Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
Azure_Security_Benchmark_v3.0 |
AM-5 |
Azure_Security_Benchmark_v3.0_AM-5 |
Microsoft cloud security benchmark AM-5 |
Asset Management |
Use only approved applications in virtual machine |
Shared |
**Security Principle:**
Ensure that only authorized software executes by creating an allow list and blocking unauthorized software from executing in your environment.
**Azure Guidance:**
Use Microsoft Defender for Cloud adaptive application controls to discover and generate an application allow list. The same adaptive application controls (ASC, Azure Security Center, is the former name of Defender for Cloud) can then be used to ensure that only authorized software executes and that all unauthorized software is blocked from executing on Azure Virtual Machines.
Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. Software name, version, publisher, and refresh time are available from the Azure portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to a Log Analytics workspace.
Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources.
You can also use a third-party solution to discover and identify unapproved software.
**Implementation and additional context:**
How to use Microsoft Defender for Cloud adaptive application controls:
https://docs.microsoft.com/azure/security-center/security-center-adaptive-application
Understand Azure Automation Change Tracking and Inventory:
https://docs.microsoft.com/azure/automation/change-tracking
How to control PowerShell script execution in Windows environments:
https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6 |
n/a |
link |
2 |
CMMC_2.0_L2 |
CM.L2-3.4.6 |
CMMC_2.0_L2_CM.L2-3.4.6 |
404 not found |
|
|
|
n/a |
n/a |
|
3 |
CMMC_2.0_L2 |
CM.L2-3.4.7 |
CMMC_2.0_L2_CM.L2-3.4.7 |
404 not found |
|
|
|
n/a |
n/a |
|
2 |
CMMC_2.0_L2 |
CM.L2-3.4.8 |
CMMC_2.0_L2_CM.L2-3.4.8 |
404 not found |
|
|
|
n/a |
n/a |
|
2 |
CMMC_2.0_L2 |
CM.L2-3.4.9 |
CMMC_2.0_L2_CM.L2-3.4.9 |
404 not found |
|
|
|
n/a |
n/a |
|
2 |
CMMC_L3 |
CA.2.158 |
CMMC_L3_CA.2.158 |
CMMC L3 CA.2.158 |
Security Assessment |
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating as intended. Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans.
Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted.
Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Organizations can choose to use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of systems during the system life cycle. |
link |
10 |
CMMC_L3 |
CA.3.161 |
CMMC_L3_CA.3.161 |
CMMC L3 CA.3.161 |
Security Assessment |
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions.
Automation supports more frequent updates to hardware, software, firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Monitoring requirements, including the need for specific monitoring, may also be referenced in other requirements. |
link |
10 |
CMMC_L3 |
CM.2.063 |
CMMC_L3_CM.2.063 |
CMMC L3 CM.2.063 |
Configuration Management |
Control and monitor user-installed software. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both. |
link |
4 |
CMMC_L3 |
CM.3.068 |
CMMC_L3_CM.3.068 |
CMMC L3 CM.3.068 |
Configuration Management |
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling. |
link |
25 |
FedRAMP_High_R4 |
CM-10 |
FedRAMP_High_R4_CM-10 |
FedRAMP High CM-10 |
Configuration Management |
Software Usage Restrictions |
Shared |
n/a |
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Supplemental Guidance: Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7.
References: None. |
link |
4 |
FedRAMP_High_R4 |
CM-11 |
FedRAMP_High_R4_CM-11 |
FedRAMP High CM-11 |
Configuration Management |
User-Installed Software |
Shared |
n/a |
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency].
Supplemental Guidance: If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4.
References: None. |
link |
2 |
FedRAMP_High_R4 |
CM-7 |
FedRAMP_High_R4_CM-7 |
FedRAMP High CM-7 |
Configuration Management |
Least Functionality |
Shared |
n/a |
The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
Supplemental Guidance: Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7.
References: DoD Instruction 8551.01. |
link |
3 |
FedRAMP_High_R4 |
CM-7(2) |
FedRAMP_High_R4_CM-7(2) |
FedRAMP High CM-7 (2) |
Configuration Management |
Prevent Program Execution |
Shared |
n/a |
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
Supplemental Guidance: Related controls: CM-8, PM-5. |
link |
2 |
FedRAMP_High_R4 |
CM-7(5) |
FedRAMP_High_R4_CM-7(5) |
FedRAMP High CM-7 (5) |
Configuration Management |
Authorized Software / Whitelisting |
Shared |
n/a |
The organization:
(a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].
