The following compliance controls are associated with this Policy definition '[Preview]: Linux virtual machines should use only signed and trusted boot components' (13a6c84f-49a5-410a-b5df-5b880c3fe009).
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| Azure_Security_Benchmark_v3.0 | PV-4 | Azure_Security_Benchmark_v3.0_PV-4 | Microsoft cloud security benchmark PV-4 | Posture and Vulnerability Management | Audit and enforce secure configurations for compute resources | Shared | **Security Principle:** Continuously monitor and alert when there is a deviation from the defined configuration baseline in your compute resources. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration in compute resources.<br>**Azure Guidance:** Use Microsoft Defender for Cloud and the Azure Policy guest configuration agent to regularly assess and remediate configuration deviations on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements.<br>Note: Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft.<br>**Implementation and additional context:**<br>How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations<br>How to create an Azure virtual machine from an ARM template: https://docs.microsoft.com/azure/virtual-machines/windows/ps-template<br>Azure Automation State Configuration overview: https://docs.microsoft.com/azure/automation/automation-dsc-overview<br>Create a Windows virtual machine in the Azure portal: https://docs.microsoft.com/azure/virtual-machines/windows/quick-create-portal<br>Container security in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/container-security | n/a | link | 13 |
| Canada_Federal_PBMM_3-1-2020 | SI_3 | Canada_Federal_PBMM_3-1-2020_SI_3 | Canada Federal PBMM 3-1-2020 SI 3 | Malicious Code Protection | Malicious Code Protection | Shared | 1. The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code.<br>2. The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.<br>3. The organization configures malicious code protection mechanisms to:<br>a. Perform periodic scans of the information system at least weekly and real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and<br>b. Block and quarantine malicious code; send an alert to the key role as defined in the system and information integrity policy in response to malicious code detection.<br>4. The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. | To mitigate potential impacts on system availability. | | 52 |
| Canada_Federal_PBMM_3-1-2020 | SI_3(1) | Canada_Federal_PBMM_3-1-2020_SI_3(1) | Canada Federal PBMM 3-1-2020 SI 3(1) | Malicious Code Protection | Malicious Code Protection \| Central Management | Shared | The organization centrally manages malicious code protection mechanisms. | To centrally manage malicious code protection mechanisms. | | 51 |
| Canada_Federal_PBMM_3-1-2020 | SI_3(2) | Canada_Federal_PBMM_3-1-2020_SI_3(2) | Canada Federal PBMM 3-1-2020 SI 3(2) | Malicious Code Protection | Malicious Code Protection \| Automatic Updates | Shared | The information system automatically updates malicious code protection mechanisms. | To ensure automatic updates in malicious code protection mechanisms. | | 51 |
| Canada_Federal_PBMM_3-1-2020 | SI_3(7) | Canada_Federal_PBMM_3-1-2020_SI_3(7) | Canada Federal PBMM 3-1-2020 SI 3(7) | Malicious Code Protection | Malicious Code Protection \| Non Signature-Based Detection | Shared | The information system implements non-signature-based malicious code detection mechanisms. | To enhance overall security posture. | | 51 |
| Canada_Federal_PBMM_3-1-2020 | SI_8(1) | Canada_Federal_PBMM_3-1-2020_SI_8(1) | Canada Federal PBMM 3-1-2020 SI 8(1) | Spam Protection | Spam Protection \| Central Management of Protection Mechanisms | Shared | The organization centrally manages spam protection mechanisms. | To enhance overall security posture. | | 87 |
| CIS_Controls_v8.1 | 12.5 | CIS_Controls_v8.1_12.5 | CIS Controls v8.1 12.5 | Network Infrastructure Management | Centralize network authentication, authorization and auditing (AAA) | Shared | Centralize network AAA. | To ensure that all network AAA is centralized to maintain standardisation and integrity of AAA. | | 22 |
| CIS_Controls_v8.1 | 4.2 | CIS_Controls_v8.1_4.2 | CIS Controls v8.1 4.2 | Secure Configuration of Enterprise Assets and Software | Establish and maintain a secure configuration process for network infrastructure. | Shared | 1. Establish and maintain a secure configuration process for network devices.<br>2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. | To ensure the integrity of network devices and that they are up to date with the latest security updates. | | 3 |
| EU_2555_(NIS2)_2022 | EU_2555_(NIS2)_2022_11 | EU_2555_(NIS2)_2022_11 | EU 2022/2555 (NIS2) 2022 11 | | Requirements, technical capabilities and tasks of CSIRTs | Shared | n/a | Outlines the requirements, technical capabilities, and tasks of CSIRTs. | | 68 |
| EU_2555_(NIS2)_2022 | EU_2555_(NIS2)_2022_12 | EU_2555_(NIS2)_2022_12 | EU 2022/2555 (NIS2) 2022 12 | | Coordinated vulnerability disclosure and a European vulnerability database | Shared | n/a | Establishes a coordinated vulnerability disclosure process and a European vulnerability database. | | 66 |
| EU_2555_(NIS2)_2022 | EU_2555_(NIS2)_2022_21 | EU_2555_(NIS2)_2022_21 | EU 2022/2555 (NIS2) 2022 21 | | Cybersecurity risk-management measures | Shared | n/a | Requires essential and important entities to take appropriate measures to manage cybersecurity risks. | | 193 |
| EU_2555_(NIS2)_2022 | EU_2555_(NIS2)_2022_29 | EU_2555_(NIS2)_2022_29 | EU 2022/2555 (NIS2) 2022 29 | | Cybersecurity information-sharing arrangements | Shared | n/a | Allows entities to exchange relevant cybersecurity information on a voluntary basis. | | 66 |
| EU_GDPR_2016_679_Art. | 24 | EU_GDPR_2016_679_Art._24 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 | Chapter 4 - Controller and processor | Responsibility of the controller | Shared | n/a | n/a | | 310 |
| EU_GDPR_2016_679_Art. | 25 | EU_GDPR_2016_679_Art._25 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 | Chapter 4 - Controller and processor | Data protection by design and by default | Shared | n/a | n/a | | 310 |
| EU_GDPR_2016_679_Art. | 28 | EU_GDPR_2016_679_Art._28 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 | Chapter 4 - Controller and processor | Processor | Shared | n/a | n/a | | 310 |
| EU_GDPR_2016_679_Art. | 32 | EU_GDPR_2016_679_Art._32 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 | Chapter 4 - Controller and processor | Security of processing | Shared | n/a | n/a | | 310 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 | .11 | FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 | FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 | Policy and Implementation - Formal Audits | Policy Area 11: Formal Audits | Shared | Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. | Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. | | 64 |
| HITRUST_CSF_v11.3 | 09.ab | HITRUST_CSF_v11.3_09.ab | HITRUST CSF v11.3 09.ab | Monitoring | Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. | Shared | 1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required.<br>2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts are to be complied with. | Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. | | 113 |
| NIS2 | PV._Posture_and_Vulnerability_Management_5 | NIS2_PV._Posture_and_Vulnerability_Management_5 | NIS2_PV._Posture_and_Vulnerability_Management_5 | PV. Posture and Vulnerability Management | Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure | | n/a | missing value | | 47 |
| NIST_CSF_v2.0 | PR.PS_04 | NIST_CSF_v2.0_PR.PS_04 | NIST CSF v2.0 PR.PS 04 | PROTECT-Platform Security | Log records are generated and made available for continuous monitoring. | Shared | n/a | To implement safeguards for managing the organization’s cybersecurity risks. | | 2 |
| NIST_SP_800-53_R5.1.1 | SI.7.8 | NIST_SP_800-53_R5.1.1_SI.7.8 | NIST SP 800-53 R5.1.1 SI.7.8 | System and Information Integrity Control | Software, Firmware, and Information Integrity \| Auditing Capability for Significant Events | Shared | Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]. | Organizations select response actions based on types of software, specific software, or information for which there are potential integrity violations. | | 2 |
| PCI_DSS_v4.0.1 | 10.2.1.2 | PCI_DSS_v4.0.1_10.2.1.2 | PCI DSS v4.0.1 10.2.1.2 | Log and Monitor All Access to System Components and Cardholder Data | Administrative Actions Logging | Shared | n/a | Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts. | | 25 |
| SOC_2023 | A1.1 | SOC_2023_A1.1 | SOC 2023 A1.1 | Additional Criteria for Availability | Effectively manage capacity demand and facilitate the implementation of additional capacity as needed. | Shared | n/a | The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. | | 111 |
| SOC_2023 | CC7.2 | SOC_2023_CC7.2 | SOC 2023 CC7.2 | Systems Operations | Maintain robust security measures and ensure operational resilience. | Shared | n/a | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. | | 167 |
| SOC_2023 | CC8.1 | SOC_2023_CC8.1 | SOC 2023 CC8.1 | Change Management | Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. | Shared | n/a | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by managing changes throughout the system life cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. | | 147 |
| SWIFT_CSCF_2024 | 2.1 | SWIFT_CSCF_2024_2.1 | SWIFT Customer Security Controls Framework 2024 2.1 | Risk Management | Internal Data Flow Security | Shared | The protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit. | To ensure the confidentiality, integrity, and authenticity of application data flows between the user’s Swift-related components. | | 48 |
| SWIFT_CSCF_2024 | 6.2 | SWIFT_CSCF_2024_6.2 | SWIFT Customer Security Controls Framework 2024 6.2 | Risk Management | Software Integrity | Shared | Software integrity checks provide a detective control against unexpected modification to operational software. | To ensure the software integrity of the Swift-related components and act upon results. | | 16 |
| SWIFT_CSCF_2024 | 6.3 | SWIFT_CSCF_2024_6.3 | SWIFT Customer Security Controls Framework 2024 6.3 | Risk Management | Database Integrity | Shared | Database integrity checks allow unexpected modification to records stored within the database to be detected. | To ensure the integrity of the database records for the Swift messaging interface or the customer connector and act upon results. | | 16 |
| UK_NCSC_CAF_v3.2 | B2.a | UK_NCSC_CAF_v3.2_B2.a | NCSC Cyber Assurance Framework (CAF) v3.2 B2.a | Identity and Access Control | Identity Verification, Authentication and Authorisation | Shared | 1. The process of initial identity verification is robust enough to provide a high level of confidence of a user’s identity profile before allowing an authorised user access to networks and information systems that support the essential function.<br>2. Only authorised and individually authenticated users can physically access and logically connect to the networks or information systems on which that essential function depends.<br>3. The number of authorised users and systems that have access to all the networks and information systems supporting the essential function is limited to the minimum necessary.<br>4. Use additional authentication mechanisms, such as multi-factor (MFA), for privileged access to all systems that operate or support the essential function.<br>5. Use additional authentication mechanisms, such as multi-factor (MFA), when there is individual authentication and authorisation of all remote user access to all the networks and information systems that support the essential function.<br>6. The list of users and systems with access to networks and systems supporting and delivering the essential functions is reviewed on a regular basis, at least every six months. | The organisation understands, documents and manages access to networks and information systems supporting the operation of essential functions. Users (or automated functions) that can access data or systems are appropriately verified, authenticated and authorised. Robustly verify, authenticate and authorise access to the networks and information systems supporting the essential function. | | 32 |