compliance controls are associated with this Policy definition 'Assess risk in third party relationships' (0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
CMMC_L2_v1.9.0 |
AC.L1_3.1.20 |
CMMC_L2_v1.9.0_AC.L1_3.1.20 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L1 3.1.20 |
Access Control |
External Connections |
Shared |
Verify and control/limit connections to and use of external information systems. |
To enhance security and minimise potential risks associated with external access. |
|
27 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
194 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.1 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 |
Policy and Implementation - Systems And Communications Protection |
Systems And Communications Protection |
Shared |
In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. |
Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. |
|
111 |
FedRAMP_High_R4 |
SA-12 |
FedRAMP_High_R4_SA-12 |
FedRAMP High SA-12 |
System And Services Acquisition |
Supply Chain Protection |
Shared |
n/a |
The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
Supplemental Guidance: Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control enhancement also applies to information
system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: AT-3, CM-8, IR-
4, PE-16, PL-8, SA-3, SA-4, SA-8, SA-10, SA-14, SA-15, SA-18, SA-19, SC-29, SC-30, SC-38, SI-7.
References: NIST Special Publication 800-161; NIST Interagency Report 7622. |
link |
4 |
FedRAMP_High_R4 |
SA-9(1) |
FedRAMP_High_R4_SA-9(1) |
FedRAMP High SA-9 (1) |
System And Services Acquisition |
Risk Assessments / Organizational Approvals |
Shared |
n/a |
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
Supplemental Guidance: Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. |
link |
2 |
FedRAMP_Moderate_R4 |
SA-9(1) |
FedRAMP_Moderate_R4_SA-9(1) |
FedRAMP Moderate SA-9 (1) |
System And Services Acquisition |
Risk Assessments / Organizational Approvals |
Shared |
n/a |
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
Supplemental Guidance: Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. |
link |
2 |
hipaa |
1450.05i2Organizational.2-05.i |
hipaa-1450.05i2Organizational.2-05.i |
1450.05i2Organizational.2-05.i |
14 Third Party Assurance |
1450.05i2Organizational.2-05.i 05.02 External Parties |
Shared |
n/a |
The organization obtains satisfactory assurances that reasonable information security exists across its information supply chain by performing an annual review, which includes all partners/third-party providers upon which their information supply chain depends. |
|
10 |
hipaa |
1451.05iCSPOrganizational.2-05.i |
hipaa-1451.05iCSPOrganizational.2-05.i |
1451.05iCSPOrganizational.2-05.i |
14 Third Party Assurance |
1451.05iCSPOrganizational.2-05.i 05.02 External Parties |
Shared |
n/a |
Cloud service providers design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain. |
|
21 |
hipaa |
1453.05kCSPOrganizational.2-05.k |
hipaa-1453.05kCSPOrganizational.2-05.k |
1453.05kCSPOrganizational.2-05.k |
14 Third Party Assurance |
1453.05kCSPOrganizational.2-05.k 05.02 External Parties |
Shared |
n/a |
Supply chain agreements (e.g., SLAs) between cloud service providers and customers (tenants) incorporate at least the following mutually-agreed upon provisions and/or terms: (i) scope of business relationship and services offered, data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations; (ii) information security requirements, points of contact, and references to detailed supporting and relevant business processes and technical measures implemented; (iii) notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts; (iv) timely notification of a security incident to all customers (tenants) and other business relationships impacted; (v) assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed; (vi) expiration of the business relationship and treatment of customer (tenant) data impacted; and, (vii) customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence. |
|
10 |
hipaa |
1454.05kCSPOrganizational.3-05.k |
hipaa-1454.05kCSPOrganizational.3-05.k |
1454.05kCSPOrganizational.3-05.k |
14 Third Party Assurance |
1454.05kCSPOrganizational.3-05.k 05.02 External Parties |
Shared |
n/a |
Service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream) are reviewed consistently and no less than annually to identify any non-conformance to established agreements. The reviews result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships. |
