Az Policy Advertizer

Canada_Federal_PBMM_3-1-2020_AC_2(4)

AC_2(4)

Canada Federal PBMM 3-1-2020 AC 2(4)

Account Management

Account Management | Automated Audit Actions

Shared

1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers. 2. Related controls: AU-2, AU-12.

To ensure accountability and transparency within the information system.

Canada_Federal_PBMM_3-1-2020_CA_3

CA_3

Canada Federal PBMM 3-1-2020 CA 3

Information System Connections

System Interconnections

Shared

1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements. 2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated. 3. The organization reviews and updates Interconnection Security Agreements annually.

To establish and maintain secure connections between information systems.

Canada_Federal_PBMM_3-1-2020_CA_3(3)

CA_3(3)

Canada Federal PBMM 3-1-2020 CA 3(3)

Information System Connections

System Interconnections | Classified Non-National Security System Connections

Shared

The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner.

To ensure the integrity and security of internal systems against external threats.

Canada_Federal_PBMM_3-1-2020_CA_3(5)

CA_3(5)

Canada Federal PBMM 3-1-2020 CA 3(5)

Information System Connections

System Interconnections | Restrictions on External Network Connections

Shared

The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems.

To enhance security posture against unauthorized access.

Canada_Federal_PBMM_3-1-2020_CA_7

CA_7

Canada Federal PBMM 3-1-2020 CA 7

Continuous Monitoring

Shared

1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency.

To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements.

120

Canada_Federal_PBMM_3-1-2020_SI_3

SI_3

Canada Federal PBMM 3-1-2020 SI 3

Malicious Code Protection

Shared

1. The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code. 2. The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. 3. The organization configures malicious code protection mechanisms to: a. Perform periodic scans of the information system at least weekly and real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and b. Block and quarantine malicious code; send alert to the key role as defined in the system and information integrity policy in response to malicious code detection. 4. The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

To mitigate potential impacts on system availability.

Canada_Federal_PBMM_3-1-2020_SI_3(1)

SI_3(1)

Canada Federal PBMM 3-1-2020 SI 3(1)

Malicious Code Protection

Malicious Code Protection | Central Management

Shared

The organization centrally manages malicious code protection mechanisms.

To centrally manage malicious code protection mechanisms.

Canada_Federal_PBMM_3-1-2020_SI_3(2)

SI_3(2)

Canada Federal PBMM 3-1-2020 SI 3(2)

Malicious Code Protection

Malicious Code Protection | Automatic Updates

Shared

The information system automatically updates malicious code protection mechanisms.

To ensure automatic updates in malicious code protection mechanisms.

Canada_Federal_PBMM_3-1-2020_SI_3(7)

SI_3(7)

Canada Federal PBMM 3-1-2020 SI 3(7)

Malicious Code Protection

Malicious Code Protection | Non Signature-Based Detection

Shared

The information system implements non-signature-based malicious code detection mechanisms.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_4

SI_4

Canada Federal PBMM 3-1-2020 SI 4

Information System Monitoring

Shared

1. The organization monitors the information system to detect: a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and b. Unauthorized local, network, and remote connections; 2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods. 3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. 4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. 5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. 6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards. 7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_4(1)

SI_4(1)

Canada Federal PBMM 3-1-2020 SI 4(1)

Information System Monitoring

Information System Monitoring | System-Wide Intrusion Detection System

Shared

The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_4(2)

SI_4(2)

Canada Federal PBMM 3-1-2020 SI 4(2)

Information System Monitoring

Information System Monitoring | Automated Tools for Real-Time Analysis

Shared

The organization employs automated tools to support near real-time analysis of events.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_8(1)

SI_8(1)

Canada Federal PBMM 3-1-2020 SI 8(1)

Spam Protection

Spam Protection | Central Management of Protection Mechanisms

Shared

The organization centrally manages spam protection mechanisms.

To enhance overall security posture.

10.7

CIS_Controls_v8.1_10.7

CIS Controls v8.1 10.7

Malware Defenses

Use behaviour based anti-malware software

Shared

Use behaviour based anti-malware software

To ensure that a generic anti-malware software is not used.

12.2

CIS_Controls_v8.1_12.2

CIS Controls v8.1 12.2

Network Infrastructure Management

Establish and maintain a secure network architecture

Shared

1. Establish and maintain a secure network architecture. 2. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.

To ensure appropriate restrictions are placed on network architecture.

