The following compliance controls are associated with this Policy definition 'Dependency agent should be enabled for listed virtual machine images' (11ac78e3-31bc-4f0c-8434-37ab963cea07):

| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| Canada_Federal_PBMM_3-1-2020 | AC_2(4) | Canada_Federal_PBMM_3-1-2020_AC_2(4) | Canada Federal PBMM 3-1-2020 AC 2(4) | Account Management | Account Management \| Automated Audit Actions | Shared | 1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers.<br>2. Related controls: AU-2, AU-12. | To ensure accountability and transparency within the information system. | | 53 |
| CMMC_L2_v1.9.0 | CM.L2_3.4.1 | CMMC_L2_v1.9.0_CM.L2_3.4.1 | Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.1 | Configuration Management | System Baselining | Shared | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | To ensure consistency, security, and compliance with organizational standards and requirements. | | 17 |
| CSA_v4.0.12 | CCC_06 | CSA_v4.0.12_CCC_06 | CSA Cloud Controls Matrix v4.0.12 CCC 06 | Change Control and Configuration Management | Change Management Baseline | Shared | n/a | Establish change management baselines for all relevant authorized changes on organization assets. | | 8 |
| CSA_v4.0.12 | CEK_05 | CSA_v4.0.12_CEK_05 | CSA Cloud Controls Matrix v4.0.12 CEK 05 | Cryptography, Encryption & Key Management | Encryption Change Management | Shared | n/a | Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes. | | 11 |
| CSA_v4.0.12 | CEK_06 | CSA_v4.0.12_CEK_06 | CSA Cloud Controls Matrix v4.0.12 CEK 06 | Cryptography, Encryption & Key Management | Encryption Change Cost Benefit Analysis | Shared | n/a | Manage and adopt changes to cryptography-, encryption-, and key management-related systems (including policies and procedures) that fully account for downstream effects of proposed changes, including residual risk, cost, and benefits analysis. | | 8 |
| CSA_v4.0.12 | CEK_07 | CSA_v4.0.12_CEK_07 | CSA Cloud Controls Matrix v4.0.12 CEK 07 | Cryptography, Encryption & Key Management | Encryption Risk Management | Shared | n/a | Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback. | | 8 |
| CSA_v4.0.12 | CEK_20 | CSA_v4.0.12_CEK_20 | CSA Cloud Controls Matrix v4.0.12 CEK 20 | Cryptography, Encryption & Key Management | Key Recovery | Shared | n/a | Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements. | | 25 |
| CSA_v4.0.12 | DCS_05 | CSA_v4.0.12_DCS_05 | CSA Cloud Controls Matrix v4.0.12 DCS 05 | Datacenter Security | Assets Classification | Shared | n/a | Classify and document the physical and logical assets (e.g., applications) based on the organizational business risk. | | 6 |
| CSA_v4.0.12 | DCS_06 | CSA_v4.0.12_DCS_06 | CSA Cloud Controls Matrix v4.0.12 DCS 06 | Datacenter Security | Assets Cataloguing and Tracking | Shared | n/a | Catalogue and track all relevant physical and logical assets located at all of the CSP's sites within a secured system. | | 7 |
| CSA_v4.0.12 | UEM_04 | CSA_v4.0.12_UEM_04 | CSA Cloud Controls Matrix v4.0.12 UEM 04 | Universal Endpoint Management | Endpoint Inventory | Shared | n/a | Maintain an inventory of all endpoints used to store and access company data. | | 6 |
| CSA_v4.0.12 | UEM_07 | CSA_v4.0.12_UEM_07 | CSA Cloud Controls Matrix v4.0.12 UEM 07 | Universal Endpoint Management | Operating Systems | Shared | n/a | Manage changes to endpoint operating systems, patch levels, and/or applications through the company's change management processes. | | 6 |
| CSA_v4.0.12 | UEM_12 | CSA_v4.0.12_UEM_12 | CSA Cloud Controls Matrix v4.0.12 UEM 12 | Universal Endpoint Management | Remote Locate | Shared | n/a | Enable remote geo-location capabilities for all managed mobile endpoints. | | 6 |
| EU_2555_(NIS2)_2022 | EU_2555_(NIS2)_2022_21 | EU_2555_(NIS2)_2022_21 | EU 2022/2555 (NIS2) 2022 21 | | Cybersecurity risk-management measures | Shared | n/a | Requires essential and important entities to take appropriate measures to manage cybersecurity risks. | | 194 |
| EU_GDPR_2016_679_Art. | 24 | EU_GDPR_2016_679_Art._24 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 | Chapter 4 - Controller and processor | Responsibility of the controller | Shared | n/a | n/a | | 311 |
| EU_GDPR_2016_679_Art. | 25 | EU_GDPR_2016_679_Art._25 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 | Chapter 4 - Controller and processor | Data protection by design and by default | Shared | n/a | n/a | | 311 |