|
8 |
hipaa |
17120.10a3Organizational.5-10.a |
hipaa-17120.10a3Organizational.5-10.a |
17120.10a3Organizational.5-10.a |
17 Risk Management |
17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems |
Shared |
n/a |
The organization documents all existing outsourced information services and conducts an organizational assessment of risk prior to the acquisition or outsourcing of information services. |
|
10 |
HITRUST_CSF_v11.3 |
01.n |
HITRUST_CSF_v11.3_01.n |
HITRUST CSF v11.3 01.n |
Network Access Control |
To prevent unauthorised access to shared networks. |
Shared |
Default deny policy at managed interfaces, restricted user connections through network gateways, comprehensive access controls, time-based restrictions, and encryption of sensitive information transmitted over public networks for is to be implemented for enhanced security. |
For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications. |
|
55 |
ISO27001-2013 |
A.14.2.7 |
ISO27001-2013_A.14.2.7 |
ISO 27001:2013 A.14.2.7 |
System Acquisition, Development And Maintenance |
Outsourced development |
Shared |
n/a |
The organization shall supervise and monitor the activity of outsourced system development. |
link |
28 |
ISO27001-2013 |
A.15.1.1 |
ISO27001-2013_A.15.1.1 |
ISO 27001:2013 A.15.1.1 |
Supplier Relationships |
Information security policy for supplier relationships |
Shared |
n/a |
Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented. |
link |
6 |
ISO27001-2013 |
A.15.1.2 |
ISO27001-2013_A.15.1.2 |
ISO 27001:2013 A.15.1.2 |
Supplier Relationships |
Addressing security within supplier agreement |
Shared |
n/a |
All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information. |
link |
24 |
ISO27001-2013 |
A.15.1.3 |
ISO27001-2013_A.15.1.3 |
ISO 27001:2013 A.15.1.3 |
Supplier Relationships |
Information and communication technology supply chain |
Shared |
n/a |
Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain. |
link |
4 |
|
mp.sw.1 IT Aplications development |
mp.sw.1 IT Aplications development |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
mp.sw.2 Acceptance and commissioning |
mp.sw.2 Acceptance and commissioning |
404 not found |
|
|
|
n/a |
n/a |
|
59 |
NIST_SP_800-171_R2_3 |
.11.1 |
NIST_SP_800-171_R2_3.11.1 |
NIST SP 800-171 R2 3.11.1 |
Risk Assessment |
Periodically assess the risk to organizational operations, organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Clearly defined system boundaries are a prerequisite for effective risk assessments. Such risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations, organizational assets, and individuals based on the operation and use of organizational systems. Risk assessments also consider risk from external parties (e.g., service providers, contractors operating systems on behalf of the organization, individuals accessing organizational systems, outsourcing entities). Risk assessments, either formal or informal, can be conducted at the organization level, the mission or business process level, or the system level, and at any phase in the system development life cycle. [SP 800-30] provides guidance on conducting risk assessments. |
link |
2 |
NIST_SP_800-171_R3_3 |
.1.18 |
NIST_SP_800-171_R3_3.1.18 |
NIST 800-171 R3 3.1.18 |
Access Control |
Access Control for Mobile Devices |
Shared |
A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable, or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, smart watches, and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of mobile devices may be comparable to or a subset of notebook or desktop systems, depending on the nature and intended purpose of the device. The protection and control of mobile devices is behavior- or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which the organization provides physical or procedural controls to meet the requirements established for protecting CUI.
Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions, configuration requirements, and connection requirements for mobile devices include configuration management, device identification and authentication, implementing mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices. Container-based encryption provides a fine-grained approach to the encryption of data and information, including encrypting selected data structures (e.g., files, records, or fields). |
a. Establish usage restrictions, configuration requirements, and connection requirements for mobile devices.
b. Authorize the connection of mobile devices to the system.