12.3

CIS_Controls_v8.1_12.3

CIS Controls v8.1 12.3

Network Infrastructure Management

Securely manage network infrastructure

Shared

1. Securely manage network infrastructure. 2. Example implementations include version-controlled-infrastructure-ascode, and the use of secure network protocols, such as SSH and HTTPS.

To ensure proper management of network infrastructure.

12.7

CIS_Controls_v8.1_12.7

CIS Controls v8.1 12.7

Network Infrastructure Management

Ensure remote devices utilize a VPN and are connecting to an enterprise's AAA infrastructure.

Shared

Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices.

To create a layer of security to ensure protection of data.

13.1

CIS_Controls_v8.1_13.1

CIS Controls v8.1 13.1

Network Monitoring and Defense

Centralize security event alerting

Shared

1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard.

To ensure that any security event is immediately alerted enterprise-wide.

13.3

CIS_Controls_v8.1_13.3

CIS Controls v8.1 13.3

Network Monitoring and Defense

Deploy a network intrusion detection solution

Shared

1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

To enhance the organization's cybersecurity.

13.4

CIS_Controls_v8.1_13.4

CIS Controls v8.1 13.4

Network Monitoring and Defense

Perform traffic filtering between network segments

Shared

Perform traffic filtering between network segments, where appropriate.

To improve network security and reduce the risk of security breaches and unauthorized access.

18.4

CIS_Controls_v8.1_18.4

CIS Controls v8.1 18.4

Penetration Testing

Validate security measures

Shared

Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.

To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise.

3.12

CIS_Controls_v8.1_3.12

CIS Controls v8.1 3.12

Data Protection

Segment data processing and storage based on sensitivity

Shared

1. Segment data processing and storage based on the sensitivity of the data. 2. Do not process sensitive data on enterprise assets intended for lower sensitivity data.

To minimise the risk of unauthorized access or exposure to sensitive information and enhance data security measures.

6.3

CIS_Controls_v8.1_6.3

CIS Controls v8.1 6.3

Access Control Management

Require MFA for externally-exposed applications

Shared

1. Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. 2. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this safeguard.

To ensure unauthorised persons are unable to access approved applications.

6.4

CIS_Controls_v8.1_6.4

CIS Controls v8.1 6.4

Access Control Management

Require MFA for remote network access

Shared

Require MFA for remote network access.

To authenticate users accessing network remotely and ensure safety of enterprise data.

8.11

CIS_Controls_v8.1_8.11

CIS Controls v8.1 8.11

Audit Log Management

Conduct audit log reviews

Shared

1. Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. 2. Conduct reviews on a weekly, or more frequent, basis.

To ensure the integrity of the data in audit logs.

CMMC_L2_v1.9.0_AC.L1_3.1.20

AC.L1_3.1.20

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L1 3.1.20

Access Control

External Connections

Shared

Verify and control/limit connections to and use of external information systems.

To enhance security and minimise potential risks associated with external access.

CMMC_L2_v1.9.0_AC.L2_3.1.14

AC.L2_3.1.14

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.14

Access Control

Remote Access Routing

Shared

Route remote access via managed access control points.

To enhance network security.

CMMC_L2_v1.9.0_AC.L2_3.1.15

AC.L2_3.1.15

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.15

Access Control

Privileged Remote Access

Shared

Authorize remote execution of privileged commands and remote access to security relevant information.

To ensure secure and controlled management of systems and data, even from remote locations.

CMMC_L2_v1.9.0_AC.L2_3.1.3

AC.L2_3.1.3

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.3

Access Control

Control CUI Flow

Shared

Control the flow of CUI in accordance with approved authorizations.

To regulate the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations

CMMC_L2_v1.9.0_PE.L2_3.10.6

PE.L2_3.10.6

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 PE.L2 3.10.6

Physical Protection

Alternative Work Sites

Shared

Enforce safeguarding measures for CUI at alternate work sites.

To ensure that sensitive information is protected even when employees are working remotely or at off site locations.

CMMC_L2_v1.9.0_SC.L1_3.13.1

SC.L1_3.13.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.1

System and Communications Protection

Boundary Protection

Shared

Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

To protect information assets from external attacks and insider threats.

CMMC_L2_v1.9.0_SC.L1_3.13.5

SC.L1_3.13.5

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.5

System and Communications Protection

Public Access System Separation

Shared

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

To control access, monitor traffic, and mitigate the risk of unauthorized access or exploitation of internal resources.

DCS_02

CSA_v4.0.12_DCS_02

CSA Cloud Controls Matrix v4.0.12 DCS 02

Datacenter Security

Off-Site Transfer Authorization Policy and Procedures

Shared

n/a

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires the written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually.

