last sync: 2024-Mar-18 18:48:08 UTC

Allowlist rules in your adaptive application control policy should be updated

Azure BuiltIn Policy definition

Source Azure Portal
Display name Allowlist rules in your adaptive application control policy should be updated
Id 123a3936-f020-408a-ba0c-47873faf1534
Version 3.0.0
Details on versioning
Category Security Center
Microsoft Learn
Description Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.Security/assessments/status.code Microsoft.Security assessments properties.status.code false
Rule resource types IF (2)
Microsoft.ClassicCompute/virtualMachines
Microsoft.Compute/virtualMachines
Compliance
The following 46 compliance controls are associated with this Policy definition 'Allowlist rules in your adaptive application control policy should be updated' (123a3936-f020-408a-ba0c-47873faf1534)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 AM-5 Azure_Security_Benchmark_v3.0_AM-5 Microsoft cloud security benchmark AM-5 Asset Management Use only approved applications in virtual machine Shared **Security Principle:** Ensure that only authorized software executes by creating an allow list and block the unauthorized software from executing in your environment. **Azure Guidance:** Use Microsoft Defender for Cloud adaptive application controls to discover and generate an application allow list. You can also use ASC adaptive application controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines. Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. Software name, version, publisher, and refresh time are available from the Azure portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to Log Analytics workspace. Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources. You can also use a third-party solution to discover and identify unapproved software. **Implementation and additional context:** How to use Microsoft Defender for Cloud adaptive application controls: https://docs.microsoft.com/azure/security-center/security-center-adaptive-application Understand Azure Automation Change Tracking and Inventory: https://docs.microsoft.com/azure/automation/change-tracking How to control PowerShell script execution in Windows environments: https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6 n/a link 2
CMMC_2.0_L2 CM.L2-3.4.6 CMMC_2.0_L2_CM.L2-3.4.6 404 not found n/a n/a 3
CMMC_2.0_L2 CM.L2-3.4.7 CMMC_2.0_L2_CM.L2-3.4.7 404 not found n/a n/a 2
CMMC_2.0_L2 CM.L2-3.4.8 CMMC_2.0_L2_CM.L2-3.4.8 404 not found n/a n/a 2
CMMC_2.0_L2 CM.L2-3.4.9 CMMC_2.0_L2_CM.L2-3.4.9 404 not found n/a n/a 2
CMMC_L3 CA.2.158 CMMC_L3_CA.2.158 CMMC L3 CA.2.158 Security Assessment Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating as intended. Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Organizations can choose to use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of systems during the system life cycle. link 10
CMMC_L3 CA.3.161 CMMC_L3_CA.3.161 CMMC L3 CA.3.161 Security Assessment Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. Shared Microsoft and the customer share responsibilities for implementing this requirement. Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions. Automation supports more frequent updates to hardware, software, firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Monitoring requirements, including the need for specific monitoring, may also be referenced in other requirements. link 10
CMMC_L3 CM.2.063 CMMC_L3_CM.2.063 CMMC L3 CM.2.063 Configuration Management Control and monitor user-installed software. Shared Microsoft and the customer share responsibilities for implementing this requirement. Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both. link 4
CMMC_L3 CM.3.068 CMMC_L3_CM.3.068 CMMC L3 CM.3.068 Configuration Management Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Shared Microsoft and the customer share responsibilities for implementing this requirement. Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling. link 25
FedRAMP_High_R4 CM-10 FedRAMP_High_R4_CM-10 FedRAMP High CM-10 Configuration Management Software Usage Restrictions Shared n/a The organization: a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. Supplemental Guidance: Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. References: None. link 4
FedRAMP_High_R4 CM-11 FedRAMP_High_R4_CM-11 FedRAMP High CM-11 Configuration Management User-Installed Software Shared n/a The organization: a. Establishes [Assignment: organization-defined policies] governing the installation of software by users; b. Enforces software installation policies through [Assignment: organization-defined methods]; and c. Monitors policy compliance at [Assignment: organization-defined frequency]. Supplemental Guidance: If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. References: None. link 2
FedRAMP_High_R4 CM-7 FedRAMP_High_R4_CM-7 FedRAMP High CM-7 Configuration Management Least Functionality Shared n/a The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. Supplemental Guidance: Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7. References: DoD Instruction 8551.01. link 3
