last sync: 2025-Apr-29 17:16:02 UTC

Microsoft Defender CSPM should be enabled

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Microsoft Defender CSPM should be enabled
Id: 1f90fc71-a595-4066-8974-d4d0802e8ef0
Version: 1.0.0
Versioning: 1 version supported (1.0.0)
Category: Security Center
Description: Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud.
Cloud environments:
AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown
Available in AzUSGov: Unknown; there is no evidence whether this Policy definition is available in AzureUSGovernment.
Assessment(s): 1
Assessment Id: e0e431eb-22b3-4f34-ae0d-5ec229fc28e7
DisplayName: Microsoft Defender CSPM should be enabled
Description: Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud.
Remediation description: To enable this plan in an Azure subscription or AWS account: 1. From Defender for Cloud's Environment settings page, select the relevant subscription / account. 2. In the Defender plans page, set Defender CSPM to On.
Categories: Compute
Severity: High
User impact: High
Implementation effort: High
Threats: DataExfiltration, DataSpillage, AccountBreach, ElevationOfPrivilege
preview: True
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default = AuditIfNotExists; Allowed = AuditIfNotExists, Disabled
RBAC role(s): none
Rule aliases: THEN-ExistenceCondition (1)
Alias | Namespace | ResourceType | Path | PathIsDefault | DefaultPath | Modifiable
Microsoft.Security/pricings/pricingTier | Microsoft.Security | pricings | properties.pricingTier | True | | False
Rule resource types: IF (1)
Compliance
The following 68 compliance controls are associated with this Policy definition 'Microsoft Defender CSPM should be enabled' (1f90fc71-a595-4066-8974-d4d0802e8ef0)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 IR-3 Azure_Security_Benchmark_v3.0_IR-3 Microsoft cloud security benchmark IR-3 Incident Response Detection and analysis - create incidents based on high-quality alerts Shared **Security Principle:** Ensure you have a process to create high-quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives. High-quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources. **Azure Guidance:** Microsoft Defender for Cloud provides high-quality alerts across many Azure assets. You can use the Microsoft Defender for Cloud data connector to stream the alerts to Azure Sentinel. Azure Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation. Export your Microsoft Defender for Cloud alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion. **Implementation and additional context:** How to configure export: https://docs.microsoft.com/azure/security-center/continuous-export How to stream alerts into Azure Sentinel: https://docs.microsoft.com/azure/sentinel/connect-azure-security-center n/a link 18
Azure_Security_Benchmark_v3.0 IR-5 Azure_Security_Benchmark_v3.0_IR-5 Microsoft cloud security benchmark IR-5 Incident Response Detection and analysis - prioritize incidents Shared **Security Principle:** Provide context to security operations teams to help them determine which incidents ought to first be focused on, based on alert severity and asset sensitivity defined in your organization’s incident response plan. **Azure Guidance:** Microsoft Defender for Cloud assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Microsoft Defender for Cloud is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert. Additionally, mark resources using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred. **Implementation and additional context:** Security alerts in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/security-center-alerts-overview Use tags to organize your Azure resources: https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags n/a link 18
Azure_Security_Benchmark_v3.0 LT-1 Azure_Security_Benchmark_v3.0_LT-1 Microsoft cloud security benchmark LT-1 Logging and Threat Detection Enable threat detection capabilities Shared **Security Principle:** To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies. Configure your alert filtering and analytics rules to extract high-quality alerts from log data, agents, or other data sources to reduce false positives. **Azure Guidance:** Use the threat detection capability of Azure Defender services in Microsoft Defender for Cloud for the respective Azure services. For threat detection not included in Azure Defender services, refer to the Azure Security Benchmark service baselines for the respective services to enable the threat detection or security alert capabilities within the service. Extract the alerts to your Azure Monitor or Azure Sentinel to build analytics rules, which hunt threats that match specific criteria across your environment. For Operational Technology (OT) environments that include computers that control or monitor Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) resources, use Defender for IoT to inventory assets and detect threats and vulnerabilities. For services that do not have a native threat detection capability, consider collecting the data plane logs and analyze the threats through Azure Sentinel. **Implementation and additional context:** Introduction to Azure Defender: https://docs.microsoft.com/azure/security-center/azure-defender Microsoft Defender for Cloud security alerts reference guide: https://docs.microsoft.com/azure/security-center/alerts-reference Create custom analytics rules to detect threats: https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom Cyber threat intelligence with Azure Sentinel: https://docs.microsoft.com/azure/architecture/example-scenario/data/sentinel-threat-intelligence n/a link 21
Azure_Security_Benchmark_v3.0 LT-2 Azure_Security_Benchmark_v3.0_LT-2 Microsoft cloud security benchmark LT-2 Logging and Threat Detection Enable threat detection for identity and access management Shared **Security Principle:** Detect threats for identities and access management by monitoring the user and application sign-in and access anomalies. Behavioral patterns such as excessive number of failed login attempts, and deprecated accounts in the subscription, should be alerted. **Azure Guidance:** Microsoft Entra ID provides the following logs that can be viewed in Microsoft Entra reporting or integrated with Azure Monitor, Azure Sentinel or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases: - Sign-ins: The sign-ins report provides information about the usage of managed applications and user sign-in activities. - Audit logs: Provides traceability through logs for all changes done by various features within Microsoft Entra ID. Examples of audit logs include changes made to any resources within Microsoft Entra ID like adding or removing users, apps, groups, roles and policies. - Risky sign-ins: A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account. - Users flagged for risk: A risky user is an indicator for a user account that might have been compromised. Microsoft Entra ID also provides an Identity Protection module to detect and remediate risks related to user accounts and sign-in behaviors. Example risks include leaked credentials, sign-in from anonymous or malware linked IP addresses, password spray. The policies in the Microsoft Entra Identity Protection allow you to enforce risk-based MFA authentication in conjunction with Azure Conditional Access on user accounts. In addition, Microsoft Defender for Cloud can be configured to alert on deprecated accounts in the subscription and suspicious activities such as an excessive number of failed authentication attempts. In addition to the basic security hygiene monitoring, Microsoft Defender for Cloud's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (such as virtual machines, containers, app service), data resources (such as SQL DB and storage), and Azure service layers. This capability allows you to see account anomalies inside the individual resources. Note: If you are connecting your on-premises Active Directory for synchronization, use the Microsoft Defender for Identity solution to consume your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. **Implementation and additional context:** Audit activity reports in Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs Enable Azure Identity Protection: https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection Threat protection in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/threat-protection n/a link 20
C.04.6 - Technical vulnerabilities C.04.6 - Technical vulnerabilities 404 not found n/a n/a 27
C.04.7 - Evaluated C.04.7 - Evaluated 404 not found n/a n/a 55
C.04.8 - Evaluated C.04.8 - Evaluated 404 not found n/a n/a 8
Canada_Federal_PBMM_3-1-2020 CM_8(3) Canada_Federal_PBMM_3-1-2020_CM_8(3) Canada Federal PBMM 3-1-2020 CM 8(3) Information System Component Inventory Information System Component Inventory | Automated Unauthorized Component Detection Shared 1. The organization employs automated mechanisms continuously, using automated mechanisms with a maximum five-minute delay in detection to detect the presence of unauthorized hardware, software, and firmware components within the information system; and 2. The organization takes the organization-defined actions when unauthorized components are detected such as disables network access by such components; isolates the components; notifies organization-defined personnel or roles. To employ automated mechanisms for timely detection of unauthorized hardware, software, and firmware components in the information system. 17