DSP_05

CSA_v4.0.12_DSP_05

CSA Cloud Controls Matrix v4.0.12 DSP 05

Data Security and Privacy Lifecycle Management

Data Flow Documentation

Shared

n/a

Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change.

DSP_10

CSA_v4.0.12_DSP_10

CSA Cloud Controls Matrix v4.0.12 DSP 10

Data Security and Privacy Lifecycle Management

Sensitive Data Transfer

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations.

HRS_04

CSA_v4.0.12_HRS_04

CSA Cloud Controls Matrix v4.0.12 HRS 04

Human Resources

Remote and Home Working Policy and Procedures

Shared

n/a

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_1

Cyber Essentials v3.1 1

Cyber Essentials

Firewalls

Shared

n/a

Aim: to make sure that only secure and necessary network services can be accessed from the internet.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_4

Cyber Essentials v3.1 4

Cyber Essentials

User Access Control

Shared

n/a

Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role.

DORA_2022_2554

9.3a

DORA_2022_2554_9.3a

DORA 2022 2554 9.3a

Implement Secure Data Transfer Solutions for ICT Systems

Shared

n/a

Leverage information and communication technology (ICT) solutions and processes that ensure the security of data transfer methods to protect against unauthorized access and data breaches.

EU_2555_(NIS2)_2022

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

189

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

306

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

306

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

306

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

306

FBI_Criminal_Justice_Information_Services_v5.9.5_5.1

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1

Policy and Implementation - Systems And Communications Protection

Systems And Communications Protection

Shared

In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information.

Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment.

110

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.5

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5

Policy and Implementation - Access Control

Access Control

Shared

Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI.

Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information.

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.7

404 not found

n/a

FFIEC_CAT_2017

3.1.1

FFIEC_CAT_2017_3.1.1

FFIEC CAT 2017 3.1.1

Cybersecurity Controls

Infrastructure Management

Shared

n/a

- Network perimeter defense tools (e.g., border router and firewall) are used. - Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. - All ports are monitored. - Up to date antivirus and anti-malware tools are used. - Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. - Ports, functions, protocols and services are prohibited if no longer needed for business purposes. - Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored. - Programs that can override system, object, network, virtual machine, and application controls are restricted. - System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met. - Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.)

FFIEC_CAT_2017

4.1.1

FFIEC_CAT_2017_4.1.1

FFIEC CAT 2017 4.1.1

External Dependency Management

Connections

Shared

n/a

- The critical business processes that are dependent on external connectivity have been identified. - The institution ensures that third-party connections are authorized. - A network diagram is in place and identifies all external connections. - Data flow diagrams are in place and document information flow to external parties.

01.i

HITRUST_CSF_v11.3_01.i

HITRUST CSF v11.3 01.i

Network Access Control

Implement role based access to internal and external network services.

Shared

1. It is to be determined who is allowed access to which network and what networked services. 2. The networks and network services to which users have authorized access is to be specified.

Users shall only be provided with access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied for users and equipment.

01.j

HITRUST_CSF_v11.3_01.j

HITRUST CSF v11.3 01.j

Network Access Control

Prevent unauthorized access to networked services.

Shared

1.External access to systems to be strictly regulated and tightly controlled. 2. External access to sensitive systems to be automatically deactivated immediately after use. 3. Authentication of remote users to be done by using cryptography, biometrics, hardware tokens, software token, a challenge/response protocol, or, certificate agents. 4. Dial-up connections to be encrypted.

Appropriate authentication methods shall be used to control access by remote users.

01.m

HITRUST_CSF_v11.3_01.m

HITRUST CSF v11.3 01.m

Network Access Control

Ensure segregation in networks.

Shared

Security gateways, internal network perimeters, wireless network segregation, firewalls, and logical network domains with controlled data flows to be implemented to enhance network security.

Groups of information services, users, and information systems should be segregated on networks.

01.n

HITRUST_CSF_v11.3_01.n

HITRUST CSF v11.3 01.n

Network Access Control

Prevent unauthorised access to shared networks.

Shared

Default deny policy at managed interfaces, restricted user connections through network gateways, comprehensive access controls, time-based restrictions, and encryption of sensitive information transmitted over public networks for is to be implemented for enhanced security.

For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications.

01.o

HITRUST_CSF_v11.3_01.o

HITRUST CSF v11.3 01.o

Network Access Control

Implement network routing controls to prevent breach of the access control policy of business applications.