c. Implement full-device or container-based encryption to protect the confidentiality of CUI on mobile devices. |
|
28 |
NIST_SP_800-171_R3_3 |
.13.9 |
NIST_SP_800-171_R3_3.13.9 |
NIST 800-171 R3 3.13.9 |
System and Communications Protection Control |
Network Disconnect |
Shared |
This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes deallocating TCP/IP addresses or port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single network connection. Time periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses. |
Terminate network connections associated with communications sessions at the end of the sessions or after periods of inactivity. |
|
27 |
NIST_SP_800-53_R4 |
SA-12 |
NIST_SP_800-53_R4_SA-12 |
NIST SP 800-53 Rev. 4 SA-12 |
System And Services Acquisition |
Supply Chain Protection |
Shared |
n/a |
The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
Supplemental Guidance: Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control enhancement also applies to information
system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: AT-3, CM-8, IR-
4, PE-16, PL-8, SA-3, SA-4, SA-8, SA-10, SA-14, SA-15, SA-18, SA-19, SC-29, SC-30, SC-38, SI-7.
References: NIST Special Publication 800-161; NIST Interagency Report 7622. |
link |
4 |
NIST_SP_800-53_R4 |
SA-9(1) |
NIST_SP_800-53_R4_SA-9(1) |
NIST SP 800-53 Rev. 4 SA-9 (1) |
System And Services Acquisition |
Risk Assessments / Organizational Approvals |
Shared |
n/a |
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
Supplemental Guidance: Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. |
link |
2 |
NIST_SP_800-53_R5.1.1 |
SC.7.3 |
NIST_SP_800-53_R5.1.1_SC.7.3 |
NIST SP 800-53 R5.1.1 SC.7.3 |
System and Communications Protection |
Boundary Protection | Access Points |
Shared |
Limit the number of external network connections to the system. |
Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC] initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system. |
|
25 |
NIST_SP_800-53_R5 |
SA-9(1) |
NIST_SP_800-53_R5_SA-9(1) |
NIST SP 800-53 Rev. 5 SA-9 (1) |
System and Services Acquisition |
Risk Assessments and Organizational Approvals |
Shared |
n/a |
(a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and
(b) Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. |
link |
2 |
NZISM_v3.7 |
14.3.12.C.01. |
NZISM_v3.7_14.3.12.C.01. |
NZISM v3.7 14.3.12.C.01. |
Web Applications |
14.3.12.C.01. - To strengthening the overall security posture of the agency's network environment. |
Shared |
n/a |
Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations. |
|
82 |
|
op.ext.1 Contracting and service level agreements |
op.ext.1 Contracting and service level agreements |
404 not found |
|
|
|
n/a |
n/a |
|
35 |
|
op.nub.1 Cloud service protection |
op.nub.1 Cloud service protection |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
|
op.pl.1 Risk analysis |
op.pl.1 Risk analysis |
404 not found |
|
|
|
n/a |
n/a |
|
70 |
|
op.pl.4 Sizing and capacity management |
op.pl.4 Sizing and capacity management |
404 not found |
|
|
|
n/a |
n/a |
|
12 |
|
op.pl.5 Certified components |
op.pl.5 Certified components |
404 not found |
|
|
|
n/a |
n/a |
|
26 |
PCI_DSS_v4.0 |
12.8.3 |
PCI_DSS_v4.0_12.8.3 |
PCI DSS v4.0 12.8.3 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risk to information assets associated with third-party service provider (TPSP) relationships is managed |
Shared |
n/a |
An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. |
link |
5 |
PCI_DSS_v4.0 |
12.8.4 |
PCI_DSS_v4.0_12.8.4 |
PCI DSS v4.0 12.8.4 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risk to information assets associated with third-party service provider (TPSP) relationships is managed |
Shared |
n/a |
A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months. |
link |
8 |
SOC_2 |
CC3.4 |
SOC_2_CC3.4 |
SOC 2 Type 2 CC3.4 |
Risk Assessment |
COSO Principle 9 |
Shared |
The customer is responsible for implementing this recommendation. |
• Assesses Changes in the External Environment — The risk identification process
considers changes to the regulatory, economic, and physical environment in which
the entity operates.
• Assesses Changes in the Business Model — The entity considers the potential impacts of new business lines, dramatically altered compositions of existing business
lines, acquired or divested business operations on the system of internal control,
rapid growth, changing reliance on foreign geographies, and new technologies.
