Az Policy Advertizer

Azure_Security_Benchmark_v2.0

PV-2

Azure_Security_Benchmark_v2.0_PV-2

Azure Security Benchmark PV-2

Posture and Vulnerability Management

Sustain secure configurations for Azure services

Customer

Use Azure Security Center to monitor your configuration baseline and use Azure Policy [deny] and [deploy if not exist] rule to enforce secure configuration across Azure compute resources, including VMs, containers, and others. Understand Azure Policy effects: https://docs.microsoft.com/azure/governance/policy/concepts/effects Create and manage policies to enforce compliance: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage

n/a

Azure_Security_Benchmark_v3.0

PV-2

Azure_Security_Benchmark_v3.0_PV-2

Microsoft cloud security benchmark PV-2

Posture and Vulnerability Management

Audit and enforce secure configurations

Shared

**Security Principle:** Continuously monitor and alert when there is a deviation from the defined configuration baseline. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploy a configuration. **Azure Guidance:** Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources. Use Azure Policy [deny] and [deploy if not exist] rule to enforce secure configuration across Azure resources. For resource configuration audit and enforcement not supported by Azure Policy, you may need to write your own scripts or use third-party tooling to implement the configuration audit and enforcement. **Implementation and additional context:** Understand Azure Policy effects: https://docs.microsoft.com/azure/governance/policy/concepts/effects Create and manage policies to enforce compliance: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage Get compliance data of Azure resources: https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data

n/a

CIS_Azure_1.1.0

9.4

CIS_Azure_1.1.0_9.4

CIS Microsoft Azure Foundations Benchmark recommendation 9.4

9 AppService

Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'

Shared

The customer is responsible for implementing this recommendation.

Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.

CIS_Azure_1.3.0

9.4

CIS_Azure_1.3.0_9.4

CIS Microsoft Azure Foundations Benchmark recommendation 9.4

9 AppService

Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'

Shared

The customer is responsible for implementing this recommendation.

Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.

CIS_Azure_1.4.0

9.4

CIS_Azure_1.4.0_9.4

CIS Microsoft Azure Foundations Benchmark recommendation 9.4

9 AppService

Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'

Shared

The customer is responsible for implementing this recommendation.

Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.

CMMC_2.0_L2

CM.L2-3.4.1

CMMC_2.0_L2_CM.L2-3.4.1

404 not found

n/a

CMMC_2.0_L2

CM.L2-3.4.2

CMMC_2.0_L2_CM.L2-3.4.2

404 not found

n/a

CMMC_L2_v1.9.0_IA.L2_3.5.10

IA.L2_3.5.10

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 IA.L2 3.5.10

Identification and Authentication

Cryptographically Protected Passwords

Shared

Store and transmit only cryptographically protected passwords.

To enhance the overall security of the authentication process.

CMMC_L2_v1.9.0_IA.L2_3.5.7

IA.L2_3.5.7

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 IA.L2 3.5.7

Identification and Authentication

Password Complexity

Shared

Enforce a minimum password complexity and change of characters when new passwords are created.

To reduce the risk of unauthorized access through password guessing or brute force attacks.

CMMC_L2_v1.9.0_IA.L2_3.5.9

IA.L2_3.5.9

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 IA.L2 3.5.9

Identification and Authentication

Temporary Passwords

Shared

Allow temporary password use for system logons with an immediate change to a permanent password.

To ensure that temporary passwords are quickly replaced with more secure, permanent ones.

CMMC_L2_v1.9.0_SC.L2_3.13.8

SC.L2_3.13.8

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.8

System and Communications Protection

Data in Transit

Shared

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

To maintain the confidentiality and integrity of CUI.

IAM_02

CSA_v4.0.12_IAM_02

CSA Cloud Controls Matrix v4.0.12 IAM 02

Identity & Access Management

Strong Password Policy and Procedures

Shared

n/a

Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.

IAM_03

CSA_v4.0.12_IAM_03

CSA Cloud Controls Matrix v4.0.12 IAM 03

Identity & Access Management

Identity Inventory

Shared

n/a

Manage, store, and review the information of system identities, and level of access.

IAM_14

CSA_v4.0.12_IAM_14

CSA Cloud Controls Matrix v4.0.12 IAM 14

Identity & Access Management

Strong Authentication

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities.

IAM_15

CSA_v4.0.12_IAM_15

CSA Cloud Controls Matrix v4.0.12 IAM 15

Identity & Access Management

Passwords Management

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords.

IAM_16

CSA_v4.0.12_IAM_16

CSA Cloud Controls Matrix v4.0.12 IAM 16

Identity & Access Management

Authorization Mechanisms

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized.