FedRAMP_High_R4 CM-7(2) FedRAMP_High_R4_CM-7(2) FedRAMP High CM-7 (2) Configuration Management Prevent Program Execution Shared n/a The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. Supplemental Guidance: Related controls: CM-8, PM-5. link 2
FedRAMP_High_R4 CM-7(5) FedRAMP_High_R4_CM-7(5) FedRAMP High CM-7 (5) Configuration Management Authorized Software / Whitelisting Shared n/a The organization: (a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (c) Reviews and updates the list of authorized software programs [Assignment: organization- defined frequency]. Supplemental Guidance: The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. link 2
FedRAMP_Moderate_R4 CM-10 FedRAMP_Moderate_R4_CM-10 FedRAMP Moderate CM-10 Configuration Management Software Usage Restrictions Shared n/a The organization: a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. Supplemental Guidance: Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. References: None. link 4
FedRAMP_Moderate_R4 CM-11 FedRAMP_Moderate_R4_CM-11 FedRAMP Moderate CM-11 Configuration Management User-Installed Software Shared n/a The organization: a. Establishes [Assignment: organization-defined policies] governing the installation of software by users; b. Enforces software installation policies through [Assignment: organization-defined methods]; and c. Monitors policy compliance at [Assignment: organization-defined frequency]. Supplemental Guidance: If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. References: None. link 2
FedRAMP_Moderate_R4 CM-7 FedRAMP_Moderate_R4_CM-7 FedRAMP Moderate CM-7 Configuration Management Least Functionality Shared n/a The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. Supplemental Guidance: Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7. References: DoD Instruction 8551.01. link 3
FedRAMP_Moderate_R4 CM-7(2) FedRAMP_Moderate_R4_CM-7(2) FedRAMP Moderate CM-7 (2) Configuration Management Prevent Program Execution Shared n/a The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. Supplemental Guidance: Related controls: CM-8, PM-5. link 2
FedRAMP_Moderate_R4 CM-7(5) FedRAMP_Moderate_R4_CM-7(5) FedRAMP Moderate CM-7 (5) Configuration Management Authorized Software / Whitelisting Shared n/a The organization: (a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (c) Reviews and updates the list of authorized software programs [Assignment: organization- defined frequency]. Supplemental Guidance: The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. link 2
NIST_SP_800-171_R2_3 .4.6 NIST_SP_800-171_R2_3.4.6 NIST SP 800-171 R2 3.4.6 Configuration Management Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. Shared Microsoft and the customer share responsibilities for implementing this requirement. Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. link 3
NIST_SP_800-171_R2_3 .4.7 NIST_SP_800-171_R2_3.4.7 NIST SP 800-171 R2 3.4.7 Configuration Management Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Shared Microsoft and the customer share responsibilities for implementing this requirement. Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling. link 2
NIST_SP_800-171_R2_3 .4.8 NIST_SP_800-171_R2_3.4.8 NIST SP 800-171 R2 3.4.8 Configuration Management Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. Shared Microsoft and the customer share responsibilities for implementing this requirement. The process used to identify software programs that are not authorized to execute on systems is commonly referred to as blacklisting. The process used to identify software programs that are authorized to execute on systems is commonly referred to as whitelisting. Whitelisting is the stronger of the two policies for restricting software program execution. In addition to whitelisting, organizations consider verifying the integrity of whitelisted software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of whitelisted software can occur either prior to execution or at system startup. [SP 800-167] provides guidance on application whitelisting. link 2
NIST_SP_800-171_R2_3 .4.9 NIST_SP_800-171_R2_3.4.9 NIST SP 800-171 R2 3.4.9 Configuration Management Control and monitor user-installed software. Shared Microsoft and the customer share responsibilities for implementing this requirement. Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both. link 2
NIST_SP_800-53_R4 CM-10 NIST_SP_800-53_R4_CM-10 NIST SP 800-53 Rev. 4 CM-10 Configuration Management Software Usage Restrictions Shared n/a The organization: a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. Supplemental Guidance: Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. References: None. link 4
NIST_SP_800-53_R4 CM-11 NIST_SP_800-53_R4_CM-11 NIST SP 800-53 Rev. 4 CM-11 Configuration Management User-Installed Software Shared n/a The organization: a. Establishes [Assignment: organization-defined policies] governing the installation of software by users; b. Enforces software installation policies through [Assignment: organization-defined methods]; and c. Monitors policy compliance at [Assignment: organization-defined frequency]. Supplemental Guidance: If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. References: None. link 2