| EU_GDPR_2016_679_Art. | 28 | EU_GDPR_2016_679_Art._28 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 | Chapter 4 - Controller and processor | Processor | Shared | n/a | n/a | | 311 |
| EU_GDPR_2016_679_Art. | 32 | EU_GDPR_2016_679_Art._32 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 | Chapter 4 - Controller and processor | Security of processing | Shared | n/a | n/a | | 311 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 | .7 | FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 | 404 not found | | | | n/a | n/a | | 96 |
| HITRUST_CSF_v11.3 | 06.h | HITRUST_CSF_v11.3_06.h | HITRUST CSF v11.3 06.h | Compliance with Security Policies and Standards | To ensure compliance with security implementation standards by regular checking of information systems. | Shared | 1. Annual checks on the technical security configuration of systems are to be performed either manually by an individual with experience with the systems and/or with the assistance of automated software tools.<br>2. Technical compliance checking is to be implemented to show compliance in support of technical interoperability. | Information systems shall be regularly checked for compliance with security implementation standards. | | 7 |
| ISO_IEC_27002_2022 | 5.9 | ISO_IEC_27002_2022_5.9 | ISO IEC 27002 2022 5.9 | Preventive, Identifying Control | Inventory of information and other associated assets | Shared | An inventory of information and other associated assets, including owners, should be developed and maintained. | To identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership. | | 8 |
| ISO_IEC_27017_2015 | 8.1.1 | ISO_IEC_27017_2015_8.1.1 | ISO IEC 27017 2015 8.1.1 | Asset Management | Inventory of Assets | Shared | For Cloud Service Customer:<br>The cloud service customer's inventory of assets should account for information and associated assets stored in the cloud computing environment. The records of the inventory should indicate where the assets are maintained, e.g., identification of the cloud service.<br>For Cloud Service Provider:<br>The inventory of assets of the cloud service provider should explicitly identify:<br>(i) cloud service customer data;<br>(ii) cloud service derived data. | To identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership. | | 8 |
| ISO27001-2013 | A.12.4.1 | ISO27001-2013_A.12.4.1 | ISO 27001:2013 A.12.4.1 | Operations Security | Event Logging | Shared | n/a | Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. | link | 53 |
| ISO27001-2013 | A.12.4.3 | ISO27001-2013_A.12.4.3 | ISO 27001:2013 A.12.4.3 | Operations Security | Administrator and operator logs | Shared | n/a | System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. | link | 29 |
| ISO27001-2013 | A.12.4.4 | ISO27001-2013_A.12.4.4 | ISO 27001:2013 A.12.4.4 | Operations Security | Clock Synchronization | Shared | n/a | The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source. | link | 8 |
| | mp.info.4 Time stamps | mp.info.4 Time stamps | 404 not found | | | | n/a | n/a | | 33 |
| NIS2 | PV._Posture_and_Vulnerability_Management_5 | NIS2_PV._Posture_and_Vulnerability_Management_5 | NIS2_PV._Posture_and_Vulnerability_Management_5 | PV. Posture and Vulnerability Management | Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure | | n/a | missing value | | 47 |
| NIST_SP_800-171_R3_3 | .4.10 | NIST_SP_800-171_R3_3.4.10 | NIST 800-171 R3 3.4.10 | Configuration Management Control | System Component Inventory | Shared | System components are discrete, identifiable assets (i.e., hardware, software, and firmware elements) that compose a system. Organizations may implement centralized system component inventories that include components from all systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and, for networked components, the machine names and network addresses for all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include component type, physical location, date of receipt, manufacturer, cost, model, serial number, and supplier information. | a. Develop and document an inventory of system components.<br>b. Review and update the system component inventory periodically.<br>c. Update the system component inventory as part of installations, removals, and system updates. | | 7 |