Shared

Security gateways are to be leveraged, application-layer filtering proxy is to be employed, outbound traffic is to be directed through authenticated proxy servers, and internal directory services to fortify network access controls and protect against external threats are to be secured.

Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.

09.ab

HITRUST_CSF_v11.3_09.ab

HITRUST CSF v11.3 09.ab

Monitoring

Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls.

Shared

1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with.

Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly.

109

09.w

HITRUST_CSF_v11.3_09.w

HITRUST CSF v11.3 09.w

Exchange of Information

Develop and implement policies and procedures, to protect information associated with the interconnection of business information systems.

Shared

1. A security baseline is to be documented and implemented for interconnected systems. 2. Other requirements and controls linked to interconnected business systems are to include the separation of operational systems from interconnected system, retention and back-up of information held on the system, and fallback requirements and arrangements.

Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems.

ISO_IEC_27002_2022

5.14

ISO_IEC_27002_2022_5.14

ISO IEC 27002 2022 5.14

Protection, Preventive Control

Information transfer

Shared

To maintain the security of information transferred within an organization and with any external interested party.

Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties.

ISO_IEC_27002_2022

6.7

ISO_IEC_27002_2022_6.7

ISO IEC 27002 2022 6.7

Protection, Preventive, Control

Remote working

Shared

Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.

To ensure the security of information when personnel are working remotely.

ISO_IEC_27002_2022

8.9

ISO_IEC_27002_2022_8.9

ISO IEC 27002 2022 8.9

Protection, Preventive Control

Configuration management

Shared

Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.

To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes.

2.10.1

K_ISMS_P_2018_2.10.1

K ISMS P 2018 2.10.1

2.10

Establish Procedures for Managing the Security of System Operations

Shared

n/a

Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions.

408

2.10.2

K_ISMS_P_2018_2.10.2

K ISMS P 2018 2.10.2

2.10

Establish Protective Measures for Administrator Privileges and Security Configurations

Shared

n/a

Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations.

385

2.6.6

K_ISMS_P_2018_2.6.6

K ISMS P 2018 2.6.6

2.6

Prohibit Information Use and Processing Outside of Protected Areas

Shared

n/a

Prohibit the use of information systems and the processing of personal information outside protected areas. If remote access is permitted, establish and implement appropriate protective measures.

2.6.7

K_ISMS_P_2018_2.6.7

K ISMS P 2018 2.6.7

2.6

Establish Internet Connection Control Policies

Shared

n/a

Establish and implement internet connection control policies to prevent data leakage from critical information systems or terminals that perform key roles or handle personal information.

NIST_SP_800-171_R3_3.1.12

.1.12

NIST 800-171 R3 3.1.12

Access Control

Remote Access

Shared

Remote access to the system represents a significant potential vulnerability that can be exploited by adversaries. Monitoring and controlling remote access methods allows organizations to detect attacks and ensure compliance with remote access policies. This occurs by auditing the connection activities of remote users on the systems. Routing remote access through manaccess control points enhances explicit control over such connections and reduces susceptibility to unauthorized access to the system, which could result in the unauthorized disclosure of CUI. Restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and its susceptibility to threats by adversaries. A privileged command is a human-initiated command executed on a system that involves the control, monitoring, or administration of the system, including security functions and security-relevant information. Security-relevant information is information that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling access from remote locations helps to ensure that unauthorized individuals are unable to execute such commands with the potential to do serious or catastrophic damage to the system.

a. Establish usage restrictions, configuration requirements, and connection requirements for each type of allowable remote system access. b. Authorize each type of remote system access prior to establishing such connections. c. Route remote access to the system through authorized and managed access control points. d. Authorize remote execution of privileged commands and remote access to security-relevant information.

NIST_SP_800-171_R3_3.1.18

.1.18

NIST 800-171 R3 3.1.18

Access Control

Access Control for Mobile Devices

Shared

A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable, or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, smart watches, and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of mobile devices may be comparable to or a subset of notebook or desktop systems, depending on the nature and intended purpose of the device. The protection and control of mobile devices is behavior- or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which the organization provides physical or procedural controls to meet the requirements established for protecting CUI. Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions, configuration requirements, and connection requirements for mobile devices include configuration management, device identification and authentication, implementing mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices. Container-based encryption provides a fine-grained approach to the encryption of data and information, including encrypting selected data structures (e.g., files, records, or fields).

a. Establish usage restrictions, configuration requirements, and connection requirements for mobile devices. b. Authorize the connection of mobile devices to the system. c. Implement full-device or container-based encryption to protect the confidentiality of CUI on mobile devices.