NIST_SP_800-53_R4 CM-7 NIST_SP_800-53_R4_CM-7 NIST SP 800-53 Rev. 4 CM-7 Configuration Management Least Functionality Shared n/a The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. Supplemental Guidance: Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7. References: DoD Instruction 8551.01. link 3
NIST_SP_800-53_R4 CM-7(2) NIST_SP_800-53_R4_CM-7(2) NIST SP 800-53 Rev. 4 CM-7 (2) Configuration Management Prevent Program Execution Shared n/a The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. Supplemental Guidance: Related controls: CM-8, PM-5. link 2
NIST_SP_800-53_R4 CM-7(5) NIST_SP_800-53_R4_CM-7(5) NIST SP 800-53 Rev. 4 CM-7 (5) Configuration Management Authorized Software / Whitelisting Shared n/a The organization: (a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (c) Reviews and updates the list of authorized software programs [Assignment: organization- defined frequency]. Supplemental Guidance: The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. link 2
NIST_SP_800-53_R5 CM-10 NIST_SP_800-53_R5_CM-10 NIST SP 800-53 Rev. 5 CM-10 Configuration Management Software Usage Restrictions Shared n/a a. Use software and associated documentation in accordance with contract agreements and copyright laws; b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. link 4
NIST_SP_800-53_R5 CM-11 NIST_SP_800-53_R5_CM-11 NIST SP 800-53 Rev. 5 CM-11 Configuration Management User-installed Software Shared n/a a. Establish [Assignment: organization-defined policies] governing the installation of software by users; b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and c. Monitor policy compliance [Assignment: organization-defined frequency]. link 2
NIST_SP_800-53_R5 CM-7 NIST_SP_800-53_R5_CM-7 NIST SP 800-53 Rev. 5 CM-7 Configuration Management Least Functionality Shared n/a a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]. link 3
NIST_SP_800-53_R5 CM-7(2) NIST_SP_800-53_R5_CM-7(2) NIST SP 800-53 Rev. 5 CM-7 (2) Configuration Management Prevent Program Execution Shared n/a Prevent program execution in accordance with [Selection (OneOrMore): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions] ;rules authorizing the terms and conditions of software program usage] . link 2
NIST_SP_800-53_R5 CM-7(5) NIST_SP_800-53_R5_CM-7(5) NIST SP 800-53 Rev. 5 CM-7 (5) Configuration Management Authorized Software ??? Allow-by-exception Shared n/a (a) Identify [Assignment: organization-defined software programs authorized to execute on the system]; (b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (c) Review and update the list of authorized software programs [Assignment: organization-defined frequency]. link 2
NZ_ISM_v3.5 SS-5 NZ_ISM_v3.5_SS-5 NZISM Security Benchmark SS-5 Software security 14.2.4 Application Whitelisting Customer n/a Application whitelisting can be an effective mechanism to prevent the successful compromise of an agency system resulting from the exploitation of a vulnerability in an application or the execution of malicious code. Defining a list of trusted executables, a whitelist, is a practical and secure method of securing a system rather than relying on a list of bad executables (black list) to be prevented from running. Application whitelisting is considered only one part of a defence-in-depth strategy in order to prevent a successful attack, or to help mitigate consequences arising from an attack. link 2
NZISM_Security_Benchmark_v1.1 SS-5 NZISM_Security_Benchmark_v1.1_SS-5 NZISM Security Benchmark SS-5 Software security 14.2.4 Application Whitelisting Customer Agencies SHOULD implement application whitelisting as part of the SOE for workstations, servers and any other network device. Application whitelisting can be an effective mechanism to prevent the successful compromise of an agency system resulting from the exploitation of a vulnerability in an application or the execution of malicious code. Defining a list of trusted executables, a whitelist, is a practical and secure method of securing a system rather than relying on a list of bad executables (black list) to be prevented from running. Application whitelisting is considered only one part of a defence-in-depth strategy in order to prevent a successful attack, or to help mitigate consequences arising from an attack. link 2
RBI_CSF_Banks_v2016 13.1 RBI_CSF_Banks_v2016_13.1 Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.1 n/a Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise. 27
RBI_CSF_Banks_v2016 13.3 RBI_CSF_Banks_v2016_13.3 Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.3 n/a Consider implementing whitelisting of internet websites/systems. 15
RBI_CSF_Banks_v2016 14.1 RBI_CSF_Banks_v2016_14.1 Anti-Phishing Anti-Phishing-14.1 n/a Subscribe to Anti-phishing/anti-rouge app services from external service providers for identifying and taking down phishing websites/rouge applications. 31