Canada_Federal_PBMM_3-1-2020 CM_8(5) Canada_Federal_PBMM_3-1-2020_CM_8(5) Canada Federal PBMM 3-1-2020 CM 8(5) Information System Component Inventory Information System Component Inventory | No Duplicate Accounting of Components Shared The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories. To ensure that all components within the authorization boundary of the information system are uniquely identified and not duplicated in other information system component inventories. 17
Canada_Federal_PBMM_3-1-2020 SC_2 Canada_Federal_PBMM_3-1-2020_SC_2 Canada Federal PBMM 3-1-2020 SC 2 Application Partitioning Application Partitioning Shared The information system separates user functionality (including user interface services) from information system management functionality. To strengthen security posture and mitigate potential security vulnerabilities. 4
Canada_Federal_PBMM_3-1-2020 SC_5 Canada_Federal_PBMM_3-1-2020_SC_5 Canada Federal PBMM 3-1-2020 SC 5 Denial of Service Protection Denial of Service Protection Shared The information system protects against or limits the effects of the following denial of service attempts that attack bandwidth, transactional capacity and storage by employing geo-replication, IP address blocking, and network-based DDoS protections. To strengthen security posture and mitigate potential security vulnerabilities. 4
Canada_Federal_PBMM_3-1-2020 SC_6 Canada_Federal_PBMM_3-1-2020_SC_6 Canada Federal PBMM 3-1-2020 SC 6 Resource Availability Resource Availability Shared The information system protects the availability of resources by allocating organization-defined resources by priority; quota, or organization-defined security safeguards. To strengthen security posture and mitigate potential security vulnerabilities. 4
Canada_Federal_PBMM_3-1-2020 SC_7 Canada_Federal_PBMM_3-1-2020_SC_7 Canada Federal PBMM 3-1-2020 SC 7 Boundary Protection Boundary Protection Shared 1. The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. 2. The information system implements sub-networks for publicly accessible system components that are physically or logically separated from internal organizational networks. 3. The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. To strengthen security posture and mitigate potential security vulnerabilities. 4
Canada_Federal_PBMM_3-1-2020 SC_7(12) Canada_Federal_PBMM_3-1-2020_SC_7(12) Canada Federal PBMM 3-1-2020 SC 7(12) Boundary Protection Boundary Protection | Host-Based Protection Shared The organization implements organization-defined host-based boundary protection mechanisms at organization-defined information system components. To strengthen security posture and mitigate potential security vulnerabilities. 4
Canada_Federal_PBMM_3-1-2020 SC_7(3) Canada_Federal_PBMM_3-1-2020_SC_7(3) Canada Federal PBMM 3-1-2020 SC 7(3) Boundary Protection Boundary Protection | Access Points Shared The organization limits the number of external network connections to the information system. To strengthen security posture and mitigate potential security vulnerabilities. 4
Canada_Federal_PBMM_3-1-2020 SC_7(5) Canada_Federal_PBMM_3-1-2020_SC_7(5) Canada Federal PBMM 3-1-2020 SC 7(5) Boundary Protection Boundary Protection | Deny by Default / Allow by Exception Shared The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception). To strengthen security posture and mitigate potential security vulnerabilities. 4
Canada_Federal_PBMM_3-1-2020 SC_7(7) Canada_Federal_PBMM_3-1-2020_SC_7(7) Canada Federal PBMM 3-1-2020 SC 7(7) Boundary Protection Boundary Protection | Prevent Split Tunneling for Remote Devices Shared The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. To strengthen security posture and mitigate potential security vulnerabilities. 4
Canada_Federal_PBMM_3-1-2020 SC_7(8) Canada_Federal_PBMM_3-1-2020_SC_7(8) Canada Federal PBMM 3-1-2020 SC 7(8) Boundary Protection Boundary Protection | Route Traffic to Authenticated Proxy Servers Shared The information system routes organization-defined internal communications traffic to all untrusted networks outside the control of the organization through authenticated proxy servers at managed interfaces. To strengthen security posture and mitigate potential security vulnerabilities. 4
CIS_Controls_v8.1 16.06 CIS_Controls_v8.1_16.06 404 not found n/a n/a 3
CIS_Controls_v8.1 16.1 CIS_Controls_v8.1_16.1 CIS Controls v8.1 16.1 Application Software Security Establish and maintain a secure application development process Shared 1. Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. 2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. To establish and maintain a secure application development process encompassing secure design standards, coding practices, developer training, vulnerability management, third-party code security, and testing procedures. 3
