last sync: 2025-Mar-14 18:30:15 UTC

Web Application Firewall (WAF) should use the specified mode for Application Gateway

Azure BuiltIn Policy definition

Source Azure Portal
Display name Web Application Firewall (WAF) should use the specified mode for Application Gateway
Id 12430be1-6cc8-4527-a9a8-e3d38f250096
Version 1.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.0
Built-in Versioning [Preview]
Category Network
Microsoft Learn
Description Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.*.*'
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/policySettings.mode Microsoft.Network applicationGatewayWebApplicationFirewallPolicies properties.policySettings.mode True False
Rule resource types IF (1)
Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies
Compliance
The following 153 compliance controls are associated with this Policy definition 'Web Application Firewall (WAF) should use the specified mode for Application Gateway' (12430be1-6cc8-4527-a9a8-e3d38f250096)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
ACAT_Security_Policies ACAT_Security_Policies ACAT Security Policies Guidelines for M365 Certification Protecting systems and resources Shared n/a Ensures that apps have strong security and compliance practices in place to protect customer data, security, and privacy. link 16
Canada_Federal_PBMM_3-1-2020 AC_2(7) Canada_Federal_PBMM_3-1-2020_AC_2(7) Canada Federal PBMM 3-1-2020 AC 2(7) Account Management Account Management | Role-Based Schemes Shared 1. The organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; 2. The organization monitors privileged role assignments; and 3. The organization disables (or revokes) privileged user assignments within 24 hours or sooner when privileged role assignments are no longer appropriate. To strengthen the security posture and safeguard sensitive data and critical resources. 19
Canada_Federal_PBMM_3-1-2020 AC_6 Canada_Federal_PBMM_3-1-2020_AC_6 Canada Federal PBMM 3-1-2020 AC 6 Least Privilege Least Privilege Shared The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. To mitigate the risk of unauthorized access, data breaches, and system compromises. 17
Canada_Federal_PBMM_3-1-2020 AC_6(1) Canada_Federal_PBMM_3-1-2020_AC_6(1) Canada Federal PBMM 3-1-2020 AC 6(1) Least Privilege Least Privilege | Authorize Access to Security Functions Shared The organization explicitly authorizes access to all security functions not publicly accessible and all security-relevant information not publicly available. To ensure appropriate oversight and control over critical security measures and information. 10
Canada_Federal_PBMM_3-1-2020 AC_6(10) Canada_Federal_PBMM_3-1-2020_AC_6(10) Canada Federal PBMM 3-1-2020 AC 6(10) Least Privilege Least Privilege | Prohibit Non-Privileged Users from Executing Privileged Functions Shared The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. To mitigate the risk of unauthorized access or malicious activities. 10
Canada_Federal_PBMM_3-1-2020 AC_6(2) Canada_Federal_PBMM_3-1-2020_AC_6(2) Canada Federal PBMM 3-1-2020 AC 6(2) Least Privilege Least Privilege | Non-Privileged Access for Non-Security Functions Shared The organization requires that users of information system accounts, or roles, with access to any security function, use non-privileged accounts or roles, when accessing non-security functions. To enhance security measures and minimise the risk of unauthorized access or misuse of privileges. 17
Canada_Federal_PBMM_3-1-2020 AC_6(5) Canada_Federal_PBMM_3-1-2020_AC_6(5) Canada Federal PBMM 3-1-2020 AC 6(5) Least Privilege Least Privilege | Privileged Accounts Shared The organization restricts privileged accounts on the information system to the minimum number of personnel required to securely administer, manage, and protect the information systems. To reduce the potential attack surface and enhance overall security posture. 10
Canada_Federal_PBMM_3-1-2020 AC_6(9) Canada_Federal_PBMM_3-1-2020_AC_6(9) Canada Federal PBMM 3-1-2020 AC 6(9) Least Privilege Least Privilege | Auditing Use of Privileged Functions Shared The information system audits the execution of privileged functions. To enhance oversight and detect potential security breaches or unauthorized activities. 15
Canada_Federal_PBMM_3-1-2020 CA_3 Canada_Federal_PBMM_3-1-2020_CA_3 Canada Federal PBMM 3-1-2020 CA 3 Information System Connections System Interconnections Shared 1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements. 2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated. 3. The organization reviews and updates Interconnection Security Agreements annually. To establish and maintain secure connections between information systems. 77
Canada_Federal_PBMM_3-1-2020 CA_3(3) Canada_Federal_PBMM_3-1-2020_CA_3(3) Canada Federal PBMM 3-1-2020 CA 3(3) Information System Connections System Interconnections | Classified Non-National Security System Connections Shared The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner. To ensure the integrity and security of internal systems against external threats. 77
Canada_Federal_PBMM_3-1-2020 CA_3(5) Canada_Federal_PBMM_3-1-2020_CA_3(5) Canada Federal PBMM 3-1-2020 CA 3(5) Information System Connections System Interconnections | Restrictions on External Network Connections Shared The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems. To enhance security posture against unauthorized access. 77
Canada_Federal_PBMM_3-1-2020 CA_7 Canada_Federal_PBMM_3-1-2020_CA_7 Canada Federal PBMM 3-1-2020 CA 7 Continuous Monitoring Continuous Monitoring Shared 1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency. To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements. 125
Canada_Federal_PBMM_3-1-2020 CM_5(5) Canada_Federal_PBMM_3-1-2020_CM_5(5) Canada Federal PBMM 3-1-2020 CM 5(5) Access Restrictions for Change Access Restrictions for Change | Limit Production / Operational Privileges Shared 1. The organization limits privileges to change information system components and system-related information within a production or operational environment; and 2. The organization reviews and re-evaluates privileges at least quarterly. To maintain appropriate access controls. 4
Canada_Federal_PBMM_3-1-2020 CM_5(6) Canada_Federal_PBMM_3-1-2020_CM_5(6) Canada Federal PBMM 3-1-2020 CM 5(6) Access Restrictions for Change Access Restrictions for Change | Limit Library Privileges Shared The organization limits privileges to change software resident within software libraries. To ensure controlled access to maintain integrity and security. 4
Canada_Federal_PBMM_3-1-2020 SI_4 Canada_Federal_PBMM_3-1-2020_SI_4 Canada Federal PBMM 3-1-2020 SI 4 Information System Monitoring Information System Monitoring Shared 1. The organization monitors the information system to detect: a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and b. Unauthorized local, network, and remote connections; 2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods. 3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. 4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. 5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. 6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards. 7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency. To enhance overall security posture. 95
Canada_Federal_PBMM_3-1-2020 SI_4(1) Canada_Federal_PBMM_3-1-2020_SI_4(1) Canada Federal PBMM 3-1-2020 SI 4(1) Information System Monitoring Information System Monitoring | System-Wide Intrusion Detection System Shared The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. To enhance overall security posture. 95