Supplemental Guidance: The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. |
link |
2 |
FedRAMP_Moderate_R4 |
CM-10 |
FedRAMP_Moderate_R4_CM-10 |
FedRAMP Moderate CM-10 |
Configuration Management |
Software Usage Restrictions |
Shared |
n/a |
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Supplemental Guidance: Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7.
References: None. |
link |
4 |
FedRAMP_Moderate_R4 |
CM-11 |
FedRAMP_Moderate_R4_CM-11 |
FedRAMP Moderate CM-11 |
Configuration Management |
User-Installed Software |
Shared |
n/a |
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency].
Supplemental Guidance: If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4.
References: None. |
link |
2 |
FedRAMP_Moderate_R4 |
CM-7 |
FedRAMP_Moderate_R4_CM-7 |
FedRAMP Moderate CM-7 |
Configuration Management |
Least Functionality |
Shared |
n/a |
The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
Supplemental Guidance: Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7.
References: DoD Instruction 8551.01. |
link |
3 |
FedRAMP_Moderate_R4 |
CM-7(2) |
FedRAMP_Moderate_R4_CM-7(2) |
FedRAMP Moderate CM-7 (2) |
Configuration Management |
Prevent Program Execution |
Shared |
n/a |
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
Supplemental Guidance: Related controls: CM-8, PM-5. |
link |
2 |
FedRAMP_Moderate_R4 |
CM-7(5) |
FedRAMP_Moderate_R4_CM-7(5) |
FedRAMP Moderate CM-7 (5) |
Configuration Management |
Authorized Software / Whitelisting |
Shared |
n/a |
The organization:
(a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].
Supplemental Guidance: The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. |
link |
2 |
NIST_SP_800-171_R2 |
3.4.6 |
NIST_SP_800-171_R2_3.4.6 |
NIST SP 800-171 R2 3.4.6 |
Configuration Management |
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. |
link |
3 |
NIST_SP_800-171_R2 |
3.4.7 |
NIST_SP_800-171_R2_3.4.7 |
NIST SP 800-171 R2 3.4.7 |
Configuration Management |
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling. |
link |
2 |
NIST_SP_800-171_R2 |
3.4.8 |
NIST_SP_800-171_R2_3.4.8 |
NIST SP 800-171 R2 3.4.8 |
Configuration Management |
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
The process used to identify software programs that are not authorized to execute on systems is commonly referred to as blacklisting. The process used to identify software programs that are authorized to execute on systems is commonly referred to as whitelisting. Whitelisting is the stronger of the two policies for restricting software program execution. In addition to whitelisting, organizations consider verifying the integrity of whitelisted software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of whitelisted software can occur either prior to execution or at system startup. [SP 800-167] provides guidance on application whitelisting. |
link |
2 |
NIST_SP_800-171_R2 |
3.4.9 |
NIST_SP_800-171_R2_3.4.9 |
NIST SP 800-171 R2 3.4.9 |
Configuration Management |
Control and monitor user-installed software. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both. |
link |
2 |
NIST_SP_800-53_R4 |
CM-10 |
NIST_SP_800-53_R4_CM-10 |
NIST SP 800-53 Rev. 4 CM-10 |
Configuration Management |
Software Usage Restrictions |
Shared |
n/a |
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Supplemental Guidance: Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7.
References: None. |
link |
4 |
NIST_SP_800-53_R4 |
CM-11 |
NIST_SP_800-53_R4_CM-11 |
NIST SP 800-53 Rev. 4 CM-11 |
Configuration Management |
User-Installed Software |
Shared |
n/a |
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency].
Supplemental Guidance: If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4.
References: None. |
link |
2 |
NIST_SP_800-53_R4 |
CM-7 |
NIST_SP_800-53_R4_CM-7 |
NIST SP 800-53 Rev. 4 CM-7 |
Configuration Management |
Least Functionality |
Shared |
n/a |
The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
Supplemental Guidance: Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7.
References: DoD Instruction 8551.01. |
link |
3 |
NIST_SP_800-53_R4 |
CM-7(2) |
NIST_SP_800-53_R4_CM-7(2) |
NIST SP 800-53 Rev. 4 CM-7 (2) |
Configuration Management |
Prevent Program Execution |
Shared |
n/a |
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
Supplemental Guidance: Related controls: CM-8, PM-5. |
link |
2 |
NIST_SP_800-53_R4 |
CM-7(5) |
NIST_SP_800-53_R4_CM-7(5) |
NIST SP 800-53 Rev. 4 CM-7 (5) |
Configuration Management |
Authorized Software / Whitelisting |
Shared |
n/a |
The organization:
(a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].