CMMC_L2_v1.9.0 AU.L2_3.3.1 CMMC_L2_v1.9.0_AU.L2_3.3.1 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.1 Audit and Accountability System Auditing Shared Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. To enhance security and accountability measures. 41
CMMC_L2_v1.9.0 CA.L2_3.12.2 CMMC_L2_v1.9.0_CA.L2_3.12.2 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CA.L2 3.12.2 Security Assessment Plan of Action Shared Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. To enhance the resilience to cyber threats and protect systems and data from potential exploitation or compromise. 17
CPS_234_(APRA)_2019 CPS_234_(APRA)_2019_27 CPS_234_(APRA)_2019_27 APRA CPS 234 2019 27 Testing control effectiveness Ensure that an APRA-regulated entity systematically tests the effectiveness of its information security controls. Shared n/a An APRA-regulated entity must test the effectiveness of its information security controls through a systematic testing program. The nature and frequency of the systematic testing must be commensurate with: 1. the rate at which the vulnerabilities and threats change; 2. the criticality and sensitivity of the information asset; 3. the consequences of an information security incident; 4. the risks associated with exposure to environments where the APRA-regulated entity is unable to enforce its information security policies; 5. the materiality and frequency of change to information assets. 17
CSA_v4.0.12 AIS_04 CSA_v4.0.12_AIS_04 CSA Cloud Controls Matrix v4.0.12 AIS 04 Application & Interface Security Secure Application Design and Development Shared n/a Define and implement a SDLC process for application design, development, deployment, and operation in accordance with security requirements defined by the organization. 1
CSA_v4.0.12 CCC_04 CSA_v4.0.12_CCC_04 CSA Cloud Controls Matrix v4.0.12 CCC 04 Change Control and Configuration Management Unauthorized Change Protection Shared n/a Restrict the unauthorized addition, removal, update, and management of organization assets. 25
CSA_v4.0.12 IVS_04 CSA_v4.0.12_IVS_04 CSA Cloud Controls Matrix v4.0.12 IVS 04 Infrastructure & Virtualization Security OS Hardening and Base Controls Shared n/a Harden host and guest OS, hypervisor or infrastructure control plane according to their respective best practices, and supported by technical controls, as part of a security baseline. 3
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 193
EU_GDPR_2016_679 Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 310
EU_GDPR_2016_679 Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 310
EU_GDPR_2016_679 Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 310
EU_GDPR_2016_679 Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 310
FBI_Criminal_Justice_Information_Services_v5.9.5 5.7 FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 404 not found n/a n/a 95
FFIEC_CAT_2017 3.2.2 FFIEC_CAT_2017_3.2.2 FFIEC CAT 2017 3.2.2 Cybersecurity Controls Anomalous Activity Detection Shared n/a - The institution is able to detect anomalous activities through monitoring across the environment. - Customer transactions generating anomalous activity alerts are monitored and reviewed. - Logs of physical and/or logical access are reviewed following events. - Access to critical systems by third parties is monitored for unauthorized or unusual activity. - Elevated privileges are monitored. 27
HITRUST_CSF_v11.3 10.k HITRUST_CSF_v11.3_10.k HITRUST CSF v11.3 10.k Security In Development and Support Processes Ensure the security of application system software and information through the development process, project and support environments shall be strictly controlled. Shared 1. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management is to be formally addressed. 2. Changes to mobile device operating systems, patch levels, and/or applications is to be managed through a formal change management process. 3. A baseline configuration of the information system is to be developed, documented, and maintained under configuration control. The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures. 33
ISO_IEC_27001_2022 10.2 ISO_IEC_27001_2022_10.2 ISO IEC 27001 2022 10.2 Improvement Nonconformity and corrective action Shared 1. When a nonconformity occurs, the organization shall: a. react to the nonconformity, and as applicable: i. take action to control and correct it; ii. deal with the consequences; b. evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by: i. reviewing the nonconformity; ii. determining the causes of the nonconformity; and iii. determining if similar nonconformities exist, or could potentially occur; c. implement any action needed; d. review the effectiveness of any corrective action taken; and e. make changes to the information security management system, if necessary. 2. Corrective actions shall be appropriate to the effects of the nonconformities encountered. 3. Documented information shall be available as evidence of: a. the nature of the nonconformities and any subsequent actions taken, b. the results of any corrective action. Specifies the actions that the organisation shall take in cases of nonconformity. 18