RBI_CSF_Banks_v2016 2.1 RBI_CSF_Banks_v2016_2.1 Preventing Execution Of Unauthorised Software Software Inventory-2.1 n/a Maintain an up-to-date and preferably centralised inventory of authorised/unauthorised software(s). Consider implementing whitelisting of authorised applications / software/libraries, etc. 2
RBI_CSF_Banks_v2016 2.2 RBI_CSF_Banks_v2016_2.2 Preventing Execution Of Unauthorised Software Authorised Software Installation-2.2 n/a Have mechanism to centrally/otherwise control installation of software/applications on end-user PCs, laptops, workstations, servers, mobile devices, etc. and mechanism to block /prevent and identify installation and running of unauthorised software/applications on such devices/systems. 2
RBI_CSF_Banks_v2016 4.2 RBI_CSF_Banks_v2016_4.2 Network Management And Security Network Inventory-4.2 n/a Maintain an up-to-date/centralised inventory of authorised devices connected to bank???s network (within/outside bank???s premises) and authorised devices enabling the bank???s network. The bank may consider implementing solutions to automate network discovery and management. 6
RBI_ITF_NBFC_v2017 2 RBI_ITF_NBFC_v2017_2 RBI IT Framework 2 IT Policy IT Policy-2 n/a NBFCs may formulate a Board approved IT Policy, in line with the objectives of their organisation comprising the following: a. An IT organizational structure commensurate with the size, scale and nature of business activities carried out by the NBFC; b. NBFCs may designate a senior executive as the Chief Information Officer (CIO) or in-Charge of IT Operations whose responsibility is to ensure implementation of IT Policy to the operational level involving IT strategy, value delivery, risk management and IT resource management. c. To ensure technical competence at senior/middle level management of NBFC, periodic assessment of the IT training requirements should be formulated to ensure that sufficient, competent and capable human resources are available. d. The NBFCs which are currently not using IPv6 platform should migrate to the same as per National Telecom Policy issued by the Government of India in 2012. (As per Circular DNBS(Inf.).CC.No 309/24.01.022/2012-13 November 08, 2012) link 2
RMiT_v1.0 11.17 RMiT_v1.0_11.17 RMiT 11.17 Security Operations Centre (SOC) Security Operations Centre (SOC) - 11.17 Shared n/a A financial institution must ensure its SOC, whether managed in-house or by third party service providers, has adequate capabilities for proactive monitoring of its technology security posture. This shall enable the financial institution to detect anomalous user or network activities, flag potential breaches and establish the appropriate response supported by skilled resources based on the level of complexity of the alerts. The outcome of the SOC activities shall also inform the financial institution's reviews of its cybersecurity posture and strategy. link 4
SOC_2 CC6.8 SOC_2_CC6.8 SOC 2 Type 2 CC6.8 Logical and Physical Access Controls Prevent or detect against unauthorized or malicious software Shared The customer is responsible for implementing this recommendation. Restricts Application and Software Installation — The ability to install applications and software is restricted to authorized individuals. • Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. • Uses a Defined Change Control Process — A management-defined change control process is used for the implementation of software. • Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. • Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network. 53
SOC_2 CC7.1 SOC_2_CC7.1 SOC 2 Type 2 CC7.1 System Operations Detection and monitoring of new vulnerabilities Shared The customer is responsible for implementing this recommendation. • Uses Defined Configuration Standards — Management has defined configuration standards. • Monitors Infrastructure and Software — The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives. • Implements Change-Detection Mechanisms — The IT system includes a changedetection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files. • Detects Unknown or Unauthorized Components — Procedures are in place to detect the introduction of unknown or unauthorized components. • Conducts Vulnerability Scans — The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis 17
SWIFT_CSCF_v2022 1.1 SWIFT_CSCF_v2022_1.1 SWIFT CSCF v2022 1.1 1. Restrict Internet Access & Protect Critical Systems from General IT Environment Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. Shared n/a A separated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments. link 22
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance GA BuiltIn
New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-01-05 16:06:49 change Major (2.0.0 > 3.0.0)
2020-07-14 15:28:17 change Previous DisplayName: Whitelisting rules in your adaptive application control policy should be updated
2020-05-29 15:39:09 add 123a3936-f020-408a-ba0c-47873faf1534
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC