Az Policy Advertizer

Azure_Security_Benchmark_v3.0

NS-6

Azure_Security_Benchmark_v3.0_NS-6

Microsoft cloud security benchmark NS-6

Network Security

Deploy web application firewall

Shared

**Security Principle:** Deploy a web application firewall (WAF) and configure the appropriate rules to protect your web applications and APIs from application-specific attacks. **Azure Guidance:** Use web application firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services and APIs against application layer attacks at the edge of your network. Set your WAF in "detection" or "prevention mode," depending on your needs and threat landscape. Choose a built-in ruleset, such as OWASP Top 10 vulnerabilities, and tune it to your application. **Implementation and additional context:** How to deploy Azure WAF: https://docs.microsoft.com/azure/web-application-firewall/overview

n/a

Canada_Federal_PBMM_3-1-2020_AC_4(21)

AC_4(21)

Canada Federal PBMM 3-1-2020 AC 4(21)

Information Flow Enforcement

Information Flow Enforcement | Physical / Logical Separation of Information Flows

Shared

The information system separates information flows logically or physically using session encryption to accomplish separation of all sessions.

To enhance security measures and safeguard sensitive data from unauthorized access or interception.

Canada_Federal_PBMM_3-1-2020_CA_7

CA_7

Canada Federal PBMM 3-1-2020 CA 7

Continuous Monitoring

Shared

1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency.

To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements.

124

Canada_Federal_PBMM_3-1-2020_SI_4

SI_4

Canada Federal PBMM 3-1-2020 SI 4

Information System Monitoring

Shared

1. The organization monitors the information system to detect: a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and b. Unauthorized local, network, and remote connections; 2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods. 3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. 4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. 5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. 6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards. 7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_4(1)

SI_4(1)

Canada Federal PBMM 3-1-2020 SI 4(1)

Information System Monitoring

Information System Monitoring | System-Wide Intrusion Detection System

Shared

The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_4(2)

SI_4(2)

Canada Federal PBMM 3-1-2020 SI 4(2)

Information System Monitoring

Information System Monitoring | Automated Tools for Real-Time Analysis

Shared

The organization employs automated tools to support near real-time analysis of events.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_8(1)

SI_8(1)

Canada Federal PBMM 3-1-2020 SI 8(1)

Spam Protection

Spam Protection | Central Management of Protection Mechanisms

Shared

The organization centrally manages spam protection mechanisms.

To enhance overall security posture.

4.7

CIS_Controls_v8.1_4.7

CIS Controls v8.1 4.7

Secure Configuration of Enterprise Assets and Software

Manage default accounts on enterprise assets and software

Shared

1. Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. 2. Example implementations can include: disabling default accounts or making them unusable.

To ensure access to default accounts is restricted.

5.3

CIS_Controls_v8.1_5.3

CIS Controls v8.1 5.3

Account Management

Disable dormant accounts

Shared

Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.

To implement time based expiry of access to systems.

6.1

CIS_Controls_v8.1_6.1

CIS Controls v8.1 6.1

Access Control Management

Establish an access granting process

Shared

Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.

To implement role based access controls.

6.2

CIS_Controls_v8.1_6.2

CIS Controls v8.1 6.2

Access Control Management

Establish an access revoking process

Shared

1. Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. 2. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.

To restrict access to enterprise assets.

SC.L1-3.13.1

CMMC_2.0_L2_SC.L1-3.13.1

404 not found

n/a

SC.L1-3.13.5

CMMC_2.0_L2_SC.L1-3.13.5

404 not found

n/a

SC.L2-3.13.2

CMMC_2.0_L2_SC.L2-3.13.2

404 not found

n/a

CMMC_L2_v1.9.0_SI.L2_3.14.3

SC.L2-3.13.6

CMMC_2.0_L2_SC.L2-3.13.6

404 not found

n/a

CMMC_L2_v1.9.0

SI.L2_3.14.3

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.3

System and Information Integrity

Security Alerts & Advisories

Shared

Monitor system security alerts and advisories and take action in response.