ISO_IEC_27001_2022 9.1 ISO_IEC_27001_2022_9.1 ISO IEC 27001 2022 9.1 Performance Evaluation Monitoring, measurement, analysis and evaluation Shared 1. The organization shall determine: a. what needs to be monitored and measured, including information security processes and controls; b. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid; c. when the monitoring and measuring shall be performed; d. who shall monitor and measure; e. when the results from monitoring and measurement shall be analysed and evaluated; f. who shall analyse and evaluate these results. 2. Documented information shall be available as evidence of the results. Specifies that the organisation must evaluate information security performance and the effectiveness of the information security management system. 44
NIST_CSF_v2.0 GV.SC_07 NIST_CSF_v2.0_GV.SC_07 NIST CSF v2.0 GV.SC 07 GOVERN-Cybersecurity Supply Chain Risk Management The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship. Shared n/a To establish, communicate, and monitor the risk management strategy, expectations, and policy. 17
NIST_SP_800-171_R3 3.1.16 NIST_SP_800-171_R3_3.1.16 NIST 800-171 R3 3.1.16 Access Control Wireless Access Shared Establishing usage restrictions, configuration requirements, and connection requirements for wireless access to the system provides criteria to support access authorization decisions. These restrictions and requirements reduce susceptibility to unauthorized system access through wireless technologies. Wireless networks use authentication protocols that provide credential protection and mutual authentication. Organizations authenticate individuals and devices to protect wireless access to the system. Special attention is given to the variety of devices with potential wireless access to the system, including small form factor mobile devices (e.g., smart phones, smart watches). Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential missions or business functions can help reduce susceptibility to threats by adversaries involving wireless technologies. a. Establish usage restrictions, configuration requirements, and connection requirements for each type of wireless access to the system. b. Authorize each type of wireless access to the system prior to establishing such connections. c. Disable, when not intended for use, wireless networking capabilities prior to issuance and deployment. 8
NIST_SP_800-171_R3 3.12.3 NIST_SP_800-171_R3_3.12.3 NIST 800-171 R3 3.12.3 Security Assessment Control Continuous Monitoring Shared Continuous monitoring at the system level facilitates ongoing awareness of the system security posture to support risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their systems at a frequency that is sufficient to support risk based decisions. Different types of security requirements may require different monitoring frequencies. Continuous monitoring at the system level facilitates ongoing awareness of the system security posture to support risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their systems at a frequency that is sufficient to support risk based decisions. Different types of security requirements may require different monitoring frequencies. 17
NIST_SP_800-171_R3 3.4.4 NIST_SP_800-171_R3_3.4.4 404 not found n/a n/a 2
NIST_SP_800-53_R5.1.1 CA.7 NIST_SP_800-53_R5.1.1_CA.7 NIST SP 800-53 R5.1.1 CA.7 Assessment, Authorization and Monitoring Control Continuous Monitoring Shared Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms “continuous” and “ongoing” imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions. Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, and SI-4. 17
NIST_SP_800-53_R5.1.1 CM.4.2 NIST_SP_800-53_R5.1.1_CM.4.2 NIST SP 800-53 R5.1.1 CM.4.2 Configuration Management Control Impact Analyses | Verification of Controls Shared After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system. Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls. 1
NIST_SP_800-53_R5.1.1 CM.6.1 NIST_SP_800-53_R5.1.1_CM.6.1 NIST SP 800-53 R5.1.1 CM.6.1 Configuration Management Control Configuration Settings | Automated Management, Application, and Verification Shared Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms]. Automated tools (e.g., hardening tools, baseline configuration tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization. 3