EU_2555_(NIS2)_2022

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

193

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

310

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

310

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5.6

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.6

Policy and Implementation - Identification And Authentication

Identification And Authentication

Shared

Ensure and maintain the proper identification and authentications measures with appropriate security safeguards to avoid issues like identity theft.

1. Identification is a unique, auditable representation of an identity within an information system usually in the form of a simple character string for each individual user, machine, software component, or any other entity. 2. Authentication refers to mechanisms or processes to verify the identity of a user, process, or device, as a prerequisite to allowing access to a system's resources.

FedRAMP_High_R4

CM-6

FedRAMP_High_R4_CM-6

FedRAMP High CM-6

Configuration Management

Configuration Settings

Shared

n/a

The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. Supplemental Guidance: Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security- related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. References: OMB Memoranda 07-11, 07-18, 08-22; NIST Special Publications 800-70, 800-128; Web: http://nvd.nist.gov, http://checklists.nist.gov, http://www.nsa.gov.

FedRAMP_Moderate_R4

CM-6

FedRAMP_Moderate_R4_CM-6

FedRAMP Moderate CM-6

Configuration Management

Configuration Settings

Shared

n/a

hipaa-0662.09sCSPOrganizational.2-09.s

hipaa

0662.09sCSPOrganizational.2-09.s

0662.09sCSPOrganizational.2-09.s

06 Configuration Management

0662.09sCSPOrganizational.2-09.s 09.08 Exchange of Information

Shared

n/a

Cloud service providers use an industry-recognized virtualization platform and standard virtualization formats (e.g., Open Virtualization Format, OVF) to help ensure interoperability, and has documented custom changes made to any hypervisor in use and all solution-specific virtualization hooks available for customer review.

hipaa

0915.09s2Organizational.2-09.s

hipaa-0915.09s2Organizational.2-09.s

0915.09s2Organizational.2-09.s

09 Transmission Protection

0915.09s2Organizational.2-09.s 09.08 Exchange of Information

Shared

n/a

The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems.

ISO_IEC_27017_2015

9.2.4

ISO_IEC_27017_2015_9.2.4

ISO IEC 27017 2015 9.2.4

Access Control

Management of secret authentication information of users

Shared

For Cloud Service Customer: The cloud service customer should verify that the cloud service provider's management procedure for allocating secret authentication information, such as passwords, meets the cloud service customer's requirements. For Cloud Service Provider: The cloud service provider should provide information on procedures for the management of the secret authentication information of the cloud service customer, including the procedures for allocating such information and for user authentication.

To ensure proper entity authentication and prevent failures of authentication processes.

New_Zealand_ISM

14.5.8.C.01

New_Zealand_ISM_14.5.8.C.01

14. Software security

14.5.8.C.01 Web applications

n/a

Agencies SHOULD follow the documentation provided in the Open Web Application Security Project guide to building secure Web applications and Web services.

NIST_CSF_v2.0

PR.DS_02

NIST_CSF_v2.0_PR.DS_02

NIST CSF v2.0 PR.DS 02

PROTECT-Data Security

The confidentiality, integrity, and availability of data-in-transit are protected.

Shared

n/a

To implement safeguards for managing organization’s cybersecurity risks.

NIST_SP_800-171_R2_3

.4.1

NIST_SP_800-171_R2_3.4.1

NIST SP 800-171 R2 3.4.1

Configuration Management

Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration. Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. [SP 800-128] provides guidance on security-focused configuration management.

NIST_SP_800-171_R2_3

.4.2

NIST_SP_800-171_R2_3.4.2

NIST SP 800-171 R2 3.4.2

Configuration Management

Establish and enforce security configuration settings for information technology products employed in organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. [SP 800-70] and [SP 800-128] provide guidance on security configuration settings.

NIST_SP_800-171_R3_3.5.12

NIST_SP_800-171_R3_3

.5.12

NIST 800-171 R3 3.5.12

Identification and Authentication Control

Authenticator Management

Shared

Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. The initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, requirements for authenticator content contain specific characteristics. Authenticator management is supported by organization-defined settings and restrictions for various authenticator characteristics (e.g., password complexity and composition rules, validation time window for time synchronous one-time tokens, and the number of allowed rejections during the verification stage of biometric authentication). The requirement to protect individual authenticators may be implemented by 03.15.03 for authenticators in the possession of individuals and by 03.01.01, 03.01.02, 03.01.05, and 03.13.08 for authenticators stored in organizational systems. This includes passwords stored in hashed or encrypted formats or files that contain encrypted or hashed passwords accessible with administrator privileges. Actions can be taken to protect authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well-known, easily discoverable, and present a significant risk. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed. The use of long passwords or passphrases may obviate the need to periodically change authenticators.

a. Verify the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution. b. Establish initial authenticator content for any authenticators issued by the organization. c. Establish and implement administrative procedures for initial authenticator distribution, for lost, compromised, or damaged authenticators, and for revoking authenticators. d. Change default authenticators at first use. e. Change or refresh authenticators periodically or when the following events occur:[Assignment: organization-defined events]. f. Protect authenticator content from unauthorized disclosure and modification.