To proactively defend against emerging threats and minimize the risk of security incidents or breaches.

CMMC_L2_v1.9.0

SI.L2_3.14.6

CMMC_L2_v1.9.0_SI.L2_3.14.6

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.6

System and Information Integrity

Monitor Communications for Attacks

Shared

Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

To protect systems and data from unauthorized access or compromise.

CM.2.064

CMMC_L3_CM.2.064

CMMC L3 CM.2.064

Configuration Management

Establish and enforce security configuration settings for information technology products employed in organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors.

IR.2.093

CMMC_L3_IR.2.093

CMMC L3 IR.2.093

Incident Response

Detect and report events.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

The monitoring, identification, and reporting of events are the foundation for incident identification and commence the incident life cycle. Events potentially affect the productivity of organizational assets and, in turn, associated services. These events must be captured and analyzed so that the organization can determine whether an event will become (or has become) an incident that requires organizational action. The extent to which an organization can identify events improves its ability to manage and control incidents and their potential effects.

SC.1.175

CMMC_L3_SC.1.175

CMMC L3 SC.1.175

System and Communications Protection

Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.

SC.3.183

CMMC_L3_SC.3.183

CMMC L3 SC.3.183

System and Communications Protection

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

SI.2.216

CMMC_L3_SI.2.216

CMMC L3 SI.2.216

System and Information Integrity

Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.

CSA_v4.0.12

IVS_03

CSA_v4.0.12_IVS_03

CSA Cloud Controls Matrix v4.0.12 IVS 03

Infrastructure & Virtualization Security

Network Security

Shared

n/a

Monitor, encrypt and restrict communications between environments to only authenticated and authorized connections, as justified by the business. Review these configurations at least annually, and support them by a documented justification of all allowed services, protocols, ports, and compensating controls.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_4

Cyber Essentials v3.1 4

Cyber Essentials

User Access Control

Shared

n/a

Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role.

EU_2555_(NIS2)_2022_11

EU 2022/2555 (NIS2) 2022 11

Requirements, technical capabilities and tasks of CSIRTs

Shared

n/a

Outlines the requirements, technical capabilities, and tasks of CSIRTs.

EU_2555_(NIS2)_2022_12

EU 2022/2555 (NIS2) 2022 12

Coordinated vulnerability disclosure and a European vulnerability database

Shared

n/a

Establishes a coordinated vulnerability disclosure process and a European vulnerability database.

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

193

EU_2555_(NIS2)_2022_29

EU 2022/2555 (NIS2) 2022 29

Cybersecurity information-sharing arrangements

Shared

n/a

Allows entities to exchange relevant cybersecurity information on a voluntary basis.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

310

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

310

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5.1

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1

Policy and Implementation - Systems And Communications Protection

Systems And Communications Protection

Shared

In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information.

Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment.

110

FBI_Criminal_Justice_Information_Services_v5.9.5_5

.11

FBI_Criminal_Justice_Information_Services_v5.9.5_5.11

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11

Policy and Implementation - Formal Audits

Policy Area 11: Formal Audits

Shared

Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit.

Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies.

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.5

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5

Policy and Implementation - Access Control

Access Control

Shared

Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI.

Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information.

FedRAMP_High_R4

SC-5

FedRAMP_High_R4_SC-5

FedRAMP High SC-5

System And Communications Protection

Denial Of Service Protection

Shared

n/a

The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. Supplemental Guidance: A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks. Related controls: SC-6, SC-7. References: None.

FedRAMP_High_R4

SC-7

FedRAMP_High_R4_SC-7

FedRAMP High SC-7

System And Communications Protection

Boundary Protection

Shared

n/a

The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13. References: FIPS Publication 199; NIST Special Publications 800-41, 800-77.