NIST_SP_800-53_R5.1.1 SA.4.8 NIST_SP_800-53_R5.1.1_SA.4.8 NIST SP 800-53 R5.1.1 SA.4.8 System and Services Acquisition Control Acquisition Process | Continuous Monitoring Plan for Controls Shared Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization. The objective of continuous monitoring plans is to determine if the planned, required, and deployed controls within the system, system component, or system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into continuous monitoring programs implemented by organizations. Continuous monitoring plans can include the types of control assessment and monitoring activities planned, frequency of control monitoring, and actions to be taken when controls fail or become ineffective. 1
NZISM_v3.7 14.2.4.C.01. NZISM_v3.7_14.2.4.C.01. NZISM v3.7 14.2.4.C.01. Application Allow listing 14.2.4.C.01. - mitigate security risks, and ensure compliance with security policies and standards. Shared n/a Agencies SHOULD implement application allow listing as part of the SOE for workstations, servers and any other network device. 25
NZISM_v3.7 16.3.5.C.01. NZISM_v3.7_16.3.5.C.01. NZISM v3.7 16.3.5.C.01. Privileged User Access 16.3.5.C.01. - enhance overall security posture. Shared n/a Agencies MUST: 1. ensure strong change management practices are implemented; 2. ensure that the use of privileged accounts is controlled and accountable; 3. ensure that system administrators are assigned, and consistently use, an individual account for the performance of their administration tasks; 4. keep privileged accounts to a minimum; and 5. allow the use of privileged accounts for administrative work only. 5
NZISM_v3.7 16.3.5.C.02. NZISM_v3.7_16.3.5.C.02. NZISM v3.7 16.3.5.C.02. Privileged User Access 16.3.5.C.02. - enhance overall security posture. Shared n/a Agencies SHOULD: 1. ensure strong change management practices are implemented; 2. ensure that the use of privileged accounts is controlled and accountable; 3. ensure that system administrators are assigned an individual account for the performance of their administration tasks; 4. keep privileged accounts to a minimum; and 5. allow the use of privileged accounts for administrative work only. 5
NZISM_v3.7 18.4.10.C.01. NZISM_v3.7_18.4.10.C.01. NZISM v3.7 18.4.10.C.01. Intrusion Detection and Prevention 18.4.10.C.01. - ensure user awareness of the policies, and handling outbreaks according to established procedures. Shared n/a Agencies MUST: 1. develop and maintain a set of policies and procedures covering how to: a. minimise the likelihood of malicious code being introduced into a system; b. prevent all unauthorised code from executing on an agency network; c. detect any malicious code installed on a system; d. make their system users aware of the agency's policies and procedures; and e. ensure that all instances of detected malicious code outbreaks are handled according to established procedures. 16
NZISM_v3.7 19.1.22.C.02. NZISM_v3.7_19.1.22.C.02. NZISM v3.7 19.1.22.C.02. Gateways 19.1.22.C.02. - ensure transparency, accountability, and adherence to established procedures for maintaining network security and integrity. Shared n/a Agencies MUST document any changes to gateways in accordance with the agency's Change Management Policy. 5
NZISM_v3.7 3.3.6.C.05. NZISM_v3.7_3.3.6.C.05. NZISM v3.7 3.3.6.C.05. Information Technology Security Managers 3.3.6.C.05. - enhance the integrity and security of agency IT operations. Shared n/a ITSMs SHOULD be included in the agency's change management and change control processes to ensure that risks are properly identified and controls are properly applied to manage those risks. 5
NZISM_v3.7 6.1.9.C.01. NZISM_v3.7_6.1.9.C.01. NZISM v3.7 6.1.9.C.01. Information Security Reviews 6.1.9.C.01. - ensure alignment with the vulnerability disclosure policy, and implement adjustments and changes consistent with the findings of vulnerability analysis. Shared n/a Agencies SHOULD review the components detailed below. Agencies SHOULD also ensure that any adjustments and changes as a result of any vulnerability analysis are consistent with the vulnerability disclosure policy. 1. Information security documentation - The SecPol, Systems Architecture, SRMPs, SSPs, SitePlan, SOPs, the VDP, the IRP, and any third party assurance reports. 2. Dispensations - Prior to the identified expiry date. 3. Operating environment - When an identified threat emerges or changes, an agency gains or loses a function or the operation of functions are moved to a new physical environment. 4. Procedures - After an information security incident or test exercise. 5. System security - Items that could affect the security of the system on a regular basis. 6. Threats - Changes in threat environment and risk profile. 7. NZISM - Changes to baseline or other controls, any new controls and guidance. 16