NIST_SP_800-171_R3_3

.5.7

NIST_SP_800-171_R3_3.5.7

404 not found

n/a

NIST_SP_800-53_R4

CM-6

NIST_SP_800-53_R4_CM-6

NIST SP 800-53 Rev. 4 CM-6

Configuration Management

Configuration Settings

Shared

n/a

NIST_SP_800-53_R5.1.1_IA.5.1

NIST_SP_800-53_R5.1.1

IA.5.1

NIST SP 800-53 R5.1.1 IA.5.1

Identification and Authentication Control

Authenticator Management | Password-based Authentication

Shared

For password-based authentication: (a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly; (b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); (c) Transmit passwords only over cryptographically-protected channels; (d) Store passwords using an approved salted key derivation function, preferably using a keyed hash; (e) Require immediate selection of a new password upon account recovery; (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters; (g) Employ automated tools to assist the user in selecting strong password authenticators; and (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules].

Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.

NIST_SP_800-53_R5

CM-6

NIST_SP_800-53_R5_CM-6

NIST SP 800-53 Rev. 5 CM-6

Configuration Management

Configuration Settings

Shared

n/a

a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

NZ_ISM_v3.5

SS-9

NZ_ISM_v3.5_SS-9

NZISM Security Benchmark SS-9

Software security

14.5.8 Web applications

Customer

n/a

The Open Web Application Security Project guide provides a comprehensive resource to consult when developing Web applications.

3.3.2

PCI_DSS_v4.0.1_3.3.2

PCI DSS v4.0.1 3.3.2

Protect Stored Account Data

SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography

Shared

n/a

Examine data stores, system configurations, and/or vendor documentation to verify that all SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography

3.3.3

PCI_DSS_v4.0.1_3.3.3

PCI DSS v4.0.1 3.3.3

Protect Stored Account Data

Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is limited to that which is needed for a legitimate issuing business need and is secured. Encrypted using strong cryptography

Shared

n/a

Additional testing procedure for issuers and companies that support issuing services and store sensitive authentication data: Examine documented policies and interview personnel to verify there is a documented business justification for the storage of sensitive authentication data. Examine data stores and system configurations to verify that the sensitive authentication data is stored securely

4.2.1.2

PCI_DSS_v4.0.1_4.2.1.2

PCI DSS v4.0.1 4.2.1.2

Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission

Shared

n/a

Examine system configurations to verify that wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission

4.2.2

PCI_DSS_v4.0.1_4.2.2

PCI DSS v4.0.1 4.2.2

Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies

Shared

n/a

Examine documented policies and procedures to verify that processes are defined to secure PAN with strong cryptography whenever sent over end-user messaging technologies. Examine system configurations and vendor documentation to verify that PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies

RBI_CSF_Banks_v2016

13.1

RBI_CSF_Banks_v2016_13.1

Advanced Real-Timethreat Defenceand Management

Advanced Real-Timethreat Defenceand Management-13.1

n/a

Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise.

RBI_CSF_Banks_v2016

4.3

RBI_CSF_Banks_v2016_4.3

Network Management And Security

Network Device Configuration Management-4.3

n/a

Ensure that all the network devices are configured appropriately and periodically assess whether the configurations are appropriate to the desired level of network security.

RBI_ITF_NBFC_v2017

3.8

RBI_ITF_NBFC_v2017_3.8

RBI IT Framework 3.8

Information and Cyber Security

Digital Signatures-3.8

n/a

A Digital Signature Certificate authenticates entity???s identity electronically. It also provides a high level of security for online transactions by ensuring absolute privacy of the information exchanged using a Digital Signature Certificate. NBFCs may consider use of Digital signatures to protect the authenticity and integrity of important electronic documents and also for high value fund transfer.

RMiT_v1.0

10.20

RMiT_v1.0_10.20

RMiT 10.20

Cryptography

Cryptography - 10.20

Shared

n/a

A financial institution shall store public cryptographic keys in a certificate issued by a certificate authority as appropriate to the level of risk. Such certificates associated with customers shall be issued by recognised certificate authorities. The financial institution must ensure that the implementation of authentication and signature protocols using such certificates are subject to strong protection to ensure that the use of private cryptographic keys corresponding to the user certificates are legally binding and irrefutable. The initial issuance and subsequent renewal of such certificates must be consistent with industry best practices and applicable legal/regulatory specifications.