• Assesses Changes in Leadership — The entity considers changes in management
and respective attitudes and philosophies on the system of internal control.
Page 25
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
Additional point of focus specifically related to all engagements using the trust services criteria:
• Assesses Changes in Systems and Technology — The risk identification process
considers changes arising from changes in the entity’s systems and changes in the
technology environment.
• Assesses Changes in Vendor and Business Partner Relationships — The risk identification process considers changes in vendor and business partner relationships |
|
6 |
SOC_2 |
CC9.2 |
SOC_2_CC9.2 |
SOC 2 Type 2 CC9.2 |
Risk Mitigation |
Vendors and business partners risk management |
Shared |
The customer is responsible for implementing this recommendation. |
Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement
that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels.
• Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic
basis, the risks that vendors and business partners (and those entities’ vendors and
business partners) represent to the achievement of the entity's objectives.
• Assigns Responsibility and Accountability for Managing Vendors and Business
Partners — The entity assigns responsibility and accountability for the management
of risks associated with vendors and business partners.
• Establishes Communication Protocols for Vendors and Business Partners — The
entity establishes communication and resolution protocols for service or product issues related to vendors and business partners.
• Establishes Exception Handling Procedures From Vendors and Business Partners
— The entity establishes exception handling procedures for service or product issues related to vendors and business partners.
• Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners.
• Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships.
• Implements Procedures for Terminating Vendor and Business Partner Relationships
— The entity implements procedures for terminating vendor and business partner
relationships.
Additional points of focus that apply only to an engagement using the trust services criteria for
confidentiality:
• Obtains Confidentiality Commitments from Vendors and Business Partners — The
entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who
have access to confidential information.
• Assesses Compliance With Confidentiality Commitments of Vendors and Business
Partners — On a periodic and as-needed basis, the entity assesses compliance by
vendors and business partners with the entity’s confidentiality commitments and requirements.
Additional points of focus that apply only to an engagement using the trust services criteria for
privacy:
• Obtains Privacy Commitments from Vendors and Business Partners — The entity
obtains privacy commitments, consistent with the entity’s privacy commitments and
requirements, from vendors and business partners who have access to personal information.
• Assesses Compliance with Privacy Commitments of Vendors and Business Partners
— On a periodic and as-needed basis, the entity assesses compliance by vendors
and business partners with the entity’s privacy commitments and requirements and
takes corrective action as necessary |
|
20 |
SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
To facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
219 |
SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
To maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
230 |
SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
214 |
SWIFT_CSCF_2024 |
1.1 |
SWIFT_CSCF_2024_1.1 |
SWIFT Customer Security Controls Framework 2024 1.1 |
Physical and Environmental Security |
Swift Environment Protection |
Shared |
1. Segmentation between the user's Swift infrastructure and the larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve a compromise of the general enterprise IT environment.
2. Effective segmentation includes network-level separation, access restrictions, and connectivity restrictions. |
To ensure the protection of the user’s Swift infrastructure from potentially compromised elements of the general IT environment and external environment. |
|
69 |
SWIFT_CSCF_2024 |
1.5 |
SWIFT_CSCF_2024_1.5 |
SWIFT Customer Security Controls Framework 2024 1.5 |
Physical and Environmental Security |
Customer Environment Protection |
Shared |
1. Segmentation between the customer’s connectivity infrastructure and its larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve compromise of the general enterprise IT environment.
2. Effective segmentation will include network-level separation, access restrictions, and connectivity restrictions. |
To ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. |
|
57 |
SWIFT_CSCF_2024 |
9.1 |
SWIFT_CSCF_2024_9.1 |
404 not found |
|
|
|
n/a |
n/a |
|
57 |
SWIFT_CSCF_v2022 |
2.8.5 |
SWIFT_CSCF_v2022_2.8.5 |
SWIFT CSCF v2022 2.8.5 |
2. Reduce Attack Surface and Vulnerabilities |
Ensure a consistent and effective approach for the customers’ messaging monitoring. |
Shared |
n/a |
Ensure a consistent and effective approach for the customers’ messaging monitoring. |
link |
8 |