Supplemental Guidance: The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. |
link |
2 |
NIST_SP_800-53_R5 |
CM-10 |
NIST_SP_800-53_R5_CM-10 |
NIST SP 800-53 Rev. 5 CM-10 |
Configuration Management |
Software Usage Restrictions |
Shared |
n/a |
a. Use software and associated documentation in accordance with contract agreements and copyright laws;
b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
link |
4 |
NIST_SP_800-53_R5 |
CM-11 |
NIST_SP_800-53_R5_CM-11 |
NIST SP 800-53 Rev. 5 CM-11 |
Configuration Management |
User-installed Software |
Shared |
n/a |
a. Establish [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and
c. Monitor policy compliance [Assignment: organization-defined frequency]. |
link |
2 |
NIST_SP_800-53_R5 |
CM-7 |
NIST_SP_800-53_R5_CM-7 |
NIST SP 800-53 Rev. 5 CM-7 |
Configuration Management |
Least Functionality |
Shared |
n/a |
a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]. |
link |
3 |
NIST_SP_800-53_R5 |
CM-7(2) |
NIST_SP_800-53_R5_CM-7(2) |
NIST SP 800-53 Rev. 5 CM-7 (2) |
Configuration Management |
Prevent Program Execution |
Shared |
n/a |
Prevent program execution in accordance with [Selection (OneOrMore): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. |
link |
2 |
NIST_SP_800-53_R5 |
CM-7(5) |
NIST_SP_800-53_R5_CM-7(5) |
NIST SP 800-53 Rev. 5 CM-7 (5) |
Configuration Management |
Authorized Software – Allow-by-exception |
Shared |
n/a |
(a) Identify [Assignment: organization-defined software programs authorized to execute on the system];
(b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and
(c) Review and update the list of authorized software programs [Assignment: organization-defined frequency]. |
link |
2 |
NZ_ISM_v3.5 |
SS-5 |
NZ_ISM_v3.5_SS-5 |
NZISM Security Benchmark SS-5 |
Software security |
14.2.4 Application Whitelisting |
Customer |
n/a |
Application whitelisting can be an effective mechanism to prevent the successful compromise of an agency system resulting from the exploitation of a vulnerability in an application or the execution of malicious code.
Defining a list of trusted executables, a whitelist, is a practical and secure method of securing a system rather than relying on a list of bad executables (black list) to be prevented from running.
Application whitelisting is considered only one part of a defence-in-depth strategy in order to prevent a successful attack, or to help mitigate consequences arising from an attack. |
link |
2 |
NZISM_Security_Benchmark_v1.1 |
SS-5 |
NZISM_Security_Benchmark_v1.1_SS-5 |
NZISM Security Benchmark SS-5 |
Software security |
14.2.4 Application Whitelisting |
Customer |
Agencies SHOULD implement application whitelisting as part of the SOE for workstations, servers and any other network device. |
Application whitelisting can be an effective mechanism to prevent the successful compromise of an agency system resulting from the exploitation of a vulnerability in an application or the execution of malicious code.
Defining a list of trusted executables, a whitelist, is a practical and secure method of securing a system rather than relying on a list of bad executables (black list) to be prevented from running.