| NIST_SP_800-53_R5.1.1 | CM.8 | NIST_SP_800-53_R5.1.1_CM.8 | NIST SP 800-53 R5.1.1 CM.8 | Configuration Management Control | System Component Inventory | Shared | a. Develop and document an inventory of system components that:<br>1. Accurately reflects the system;<br>2. Includes all components within the system;<br>3. Does not include duplicate accounting of components or components assigned to any other system;<br>4. Is at the level of granularity deemed necessary for tracking and reporting; and<br>5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and<br>b. Review and update the system component inventory [Assignment: organization-defined frequency]. | System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.<br><br>Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8(7) can help to eliminate duplicate accounting of components. | | 6 |
| NL_BIO_Cloud_Theme | U.15.1(2) | NL_BIO_Cloud_Theme_U.15.1(2) | NL_BIO_Cloud_Theme_U.15.1(2) | U.15 Logging and monitoring | Events Logged | | n/a | The malware protection is carried out on various environments, such as on mail servers, (desktop) computers and when accessing the organization's network. The scan for malware includes: all files received over networks or through any form of storage medium, even before use; all attachments and downloads even before use; virtual machines; network traffic. | | 46 |
| NL_BIO_Cloud_Theme | U.15.3(2) | NL_BIO_Cloud_Theme_U.15.3(2) | NL_BIO_Cloud_Theme_U.15.3(2) | U.15 Logging and monitoring | Events Logged | | n/a | The CSP maintains a list of all assets that are critical in terms of logging and monitoring and regularly reviews this list for correctness. | | 6 |
| NZISM_v3.7 | 14.1.9.C.01. | NZISM_v3.7_14.1.9.C.01. | NZISM v3.7 14.1.9.C.01. | Standard Operating Environments | 14.1.9.C.01. - To maintain system reliability, protect sensitive information, and fulfill security requirements. | Shared | n/a | Agencies MUST ensure that for all servers and workstations:<br>1. a technical specification is agreed for each platform with specified controls;<br>2. a standard configuration is created and updated for each operating system type and version;<br>3. system users do not have the ability to install or disable software without approval; and<br>4. installed software and operating system patching is up to date. | | 5 |
| NZISM_v3.7 | 17.1.58.C.02. | NZISM_v3.7_17.1.58.C.02. | NZISM v3.7 17.1.58.C.02. | Cryptographic Fundamentals | 17.1.58.C.02. - To enhance overall cybersecurity posture. | Shared | n/a | Agencies SHOULD use risk assessment techniques and guidance to establish cryptoperiods. | | 24 |
| NZISM_v3.7 | 17.5.7.C.02. | NZISM_v3.7_17.5.7.C.02. | NZISM v3.7 17.5.7.C.02. | Secure Shell | 17.5.7.C.02. - To enhance overall cybersecurity posture. | Shared | n/a | Agencies that allow password authentication SHOULD use techniques to block brute force attacks against the password. | | 42 |
| NZISM_v3.7 | 22.1.24.C.02. | NZISM_v3.7_22.1.24.C.02. | NZISM v3.7 22.1.24.C.02. | Cloud Computing | 22.1.24.C.02. - To enhance security posture. | Shared | n/a | Agencies intending to adopt cloud technologies or services SHOULD apply separation and access controls to protect data and systems where support is provided by offshore technical staff. | | 5 |
| NZISM_v3.7 | 22.1.26.C.01. | NZISM_v3.7_22.1.26.C.01. | NZISM v3.7 22.1.26.C.01. | Cloud Computing | 22.1.26.C.01. - To ensure safety of data. | Shared | n/a | Agencies MUST develop and implement a backup, recovery and archiving plan and supporting procedures. | | 11 |
| NZISM_v3.7 | 23.1.56.C.01. | NZISM_v3.7_23.1.56.C.01. | NZISM v3.7 23.1.56.C.01. | Public Cloud Security Concepts | 23.1.56.C.01. - To reduce manual errors and ensure adherence to security standards. | Shared | n/a | Agencies SHOULD deploy and manage their cloud infrastructure using automation, version control, and infrastructure as code techniques where these are available. | | 5 |
| NZISM_v3.7 | 23.2.20.C.01. | NZISM_v3.7_23.2.20.C.01. | NZISM v3.7 23.2.20.C.01. | Governance, Risk Assessment & Assurance | 23.2.20.C.01. - To enhance confidence in the security and reliability of cloud services and mitigate risks associated with potential vulnerabilities or non-compliance with security standards. | Shared | n/a | Agencies MUST obtain assurance that technical protections exist to adequately isolate tenants. | | 5 |