.1.3

NIST_SP_800-171_R3_3.1.3

NIST 800-171 R3 3.1.3

Access Control

Information Flow Enforcement

Shared

Information flow control regulates where CUI can transit within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include keeping CUI from being transmitted in the clear to the internet, blocking outside traffic that claims to be from within the organization, restricting requests to the internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of CUI between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., encrypted tunnels, routers, gateways, and firewalls) that use rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems that represent different security domains with different security policies introduces the risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes prohibiting information transfers between interconnected systems (i.e., allowing information access only), employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.

Enforce approved authorizations for controlling the flow of CUI within the system and between connected systems.

NIST_SP_800-171_R3_3.13.1

.13.1

NIST 800-171 R3 3.13.1

System and Communications Protection Control

Boundary Protection

Shared

Managed interfaces include gateways, routers, firewalls, network-based malicious code analysis, virtualization systems, and encrypted tunnels implemented within a security architecture. Subnetworks that are either physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses.

a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system. b. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. c. Connect to external systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

NIST_SP_800-171_R3_3.13.9

.13.9

NIST 800-171 R3 3.13.9

System and Communications Protection Control

Network Disconnect

Shared

This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes deallocating TCP/IP addresses or port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single network connection. Time periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.

Terminate network connections associated with communications sessions at the end of the sessions or after periods of inactivity.

NIST_SP_800-53_R5.1.1_AC.17

AC.17

NIST SP 800-53 R5.1.1 AC.17

Access Control

Remote Access

Shared

a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections.

Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3. Enforcing access restrictions for remote access is addressed via AC-3.

NIST_SP_800-53_R5.1.1_AC.17.1

AC.17.1

NIST SP 800-53 R5.1.1 AC.17.1

Access Control

Remote Access | Monitoring and Control

Shared

Employ automated mechanisms to monitor and control remote access methods.

Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2. Audit events are defined in AU-2a.

NIST_SP_800-53_R5.1.1_AC.17.3

AC.17.3

NIST SP 800-53 R5.1.1 AC.17.3

Access Control

Remote Access | Managed Access Control Points

Shared

Route remote accesses through authorized and managed network access control points.

Organizations consider the Trusted Internet Connections (TIC) initiative [DHS TIC] requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces.

NIST_SP_800-53_R5.1.1_AC.4

AC.4

NIST SP 800-53 R5.1.1 AC.4

Access Control

Information Flow Enforcement

Shared

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].

Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS).

NIST_SP_800-53_R5.1.1_AC.4.4

AC.4.4

NIST SP 800-53 R5.1.1 AC.4.4

Access Control

Information Flow Enforcement | Flow Control of Encrypted Information

Shared

Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method] ].

Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms.

NIST_SP_800-53_R5.1.1_AC.4.6

AC.4.6

NIST SP 800-53 R5.1.1 AC.4.6

Access Control

Information Flow Enforcement | Metadata

Shared

Enforce information flow control based on [Assignment: organization-defined metadata].

Metadata is information that describes the characteristics of data. Metadata can include structural metadata describing data structures or descriptive metadata describing data content. Enforcement of allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata regarding data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., employing sufficiently strong binding techniques with appropriate assurance).

NIST_SP_800-53_R5.1.1_SC.7

SC.7

NIST SP 800-53 R5.1.1 SC.7

System and Communications Protection

Boundary Protection

Shared

a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).

NIST_SP_800-53_R5.1.1_SC.7.3

SC.7.3

NIST SP 800-53 R5.1.1 SC.7.3

System and Communications Protection

Boundary Protection | Access Points

Shared

Limit the number of external network connections to the system.

Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC] initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system.

14.3.12.C.01.

NZISM_v3.7_14.3.12.C.01.

NZISM v3.7 14.3.12.C.01.

Web Applications

14.3.12.C.01. - strengthening the overall security posture of the agency's network environment.

Shared

n/a

Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations.

16.5.10.C.01.

NZISM_v3.7_16.5.10.C.01.

NZISM v3.7 16.5.10.C.01.

Remote Access

16.5.10.C.01. - enhance security and reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies MUST authenticate each remote connection and user prior to permitting access to an agency system.

16.5.10.C.02.

NZISM_v3.7_16.5.10.C.02.

NZISM v3.7 16.5.10.C.02.

Remote Access

16.5.10.C.02. - enhance security and reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies SHOULD authenticate both the remote system user and device during the authentication process.

16.5.11.C.01.

NZISM_v3.7_16.5.11.C.01.

NZISM v3.7 16.5.11.C.01.

Remote Access

16.5.11.C.01. - enhance security and reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies MUST NOT allow the use of remote privileged access from an untrusted domain, including logging in as an unprivileged system user and then escalating privileges.

16.5.11.C.02.

NZISM_v3.7_16.5.11.C.02.

NZISM v3.7 16.5.11.C.02.

Remote Access

16.5.11.C.02. - enhance security and reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies SHOULD NOT allow the use of remote privileged access from an untrusted domain, including logging in as an unprivileged system user and then escalating privileges.

16.5.12.C.01.

NZISM_v3.7_16.5.12.C.01.

NZISM v3.7 16.5.12.C.01.

Remote Access

16.5.12.C.01. - enhance security and reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies SHOULD establish VPN connections for all remote access connections.

19.1.10.C.01.

NZISM_v3.7_19.1.10.C.01.

NZISM v3.7 19.1.10.C.01.

Gateways

19.1.10.C.01. - ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks.

Shared

n/a

When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection.

19.1.11.C.01.

NZISM_v3.7_19.1.11.C.01.

NZISM v3.7 19.1.11.C.01.

Gateways

19.1.11.C.01. - ensure network protection through gateway mechanisms.

Shared

n/a

Agencies MUST ensure that: 1. all agency networks are protected from networks in other security domains by one or more gateways; 2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and 3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room.

19.1.11.C.02.

NZISM_v3.7_19.1.11.C.02.

NZISM v3.7 19.1.11.C.02.

Gateways

19.1.11.C.02. - maintain security and integrity across domains.

Shared

n/a

For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party.

19.1.12.C.01.

NZISM_v3.7_19.1.12.C.01.

NZISM v3.7 19.1.12.C.01.

Gateways

19.1.12.C.01. - minimize security risks and ensure effective control over network communications

Shared

n/a

Agencies MUST ensure that gateways: 1. are the only communications paths into and out of internal networks; 2. by default, deny all connections into and out of the network; 3. allow only explicitly authorised connections; 4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network); 5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and 6. provide real-time alerts.

19.1.14.C.01.

NZISM_v3.7_19.1.14.C.01.

NZISM v3.7 19.1.14.C.01.

Gateways

19.1.14.C.01. - enhance security by segregating resources from the internal network.

Shared

n/a

Agencies MUST use demilitarised zones to house systems and information directly accessed externally.

19.1.14.C.02.

NZISM_v3.7_19.1.14.C.02.

NZISM v3.7 19.1.14.C.02.

Gateways

19.1.14.C.02. - enhance security by segregating resources from the internal network.

Shared

n/a

Agencies SHOULD use demilitarised zones to house systems and information directly accessed externally.

19.1.19.C.01.

NZISM_v3.7_19.1.19.C.01.

NZISM v3.7 19.1.19.C.01.

Gateways

19.1.19.C.01. - enhance security posture.

Shared

n/a

Agencies MUST limit access to gateway administration functions.

19.2.16.C.02.

NZISM_v3.7_19.2.16.C.02.

NZISM v3.7 19.2.16.C.02.

Cross Domain Solutions (CDS)

19.2.16.C.02. - maintain security and prevent unauthorized access or disclosure of sensitive information.

Shared

n/a

Agencies MUST NOT implement a gateway permitting data to flow directly from: 1. a TOP SECRET network to any network below SECRET; 2. a SECRET network to an UNCLASSIFIED network; or 3. a CONFIDENTIAL network to an UNCLASSIFIED network.

19.2.18.C.01.

NZISM_v3.7_19.2.18.C.01.

NZISM v3.7 19.2.18.C.01.

Cross Domain Solutions (CDS)

19.2.18.C.01. - enhance data security and prevent unauthorized access or leakage between classified networks and less classified networks.

Shared

n/a

Agencies MUST ensure that all bi-directional gateways between TOP SECRET and SECRET networks, SECRET and less classified networks, and CONFIDENTIAL and less classified networks, have separate upward and downward paths which use a diode and physically separate infrastructure for each path.

Sarbanes_Oxley_Act_(1)_2022_1

19.2.19.C.01.

NZISM_v3.7_19.2.19.C.01.

NZISM v3.7 19.2.19.C.01.

Cross Domain Solutions (CDS)

19.2.19.C.01. - ensure the integrity and reliability of information accessed or received.