FedRAMP_High_R4

SC-7(3)

FedRAMP_High_R4_SC-7(3)

FedRAMP High SC-7 (3)

System And Communications Protection

Access Points

Shared

n/a

The organization limits the number of external network connections to the information system. Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections.

FedRAMP_Moderate_R4

SC-5

FedRAMP_Moderate_R4_SC-5

FedRAMP Moderate SC-5

System And Communications Protection

Denial Of Service Protection

Shared

n/a

FedRAMP_Moderate_R4

SC-7

FedRAMP_Moderate_R4_SC-7

FedRAMP Moderate SC-7

System And Communications Protection

Boundary Protection

Shared

n/a

FedRAMP_Moderate_R4_SC-7(3)

FedRAMP_Moderate_R4

SC-7(3)

FedRAMP Moderate SC-7 (3)

System And Communications Protection

Access Points

Shared

n/a

FFIEC_CAT_2017

3.1.1

FFIEC_CAT_2017_3.1.1

FFIEC CAT 2017 3.1.1

Cybersecurity Controls

Infrastructure Management

Shared

n/a

- Network perimeter defense tools (e.g., border router and firewall) are used. - Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. - All ports are monitored. - Up to date antivirus and anti-malware tools are used. - Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. - Ports, functions, protocols and services are prohibited if no longer needed for business purposes. - Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored. - Programs that can override system, object, network, virtual machine, and application controls are restricted. - System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met. - Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.)

01.j

HITRUST_CSF_v11.3_01.j

HITRUST CSF v11.3 01.j

Network Access Control

Prevent unauthorized access to networked services.

Shared

1.External access to systems to be strictly regulated and tightly controlled. 2. External access to sensitive systems to be automatically deactivated immediately after use. 3. Authentication of remote users to be done by using cryptography, biometrics, hardware tokens, software token, a challenge/response protocol, or, certificate agents. 4. Dial-up connections to be encrypted.

Appropriate authentication methods shall be used to control access by remote users.

01.n

HITRUST_CSF_v11.3_01.n

HITRUST CSF v11.3 01.n

Network Access Control

Prevent unauthorised access to shared networks.

Shared

Default deny policy at managed interfaces, restricted user connections through network gateways, comprehensive access controls, time-based restrictions, and encryption of sensitive information transmitted over public networks for is to be implemented for enhanced security.

For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications.

01.o

HITRUST_CSF_v11.3_01.o

HITRUST CSF v11.3 01.o

Network Access Control

Implement network routing controls to prevent breach of the access control policy of business applications.

Shared

Security gateways are to be leveraged, application-layer filtering proxy is to be employed, outbound traffic is to be directed through authenticated proxy servers, and internal directory services to fortify network access controls and protect against external threats are to be secured.

Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.

09.ab

HITRUST_CSF_v11.3_09.ab

HITRUST CSF v11.3 09.ab

Monitoring

Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls.

Shared

1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with.

Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly.

113

09.h

HITRUST_CSF_v11.3_09.h

HITRUST CSF v11.3 09.h

System Planning and Acceptance

Ensure that systems meet the businesses current and projected needs to minimize failures.

Shared

Use of information systems resources is to be monitored.

The availability of adequate capacity and resources shall be planned, prepared, and managed to deliver the required system performance. Projections of future capacity requirements shall be made to mitigate the risk of system overload.

ISO_IEC_27017_2015_13.1.3

10.j

HITRUST_CSF_v11.3_10.j

HITRUST CSF v11.3 10.j

Security of System Files

Ensure restriction on access to program source code.

Shared

1. Program source code is to be stored in a central location, specifically in program source libraries and access is to be strictly restricted. 2. To prevent program corruption, access to source libraries is to be controlled by not storing them in operational systems.

Access to program source code shall be restricted.

ISO_IEC_27002_2022

5.15

ISO_IEC_27002_2022_5.15

ISO IEC 27002 2022 5.15

Protection, Preventive Control

Access control

Shared

Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.

To ensure authorized access and to prevent unauthorized access to information and other associated assets.