Canada_Federal_PBMM_3-1-2020 SI_4(2) Canada_Federal_PBMM_3-1-2020_SI_4(2) Canada Federal PBMM 3-1-2020 SI 4(2) Information System Monitoring Information System Monitoring | Automated Tools for Real-Time Analysis Shared The organization employs automated tools to support near real-time analysis of events. To enhance overall security posture. 94
CIS_Controls_v8.1 10.7 CIS_Controls_v8.1_10.7 CIS Controls v8.1 10.7 Malware Defenses Use behaviour based anti-malware software Shared Use behaviour based anti-malware software To ensure that a generic anti-malware software is not used. 100
CIS_Controls_v8.1 13.1 CIS_Controls_v8.1_13.1 CIS Controls v8.1 13.1 Network Monitoring and Defense Centralize security event alerting Shared 1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard. To ensure that any security event is immediately alerted enterprise-wide. 102
CIS_Controls_v8.1 13.3 CIS_Controls_v8.1_13.3 CIS Controls v8.1 13.3 Network Monitoring and Defense Deploy a network intrusion detection solution Shared 1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. To enhance the organization's cybersecurity. 100
CIS_Controls_v8.1 18.4 CIS_Controls_v8.1_18.4 CIS Controls v8.1 18.4 Penetration Testing Validate security measures Shared Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise. 94
CIS_Controls_v8.1 3.3 CIS_Controls_v8.1_3.3 CIS Controls v8.1 3.3 Data Protection Configure data access control lists Shared 1. Configure data access control lists based on a user’s need to know. 2. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. To ensure that users have access only to the data necessary for their roles. 25
CIS_Controls_v8.1 6.8 CIS_Controls_v8.1_6.8 CIS Controls v8.1 6.8 Access Control Management Define and maintain role-based access control. Shared 1. Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. 2. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. To implement a system of role-based access control. 30
CIS_Controls_v8.1 8.11 CIS_Controls_v8.1_8.11 CIS Controls v8.1 8.11 Audit Log Management Conduct audit log reviews Shared 1. Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. 2. Conduct reviews on a weekly, or more frequent, basis. To ensure the integrity of the data in audit logs. 62
CMMC_2.0_L2 CM.L2-3.4.2 CMMC_2.0_L2_CM.L2-3.4.2 404 not found n/a n/a 27
CMMC_2.0_L2 SC.L1-3.13.1 CMMC_2.0_L2_SC.L1-3.13.1 404 not found n/a n/a 56
CMMC_2.0_L2 SC.L2-3.13.6 CMMC_2.0_L2_SC.L2-3.13.6 404 not found n/a n/a 26
CMMC_2.0_L2 SI.L2-3.14.6 CMMC_2.0_L2_SI.L2-3.14.6 404 not found n/a n/a 25
CMMC_L2_v1.9.0 AC.L1_3.1.1 CMMC_L2_v1.9.0_AC.L1_3.1.1 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L1 3.1.1 Access Control Authorized Access Control Shared Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). To ensure security and integrity. 27
CMMC_L2_v1.9.0 AC.L2_3.1.3 CMMC_L2_v1.9.0_AC.L2_3.1.3 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.3 Access Control Control CUI Flow Shared Control the flow of CUI in accordance with approved authorizations. To regulate the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations 46
CMMC_L2_v1.9.0 AC.L2_3.1.5 CMMC_L2_v1.9.0_AC.L2_3.1.5 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.5 Access Control Least Privilege Shared Employ the principle of least privilege, including for specific security functions and privileged accounts. To restrict information system access. 27
CMMC_L2_v1.9.0 SC.L1_3.13.1 CMMC_L2_v1.9.0_SC.L1_3.13.1 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.1 System and Communications Protection Boundary Protection Shared Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. To protect information assets from external attacks and insider threats. 43
CMMC_L2_v1.9.0 SC.L1_3.13.5 CMMC_L2_v1.9.0_SC.L1_3.13.5 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.5 System and Communications Protection Public Access System Separation Shared Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. To control access, monitor traffic, and mitigate the risk of unauthorized access or exploitation of internal resources. 43
CMMC_L2_v1.9.0 SI.L1_3.14.2 CMMC_L2_v1.9.0_SI.L1_3.14.2 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.2 System and Information Integrity Malicious Code Protection Shared Provide protection from malicious code at appropriate locations within organizational information systems. To the integrity, confidentiality, and availability of information assets. 19
CMMC_L2_v1.9.0 SI.L1_3.14.4 CMMC_L2_v1.9.0_SI.L1_3.14.4 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.4 System and Information Integrity Update Malicious Code Protection Shared Update malicious code protection mechanisms when new releases are available. To effectively defend against new and evolving malware threats, minimize the risk of infections, and maintain the security of their information systems and data. 19
CMMC_L2_v1.9.0 SI.L1_3.14.5 CMMC_L2_v1.9.0_SI.L1_3.14.5 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.5 System and Information Integrity System & File Scanning Shared Perform periodic scans of the information system and real time scans of files from external sources as files are downloaded, opened, or executed. To identify and mitigate security risks, prevent malware infections and minimise the impact of security breaches. 19
CMMC_L3 CM.2.064 CMMC_L3_CM.2.064 CMMC L3 CM.2.064 Configuration Management Establish and enforce security configuration settings for information technology products employed in organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. link 10
CMMC_L3 IR.2.093 CMMC_L3_IR.2.093 CMMC L3 IR.2.093 Incident Response Detect and report events. Shared Microsoft and the customer share responsibilities for implementing this requirement. The monitoring, identification, and reporting of events are the foundation for incident identification and commence the incident life cycle. Events potentially affect the productivity of organizational assets and, in turn, associated services. These events must be captured and analyzed so that the organization can determine whether an event will become (or has become) an incident that requires organizational action. The extent to which an organization can identify events improves its ability to manage and control incidents and their potential effects. link 17
CMMC_L3 SC.1.175 CMMC_L3_SC.1.175 CMMC L3 SC.1.175 System and Communications Protection Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. link 30
CMMC_L3 SC.3.183 CMMC_L3_SC.3.183 CMMC L3 SC.3.183 System and Communications Protection Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. link 30
CMMC_L3 SI.2.216 CMMC_L3_SI.2.216 CMMC L3 SI.2.216 System and Information Integrity Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Shared Microsoft and the customer share responsibilities for implementing this requirement. System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. link 23
CSA_v4.0.12 CCC_03 CSA_v4.0.12_CCC_03 CSA Cloud Controls Matrix v4.0.12 CCC 03 Change Control and Configuration Management Change Management Technology Shared n/a Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). 31
CSA_v4.0.12 CCC_04 CSA_v4.0.12_CCC_04 CSA Cloud Controls Matrix v4.0.12 CCC 04 Change Control and Configuration Management Unauthorized Change Protection Shared n/a Restrict the unauthorized addition, removal, update, and management of organization assets. 25
CSA_v4.0.12 DCS_02 CSA_v4.0.12_DCS_02 CSA Cloud Controls Matrix v4.0.12 DCS 02 Datacenter Security Off-Site Transfer Authorization Policy and Procedures Shared n/a Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires the written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually. 45
CSA_v4.0.12 DSP_05 CSA_v4.0.12_DSP_05 CSA Cloud Controls Matrix v4.0.12 DSP 05 Data Security and Privacy Lifecycle Management Data Flow Documentation Shared n/a Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change. 57
CSA_v4.0.12 DSP_10 CSA_v4.0.12_DSP_10 CSA Cloud Controls Matrix v4.0.12 DSP 10 Data Security and Privacy Lifecycle Management Sensitive Data Transfer Shared n/a Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations. 45
CSA_v4.0.12 IAM_05 CSA_v4.0.12_IAM_05 CSA Cloud Controls Matrix v4.0.12 IAM 05 Identity & Access Management Least Privilege Shared n/a Employ the least privilege principle when implementing information system access. 27
CSA_v4.0.12 IAM_07 CSA_v4.0.12_IAM_07 CSA Cloud Controls Matrix v4.0.12 IAM 07 Identity & Access Management User Access Changes and Revocation Shared n/a De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies. 56
CSA_v4.0.12 IAM_10 CSA_v4.0.12_IAM_10 CSA Cloud Controls Matrix v4.0.12 IAM 10 Identity & Access Management Management of Privileged Access Roles Shared n/a Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access. 56
CSA_v4.0.12 TVM_04 CSA_v4.0.12_TVM_04 CSA Cloud Controls Matrix v4.0.12 TVM 04 Threat & Vulnerability Management Detection Updates Shared n/a Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis. 50
Cyber_Essentials_v3.1 1 Cyber_Essentials_v3.1_1 Cyber Essentials v3.1 1 Cyber Essentials Firewalls Shared n/a Aim: to make sure that only secure and necessary network services can be accessed from the internet. 37
Cyber_Essentials_v3.1 2 Cyber_Essentials_v3.1_2 Cyber Essentials v3.1 2 Cyber Essentials Secure Configuration Shared n/a Aim: ensure that computers and network devices are properly configured to reduce vulnerabilities and provide only the services required to fulfill their role. 61
Cyber_Essentials_v3.1 3 Cyber_Essentials_v3.1_3 Cyber Essentials v3.1 3 Cyber Essentials Security Update Management Shared n/a Aim: ensure that devices and software are not vulnerable to known security issues for which fixes are available.   38
Cyber_Essentials_v3.1 4 Cyber_Essentials_v3.1_4 Cyber Essentials v3.1 4 Cyber Essentials User Access Control Shared n/a Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role. 74
Cyber_Essentials_v3.1 5 Cyber_Essentials_v3.1_5 Cyber Essentials v3.1 5 Cyber Essentials Malware protection Shared n/a Aim: to restrict execution of known malware and untrusted software, from causing damage or accessing data. 60
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_11 EU_2555_(NIS2)_2022_11 EU 2022/2555 (NIS2) 2022 11 Requirements, technical capabilities and tasks of CSIRTs Shared n/a Outlines the requirements, technical capabilities, and tasks of CSIRTs. 69
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_12 EU_2555_(NIS2)_2022_12 EU 2022/2555 (NIS2) 2022 12 Coordinated vulnerability disclosure and a European vulnerability database Shared n/a Establishes a coordinated vulnerability disclosure process and a European vulnerability database. 67
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 194
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_29 EU_2555_(NIS2)_2022_29 EU 2022/2555 (NIS2) 2022 29 Cybersecurity information-sharing arrangements Shared n/a Allows entities to exchange relevant cybersecurity information on a voluntary basis. 67
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 311
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 311
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 311
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 311
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .1 FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 Policy and Implementation - Systems And Communications Protection Systems And Communications Protection Shared In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. 111
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .11 FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 Policy and Implementation - Formal Audits Policy Area 11: Formal Audits Shared Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. 65
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .5 FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 Policy and Implementation - Access Control Access Control Shared Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. 97
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .7 FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 404 not found n/a n/a 96
FFIEC_CAT_2017 3.1.1 FFIEC_CAT_2017_3.1.1 FFIEC CAT 2017 3.1.1 Cybersecurity Controls Infrastructure Management Shared n/a - Network perimeter defense tools (e.g., border router and firewall) are used. - Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. - All ports are monitored. - Up to date antivirus and anti-malware tools are used. - Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. - Ports, functions, protocols and services are prohibited if no longer needed for business purposes. - Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored. - Programs that can override system, object, network, virtual machine, and application controls are restricted. - System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met. - Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.) 72
FFIEC_CAT_2017 3.1.2 FFIEC_CAT_2017_3.1.2 FFIEC CAT 2017 3.1.2 Cybersecurity Controls Access and Data Management Shared n/a Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.'FFIEC_Cybersecurity Control'!F8 - Employee access to systems and confidential data provides for separation of duties. - Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger 'FFIEC_Cybersecurity Control'!F7password controls). - User access reviews are performed periodically for all systems and applications based on the risk to the application or system. - Changes to physical and logical user access, including those that result from voluntary and involuntary terminations, are submitted to and approved by appropriate personnel. - Identification and authentication are required and managed for access to systems, applications, and hardware. - Access controls include password complexity and limits to password attempts and reuse. - All default passwords and unnecessary default accounts are changed before system implementation. - Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk. - Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.) - Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems. - All passwords are encrypted in storage and in transit. - Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). - Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) - Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. - Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software. - Customer service (e.g., the call center) utilizes formal procedures to authenticate customers commensurate with the risk of the transaction or request. - Data is disposed of or destroyed according to documented requirements and within expected time frames. 59
FFIEC_CAT_2017 3.2.3 FFIEC_CAT_2017_3.2.3 FFIEC CAT 2017 3.2.3 Cybersecurity Controls Event Detection Shared n/a - A normal network activity baseline is established. - Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks. - Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. - Responsibilities for monitoring and reporting suspicious systems activity have been assigned. - The physical environment is monitored to detect potential unauthorized access. 35
FFIEC_CAT_2017 4.1.1 FFIEC_CAT_2017_4.1.1 FFIEC CAT 2017 4.1.1 External Dependency Management Connections Shared n/a - The critical business processes that are dependent on external connectivity have been identified. - The institution ensures that third-party connections are authorized. - A network diagram is in place and identifies all external connections. - Data flow diagrams are in place and document information flow to external parties. 43