Shared

n/a

Trusted sources MUST be: 1. a strictly limited list derived from business requirements and the result of a security risk assessment; 2. where necessary an appropriate security clearance is held; and 3. approved by the Accreditation Authority.

PCI_DSS_v4.0.1

1.2.1

PCI_DSS_v4.0.1_1.2.1

PCI DSS v4.0.1 1.2.1

Install and Maintain Network Security Controls

Configuration standards for NSC rulesets are defined, implemented, and maintained

Shared

n/a

Examine the configuration standards for NSC rulesets to verify the standards are in accordance with all elements specified in this requirement. Examine configuration settings for NSC rulesets to verify that rulesets are implemented according to the configuration standards

PCI_DSS_v4.0.1

1.2.7

PCI_DSS_v4.0.1_1.2.7

PCI DSS v4.0.1 1.2.7

Install and Maintain Network Security Controls

Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective

Shared

n/a

Examine documentation to verify procedures are defined for reviewing configurations of NSCs at least once every six months. Examine documentation of reviews of configurations for NSCs and interview responsible personnel to verify that reviews occur at least once every six months. Examine configurations for NSCs to verify that configurations identified as no longer being supported by a business justification are removed or updated

PCI_DSS_v4.0.1

1.4.4

PCI_DSS_v4.0.1_1.4.4

PCI DSS v4.0.1 1.4.4

Install and Maintain Network Security Controls

System components that store cardholder data are not directly accessible from untrusted networks

Shared

n/a

Examine the data-flow diagram and network diagram to verify that it is documented that system components storing cardholder data are not directly accessible from the untrusted networks. Examine configurations of NSCs to verify that controls are implemented such that system components storing cardholder data are not directly accessible from untrusted networks

RBI_ITF_NBFC_v2017

RBI_ITF_NBFC_v2017_6

RBI IT Framework 6

Business Continuity Planning

Business Continuity Planning (BCP) and Disaster Recovery-6

n/a

BCP forms a significant part of an organisation's overall Business Continuity Management plan, which includes policies, standards and procedures to ensure continuity, resumption and recovery of critical business processes. BCP shall be designed to minimise the operational, financial, legal, reputational and other material consequences arising from a disaster. NBFC should adopt a Board approved BCP Policy. The functioning of BCP shall be monitored by the Board by way of periodic reports. The CIO shall be responsible for formulation, review and monitoring of BCP to ensure continued effectiveness. The BCP may have the following salient features

link

RBI_ITF_NBFC_v2017

6.4

RBI_ITF_NBFC_v2017_6.4

RBI IT Framework 6.4

Business Continuity Planning

Recovery strategy / Contingency Plan-6.4

n/a

NBFCs shall test the BCP either annually or when significant IT or business changes take place to determine if the entity could be recovered to an acceptable level of business within the timeframe stated in the contingency plan. The test should be based on ???worst case scenarios???. The results along with the gap analysis may be placed before the CIO and the Board. The GAP Analysis along with Board???s insight should form the basis for construction of the updated BCP.

link

Sarbanes Oxley Act 2022 1

PUBLIC LAW

Sarbanes Oxley Act 2022 (SOX)

Shared

n/a

A1.1

SOC_2023_A1.1

SOC 2023 A1.1

Additional Criteria for Availability

Effectively manage capacity demand and facilitate the implementation of additional capacity as needed.

Shared

n/a

The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

107

C1.1

SOC_2023_C1.1

SOC 2023 C1.1

Additional Criteria for Confidentiality

Preserve trust, compliance, and competitive advantage.

Shared

n/a

The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.

CC1.3

SOC_2023_CC1.3

SOC 2023 CC1.3

Control Environment

Enable effective execution of authorities, information flow, and setup of appropriate responsibilities to achieve organizational objectives.

Shared

n/a

1. Ensure the management establishes, with board oversight, structures including operating units, legal entities, geographic distribution and outsourced service providers. 2. Design and evaluate reporting lines for each entity to enable execution of authorities, execution and flow of information and setup appropriate authorities and responsibilities in the pursuit of objectives.

CC2.2

SOC_2023_CC2.2

SOC 2023 CC2.2

Information and Communication

Facilitate effective internal communication, including objectives and responsibilities for internal control.

Shared

n/a

Entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control by setting up a process to communicate required information to enable personnel to understand and carry out responsibilities, ensure communication exists between management and board of directors, provides for separate communication channels which serve as fail-safe mechanism to enable anonymous or confidential communication and setting up relevant methods of communication by considering the timing, audience and nature information

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

214

CC5.2

SOC_2023_CC5.2

SOC 2023 CC5.2

Control Activities

Mitigate technology-related risks and ensure that technology effectively supports the organization in achieving its objectives, enhancing efficiency, reliability, and security in its operations.