ISO_IEC_27002_2022

8.16

ISO_IEC_27002_2022_8.16

ISO IEC 27002 2022 8.16

Response, Detection, Corrective Control

Monitoring activities

Shared

Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.

To detect anomalous behaviour and potential information security incidents.

ISO_IEC_27002_2022

8.3

ISO_IEC_27002_2022_8.3

ISO IEC 27002 2022 8.3

Protection, Preventive, Control

Information access restriction

Shared

Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control.

To ensure only authorized access and to prevent unauthorized access to information and other associated assets.

ISO_IEC_27017_2015

13.1.3

ISO IEC 27017 2015 13.1.3

Communicaton Security

Segregation in Networks

Shared

For Cloud Service Customer: The cloud service customer should define its requirements for segregating networks to achieve tenant isolation in the shared environment of a cloud service and verify that the cloud service provider meets those requirements. For Cloud Service Provider: The cloud service customer should define its requirements for segregating networks to achieve tenant isolation in the shared environment of a cloud service and verify that the cloud service provider meets those requirements. The cloud service provider should enforce segregation of network access for the following cases: (i) segregation between tenants in a multi-tenant environment; (ii) segregation between the cloud service provider's internal administration environment and the cloud service customer's cloud computing environment. Where appropriate, the cloud service provider should help the cloud service customer verify the segregation implemented by the cloud service provider.

To split the network in security boundaries and to control traffic between them based on business needs.

mp.com.1 Secure perimeter

404 not found

n/a

mp.s.3 Protection of web browsing

404 not found

n/a

New_Zealand_ISM

18.4.8.C.01

New_Zealand_ISM_18.4.8.C.01

18. Network security

18.4.8.C.01 IDS/IPSs on gateways

n/a

Agencies SHOULD deploy IDS/IPSs in all gateways between the agency’s networks and unsecure public networks or BYOD wireless networks.

NIST_CSF_v2.0

DE.CM

NIST_CSF_v2.0_DE.CM

404 not found

n/a

NIST_SP_800-171_R2_3.13.1

.13.1

NIST SP 800-171 R2 3.13.1

System and Communications Protection

Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

NIST_SP_800-171_R2_3.13.2

.13.2

NIST SP 800-171 R2 3.13.2

System and Communications Protection

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions. [SP 800-160-1] provides guidance on systems security engineering.

NIST_SP_800-171_R2_3.13.5

.13.5

NIST SP 800-171 R2 3.13.5

System and Communications Protection

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies

NIST_SP_800-171_R2_3.13.6

.13.6

NIST SP 800-171 R2 3.13.6

System and Communications Protection

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

NIST_SP_800-171_R3_3.14.6

NIST_SP_800-171_R3_3

.14.6

NIST 800-171 R3 3.14.6

System and Information Integrity Control

System Monitoring

Shared

System monitoring involves external and internal monitoring. External monitoring includes the observation of events that occur at the system boundary. Internal monitoring includes the observation of events that occur within the system. Organizations can monitor the system, for example, by observing audit record activities in real time or by observing other system aspects, such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. A system monitoring capability is achieved through a variety of tools and techniques (e.g., audit record monitoring software, intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms that support critical applications with such devices being employed at managed system interfaces. The granularity of monitoring the information collected is based on organizational monitoring objectives and the capability of the system to support such objectives. Systems connections can be network, remote, or local. A network connection is any connection with a device that communicates through a network (e.g., local area network, the internet). A remote connection is any connection with a device that communicates through an external network (e.g., the internet). Network, remote, and local connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in the system or propagating among system components, the unauthorized export of information, or signaling to external systems. Evidence of malicious code is used to identify a potentially compromised system. System monitoring requirements, including the need for types of system monitoring, may be referenced in other requirements.

a. Monitor the system to detect: 1. Attacks and indicators of potential attacks; and 2. Unauthorized connections. b. Identify unauthorized use of the system. c. Monitor inbound and outbound communications traffic to detect unusual or unauthorized activities or conditions.