HITRUST_CSF_v11.3 01.l HITRUST_CSF_v11.3_01.l HITRUST CSF v11.3 01.l Network Access Control To prevent unauthorized access to networked services. Shared Ports, services, and applications installed on a computer or network systems, which are not specifically required for business functionality, to be disabled or removed. Physical and logical access to diagnostic and configuration ports shall be controlled. 26
HITRUST_CSF_v11.3 01.m HITRUST_CSF_v11.3_01.m HITRUST CSF v11.3 01.m Network Access Control To ensure segregation in networks. Shared Security gateways, internal network perimeters, wireless network segregation, firewalls, and logical network domains with controlled data flows to be implemented to enhance network security. Groups of information services, users, and information systems should be segregated on networks. 48
HITRUST_CSF_v11.3 01.n HITRUST_CSF_v11.3_01.n HITRUST CSF v11.3 01.n Network Access Control To prevent unauthorised access to shared networks. Shared Default deny policy at managed interfaces, restricted user connections through network gateways, comprehensive access controls, time-based restrictions, and encryption of sensitive information transmitted over public networks for is to be implemented for enhanced security. For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications. 55
HITRUST_CSF_v11.3 09.ab HITRUST_CSF_v11.3_09.ab HITRUST CSF v11.3 09.ab Monitoring To establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. Shared 1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with. Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. 114
HITRUST_CSF_v11.3 09.h HITRUST_CSF_v11.3_09.h HITRUST CSF v11.3 09.h System Planning and Acceptance To ensure that systems meet the businesses current and projected needs to minimize failures. Shared Use of information systems resources is to be monitored. The availability of adequate capacity and resources shall be planned, prepared, and managed to deliver the required system performance. Projections of future capacity requirements shall be made to mitigate the risk of system overload. 4
HITRUST_CSF_v11.3 09.j HITRUST_CSF_v11.3_09.j HITRUST CSF v11.3 09.j Protection Against Malicious and Mobile Code To ensure that integrity of information and software is protected from malicious or unauthorized code Shared 1. Technologies are to be implemented for timely installation, upgrade and renewal of anti-malware protective measures. 2. Automatic periodic scans of information systems is to be implemented. 3. Anti-malware software that offers a centralized infrastructure that compiles information on file reputations is to be implemented. 4. Post-malicious code update, signature deployment, scanning files, email, and web traffic is to be verified by automated systems, while BYOD users require anti-malware, network-based malware detection is to be used on servers without host-based solutions use. 5. Anti-malware audit logs checks to be performed. 6. Protection against malicious code is to be based on malicious code detection and repair software, security awareness, appropriate system access, and change management controls. Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided. 37
HITRUST_CSF_v11.3 09.m HITRUST_CSF_v11.3_09.m HITRUST CSF v11.3 09.m Network Security Management To ensure the protection of information in networks and protection of the supporting network infrastructure. Shared 1. Vendor default encryption keys, default SNMP community strings on wireless devices, default passwords/passphrases on access points, and other security-related wireless vendor defaults is to be changed prior to authorization of implementation of wireless access points. 2. Wireless encryption keys to be changed when anyone with knowledge of the keys leaves or changes. 3. All authorized and unauthorized wireless access to the information system is to be monitored and installation of wireless access points (WAP) is to be prohibited unless explicitly authorized. Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. 24
HITRUST_CSF_v11.3 09.w HITRUST_CSF_v11.3_09.w HITRUST CSF v11.3 09.w Exchange of Information To develop and implement policies and procedures, to protect information associated with the interconnection of business information systems. Shared 1. A security baseline is to be documented and implemented for interconnected systems. 2. Other requirements and controls linked to interconnected business systems are to include the separation of operational systems from interconnected system, retention and back-up of information held on the system, and fallback requirements and arrangements. Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems. 45
HITRUST_CSF_v11.3 10.m HITRUST_CSF_v11.3_10.m HITRUST CSF v11.3 10.m Technical Vulnerability Management To reduce the risks resulting from exploitation of published technical vulnerabilities, technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness. Shared 1. The necessary secure services, protocols required for the function of the system are to be enabled. 2. Security features to be implemented for any required services that are considered to be insecure. 3. Laptops, workstations, and servers to be configured so they will not auto-run content from removable media. 4. Configuration standards to be consistent with industry-accepted system hardening standards. 5. An enterprise security posture review within every 365 days is to be conducted. 6. Vulnerability scanning tools to be regularly updated with all relevant information system vulnerabilities. Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk. 47
ISO_IEC_27002_2022 5.14 ISO_IEC_27002_2022_5.14 ISO IEC 27002 2022 5.14 Protection, Preventive Control Information transfer Shared To maintain the security of information transferred within an organization and with any external interested party. Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. 46
ISO_IEC_27002_2022 8.2 ISO_IEC_27002_2022_8.2 ISO IEC 27002 2022 8.2 Protection, Preventive, Control Privileged access rights Shared The allocation and use of privileged access rights should be restricted and managed. To ensure only authorized users, software components and services are provided with privileged access rights. 29
ISO_IEC_27002_2022 8.7 ISO_IEC_27002_2022_8.7 ISO IEC 27002 2022 8.7 Identifying, Protection, Preventive Control Protection against malware Shared Protection against malware should be implemented and supported by appropriate user awareness. To ensure information and other associated assets are protected against malware. 19
ISO_IEC_27017_2015 12.4.3 ISO_IEC_27017_2015_12.4.3 ISO IEC 27017 2015 12.4.3 Operations Security Administrator and Operation Logs Shared For Cloud Service Customer: If a privileged operation is delegated to the cloud service customer, the operation and performance of those operations should be logged. The cloud service customer should determine whether logging capabilities provided by the cloud service provider are appropriate or whether the cloud service customer should implement additional logging capabilities. To log operation and performance of those operations wherein rivileged operation is delegated to the cloud service customer. 28
mp.com.1 Secure perimeter mp.com.1 Secure perimeter 404 not found n/a n/a 49
mp.s.3 Protection of web browsing mp.s.3 Protection of web browsing 404 not found n/a n/a 51
New_Zealand_ISM 18.4.8.C.01 New_Zealand_ISM_18.4.8.C.01 New_Zealand_ISM_18.4.8.C.01 18. Network security 18.4.8.C.01 IDS/IPSs on gateways n/a Agencies SHOULD deploy IDS/IPSs in all gateways between the agency’s networks and unsecure public networks or BYOD wireless networks. 5
NIST_CSF_v2.0 PR.AA_05 NIST_CSF_v2.0_PR.AA_05 NIST CSF v2.0 PR.AA 05 PROTECT- Identity Management, Authentication, and Access Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties. Shared n/a To implement safeguards for managing organization’s cybersecurity risks. 29