Shared

n/a

Entity also selects and develops general control activities over technology to support the achievement of objectives by determining Dependency Between the Use of Technology in Business Processes and Technology General Controls, establishing Relevant Technology Infrastructure Control Activities, establishing Relevant Security Management Process Controls Activities, establishing Relevant Technology Acquisition and Development, and Maintenance of Process Control Activities.

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

225

CC6.1

SOC_2023_CC6.1

SOC 2023 CC6.1

Logical and Physical Access Controls

Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets.

Shared

n/a

Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys.

127

CC7.1

SOC_2023_CC7.1

SOC 2023 CC7.1

Systems Operations

Maintain a proactive approach to cybersecurity and mitigate risks effectively.

Shared

n/a

meet its objectives, the entity uses detection and monitoring procedures to identify changes to configurations that result in the introduction of new vulnerabilities, and susceptibilities to newly discovered vulnerabilities.

CC7.2

SOC_2023_CC7.2

SOC 2023 CC7.2

Systems Operations

Maintain robust security measures and ensure operational resilience.

Shared

n/a

The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events.

163

CC7.4

SOC_2023_CC7.4

SOC 2023 CC7.4

Systems Operations

Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation.

Shared

n/a

The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations.

209

CC7.5

SOC_2023_CC7.5

SOC 2023 CC7.5

Systems Operations

Ensure prompt restoration of normal operations, mitigation of residual risks, and enhancement of incident response capabilities to minimize the impact of future incidents.

Shared

n/a

The entity identifies, develops, and implements activities to recover from identified security incidents.

CC8.1

SOC_2023_CC8.1

SOC 2023 CC8.1

Change Management

Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change.

Shared

n/a

The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations.

143

CC9.2

SOC_2023_CC9.2

SOC 2023 CC9.2

Risk Mitigation

Ensure effective risk management throughout the supply chain and business ecosystem.

Shared

n/a

Entity assesses and manages risks associated with vendors and business partners.

PI1.3

SOC_2023_PI1.3

SOC 2023 PI1.3

Additional Criteria for Processing Integrity (Over the provision of services or the production, manufacturing, or distribution of goods)

Enhance efficiency, accuracy, and compliance with organizational standards and regulatory requirements with regards to system processing to result in products, services, and reporting to meet the entity’s objectives.

Shared

n/a

The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.

1.1

SWIFT_CSCF_2024_1.1

SWIFT Customer Security Controls Framework 2024 1.1

Physical and Environmental Security

Swift Environment Protection

Shared

1. Segmentation between the user's Swift infrastructure and the larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve a compromise of the general enterprise IT environment. 2. Effective segmentation includes network-level separation, access restrictions, and connectivity restrictions.

To ensure the protection of the user’s Swift infrastructure from potentially compromised elements of the general IT environment and external environment.

1.5

SWIFT_CSCF_2024_1.5

SWIFT Customer Security Controls Framework 2024 1.5

Physical and Environmental Security

Customer Environment Protection

Shared

1. Segmentation between the customer’s connectivity infrastructure and its larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve compromise of the general enterprise IT environment. 2. Effective segmentation will include network-level separation, access restrictions, and connectivity restrictions.

To ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment.

2.1

SWIFT_CSCF_2024_2.1

SWIFT Customer Security Controls Framework 2024 2.1

Risk Management

Internal Data Flow Security

Shared

The protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit.

To ensure the confidentiality, integrity, and authenticity of application data flows between ’user’s Swift-related components.

2.6

SWIFT_CSCF_2024_2.6

SWIFT Customer Security Controls Framework 2024 2.6

Risk Management

Operator Session Confidentiality and Integrity

Shared

1. Operator sessions, through the jump server when accessing the on-premises or remote (that is hosted or operated by a third party, or both) Swift infrastructure, pose a unique threat because unusual or unexpected activity is more difficult to detect during interactive sessions than it is during application-to-application activity. 2. Therefore, it is important to protect the integrity and confidentiality of these operator sessions to reduce any opportunity for misuse or password theft. When used, access to the virtualisation layer (virtualisation or cloud management console) must be similarly protected.

To protect the confidentiality and integrity of interactive operator sessions that connect to the on- premises or remote (operated by a service provider or outsourcing agent) Swift infrastructure or to a service provider or outsourcing agent Swift-related applications.