Sarbanes_Oxley_Act_(1)_2022_1

Sarbanes Oxley Act 2022 1

PUBLIC LAW

Sarbanes Oxley Act 2022 (SOX)

Shared

n/a

SOC_2

CC6.8

SOC_2_CC6.8

SOC 2 Type 2 CC6.8

Logical and Physical Access Controls

Prevent or detect against unauthorized or malicious software

Shared

The customer is responsible for implementing this recommendation.

Restricts Application and Software Installation — The ability to install applications and software is restricted to authorized individuals. • Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. • Uses a Defined Change Control Process — A management-defined change control process is used for the implementation of software. • Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. • Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network.

SOC_2

CC8.1

SOC_2_CC8.1

SOC 2 Type 2 CC8.1

Change Management

Changes to infrastructure, data, and software

Shared

The customer is responsible for implementing this recommendation.

Manages Changes Throughout the System Life Cycle — A process for managing system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and processing integrity. • Authorizes Changes — A process is in place to authorize system changes prior to development. • Designs and Develops Changes — A process is in place to design and develop system changes. • Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. • Tracks System Changes — A process is in place to track system changes prior to implementation. • Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software. • Tests System Changes — A process is in place to test system changes prior to implementation. • Approves System Changes — A process is in place to approve system changes prior to implementation. • Deploys System Changes — A process is in place to implement system changes. • Identifies and Evaluates System Changes — Objectives affected by system changes are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle. • Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents — Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified and the change process is initiated upon identification. • Creates Baseline Configuration of IT Technology — A baseline configuration of IT and control systems is created and maintained. • Provides for Changes Necessary in Emergency Situations — A process is in place for authorizing, designing, testing, approving, and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent time frame). Additional points of focus that apply only in an engagement using the trust services criteria for confidentiality: • Protects Confidential Information — The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality. Additional points of focus that apply only in an engagement using the trust services criteria for privacy: • Protects Personal Information — The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy.

SOC_2023

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

218

SOC_2023

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

229

SOC_2023

CC7.4

SOC_2023_CC7.4

SOC 2023 CC7.4

Systems Operations

Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation.

Shared

n/a

The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations.

213

SWIFT_CSCF_2024

4.1

SWIFT_CSCF_2024_4.1

SWIFT Customer Security Controls Framework 2024 4.1

Password Management

Password Policy

Shared

1. Implementing a password policy that protects against common password attacks (for example, guessing and brute force) is effective for protecting against account compromise. Attackers often use the privileges of a compromised account to move laterally within an environment and progress the attack. 2. Another risk is the compromise of local authentication keys to tamper with the integrity of transactions. However, it is important to recognise that passwords alone are generally not sufficient in the current cyber-threat landscape. Users should consider this control in close relationship with the multi-factor authentication requirement.

To ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.

SWIFT_CSCF_2024

5.2

SWIFT_CSCF_2024_5.2

SWIFT Customer Security Controls Framework 2024 5.2

Access Control

Token Management

Shared

1. The protection of connected and disconnected hardware authentication, personal tokens or software tokens is essential to safeguard the related operator or system account. 2. It also reinforces good security practice by providing an additional layer of protection from attackers.

To ensure the proper management, tracking, and use of connected and disconnected hardware authentication or personal and software tokens (when tokens are used).

SWIFT_CSCF_2024

5.4

SWIFT_CSCF_2024_5.4

SWIFT Customer Security Controls Framework 2024 5.4

Password Management

Password Repository Protection

Shared

1. The secure storage of recorded passwords (repository) makes sure that passwords are not easily accessible to others, thereby protecting against simple password theft. 2. Common unsecure methods include, but are not limited to: recording passwords in a spreadsheet or a text document saved in cleartext on a desktop, or in a shared directory, or a server, saved on a mobile phone, written/printed on a post-it or a leaflet. 3. This control covers the storage of emergency, privileged or any other account passwords. 4. All accounts have to be considered because (i) combination of compromised, not-privileged, accounts, such as transaction creator account and approver account can be damageable, and (ii) even monitoring accounts provide valuable information during the reconnaissance time.

To protect physically and logically the repository of recorded passwords.

SWIFT_CSCF_v2021

2.1

SWIFT_CSCF_v2021_2.1

SWIFT CSCF v2021 2.1

Reduce Attack Surface and Vulnerabilities

Internal Data Flow Security

n/a

Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related applications.

SWIFT_CSCF_v2021

2.4A

SWIFT_CSCF_v2021_2.4A

SWIFT CSCF v2021 2.4A

Reduce Attack Surface and Vulnerabilities

Back-office Data Flow Security

n/a

Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back office first hops they connect to.