NIST_SP_800-171_R3_3 .1.3 NIST_SP_800-171_R3_3.1.3 NIST 800-171 R3 3.1.3 Access Control Information Flow Enforcement Shared Information flow control regulates where CUI can transit within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include keeping CUI from being transmitted in the clear to the internet, blocking outside traffic that claims to be from within the organization, restricting requests to the internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of CUI between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., encrypted tunnels, routers, gateways, and firewalls) that use rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems that represent different security domains with different security policies introduces the risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes prohibiting information transfers between interconnected systems (i.e., allowing information access only), employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Enforce approved authorizations for controlling the flow of CUI within the system and between connected systems. 46
NIST_SP_800-171_R3_3 .12.5 NIST_SP_800-171_R3_3.12.5 NIST 800-171 R3 3.12.5 Security Assessment Control Information Exchange Shared The types of agreements selected are based on factors such as the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual) and the level of access to the organizational system by users of the other system. Types of agreements can include interconnection security agreements, information exchange security agreements, memoranda of understanding or agreement, service-level agreements, or other types of agreements. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (e.g., service providers, contractors, system developers, and system integrators). Examples of the types of information contained in exchange agreements include the interface characteristics, security requirements, controls, and responsibilities for each system. a. Approve and manage the exchange of CUI between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements]. b. Document, as part of the exchange agreements, interface characteristics, security requirements, and responsibilities for each system. c. Review and update the exchange agreements periodically. 25
NIST_SP_800-171_R3_3 .13.1 NIST_SP_800-171_R3_3.13.1 NIST 800-171 R3 3.13.1 System and Communications Protection Control Boundary Protection Shared Managed interfaces include gateways, routers, firewalls, network-based malicious code analysis, virtualization systems, and encrypted tunnels implemented within a security architecture. Subnetworks that are either physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system. b. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. c. Connect to external systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. 43
NIST_SP_800-171_R3_3 .14.2 NIST_SP_800-171_R3_3.14.2 NIST 800-171 R3 3.14.2 System and Information Integrity Control Malicious Code Protection Shared Malicious code insertions occur through the exploitation of system vulnerabilities. Periodic scans of the system and real-time scans of files from external sources as files are downloaded, opened, or executed can detect malicious code. Malicious code can be inserted into the system in many ways, including by email, the Internet, and portable storage devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats, contained in compressed or hidden files, or hidden in files using techniques such as steganography. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software and custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions. If malicious code cannot be detected by detection methods or technologies, organizations can rely on secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that the software only performs intended functions. Organizations may determine that different actions are warranted in response to the detection of malicious code. For example, organizations can define actions to be taken in response to malicious code detection during scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files. a. Implement malicious code protection mechanisms at designated locations within the system to detect and eradicate malicious code. b. Update malicious code protection mechanisms as new releases are available in accordance with configuration management policy and procedures. c. Configure malicious code protection mechanisms to: 1. Perform scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at endpoints or network entry and exit points as the files are downloaded, opened, or executed; and 2. Block malicious code, quarantine malicious code, or take other actions in response to malicious code detection. 19
NIST_SP_800-171_R3_3 .4.6 NIST_SP_800-171_R3_3.4.6 404 not found n/a n/a 24
NIST_SP_800-53_R5.1.1 AC.4 NIST_SP_800-53_R5.1.1_AC.4 NIST SP 800-53 R5.1.1 AC.4 Access Control Information Flow Enforcement Shared Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS). 44
NIST_SP_800-53_R5.1.1 AC.6 NIST_SP_800-53_R5.1.1_AC.6 NIST SP 800-53 R5.1.1 AC.6 Access Control Least Privilege Shared Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems. 25
NIST_SP_800-53_R5.1.1 CM.7 NIST_SP_800-53_R5.1.1_CM.7 NIST SP 800-53 R5.1.1 CM.7 Configuration Management Control Least Functionality Shared a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]. Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3). 17
NIST_SP_800-53_R5.1.1 SC.5 NIST_SP_800-53_R5.1.1_SC.5 NIST SP 800-53 R5.1.1 SC.5 System and Communications Protection Denial-of-service Protection Shared a. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]. Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events. 2
NIST_SP_800-53_R5.1.1 SC.7 NIST_SP_800-53_R5.1.1_SC.7 NIST SP 800-53 R5.1.1 SC.7 System and Communications Protection Boundary Protection Shared a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary). 43
NIST_SP_800-53_R5.1.1 SI.3 NIST_SP_800-53_R5.1.1_SI.3 NIST SP 800-53 R5.1.1 SI.3 System and Information Integrity Control Malicious Code Protection Shared a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action] ]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions. In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files. 19
NZ_ISM_v3.5 NS-8 NZ_ISM_v3.5_NS-8 NZISM Security Benchmark NS-8 Network security 18.4.8 IDS/IPSs on gateways Customer n/a If the firewall is configured to block all traffic on a particular range of port numbers, then the IDS should inspect traffic for these port numbers and alert if they are detected. link 4
NZISM_Security_Benchmark_v1.1 NS-7 NZISM_Security_Benchmark_v1.1_NS-7 NZISM Security Benchmark NS-7 Network security 18.4.8 IDS/IPSs on gateways Customer Agencies SHOULD deploy IDS/IPSs in all gateways between the agency’s networks and unsecure public networks or BYOD wireless networks. Agencies SHOULD deploy IDS/IPSs at all gateways between the agency’s networks and any network not managed by the agency. Agencies SHOULD locate IDS/IPSs within the gateway environment, immediately inside the outermost firewall. If the firewall is configured to block all traffic on a particular range of port numbers, then the IDS should inspect traffic for these port numbers and alert if they are detected. link 3
NZISM_v3.7 14.3.12.C.01. NZISM_v3.7_14.3.12.C.01. NZISM v3.7 14.3.12.C.01. Web Applications 14.3.12.C.01. - To strengthening the overall security posture of the agency's network environment. Shared n/a Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations. 81