NIST_SP_800-53_R4

SC-5

NIST_SP_800-53_R4_SC-5

NIST SP 800-53 Rev. 4 SC-5

System And Communications Protection

Denial Of Service Protection

Shared

n/a

NIST_SP_800-53_R4

SC-7

NIST_SP_800-53_R4_SC-7

NIST SP 800-53 Rev. 4 SC-7

System And Communications Protection

Boundary Protection

Shared

n/a

NIST_SP_800-53_R4_SC-7(3)

NIST_SP_800-53_R4

SC-7(3)

NIST SP 800-53 Rev. 4 SC-7 (3)

System And Communications Protection

Access Points

Shared

n/a

NIST_SP_800-53_R5.1.1_AC.3.5

NIST_SP_800-53_R5.1.1

AC.3.5

NIST SP 800-53 R5.1.1 AC.3.5

Access Control

Access Enforcement | Security-relevant Information

Shared

Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.

Security-relevant information is information within systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security and privacy policies or maintain the separation of code and data. Security-relevant information includes access control lists, filtering rules for routers or firewalls, configuration parameters for security services, and cryptographic key management information. Secure, non-operable system states include the times in which systems are not performing mission or business-related processing, such as when the system is offline for maintenance, boot-up, troubleshooting, or shut down.

NIST_SP_800-53_R5.1.1

SC.5.1

NIST_SP_800-53_R5.1.1_SC.5.1

NIST SP 800-53 R5.1.1 SC.5.1

System and Communications Protection

Denial-of-service Protection | Restrict Ability to Attack Other Systems

Shared

Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks].

Restricting the ability of individuals to launch denial-of-service attacks requires the mechanisms commonly used for such attacks to be unavailable. Individuals of concern include hostile insiders or external adversaries who have breached or compromised the system and are using it to launch a denial-of-service attack. Organizations can restrict the ability of individuals to connect and transmit arbitrary information on the transport medium (i.e., wired networks, wireless networks, spoofed Internet protocol packets). Organizations can also limit the ability of individuals to use excessive system resources. Protection against individuals having the ability to launch denial-of-service attacks may be implemented on specific systems or boundary devices that prohibit egress to potential target systems.

NIST_SP_800-53_R5.1.1

SI.4.4

NIST_SP_800-53_R5.1.1_SI.4.4

NIST SP 800-53 R5.1.1 SI.4.4

System and Information Integrity Control

System Monitoring | Inbound and Outbound Communications Traffic

Shared

(a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic; (b) Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions].

Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic includes internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information. Evidence of malicious code or unauthorized use of legitimate code or credentials is used to identify potentially compromised systems or system components.

NIST_SP_800-53_R5

SC-5

NIST_SP_800-53_R5_SC-5

NIST SP 800-53 Rev. 5 SC-5

System and Communications Protection

Denial-of-service Protection

Shared

n/a

a. [Selection: Protect against;Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].

NIST_SP_800-53_R5

SC-7

NIST_SP_800-53_R5_SC-7

NIST SP 800-53 Rev. 5 SC-7

System and Communications Protection

Boundary Protection

Shared

n/a

a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically;logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

NIST_SP_800-53_R5_SC-7(3)

NIST_SP_800-53_R5

SC-7(3)

NIST SP 800-53 Rev. 5 SC-7 (3)

System and Communications Protection

Access Points

Shared

n/a

Limit the number of external network connections to the system.

NZ_ISM_v3.5

NS-8

NZ_ISM_v3.5_NS-8

NZISM Security Benchmark NS-8

Network security

18.4.8 IDS/IPSs on gateways

Customer

n/a

If the firewall is configured to block all traffic on a particular range of port numbers, then the IDS should inspect traffic for these port numbers and alert if they are detected.

14.3.10.C.01.

NZISM_v3.7_14.3.10.C.01.

NZISM v3.7 14.3.10.C.01.

