v4.0_6.4.3 | PCI DSS v4.0 6.4.3 | Requirement 06: Develop and Maintain Secure Systems and Software | Public-facing web applications are protected against attacks | Shared | n/a | All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows: • A method is implemented to confirm that each script is authorized. • A method is implemented to assure the integrity of each script. • An inventory of all scripts is maintained with written justification as to why each is necessary. | link | 2 |
| SOC_2 | CC6.8 | SOC_2_CC6.8 | SOC 2 Type 2 CC6.8 | Logical and Physical Access Controls | Prevent or detect against unauthorized or malicious software | Shared | The customer is responsible for implementing this recommendation. | • Restricts Application and Software Installation — The ability to install applications and software is restricted to authorized individuals. • Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. • Uses a Defined Change Control Process — A management-defined change control process is used for the implementation of software. • Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. • Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network. | | 47 |
| SOC_2 | CC7.1 | SOC_2_CC7.1 | SOC 2 Type 2 CC7.1 | System Operations | Detection and monitoring of new vulnerabilities | Shared | The customer is responsible for implementing this recommendation. | • Uses Defined Configuration Standards — Management has defined configuration standards. • Monitors Infrastructure and Software — The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives. • Implements Change-Detection Mechanisms — The IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files. • Detects Unknown or Unauthorized Components — Procedures are in place to detect the introduction of unknown or unauthorized components. • Conducts Vulnerability Scans — The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis. | | 15 |
| SWIFT_CSCF_v2022 | 6.2 | SWIFT_CSCF_v2022_6.2 | SWIFT CSCF v2022 6.2 | 6. Detect Anomalous Activity to Systems or Transaction Records | Ensure the software integrity of the SWIFT-related components and act upon results. | Shared | n/a | A software integrity check is performed at regular intervals on messaging interface, communication interface, and other SWIFT-related components and results are considered for appropriate resolving actions. | link | 6 |
| SWIFT_CSCF_v2022 | 6.3 | SWIFT_CSCF_v2022_6.3 | SWIFT CSCF v2022 6.3 | 6. Detect Anomalous Activity to Systems or Transaction Records | Ensure the integrity of the database records for the SWIFT messaging interface or the customer connector and act upon results. | Shared | n/a | A database integrity check is performed at regular intervals on databases that record SWIFT transactions and results are considered for appropriate resolving actions. | link | 2 |