NZISM_v3.7 16.1.33.C.01. NZISM_v3.7_16.1.33.C.01. NZISM v3.7 16.1.33.C.01. Identification, Authentication and Passwords 16.1.33.C.01. - To promote security and accountability within the agency's systems. Shared n/a Agencies MUST NOT use shared credentials to access accounts. 25
NZISM_v3.7 16.1.33.C.02. NZISM_v3.7_16.1.33.C.02. NZISM v3.7 16.1.33.C.02. Identification, Authentication and Passwords 16.1.33.C.02. - To promote security and accountability within the agency's systems. Shared n/a Agencies SHOULD NOT use shared credentials to access accounts. 25
NZISM_v3.7 16.1.34.C.01. NZISM_v3.7_16.1.34.C.01. NZISM v3.7 16.1.34.C.01. Identification, Authentication and Passwords 16.1.34.C.01. - To promote security and accountability within the agency's systems. Shared n/a If agencies choose to allow shared, non user-specific accounts they MUST ensure that an independent means of determining the identification of the system user is implemented. 25
NZISM_v3.7 16.1.35.C.02. NZISM_v3.7_16.1.35.C.02. NZISM v3.7 16.1.35.C.02. Identification, Authentication and Passwords 16.1.35.C.02. - To implement additional authentication factors to enhance security. Shared n/a Agencies SHOULD ensure that they combine the use of multiple methods when identifying and authenticating system users. 25
NZISM_v3.7 16.1.36.C.01. NZISM_v3.7_16.1.36.C.01. NZISM v3.7 16.1.36.C.01. Identification, Authentication and Passwords 16.1.36.C.01. - To enhance overall security posture. Shared n/a Agencies MUST NOT allow storage of unprotected authentication information that grants system access, or decrypts an encrypted device, to be located on, or with the system or device, to which the authentication information grants access. 17
NZISM_v3.7 16.1.37.C.01. NZISM_v3.7_16.1.37.C.01. NZISM v3.7 16.1.37.C.01. Identification, Authentication and Passwords 16.1.37.C.01. - To enhance overall security posture. Shared n/a Agencies MUST ensure that system authentication data is protected when in transit on agency networks or All-of-Government systems. 17
NZISM_v3.7 16.1.39.C.01. NZISM_v3.7_16.1.39.C.01. NZISM v3.7 16.1.39.C.01. Identification, Authentication and Passwords 16.1.39.C.01. - To enhance overall security posture. Shared n/a Where systems contain NZEO or other nationalities releasability marked or protectively marked information, agencies MUST provide a mechanism that allows system users and processes to identify users who are foreign nationals, including seconded foreign nationals. 17
NZISM_v3.7 16.1.39.C.02. NZISM_v3.7_16.1.39.C.02. NZISM v3.7 16.1.39.C.02. Identification, Authentication and Passwords 16.1.39.C.02. - To enhance overall security posture. Shared n/a Agencies using NZEO systems SHOULD ensure that identification includes specific nationality for all foreign nationals, including seconded foreign nationals. 17
NZISM_v3.7 16.1.41.C.02. NZISM_v3.7_16.1.41.C.02. NZISM v3.7 16.1.41.C.02. Identification, Authentication and Passwords 16.1.41.C.02. - To enhance overall security posture. Shared n/a Agencies MUST NOT: 1. allow predictable reset passwords; 2. reuse passwords when resetting multiple accounts; 3. store passwords in the clear on the system; 4. allow passwords to be reused within eight password changes; and 5. allow system users to use sequential passwords. 17
NZISM_v3.7 16.1.43.C.01. NZISM_v3.7_16.1.43.C.01. NZISM v3.7 16.1.43.C.01. Identification, Authentication and Passwords 16.1.43.C.01. - To enhance overall security posture. Shared n/a Agencies SHOULD disable LAN Manager for password authentication on workstations and servers. 17
NZISM_v3.7 16.1.48.C.02. NZISM_v3.7_16.1.48.C.02. NZISM v3.7 16.1.48.C.02. Identification, Authentication and Passwords 16.1.48.C.02. - To enhance overall security posture. Shared n/a Agencies SHOULD seek legal advice on the exact wording of logon banners. 16
NZISM_v3.7 16.1.49.C.01. NZISM_v3.7_16.1.49.C.01. NZISM v3.7 16.1.49.C.01. Identification, Authentication and Passwords 16.1.49.C.01. - To enhance overall security posture. Shared n/a Agencies SHOULD configure systems to display the date and time of the system user's previous login during the login process. 15
NZISM_v3.7 16.1.50.C.01. NZISM_v3.7_16.1.50.C.01. NZISM v3.7 16.1.50.C.01. Identification, Authentication and Passwords 16.1.50.C.01. - To enhance overall security posture. Shared n/a Agencies SHOULD NOT permit the display of last logged on username, credentials or other identifying details. 15
NZISM_v3.7 16.1.50.C.02. NZISM_v3.7_16.1.50.C.02. NZISM v3.7 16.1.50.C.02. Identification, Authentication and Passwords 16.1.50.C.02. - To enhance overall security posture. Shared n/a Agencies SHOULD NOT permit the caching of credentials unless specifically required. 15
NZISM_v3.7 16.2.3.C.01. NZISM_v3.7_16.2.3.C.01. NZISM v3.7 16.2.3.C.01. System Access and Passwords 16.2.3.C.01. - To enhance overall security posture. Shared n/a Agencies MUST NOT allow access to NZEO information from systems and facilities not under the sole control of the government of New Zealand and New Zealand citizens. 14
PCI_DSS_v4.0.1 1.2.5 PCI_DSS_v4.0.1_1.2.5 PCI DSS v4.0.1 1.2.5 Install and Maintain Network Security Controls All services, protocols, and ports allowed are identified, approved, and have a defined business need Shared n/a Examine documentation to verify that a list exists of all allowed services, protocols, and ports, including business justification and approval for each. Examine configuration settings for NSCs to verify that only approved services, protocols, and ports are in use 19
PCI_DSS_v4.0.1 1.4.4 PCI_DSS_v4.0.1_1.4.4 PCI DSS v4.0.1 1.4.4 Install and Maintain Network Security Controls System components that store cardholder data are not directly accessible from untrusted networks Shared n/a Examine the data-flow diagram and network diagram to verify that it is documented that system components storing cardholder data are not directly accessible from the untrusted networks. Examine configurations of NSCs to verify that controls are implemented such that system components storing cardholder data are not directly accessible from untrusted networks 43
PCI_DSS_v4.0.1 2.2.4 PCI_DSS_v4.0.1_2.2.4 PCI DSS v4.0.1 2.2.4 Apply Secure Configurations to All System Components Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled Shared n/a Examine system configuration standards to verify necessary services, protocols, daemons, and functions are identified and documented. Examine system configurations to verify the following: All unnecessary functionality is removed or disabled. Only required functionality, as documented in the configuration standards, is enabled 25
PCI_DSS_v4.0.1 5.2.1 PCI_DSS_v4.0.1_5.2.1 PCI DSS v4.0.1 5.2.1 Protect All Systems and Networks from Malicious Software An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware Shared n/a Examine system components to verify that an anti-malware solution(s) is deployed on all system components, except for those determined to not be at risk from malware based on periodic evaluations per Requirement 5.2.3. For any system components without an anti-malware solution, examine the periodic evaluations to verify the component was evaluated and the evaluation concludes that the component is not at risk from malware 19
PCI_DSS_v4.0.1 5.2.2 PCI_DSS_v4.0.1_5.2.2 PCI DSS v4.0.1 5.2.2 Protect All Systems and Networks from Malicious Software The deployed anti-malware solution(s) detects all known types of malware and removes, blocks, or contains all known types of malware Shared n/a Examine vendor documentation and configurations of the anti-malware solution(s) to verify that the solution detects all known types of malware and removes, blocks, or contains all known types of malware 19