Web Applications

14.3.10.C.01. - maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities.

Shared

n/a

Agencies SHOULD implement allow listing for all HTTP traffic being communicated through their gateways.

14.3.10.C.02.

NZISM_v3.7_14.3.10.C.02.

NZISM v3.7 14.3.10.C.02.

Web Applications

14.3.10.C.02. - maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities.

Shared

n/a

Agencies using an allow list on their gateways to specify the external addresses, to which encrypted connections are permitted, SHOULD specify allow list addresses by domain name or IP address.

14.3.10.C.03.

NZISM_v3.7_14.3.10.C.03.

NZISM v3.7 14.3.10.C.03.

Web Applications

14.3.10.C.03. - maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities.

Shared

n/a

If agencies do not allow list websites they SHOULD deny list websites to prevent access to known malicious websites.

14.3.10.C.04.

NZISM_v3.7_14.3.10.C.04.

NZISM v3.7 14.3.10.C.04.

Web Applications

14.3.10.C.04. - maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities.

Shared

n/a

Agencies deny listing websites SHOULD update the deny list on a frequent basis to ensure that it remains effective.

16.5.10.C.02.

NZISM_v3.7_16.5.10.C.02.

NZISM v3.7 16.5.10.C.02.

Remote Access

16.5.10.C.02. - enhance security and reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies SHOULD authenticate both the remote system user and device during the authentication process.

19.1.10.C.01.

NZISM_v3.7_19.1.10.C.01.

NZISM v3.7 19.1.10.C.01.

Gateways

19.1.10.C.01. - ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks.

Shared

n/a

When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection.

19.1.11.C.01.

NZISM_v3.7_19.1.11.C.01.

NZISM v3.7 19.1.11.C.01.

Gateways

19.1.11.C.01. - ensure network protection through gateway mechanisms.

Shared

n/a

Agencies MUST ensure that: 1. all agency networks are protected from networks in other security domains by one or more gateways; 2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and 3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room.

19.1.11.C.02.

NZISM_v3.7_19.1.11.C.02.

NZISM v3.7 19.1.11.C.02.

Gateways

19.1.11.C.02. - maintain security and integrity across domains.

Shared

n/a

For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party.

19.1.12.C.01.

NZISM_v3.7_19.1.12.C.01.

NZISM v3.7 19.1.12.C.01.

Gateways

19.1.12.C.01. - minimize security risks and ensure effective control over network communications

Shared

n/a

Agencies MUST ensure that gateways: 1. are the only communications paths into and out of internal networks; 2. by default, deny all connections into and out of the network; 3. allow only explicitly authorised connections; 4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network); 5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and 6. provide real-time alerts.

19.1.14.C.01.

NZISM_v3.7_19.1.14.C.01.

NZISM v3.7 19.1.14.C.01.

Gateways

19.1.14.C.01. - enhance security by segregating resources from the internal network.

Shared

n/a

Agencies MUST use demilitarised zones to house systems and information directly accessed externally.

19.1.14.C.02.

NZISM_v3.7_19.1.14.C.02.

NZISM v3.7 19.1.14.C.02.

Gateways

19.1.14.C.02. - enhance security by segregating resources from the internal network.

Shared

n/a

Agencies SHOULD use demilitarised zones to house systems and information directly accessed externally.

19.1.19.C.01.

NZISM_v3.7_19.1.19.C.01.

NZISM v3.7 19.1.19.C.01.

Gateways

19.1.19.C.01. - enhance security posture.

Shared

n/a

Agencies MUST limit access to gateway administration functions.

19.2.16.C.02.

NZISM_v3.7_19.2.16.C.02.

NZISM v3.7 19.2.16.C.02.

Cross Domain Solutions (CDS)

19.2.16.C.02. - maintain security and prevent unauthorized access or disclosure of sensitive information.