| NZISM_v3.7 | 6.4.6.C.01. | NZISM_v3.7_6.4.6.C.01. | NZISM v3.7 6.4.6.C.01. | Business Continuity and Disaster Recovery | 6.4.6.C.01. - To enhance operational resilience. | Shared | n/a | Agencies SHOULD:<br>1. identify vital records;<br>2. backup all vital records;<br>3. store copies of critical information, with associated documented recovery procedures, offsite and secured in accordance with the requirements for the highest classification of the information; and<br>4. test backup and restoration processes regularly to confirm their effectiveness. | | 13 |
| | op.exp.8 Recording of the activity | op.exp.8 Recording of the activity | 404 not found | | | | n/a | n/a | | 67 |
| PCI_DSS_v4.0.1 | 9.5.1 | PCI_DSS_v4.0.1_9.5.1 | PCI DSS v4.0.1 9.5.1 | Restrict Physical Access to Cardholder Data | Protection Measures for POI Devices Against Tampering and Unauthorized Substitution | Shared | n/a | POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following:<br>• Maintaining a list of POI devices.<br>• Periodically inspecting POI devices to look for tampering or unauthorized substitution.<br>• Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices. | | 9 |
| PCI_DSS_v4.0.1 | 9.5.1.1 | PCI_DSS_v4.0.1_9.5.1.1 | PCI DSS v4.0.1 9.5.1.1 | Restrict Physical Access to Cardholder Data | Maintenance of an Up-to-Date List of POI Devices | Shared | n/a | An up-to-date list of POI devices is maintained, including:<br>• Make and model of the device.<br>• Location of device.<br>• Device serial number or other methods of unique identification. | | 7 |
| SOC_2023 | CC1.4 | SOC_2023_CC1.4 | SOC 2023 CC1.4 | Control Environment | To ensure organizational resilience, innovation, and competitiveness in the long run. | Shared | n/a | Entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives by establishing policies and procedures, evaluating the competence required and addressing its shortcomings, attracting, developing and retaining individuals through mentoring and training, and planning and preparing for succession by developing contingency plans for assignments of responsibilities important for internal control. | | 7 |
| SOC_2023 | CC2.3 | SOC_2023_CC2.3 | SOC 2023 CC2.3 | Information and Communication | To facilitate effective internal communication. | Shared | n/a | Entity communicates with external parties regarding matters affecting the functioning of internal control. | | 218 |
| SOC_2023 | CC5.3 | SOC_2023_CC5.3 | SOC 2023 CC5.3 | Control Activities | To maintain alignment with organizational objectives and regulatory requirements. | Shared | n/a | Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing policies and procedures to support deployment of management’s directives, establishing responsibility and accountability for executing policies and procedures, performing tasks in a timely manner, taking corrective actions, performing using competent personnel and reassessing policies and procedures. | | 229 |
| SOC_2023 | CC6.1 | SOC_2023_CC6.1 | SOC 2023 CC6.1 | Logical and Physical Access Controls | To mitigate security events and ensure the confidentiality, integrity, and availability of critical information assets. | Shared | n/a | Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identifying and authenticating users, considering network segmentation, managing points of access, restricting access to information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protecting encryption keys. | | 128 |
| SOC_2023 | CC7.4 | SOC_2023_CC7.4 | SOC 2023 CC7.4 | Systems Operations | To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. | Shared | n/a | The entity responds to identified security incidents by:<br>a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;<br>b. Establishing procedures to contain security incidents;<br>c. Mitigating ongoing security incidents and ending threats posed by security incidents;<br>d. Restoring operations;<br>e. Developing and implementing communication protocols for security incidents;<br>f. Obtaining an understanding of the nature of the incident and determining a containment strategy;<br>g. Remediating identified vulnerabilities;<br>h. Communicating remediation activities; and<br>i. Evaluating the effectiveness of incident response and conducting periodic incident evaluations. | | 213 |
| SOC_2023 | CM_8b | SOC_2023_CM_8b | 404 not found | | | | n/a | n/a | | 6 |
| | U.15.1 - Events logged | U.15.1 - Events logged | 404 not found | | | | n/a | n/a | | 40 |
| | U.15.3 - Events logged | U.15.3 - Events logged | 404 not found | | | | n/a | n/a | | 6 |