PCI_DSS_v4.0.1 5.2.3 PCI_DSS_v4.0.1_5.2.3 PCI DSS v4.0.1 5.2.3 Protect All Systems and Networks from Malicious Software Any system components that are not at risk for malware are evaluated periodically to include the following: a documented list of all system components not at risk for malware, identification and evaluation of evolving malware threats for those system components, confirmation whether such system components continue to not require anti-malware protection Shared n/a Examine documented policies and procedures to verify that a process is defined for periodic evaluations of any system components that are not at risk for malware that includes all elements specified in this requirement. Interview personnel to verify that the evaluations include all elements specified in this requirement. Examine the list of system components identified as not at risk of malware and compare to the system components without an anti-malware solution deployed per Requirement 5.2.1 to verify that the system components match for both requirements 19
PCI_DSS_v4.0.1 5.3.1 PCI_DSS_v4.0.1_5.3.1 PCI DSS v4.0.1 5.3.1 Protect All Systems and Networks from Malicious Software The anti-malware solution(s) is kept current via automatic updates Shared n/a Examine anti-malware solution(s) configurations, including any master installation of the software, to verify the solution is configured to perform automatic updates. Examine system components and logs, to verify that the anti-malware solution(s) and definitions are current and have been promptly deployed 19
PCI_DSS_v4.0.1 5.3.2 PCI_DSS_v4.0.1_5.3.2 PCI DSS v4.0.1 5.3.2 Protect All Systems and Networks from Malicious Software The anti-malware solution(s) performs periodic scans and active or real-time scans, or performs continuous behavioral analysis of systems or processes Shared n/a Examine anti-malware solution(s) configurations, including any master installation of the software, to verify the solution(s) is configured to perform at least one of the elements specified in this requirement. Examine system components, including all operating system types identified as at risk for malware, to verify the solution(s) is enabled in accordance with at least one of the elements specified in this requirement. Examine logs and scan results to verify that the solution(s) is enabled in accordance with at least one of the elements specified in this requirement 19
PCI_DSS_v4.0.1 5.3.3 PCI_DSS_v4.0.1_5.3.3 PCI DSS v4.0.1 5.3.3 Protect All Systems and Networks from Malicious Software For removable electronic media, the anti-malware solution(s) performs automatic scans of when the media is inserted, connected, or logically mounted, or performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted Shared n/a Examine anti-malware solution(s) configurations to verify that, for removable electronic media, the solution is configured to perform at least one of the elements specified in this requirement. Examine system components with removable electronic media connected to verify that the solution(s) is enabled in accordance with at least one of the elements as specified in this requirement. Examine logs and scan results to verify that the solution(s) is enabled in accordance with at least one of the elements specified in this requirement 19
PCI_DSS_v4.0.1 7.2.1 PCI_DSS_v4.0.1_7.2.1 PCI DSS v4.0.1 7.2.1 Restrict Access to System Components and Cardholder Data by Business Need to Know An access control model is defined and includes granting access as follows: Appropriate access depending on the entity’s business and access needs. Access to system components and data resources that is based on users’ job classification and functions. The least privileges required (for example, user, administrator) to perform a job function Shared n/a Examine documented policies and procedures and interview personnel to verify the access control model is defined in accordance with all elements specified in this requirement. Examine access control model settings and verify that access needs are appropriately defined in accordance with all elements specified in this requirement 43
PCI_DSS_v4.0.1 7.2.2 PCI_DSS_v4.0.1_7.2.2 PCI DSS v4.0.1 7.2.2 Restrict Access to System Components and Cardholder Data by Business Need to Know Access is assigned to users, including privileged users, based on: Job classification and function. Least privileges necessary to perform job responsibilities Shared n/a Examine policies and procedures to verify they cover assigning access to users in accordance with all elements specified in this requirement. Examine user access settings, including for privileged users, and interview responsible management personnel to verify that privileges assigned are in accordance with all elements specified in this requirement. Interview personnel responsible for assigning access to verify that privileged user access is assigned in accordance with all elements specified in this requirement 43
PCI_DSS_v4.0.1 7.2.5 PCI_DSS_v4.0.1_7.2.5 PCI DSS v4.0.1 7.2.5 Restrict Access to System Components and Cardholder Data by Business Need to Know All application and system accounts and related access privileges are assigned and managed as follows: Based on the least privileges necessary for the operability of the system or application. Access is limited to the systems, applications, or processes that specifically require their use Shared n/a Examine policies and procedures to verify they define processes to manage and assign application and system accounts and related access privileges in accordance with all elements specified in this requirement. Examine privileges associated with system and application accounts and interview responsible personnel to verify that application and system accounts and related access privileges are assigned and managed in accordance with all elements specified in this requirement 44
PCI_DSS_v4.0.1 7.2.6 PCI_DSS_v4.0.1_7.2.6 PCI DSS v4.0.1 7.2.6 Restrict Access to System Components and Cardholder Data by Business Need to Know All user access to query repositories of stored cardholder data is restricted as follows: Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges. Only the responsible administrator(s) can directly access or query repositories of stored CHD Shared n/a Examine policies and procedures and interview personnel to verify processes are defined for granting user access to query repositories of stored cardholder data, in accordance with all elements specified in this requirement. Examine configuration settings for querying repositories of stored cardholder data to verify they are in accordance with all elements specified in this requirement 41
PCI_DSS_v4.0.1 7.3.1 PCI_DSS_v4.0.1_7.3.1 PCI DSS v4.0.1 7.3.1 Restrict Access to System Components and Cardholder Data by Business Need to Know An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components Shared n/a Examine vendor documentation and system settings to verify that access is managed for each system component via an access control system(s) that restricts access based on a user’s need to know and covers all system components 27
RBI_CSF_Banks_v2016 6.7 RBI_CSF_Banks_v2016_6.7 Application Security Life Cycle (Aslc) Application Security Life Cycle (Aslc)-6.7 n/a Ensure that software/application development practices addresses the vulnerabilities based on best practices baselines such as Open Web Application Security Project (OWASP) proactively and adopt principle of defence-in-depth to provide layered security mechanism. 2
RBI_ITF_NBFC_v2017 5 RBI_ITF_NBFC_v2017_5 RBI IT Framework 5 IS Audit Policy for Information System Audit (IS Audit)-5 n/a The objective of the IS Audit is to provide an insight on the effectiveness of controls that are in place to ensure confidentiality, integrity and availability of the organization???s IT infrastructure. IS Audit shall identify risks and methods to mitigate risk arising out of IT infrastructure such as server architecture, local and wide area networks, physical and information security, telecommunications etc. link 14