Shared

n/a

Agencies MUST NOT implement a gateway permitting data to flow directly from: 1. a TOP SECRET network to any network below SECRET; 2. a SECRET network to an UNCLASSIFIED network; or 3. a CONFIDENTIAL network to an UNCLASSIFIED network.

19.2.18.C.01.

NZISM_v3.7_19.2.18.C.01.

NZISM v3.7 19.2.18.C.01.

Cross Domain Solutions (CDS)

19.2.18.C.01. - enhance data security and prevent unauthorized access or leakage between classified networks and less classified networks.

Shared

n/a

Agencies MUST ensure that all bi-directional gateways between TOP SECRET and SECRET networks, SECRET and less classified networks, and CONFIDENTIAL and less classified networks, have separate upward and downward paths which use a diode and physically separate infrastructure for each path.

19.2.19.C.01.

NZISM_v3.7_19.2.19.C.01.

NZISM v3.7 19.2.19.C.01.

Cross Domain Solutions (CDS)

19.2.19.C.01. - ensure the integrity and reliability of information accessed or received.

Shared

n/a

Trusted sources MUST be: 1. a strictly limited list derived from business requirements and the result of a security risk assessment; 2. where necessary an appropriate security clearance is held; and 3. approved by the Accreditation Authority.

19.2.19.C.02.

NZISM_v3.7_19.2.19.C.02.

NZISM v3.7 19.2.19.C.02.

Cross Domain Solutions (CDS)

19.2.19.C.02. - reduce the risk of unauthorized data transfers and potential breaches.

Shared

n/a

Trusted sources MUST authorise all data to be exported from a security domain.

13.4

RBI_CSF_Banks_v2016_13.4

Advanced Real-Timethreat Defenceand Management

Advanced Real-Timethreat Defenceand Management-13.4

n/a

Consider implementingsecure web gateways with capability to deep scan network packets including secure (HTTPS, etc.) traffic passing through the web/internet gateway

4.10

RBI_CSF_Banks_v2016_4.10

Network Management And Security

Perimeter Protection And Detection-4.10

n/a

Boundary defences should be multi-layered with properly configured firewalls, proxies, DMZ perimeter networks, and network--???based IPS and IDS. Mechanism to filter both inbound and outbound traffic to be put in place.

4.3

RBI_CSF_Banks_v2016_4.3

Network Management And Security

Network Device Configuration Management-4.3

n/a

Ensure that all the network devices are configured appropriately and periodically assess whether the configurations are appropriate to the desired level of network security.

4.7

RBI_CSF_Banks_v2016_4.7

Network Management And Security

Anomaly Detection-4.7

n/a

Put in place mechanism to detect and remedy any unusual activities in systems, servers, network devices and endpoints.

RBI_ITF_NBFC_v2017

RBI_ITF_NBFC_v2017_5

RBI IT Framework 5

IS Audit

Policy for Information System Audit (IS Audit)-5

n/a

The objective of the IS Audit is to provide an insight on the effectiveness of controls that are in place to ensure confidentiality, integrity and availability of the organization???s IT infrastructure. IS Audit shall identify risks and methods to mitigate risk arising out of IT infrastructure such as server architecture, local and wide area networks, physical and information security, telecommunications etc.

RMiT_v1.0

11.13

RMiT_v1.0_11.13

RMiT 11.13

Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) - 11.13

Shared

n/a

A financial institution must ensure its technology systems and infrastructure, including critical systems outsourced to or hosted by third party service providers, are adequately protected against all types of DDoS attacks (including volumetric, protocol and application layer attacks) through the following measures: (a) subscribing to DDoS mitigation services, which include automatic 'clean pipe' services to filter and divert any potential malicious traffic away from the network bandwidth; (b) regularly assessing the capability of the provider to expand network bandwidth on-demand including upstream provider capability, adequacy of the provider's incident response plan and its responsiveness to an attack; and (c) implementing mechanisms to mitigate against Domain Name Server (DNS) based layer attacks.