Application whitelisting is considered only one part of a defence-in-depth strategy in order to prevent a successful attack, or to help mitigate consequences arising from an attack. |
link |
2 |
RBI_CSF_Banks_v2016 |
13.1 |
RBI_CSF_Banks_v2016_13.1 |
|
Advanced Real-Time Threat Defence and Management |
Advanced Real-Time Threat Defence and Management-13.1 |
|
n/a |
Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise. |
|
27 |
RBI_CSF_Banks_v2016 |
13.3 |
RBI_CSF_Banks_v2016_13.3 |
|
Advanced Real-Time Threat Defence and Management |
Advanced Real-Time Threat Defence and Management-13.3 |
|
n/a |
Consider implementing whitelisting of internet websites/systems. |
|
15 |
RBI_CSF_Banks_v2016 |
14.1 |
RBI_CSF_Banks_v2016_14.1 |
|
Anti-Phishing |
Anti-Phishing-14.1 |
|
n/a |
Subscribe to anti-phishing/anti-rogue app services from external service providers for identifying and taking down phishing websites/rogue applications. |
|
31 |
RBI_CSF_Banks_v2016 |
2.1 |
RBI_CSF_Banks_v2016_2.1 |
|
Preventing Execution Of Unauthorised Software |
Software Inventory-2.1 |
|
n/a |
Maintain an up-to-date and preferably centralised inventory of authorised/unauthorised software(s). Consider implementing whitelisting of authorised applications / software/libraries, etc. |
|
2 |
RBI_CSF_Banks_v2016 |
2.2 |
RBI_CSF_Banks_v2016_2.2 |
|
Preventing Execution Of Unauthorised Software |
Authorised Software Installation-2.2 |
|
n/a |
Have mechanism to centrally/otherwise control installation of software/applications on end-user PCs, laptops, workstations, servers, mobile devices, etc. and mechanism to block /prevent and identify installation and running of unauthorised software/applications on such devices/systems. |
|
2 |
RBI_CSF_Banks_v2016 |
4.2 |
RBI_CSF_Banks_v2016_4.2 |
|
Network Management And Security |
Network Inventory-4.2 |
|
n/a |
Maintain an up-to-date/centralised inventory of authorised devices connected to the bank's network (within/outside the bank's premises) and authorised devices enabling the bank's network. The bank may consider implementing solutions to automate network discovery and management. |
|
6 |
RBI_ITF_NBFC_v2017 |
2 |
RBI_ITF_NBFC_v2017_2 |
RBI IT Framework 2 |
IT Policy |
IT Policy-2 |
|
n/a |
NBFCs may formulate a Board approved IT Policy, in line with the objectives of their organisation comprising the following:
a. An IT organizational structure commensurate with the size, scale and nature of business activities carried out by the NBFC;
b. NBFCs may designate a senior executive as the Chief Information Officer (CIO) or in-Charge of IT Operations whose responsibility is to ensure implementation of IT Policy to the operational level involving IT strategy, value delivery, risk management and IT resource management.
c. To ensure technical competence at senior/middle level management of NBFC, periodic assessment of the IT training requirements should be formulated to ensure that sufficient, competent and capable human resources are available.
d. The NBFCs which are currently not using IPv6 platform should migrate to the same as per National Telecom Policy issued by the Government of India in 2012. (As per Circular DNBS(Inf.).CC.No 309/24.01.022/2012-13 November 08, 2012) |
link |
2 |
RMiT_v1.0 |
11.17 |
RMiT_v1.0_11.17 |
RMiT 11.17 |
Security Operations Centre (SOC) |
Security Operations Centre (SOC) - 11.17 |
Shared |
n/a |
A financial institution must ensure its SOC, whether managed in-house or by third party service providers, has adequate capabilities for proactive monitoring of its technology security posture. This shall enable the financial institution to detect anomalous user or network activities, flag potential breaches and establish the appropriate response supported by skilled resources based on the level of complexity of the alerts. The outcome of the SOC activities shall also inform the financial institution's reviews of its cybersecurity posture and strategy. |
link |
4 |
SOC_2 |
CC6.8 |
SOC_2_CC6.8 |
SOC 2 Type 2 CC6.8 |
Logical and Physical Access Controls |
Prevent or detect against unauthorized or malicious software |
Shared |
The customer is responsible for implementing this recommendation. |
• Restricts Application and Software Installation — The ability to install applications and software is restricted to authorized individuals.
• Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software.
• Uses a Defined Change Control Process — A management-defined change control process is used for the implementation of software.
• Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware.
• Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been transferred or returned to the entity's custody for malware and other unauthorized software and to remove any items detected prior to their implementation on the network. |
|
54 |
SOC_2 |
CC7.1 |
SOC_2_CC7.1 |
SOC 2 Type 2 CC7.1 |
System Operations |
Detection and monitoring of new vulnerabilities |
Shared |
The customer is responsible for implementing this recommendation. |
• Uses Defined Configuration Standards — Management has defined configuration standards.
• Monitors Infrastructure and Software — The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives.
• Implements Change-Detection Mechanisms — The IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files.
• Detects Unknown or Unauthorized Components — Procedures are in place to detect the introduction of unknown or unauthorized components.
• Conducts Vulnerability Scans — The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis. |
|
17 |
SWIFT_CSCF_v2022 |
1.1 |
SWIFT_CSCF_v2022_1.1 |
SWIFT CSCF v2022 1.1 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. |
Shared |
n/a |
A separated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments. |
link |
22 |