The following compliance controls are associated with this Policy definition 'Key vaults should have deletion protection enabled' (0b60c0b2-2dc2-4e1c-b5c9-abbed971de53)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
Azure_Security_Benchmark_v1.0 |
7.11 |
Azure_Security_Benchmark_v1.0_7.11 |
Azure Security Benchmark 7.11 |
Secure Configuration |
Manage Azure secrets securely |
Customer |
Use Managed Service Identity in conjunction with Azure Key Vault to simplify and secure secret management for your cloud applications.
How to integrate with Azure Managed Identities:
https://docs.microsoft.com/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity
How to create a Key Vault:
https://docs.microsoft.com/azure/key-vault/quick-create-portal
How to provide Key Vault authentication with a managed identity:
https://docs.microsoft.com/azure/key-vault/managed-identity |
n/a |
link |
1 |
Azure_Security_Benchmark_v1.0 |
9.4 |
Azure_Security_Benchmark_v1.0_9.4 |
Azure Security Benchmark 9.4 |
Data Recovery |
Ensure protection of backups and customer managed keys |
Customer |
For on-premises backup, encryption-at-rest is provided using the passphrase you provide when backing up to Azure. For Azure VMs, data is encrypted-at-rest using Storage Service Encryption (SSE). You may enable Soft-Delete in Key Vault to protect keys against accidental or malicious deletion.
How to enable Soft-Delete in Key Vault:
https://docs.microsoft.com/azure/storage/blobs/storage-blob-soft-delete?tabs=azure-portal |
n/a |
link |
1 |
Azure_Security_Benchmark_v2.0 |
BR-4 |
Azure_Security_Benchmark_v2.0_BR-4 |
Azure Security Benchmark BR-4 |
Backup and Recovery |
Mitigate risk of lost keys |
Customer |
Ensure you have measures in place to prevent and recover from loss of keys. Enable soft delete and purge protection in Azure Key Vault to protect keys against accidental or malicious deletion.
How to enable soft delete and purge protection in Key Vault: https://docs.microsoft.com/azure/storage/blobs/storage-blob-soft-delete?tabs=azure-portal |
n/a |
link |
2 |
Azure_Security_Benchmark_v3.0 |
DP-8 |
Azure_Security_Benchmark_v3.0_DP-8 |
Microsoft cloud security benchmark DP-8 |
Data Protection |
Ensure security of key and certificate repository |
Shared |
**Security Principle:**
Ensure the security of the key vault service used for cryptographic key and certificate lifecycle management. Harden your key vault service through access control, network security, logging and monitoring, and backup so that keys and certificates are always protected at the highest level of security.
**Azure Guidance:**
Secure your cryptographic keys and certificates by hardening your Azure Key Vault service through the following controls:
- Restrict access to keys and certificates in Azure Key Vault using built-in access policies or Azure RBAC to ensure the least-privilege principle is in place for both management plane and data plane access.
- Secure the Azure Key Vault using Private Link and Azure Firewall to ensure minimal exposure of the service.
- Ensure separation of duties is in place so that users who manage encryption keys do not have the ability to access encrypted data, and vice versa.
- Use managed identity to access keys stored in Azure Key Vault from your workload applications.
- Never store keys in plaintext format outside of Azure Key Vault.
- When purging data, ensure your keys are not deleted before the actual data, backups and archives are purged.
- Back up your keys and certificates using Azure Key Vault. Enable soft delete and purge protection to avoid accidental deletion of keys.
- Turn on Azure Key Vault logging to ensure critical management plane and data plane activities are logged.
**Implementation and additional context:**
Azure Key Vault overview:
https://docs.microsoft.com/azure/key-vault/general/overview
Azure Key Vault security best practices:
https://docs.microsoft.com/azure/key-vault/general/best-practices
Use managed identity to access Azure Key Vault:
https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad
|
n/a |
link |
6 |
CIS_Azure_1.1.0 |
8.4 |
CIS_Azure_1.1.0_8.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.4 |
8 Other Security Considerations |
Ensure the key vault is recoverable |
Shared |
The customer is responsible for implementing this recommendation. |
The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects.
It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. |
link |
3 |
CIS_Azure_1.3.0 |
8.4 |
CIS_Azure_1.3.0_8.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.4 |
8 Other Security Considerations |
Ensure the key vault is recoverable |
Shared |
The customer is responsible for implementing this recommendation. |
The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects.
It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. |
link |
2 |
CIS_Azure_1.4.0 |
8.6 |
CIS_Azure_1.4.0_8.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.6 |
8 Other Security Considerations |
Ensure the key vault is recoverable |
Shared |
The customer is responsible for implementing this recommendation. |
The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects.
It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. |
link |
2 |
CIS_Azure_2.0.0 |
8.5 |
CIS_Azure_2.0.0_8.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.5 |
8 |
Ensure the Key Vault is Recoverable |
Shared |
Once purge-protection and soft-delete are enabled for a Key Vault, the action is irreversible. |
The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects.
It is recommended the Key Vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (Keys, Secrets, Certificates) etc. This may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.
WARNING: A current limitation of the soft-delete feature across all Azure services is role assignments disappearing when Key Vault is deleted. All role assignments will need to be recreated after recovery.
There could be scenarios where users accidentally run delete/purge commands on Key Vault or an attacker/malicious user deliberately does so in order to cause disruption.
Deleting or purging a Key Vault leads to immediate data loss, as keys encrypting data and secrets/certificates allowing access/services will become non-accessible.
There are 2 Key Vault properties that play a role in permanent unavailability of a Key Vault:
1. `enableSoftDelete`:
Setting this parameter to "true" for a Key Vault ensures that even if Key Vault is deleted, Key Vault itself or its objects remain recoverable for the next 90 days. Key Vault/objects can either be recovered or purged (permanent deletion) during those 90 days. If no action is taken, key vault and its objects will subsequently be purged.
2. `enablePurgeProtection`:
enableSoftDelete only ensures that Key Vault is not deleted permanently and will be recoverable for 90 days from date of deletion. However, there are scenarios in which the Key Vault and/or its objects are accidentally purged and hence will not be recoverable. Setting enablePurgeProtection to "true" ensures that the Key Vault and its objects cannot be purged.
Enabling both the parameters on Key Vaults ensures that Key Vaults and their objects cannot be deleted/purged permanently. |
link |
2 |
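As an added example (not code from the page, from CIS, or from Azure Policy itself), the following Python check evaluates Key Vault resource JSON for the two properties described above, reports which vaults fail the "deletion protection" rule, and computes the automatic purge date from the 90-day retention window. The vault listing and vault names are constructed placeholders.

```python
"""Evaluate Key Vault resources for soft delete and purge protection.

Added example: mirrors the logic of the 'Key vaults should have deletion
protection enabled' rule over constructed sample data, offline.
"""
import json
from datetime import date, timedelta

# Recovery window stated in the CIS 8.5 text: a soft-deleted vault is purged
# automatically after 90 days if nobody recovers it.
SOFT_DELETE_RETENTION_DAYS = 90

# Constructed sample listing (placeholder names): only the fields the check
# needs from a Microsoft.KeyVault/vaults resource are included.
SAMPLE_VAULTS_JSON = """
[
  {"name": "kv-prod-app",  "properties": {"enableSoftDelete": true,
                                           "enablePurgeProtection": true}},
  {"name": "kv-dev-tools", "properties": {"enableSoftDelete": true}},
  {"name": "kv-legacy",    "properties": {"enableSoftDelete": false}}
]
"""


def evaluate_vault(vault):
    """Return a finding record for one vault resource dict.

    A vault is compliant only when BOTH enableSoftDelete and
    enablePurgeProtection are literally true; a missing property counts as
    false, because an absent flag gives no protection.
    """
    props = vault.get("properties") or {}
    soft_delete = props.get("enableSoftDelete") is True
    purge_protection = props.get("enablePurgeProtection") is True

    findings = []
    if not soft_delete:
        findings.append(
            "enableSoftDelete missing or false: a deleted vault or object "
            "cannot be recovered")
    if not purge_protection:
        findings.append(
            "enablePurgeProtection missing or false: a purge during the "
            "retention window destroys the vault and its objects permanently")

    return {
        "name": vault.get("name", "<unnamed>"),
        "compliant": soft_delete and purge_protection,
        "findings": findings,
    }


def evaluate_listing(listing_json):
    """Evaluate every vault in a JSON array; return only the non-compliant ones."""
    results = [evaluate_vault(v) for v in json.loads(listing_json)]
    return [r for r in results if not r["compliant"]]


def scheduled_purge_date(deleted_on_iso):
    """ISO date on which a soft-deleted vault is purged automatically.

    Computed from the 90-day window in the text; the service itself records
    the scheduled date on the deleted vault, so treat this as an estimate.
    """
    deleted_on = date.fromisoformat(deleted_on_iso)
    return (deleted_on + timedelta(days=SOFT_DELETE_RETENTION_DAYS)).isoformat()


if __name__ == "__main__":
    for result in evaluate_listing(SAMPLE_VAULTS_JSON):
        print(f"NON-COMPLIANT: {result['name']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
    # A vault deleted on 2024-01-01 without purge protection is gone for good
    # on the date printed here unless someone recovers it first.
    print("auto-purge date:", scheduled_purge_date("2024-01-01"))
```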
CIS_Controls_v8.1 |
11.1 |
CIS_Controls_v8.1_11.1 |
CIS Controls v8.1 11.1 |
Data Recovery |
Establish and maintain a data recovery process |
Shared |
1. Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data.
2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. |
To ensure there is a system in place to recover data. |
|
2 |
CIS_Controls_v8.1 |
4.1 |
CIS_Controls_v8.1_4.1 |
CIS Controls v8.1 4.1 |
Secure Configuration of Enterprise Assets and Software |
Establish and maintain a secure configuration process. |
Shared |
1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications).
2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. |
To ensure data integrity and safety of enterprise assets. |
|
44 |
CMMC_2.0_L2 |
MP.L2-3.8.9 |
CMMC_2.0_L2_MP.L2-3.8.9 |
|
|
|
|
n/a |
n/a |
|
6 |
CMMC_L2_v1.9.0 |
MP.L1_3.8.3 |
CMMC_L2_v1.9.0_MP.L1_3.8.3 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 MP.L1 3.8.3 |
Media Protection |
Media Disposal |
Shared |
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. |
To ensure that sensitive data is securely handled and to prevent unauthorized access to or disclosure of sensitive information. |
|
1 |
CMMC_L3 |
SC.3.187 |
CMMC_L3_SC.3.187 |
CMMC L3 SC.3.187 |
System and Communications Protection |
Establish and manage cryptographic keys for cryptography employed in organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. |
link |
8 |
CSA_v4.0.12 |
BCR_08 |
CSA_v4.0.12_BCR_08 |
CSA Cloud Controls Matrix v4.0.12 BCR 08 |
Business Continuity Management and Operational Resilience |
Backup |
Shared |
n/a |
Periodically back up data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency. |
|
7 |
CSA_v4.0.12 |
CEK_08 |
CSA_v4.0.12_CEK_08 |
CSA Cloud Controls Matrix v4.0.12 CEK 08 |
Cryptography, Encryption & Key Management |
CSC Key Management Capability |
Shared |
n/a |
CSPs must provide the capability for CSCs to manage their own data encryption keys. |
|
6 |
CSA_v4.0.12 |
CEK_20 |
CSA_v4.0.12_CEK_20 |
CSA Cloud Controls Matrix v4.0.12 CEK 20 |
Cryptography, Encryption & Key Management |
Key Recovery |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements. |
|
25 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_11 |
EU_2555_(NIS2)_2022_11 |
EU 2022/2555 (NIS2) 2022 11 |
|
Requirements, technical capabilities and tasks of CSIRTs |
Shared |
n/a |
Outlines the requirements, technical capabilities, and tasks of CSIRTs. |
|
69 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_12 |
EU_2555_(NIS2)_2022_12 |
EU 2022/2555 (NIS2) 2022 12 |
|
Coordinated vulnerability disclosure and a European vulnerability database |
Shared |
n/a |
Establishes a coordinated vulnerability disclosure process and a European vulnerability database. |
|
67 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
194 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_29 |
EU_2555_(NIS2)_2022_29 |
EU 2022/2555 (NIS2) 2022 29 |
|
Cybersecurity information-sharing arrangements |
Shared |
n/a |
Allows entities to exchange relevant cybersecurity information on a voluntary basis. |
|
67 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_9 |
EU_2555_(NIS2)_2022_9 |
EU 2022/2555 (NIS2) 2022 9 |
|
National cyber crisis management frameworks |
Shared |
n/a |
Requires Member States to establish frameworks for managing large-scale cybersecurity incidents and crises. |
|
14 |
EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
311 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.11 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 |
Policy and Implementation - Formal Audits |
Policy Area 11: Formal Audits |
Shared |
Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. |
Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. |
|
65 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.8 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.8 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.8 |
Policy and Implementation - Media Protection |
Media Protection |
Shared |
Ensure proper documentation and implementation of media protection policies and procedures with appropriate security safeguards to avoid issues such as data leaks. |
Documented and implemented media protection policies and procedures ensure that access to digital and non-digital media in all forms is restricted to authorized individuals using authorized methods and processes. |
|
1 |
FedRAMP_High_R4 |
CP-9 |
FedRAMP_High_R4_CP-9 |
FedRAMP High CP-9 |
Contingency Planning |
Information System Backup |
Shared |
n/a |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13.
References: NIST Special Publication 800-34. |
link |
9 |
FedRAMP_Moderate_R4 |
CP-9 |
FedRAMP_Moderate_R4_CP-9 |
FedRAMP Moderate CP-9 |
Contingency Planning |
Information System Backup |
Shared |
n/a |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13.
References: NIST Special Publication 800-34. |
link |
9 |
hipaa |
1635.12b1Organizational.2-12.b |
hipaa-1635.12b1Organizational.2-12.b |
1635.12b1Organizational.2-12.b |
16 Business Continuity & Disaster Recovery |
1635.12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Information security aspects of business continuity are: (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and, (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy. |
|
6 |
HITRUST_CSF_v11.3 |
06.c |
HITRUST_CSF_v11.3_06.c |
HITRUST CSF v11.3 06.c |
Compliance with Legal Requirements |
To prevent loss, destruction and falsification of important records in accordance with statutory, regulatory, contractual, and business requirements. |
Shared |
1. Guidelines are to be issued and implemented by the organization on the ownership, classification, retention, storage, handling, and disposal of all records and information.
2. Accountings of disclosure as organizational records are to be documented and maintained for a pre-defined period. |
Important records shall be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements. |
|
26 |
HITRUST_CSF_v11.3 |
09.l |
HITRUST_CSF_v11.3_09.l |
HITRUST CSF v11.3 09.l |
Information Back-Up |
To ensure the maintenance, integrity, and availability of organizational information. |
Shared |
1. Restoration procedures are to be tested regularly at appropriate intervals in accordance with an agreed-upon backup policy.
2. Inventory records for the backup copies are to be maintained, and are to include the content of the backup copies and the current location of the backup copies.
3. Full backups are to be performed weekly to separate media.
4. Incremental or differential backups are to be performed daily to separate media. |
Back-up copies of information and software shall be taken and tested regularly. |
|
7 |
HITRUST_CSF_v11.3 |
10.c |
HITRUST_CSF_v11.3_10.c |
HITRUST CSF v11.3 10.c |
Correct Processing in Applications |
To incorporate validation checks into applications to detect any corruption of information through processing errors or deliberate acts. |
Shared |
Data integrity controls which manage changes, prevent sequencing errors, ensure recovery from failures, and protect against buffer overrun attacks are to be implemented. |
Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts. |
|
36 |
ISO_IEC_27002_2022 |
7.14 |
ISO_IEC_27002_2022_7.14 |
ISO IEC 27002 2022 7.14 |
Protection, Preventive, Control |
Secure disposal or re-use of equipment |
Shared |
Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. |
To prevent leakage of information from equipment that is to be disposed of or re-used. |
|
1 |
New_Zealand_ISM |
23.4.9.C.01 |
New_Zealand_ISM_23.4.9.C.01 |
New_Zealand_ISM_23.4.9.C.01 |
23. Public Cloud Security |
23.4.9.C.01 Data protection mechanisms |
|
n/a |
For each cloud service, agencies MUST ensure that the mechanisms used to protect data meet agency requirements. |
|
17 |
NIST_CSF_v2.0 |
PR.DS_01 |
NIST_CSF_v2.0_PR.DS_01 |
NIST CSF v2.0 PR.DS 01 |
PROTECT-Data Security |
The confidentiality, integrity, and availability of data-at-rest are protected. |
Shared |
n/a |
To implement safeguards for managing an organization's cybersecurity risks. |
|
4 |
NIST_SP_800-171_R2_3 |
.8.9 |
NIST_SP_800-171_R2_3.8.9 |
NIST SP 800-171 R2 3.8.9 |
Media Protection |
Protect the confidentiality of backup CUI at storage locations. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information. |
link |
8 |
NIST_SP_800-171_R3_3 |
.8.3 |
NIST_SP_800-171_R3_3.8.3 |
|
|
|
|
n/a |
n/a |
|
1 |
NIST_SP_800-171_R3_3 |
.8.9 |
NIST_SP_800-171_R3_3.8.9 |
NIST 800-171 R3 3.8.9 |
Media Protection Control |
System Backup – Cryptographic Protection |
Shared |
Backup storage locations may include system-level information and user-level information. System-level information includes system state information, operating system software, application software, and licenses. User-level information includes information other than system-level information. Hardware-enabled security technologies (e.g., hardware security modules [HSM]) can be used to enhance cryptographic protection for backup information. HSM devices safeguard and manage cryptographic keys and provide cryptographic processing. Cryptographic operations (e.g., encryption, decryption, and signature generation/verification) are typically hosted on the HSM device, and many implementations provide hardware-accelerated mechanisms for cryptographic operations. This requirement is related to 03.13.11. |
Implement cryptographic mechanisms to prevent the unauthorized disclosure of CUI at backup storage locations. |
|
4 |
NIST_SP_800-53_R4 |
CP-9 |
NIST_SP_800-53_R4_CP-9 |
NIST SP 800-53 Rev. 4 CP-9 |
Contingency Planning |
Information System Backup |
Shared |
n/a |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13.
References: NIST Special Publication 800-34. |
link |
9 |
NIST_SP_800-53_R5.1.1 |
CP.9 |
NIST_SP_800-53_R5.1.1_CP.9 |
NIST SP 800-53 R5.1.1 CP.9 |
Contingency Planning Control |
System Backup |
Shared |
a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protect the confidentiality, integrity, and availability of backup information. |
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements. |
|
4 |
NIST_SP_800-53_R5.1.1 |
MP.6 |
NIST_SP_800-53_R5.1.1_MP.6 |
NIST SP 800-53 R5.1.1 MP.6 |
Media Protection Control |
Media Sanitization |
Shared |
a. Sanitize [Assignment: organization-defined system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures]; and
b. Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. |
Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information. |
|
1 |
NIST_SP_800-53_R5.1.1 |
SI.7.5 |
NIST_SP_800-53_R5.1.1_SI.7.5 |
NIST SP 800-53 R5.1.1 SI.7.5 |
System and Information Integrity Control |
Software, Firmware, and Information Integrity | Automated Response to Integrity Violations |
Shared |
Automatically [Selection (one or more): shut the system down; restart the system; implement [Assignment: organization-defined controls]] when integrity violations are discovered. |
Organizations may define different integrity-checking responses by type of information, specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur. |
|
4 |
NIST_SP_800-53_R5 |
CP-9 |
NIST_SP_800-53_R5_CP-9 |
NIST SP 800-53 Rev. 5 CP-9 |
Contingency Planning |
System Backup |
Shared |
n/a |
a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protect the confidentiality, integrity, and availability of backup information. |
link |
9 |
NL_BIO_Cloud_Theme |
U.04.1(2) |
NL_BIO_Cloud_Theme_U.04.1(2) |
NL_BIO_Cloud_Theme_U.04.1(2) |
U.04 Data and Cloud Service Recovery |
Restore Function |
|
n/a |
In the event of calamities, the data and cloud services are restored within the agreed period and maximum data loss and made available to the CSC. |
|
3 |
NL_BIO_Cloud_Theme |
U.04.2(2) |
NL_BIO_Cloud_Theme_U.04.2(2) |
NL_BIO_Cloud_Theme_U.04.2(2) |
U.04 Data and Cloud Service Recovery |
Restore Function |
|
n/a |
The continuous process of recoverable protection of data is monitored. |
|
3 |
NL_BIO_Cloud_Theme |
U.04.3(2) |
NL_BIO_Cloud_Theme_U.04.3(2) |
NL_BIO_Cloud_Theme_U.04.3(2) |
U.04 Data and Cloud Service Recovery |
Tested |
|
n/a |
The adequate functioning of recovery functions is periodically tested by qualified personnel and the results are shared with the CSC. |
|
3 |
NZ_ISM_v3.5 |
CR-2 |
NZ_ISM_v3.5_CR-2 |
NZISM Security Benchmark CR-2 |
Cryptography |
17.1.52 Data Recovery |
Customer |
n/a |
It is important for continuity and operational stability that cryptographic products provide a means of data recovery to allow for the recovery of data in circumstances such as where the encryption key is unavailable due to loss, damage or failure. This includes production, storage, backup and virtual systems. This is sometimes described as “key escrow”. |
link |
2 |
NZISM_Security_Benchmark_v1.1 |
CR-2 |
NZISM_Security_Benchmark_v1.1_CR-2 |
NZISM Security Benchmark CR-2 |
Cryptography |
17.1.45 Data Recovery |
Customer |
Cryptographic products SHOULD provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure. |
It is important for continuity and operational stability that cryptographic products provide a means of data recovery to allow for the recovery of data in circumstances such as where the encryption key is unavailable due to loss, damage or failure. This includes production, storage, backup and virtual systems. This is sometimes described as “key escrow”. |
link |
2 |
NZISM_v3.7 |
12.6.4.C.01. |
NZISM_v3.7_12.6.4.C.01. |
NZISM v3.7 12.6.4.C.01. |
Product Sanitisation and Disposal |
12.6.4.C.01. - To safeguard classified information and mitigate risks during disposal. |
Shared |
n/a |
Agencies MUST sanitise or destroy, then declassify, IT equipment containing any media before disposal. |
|
1 |
NZISM_v3.7 |
12.6.4.C.02. |
NZISM_v3.7_12.6.4.C.02. |
NZISM v3.7 12.6.4.C.02. |
Product Sanitisation and Disposal |
12.6.4.C.02. - To ensure the protection of sensitive information. |
Shared |
n/a |
IT equipment and associated media that have processed or stored NZEO information, and cannot be sanitised, MUST be returned to New Zealand for sanitisation or destruction, declassification and disposal. |
|
1 |
NZISM_v3.7 |
13.1.12.C.03. |
NZISM_v3.7_13.1.12.C.03. |
NZISM v3.7 13.1.12.C.03. |
System Decommissioning |
13.1.12.C.03. - To ensure continuity and resilience in the event of system failures or data loss. |
Shared |
n/a |
Agencies SHOULD archive essential software, system logic, system documentation and other system data to allow information to be recovered from archive. |
|
1 |
NZISM_v3.7 |
13.1.9.C.01. |
NZISM_v3.7_13.1.9.C.01. |
NZISM v3.7 13.1.9.C.01. |
System Decommissioning |
13.1.9.C.01. - To safeguard sensitive data and minimise security risks during the transition process. |
Shared |
n/a |
When the Information System reaches the end of its service life in an organisation, policy and procedures SHOULD be in place to ensure secure decommissioning and transfer or disposal, in order to satisfy corporate, legal and statutory requirements. |
|
1 |
NZISM_v3.7 |
22.1.26.C.01. |
NZISM_v3.7_22.1.26.C.01. |
NZISM v3.7 22.1.26.C.01. |
Cloud Computing |
22.1.26.C.01. - To ensure safety of data. |
Shared |
n/a |
Agencies MUST develop and implement a backup, recovery and archiving plan and supporting procedures. |
|
11 |
NZISM_v3.7 |
5.1.21.C.02. |
NZISM_v3.7_5.1.21.C.02. |
NZISM v3.7 5.1.21.C.02. |
Documentation Fundamentals |
5.1.21.C.02. - To establish a systematic approach to reviewing information security documentation. |
Shared |
n/a |
Agencies SHOULD ensure that information security documentation is reviewed:
1. At least annually; or
2. In response to significant changes in the environment, business or system; and
3. With the date of the most recent review being recorded on each document. |
|
6 |
NZISM_v3.7 |
6.4.6.C.01. |
NZISM_v3.7_6.4.6.C.01. |
NZISM v3.7 6.4.6.C.01. |
Business Continuity and Disaster Recovery |
6.4.6.C.01. - To enhance operational resilience. |
Shared |
n/a |
Agencies SHOULD:
1. Identify vital records;
2. backup all vital records;
3. store copies of critical information, with associated documented recovery procedures, offsite and secured in accordance with the requirements for the highest classification of the information; and
4. test backup and restoration processes regularly to confirm their effectiveness. |
|
13 |
NZISM_v3.7 |
7.3.11.C.01. |
NZISM_v3.7_7.3.11.C.01. |
NZISM v3.7 7.3.11.C.01. |
Managing Information Security Incidents |
7.3.11.C.01. - To support comprehensive investigations and ensure accountability |
Shared |
n/a |
Agencies SHOULD:
1. transfer a copy of raw audit trails and other relevant data onto media for secure archiving, as well as securing manual log records for retention; and
2. ensure that all personnel involved in the investigation maintain a record of actions undertaken to support the investigation. |
|
8 |
NZISM_v3.7 |
7.3.6.C.01. |
NZISM_v3.7_7.3.6.C.01. |
NZISM v3.7 7.3.6.C.01. |
Managing Information Security Incidents |
7.3.6.C.01. - To enhance incident management and oversight. |
Shared |
n/a |
Agencies SHOULD ensure that all information security incidents are recorded in a register. |
|
8 |
PCI_DSS_v4.0.1 |
9.4.3 |
PCI_DSS_v4.0.1_9.4.3 |
PCI DSS v4.0.1 9.4.3 |
Restrict Physical Access to Cardholder Data |
Media with cardholder data sent outside the facility is secured as follows: Media sent outside the facility is logged. Media is sent by secured courier or other delivery method that can be accurately tracked. Offsite tracking logs include details about media location |
Shared |
n/a |
Examine documentation to verify that procedures are defined for securing media sent outside the facility in accordance with all elements specified in this requirement. Interview personnel and examine records to verify that all media sent outside the facility is logged and sent via secured courier or other delivery method that can be tracked. Examine offsite tracking logs for all media to verify tracking details are documented |
|
4 |
RBI_CSF_Banks_v2016 |
21.1 |
RBI_CSF_Banks_v2016_21.1 |
|
Metrics |
Metrics-21.1 |
|
n/a |
Develop a comprehensive set of metrics that provide for prospective and retrospective measures, like key performance indicators and key risk indicators |
|
15 |
RBI_ITF_NBFC_v2017 |
3.1.h |
RBI_ITF_NBFC_v2017_3.1.h |
RBI IT Framework 3.1.h |
Information and Cyber Security |
Public Key Infrastructure (PKI)-3.1 |
|
n/a |
The IS Policy must provide for an IS framework with the following basic tenets:
Public Key Infrastructure (PKI) - NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation. |
link |
31 |
RMiT_v1.0 |
10.16 |
RMiT_v1.0_10.16 |
RMiT 10.16 |
Cryptography |
Cryptography - 10.16 |
Shared |
n/a |
A financial institution must establish a robust and resilient cryptography policy to promote the adoption of strong cryptographic controls for protection of important data and information. This policy, at a minimum, shall address requirements for:
(a) the adoption of industry standards for encryption algorithms, message authentication, hash functions, digital signatures and random number generation;
(b) the adoption of robust and secure processes in managing cryptographic key lifecycles which include generation, distribution, renewal, usage, storage, recovery, revocation and destruction;
(c) the periodic review, at least every three years, of existing cryptographic standards and algorithms in critical systems, external linked or transactional customer-facing applications to prevent exploitation of weakened algorithms or protocols; and
(d) the development and testing of compromise-recovery plans in the event of a cryptographic key compromise. This must set out the escalation process, procedures for keys regeneration, interim measures, changes to business-as-usual protocols and containment strategies or options to minimise the impact of a compromise. |
link |
10 |
RMiT_v1.0 |
11.15 |
RMiT_v1.0_11.15 |
RMiT 11.15 |
Data Loss Prevention (DLP) |
Data Loss Prevention (DLP) - 11.15 |
Shared |
n/a |
A financial institution must design internal control procedures and implement appropriate technology in all applications and access points to enforce DLP policies and trigger any policy violations. The technology deployed must cover the following:
(a) data in-use - data being processed by IT resources;
(b) data in-motion - data being transmitted on the network; and
(c) data at-rest - data stored in storage mediums such as servers, backup media and databases. |
link |
14 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes Oxley Act 2022 1 |
PUBLIC LAW |
Sarbanes Oxley Act 2022 (SOX) |
Shared |
n/a |
n/a |
|
92 |
SOC_2 |
CC6.1 |
SOC_2_CC6.1 |
SOC 2 Type 2 CC6.1 |
Logical and Physical Access Controls |
Logical access security software, infrastructure, and architectures |
Shared |
The customer is responsible for implementing this recommendation. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion:
• Identifies and Manages the Inventory of Information Assets — The entity identifies, inventories, classifies, and manages information assets.
• Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets.
• Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely.
• Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
• Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
• Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
• Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction |
|
75 |
SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
To facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
218 |
SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
To maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
The entity deploys control activities through policies that establish what is expected and through procedures that put those policies into action. This includes establishing policies and procedures to support deployment of management's directives, assigning responsibility and accountability for executing policies and procedures, performing tasks in a timely manner, taking corrective actions, performing tasks using competent personnel, and periodically reassessing policies and procedures. |
|
229 |
SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents and ending the threats they pose;
d. Restoring operations;
e. Developing and implementing communication protocols for security incidents;
f. Obtaining an understanding of the nature of the incident and determining a containment strategy;
g. Remediating identified vulnerabilities;
h. Communicating remediation activities; and
i. Evaluating the effectiveness of incident response, including periodic incident evaluations. |
|
213 |
SWIFT_CSCF_2024 |
2.1 |
SWIFT_CSCF_2024_2.1 |
SWIFT Customer Security Controls Framework 2024 2.1 |
Risk Management |
Internal Data Flow Security |
Shared |
The protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit. |
To ensure the confidentiality, integrity, and authenticity of application data flows between the user's Swift-related components. |
|
48 |
SWIFT_CSCF_2024 |
6.2 |
SWIFT_CSCF_2024_6.2 |
SWIFT Customer Security Controls Framework 2024 6.2 |
Risk Management |
Software Integrity |
Shared |
Software integrity checks provide a detective control against unexpected modification to operational software. |
To ensure the software integrity of the Swift-related components and act upon results. |
|
16 |
SWIFT_CSCF_2024 |
6.3 |
SWIFT_CSCF_2024_6.3 |
SWIFT Customer Security Controls Framework 2024 6.3 |
Risk Management |
Database Integrity |
Shared |
Database integrity checks allow unexpected modification to records stored within the database to be detected. |
To ensure the integrity of the database records for the Swift messaging interface or the customer connector and act upon results. |
|
16 |
SWIFT_CSCF_v2021 |
5.4 |
SWIFT_CSCF_v2021_5.4 |
SWIFT CSCF v2021 5.4 |
Manage Identities and Segregate Privileges |
Physical and Logical Password Storage |
|
n/a |
Protect physically and logically repository of recorded passwords. |
link |
4 |
SWIFT_CSCF_v2022 |
5.4 |
SWIFT_CSCF_v2022_5.4 |
SWIFT CSCF v2022 5.4 |
5. Manage Identities and Segregate Privileges |
Protect physically and logically the repository of recorded passwords. |
Shared |
n/a |
Recorded passwords are stored in a protected physical or logical location, with access restricted on a need-to-know basis. |
link |
6 |
|
U.04.1 - Restore function |
U.04.1 - Restore function |
404 not found |
|
|
|
n/a |
n/a |
|
3 |
|
U.04.2 - Restore function |
U.04.2 - Restore function |
404 not found |
|
|
|
n/a |
n/a |
|
3 |
|
U.04.3 - Tested |
U.04.3 - Tested |
404 not found |
|
|
|
n/a |
n/a |
|
3 |