SOC_2

CC6.6

SOC_2_CC6.6

SOC 2 Type 2 CC6.6

Logical and Physical Access Controls

Security measures against threats outside system boundaries

Shared

The customer is responsible for implementing this recommendation.

• Restricts Access — The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. • Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries. • Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its boundaries. • Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts

A1.1

SOC_2023_A1.1

SOC 2023 A1.1

Additional Criteria for Availability

Effectively manage capacity demand and facilitate the implementation of additional capacity as needed.

Shared

n/a

The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

111

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

218

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

229

CC6.1

SOC_2023_CC6.1

SOC 2023 CC6.1

Logical and Physical Access Controls

Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets.

Shared

n/a

Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys.

128

CC7.2

SOC_2023_CC7.2

SOC 2023 CC7.2

Systems Operations

Maintain robust security measures and ensure operational resilience.

Shared

n/a

The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events.

167

CC7.4

SOC_2023_CC7.4

SOC 2023 CC7.4

Systems Operations

Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation.

Shared

n/a

The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations.

213

CC8.1

SOC_2023_CC8.1

SOC 2023 CC8.1

Change Management

Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change.

Shared

n/a

The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations.

147

1.1

SWIFT_CSCF_2024_1.1

SWIFT Customer Security Controls Framework 2024 1.1

Physical and Environmental Security

Swift Environment Protection

Shared

1. Segmentation between the user's Swift infrastructure and the larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve a compromise of the general enterprise IT environment. 2. Effective segmentation includes network-level separation, access restrictions, and connectivity restrictions.

To ensure the protection of the user’s Swift infrastructure from potentially compromised elements of the general IT environment and external environment.

1.3

SWIFT_CSCF_2024_1.3

SWIFT Customer Security Controls Framework 2024 1.3

Cloud Platform Protection

Virtualisation or Cloud Platform Protection

Shared

1. Security controls that apply to non-virtualised (physical) systems are equally applicable to virtual systems. 2. The additional virtualisation layer needs extra attention from a security perspective. The uncontrolled proliferation of VMs could lead to unaccounted machines with the risk of unmanaged, unpatched systems open to unauthorised access to data. 3. If appropriate controls have been implemented to this underlying layer, then Swift does not limit the use of virtual technology for any component of the user’s Swift infrastructure or the associated supporting infrastructure (for example, virtual firewalls).

To secure the virtualisation or cloud platform and virtual machines (VMs) that host Swift-related components to the same level as physical systems.

1.5

SWIFT_CSCF_2024_1.5

SWIFT Customer Security Controls Framework 2024 1.5

Physical and Environmental Security

Customer Environment Protection

Shared

1. Segmentation between the customer’s connectivity infrastructure and its larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve compromise of the general enterprise IT environment. 2. Effective segmentation will include network-level separation, access restrictions, and connectivity restrictions.

To ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment.

2.9

SWIFT_CSCF_2024_2.9

SWIFT Customer Security Controls Framework 2024 2.9

Transaction Controls

Transaction Business Controls

Shared

1. Implementing business controls that restrict Swift transactions to the fullest extent possible reduces the opportunity for the sending (outbound) and, optionally, receiving (inbound) of fraudulent transactions. 2. These restrictions are best determined through an analysis of normal business activity. Parameters can then be set to restrict business to acceptable thresholds based on “normal” activity.

To ensure outbound transaction activity within the expected bounds of normal business.

6.4

SWIFT_CSCF_2024_6.4

SWIFT Customer Security Controls Framework 2024 6.4

Access Control

Logging and Monitoring

Shared

1. Developing a logging and monitoring plan is the basis for effectively detecting abnormal behaviour and potential attacks and support further investigations. 2. As the operational environment becomes more complex, so will the logging and monitoring capability needed to perform adequate detection. Simplifying the operational environment will enable simpler logging and monitoring.

To record security events, detect and respond to anomalous actions and operations within the user’s Swift environment.

6.5

SWIFT_CSCF_2024_6.5

404 not found

n/a