RMiT_v1.0 Appendix_5.6 RMiT_v1.0_Appendix_5.6 RMiT Appendix 5.6 Control Measures on Cybersecurity Control Measures on Cybersecurity - Appendix 5.6 Customer n/a Ensure security controls for remote access to server include the following: (a) restrict access to only hardened and locked down end-point devices; (b) use secure tunnels such as TLS and VPN IPSec; (c) deploy ‘gateway’ server with adequate perimeter defences and protection such as firewall, IPS and antivirus; and (d) close relevant ports immediately upon expiry of remote access. link 19
Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes Oxley Act 2022 1 PUBLIC LAW Sarbanes Oxley Act 2022 (SOX) Shared n/a n/a 92
SOC_2023 A1.1 SOC_2023_A1.1 SOC 2023 A1.1 Additional Criteria for Availability To effectively manage capacity demand and facilitate the implementation of additional capacity as needed. Shared n/a The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. 111
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 218
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 229
SOC_2023 CC6.1 SOC_2023_CC6.1 SOC 2023 CC6.1 Logical and Physical Access Controls To mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. Shared n/a Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. 128
SOC_2023 CC6.2 SOC_2023_CC6.2 SOC 2023 CC6.2 Logical and Physical Access Controls To ensure effective access control and ensuring the security of the organization's systems and data. Shared n/a 1. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. 2. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. 50
SOC_2023 CC6.3 SOC_2023_CC6.3 404 not found n/a n/a 56
SOC_2023 CC6.7 SOC_2023_CC6.7 404 not found n/a n/a 52
SOC_2023 CC6.8 SOC_2023_CC6.8 SOC 2023 CC6.8 Logical and Physical Access Controls To mitigate the risk of cybersecurity threats, safeguard critical systems and data, and maintain operational continuity and integrity. Shared n/a Entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. 33
SOC_2023 CC7.2 SOC_2023_CC7.2 SOC 2023 CC7.2 Systems Operations To maintain robust security measures and ensure operational resilience. Shared n/a The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. 167
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 213
SOC_2023 CC8.1 SOC_2023_CC8.1 SOC 2023 CC8.1 Change Management To minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. Shared n/a The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. 147
SOC_2023 PI1.3 SOC_2023_PI1.3 SOC 2023 PI1.3 Additional Criteria for Processing Integrity (Over the provision of services or the production, manufacturing, or distribution of goods) To enhance efficiency, accuracy, and compliance with organizational standards and regulatory requirements with regards to system processing to result in products, services, and reporting to meet the entity’s objectives. Shared n/a The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives. 50
SWIFT_CSCF_2024 1.1 SWIFT_CSCF_2024_1.1 SWIFT Customer Security Controls Framework 2024 1.1 Physical and Environmental Security Swift Environment Protection Shared 1. Segmentation between the user's Swift infrastructure and the larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve a compromise of the general enterprise IT environment. 2. Effective segmentation includes network-level separation, access restrictions, and connectivity restrictions. To ensure the protection of the user’s Swift infrastructure from potentially compromised elements of the general IT environment and external environment. 69
SWIFT_CSCF_2024 1.2 SWIFT_CSCF_2024_1.2 SWIFT Customer Security Controls Framework 2024 1.2 Privileged Account Control Operating System Privileged Account Control Shared Tightly protecting administrator-level accounts within the operating system reduces the opportunity for an attacker to use the privileges of the account as part of an attack (for example, executing commands or deleting evidence). To restrict and control the allocation and usage of administrator-level operating system accounts. 53
SWIFT_CSCF_2024 1.3 SWIFT_CSCF_2024_1.3 SWIFT Customer Security Controls Framework 2024 1.3 Cloud Platform Protection Virtualisation or Cloud Platform Protection Shared 1. Security controls that apply to non-virtualised (physical) systems are equally applicable to virtual systems. 2. The additional virtualisation layer needs extra attention from a security perspective. The uncontrolled proliferation of VMs could lead to unaccounted machines with the risk of unmanaged, unpatched systems open to unauthorised access to data. 3. If appropriate controls have been implemented to this underlying layer, then Swift does not limit the use of virtual technology for any component of the user’s Swift infrastructure or the associated supporting infrastructure (for example, virtual firewalls). To secure the virtualisation or cloud platform and virtual machines (VMs) that host Swift-related components to the same level as physical systems. 7
SWIFT_CSCF_2024 1.5 SWIFT_CSCF_2024_1.5 SWIFT Customer Security Controls Framework 2024 1.5 Physical and Environmental Security Customer Environment Protection Shared 1. Segmentation between the customer’s connectivity infrastructure and its larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve compromise of the general enterprise IT environment. 2. Effective segmentation will include network-level separation, access restrictions, and connectivity restrictions. To ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. 57
SWIFT_CSCF_2024 6.1 SWIFT_CSCF_2024_6.1 SWIFT Customer Security Controls Framework 2024 6.1 Risk Management Malware Protection Shared 1. Malware is a general term that includes many types of intrusive and unwanted software, including viruses. 2. Anti-malware technology (a broader term for anti-virus) is effective in protecting against malicious code that has a known digital or behaviour profile To ensure that the user’s Swift infrastructure is protected against malware and act upon results. 19
SWIFT_CSCF_2024 9.1 SWIFT_CSCF_2024_9.1 404 not found n/a n/a 57
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance Deprecated BuiltIn unknown
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn unknown
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn true
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn unknown
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn unknown
ACAT for Microsoft 365 Certification 80307b86-ab81-45ab-bf4f-4e0b93cf3dd5 Regulatory Compliance GA BuiltIn unknown
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn true
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cyber Essentials v3.1 b2f588d7-1ed5-47c7-977d-b93dff520c4c Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
Enforce recommended guardrails for Network and Networking services Enforce-Guardrails-Network Network GA ALZ
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
FFIEC CAT 2017 1d5dbdd5-6f93-43ce-a939-b19df3753cf7 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27017 2015 f48ecfa6-581c-43f9-8141-cd4adc72cf26 Regulatory Compliance GA BuiltIn unknown
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST CSF v2.0 184a0e05-7b06-4a68-bbbe-13b8353bc613 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn unknown
Sarbanes Oxley Act 2022 5757cf73-35d1-46d4-8c78-17b7ddd6076a Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn unknown
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2020-07-08 14:28:08 add 12430be1-6cc8-4527-a9a8-e3d38f250096
JSON compare n/a
JSON
api-version=2021-06-01
EPAC