NZISM_v3.7 6.3.6.C.01. NZISM_v3.7_6.3.6.C.01. NZISM v3.7 6.3.6.C.01. Change Management 6.3.6.C.01. - maintain the integrity and security of systems. Shared n/a Agencies MUST ensure that for routine and urgent changes: 1. the change management process, as defined in the relevant information security documentation, is followed; 2. the proposed change is approved by the relevant authority; 3. any proposed change that could impact the security or accreditation status of a system is submitted to the Accreditation Authority for approval; and 4. all associated information security documentation is updated to reflect the change. 5
NZISM_v3.7 6.3.6.C.02. NZISM_v3.7_6.3.6.C.02. NZISM v3.7 6.3.6.C.02. Change Management 6.3.6.C.02. - maintain operational integrity and security posture. Shared n/a Agencies SHOULD ensure that for routine and urgent changes: 1. the change management process, as defined in the relevant information security documentation, is followed; 2. the proposed change is approved by the relevant authority; 3. any proposed change that could impact the security of a system or accreditation status is submitted to the Accreditation Authority for approval; and 4. all associated information security documentation is updated to reflect the change. 5
op.exp.6 Protection against harmful code op.exp.6 Protection against harmful code 404 not found n/a n/a 61
op.pl.1 Risk analysis op.pl.1 Risk analysis 404 not found n/a n/a 70
PCI_DSS_v4.0.1 12.4.1 PCI_DSS_v4.0.1_12.4.1 PCI DSS v4.0.1 12.4.1 Support Information Security with Organizational Policies and Programs Executive Management Responsibility for PCI DSS Shared n/a Additional requirement for service providers only: Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program to include: • Overall accountability for maintaining PCI DSS compliance. • Defining a charter for a PCI DSS compliance program and communication to executive management. 17
PCI_DSS_v4.0.1 6.5.2 PCI_DSS_v4.0.1_6.5.2 PCI DSS v4.0.1 6.5.2 Develop and Maintain Secure Systems and Software Upon completion of a significant change, all applicable PCI DSS requirements are confirmed to be in place on all new or changed systems and networks, and documentation is updated as applicable Shared n/a Examine documentation for significant changes, interview personnel, and observe the affected systems/networks to verify that the entity confirmed applicable PCI DSS requirements were in place on all new or changed systems and networks and that documentation was updated as applicable 1
Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes Oxley Act 2022 1 PUBLIC LAW Sarbanes Oxley Act 2022 (SOX) Shared n/a n/a 92
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication Facilitate effective internal communication. Shared n/a The entity communicates with external parties regarding matters affecting the functioning of internal control. 218
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities Maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 229
SOC_2023 CC6.1 SOC_2023_CC6.1 SOC 2023 CC6.1 Logical and Physical Access Controls Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. Shared n/a Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. 128
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 213
SOC_2023 CC8.1 SOC_2023_CC8.1 SOC 2023 CC8.1 Change Management Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. Shared n/a The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. 147
SOC_2023 CC9.2 SOC_2023_CC9.2 SOC 2023 CC9.2 Risk Mitigation Ensure effective risk management throughout the supply chain and business ecosystem. Shared n/a Entity assesses and manages risks associated with vendors and business partners. 43
SWIFT_CSCF_2024 2.1 SWIFT_CSCF_2024_2.1 SWIFT Customer Security Controls Framework 2024 2.1 Risk Management Internal Data Flow Security Shared The protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit. To ensure the confidentiality, integrity, and authenticity of application data flows between user's Swift-related components. 48
SWIFT_CSCF_2024 2.3 SWIFT_CSCF_2024_2.3 SWIFT Customer Security Controls Framework 2024 2.3 Risk Management System Hardening Shared 1. System hardening applies the security concept of “least privilege” to a system by disabling features and services that are not required for normal system operations. 2. This process reduces the system capabilities, features, and protocols that a malicious person may use during an attack. To reduce the cyber-attack surface of Swift-related components by performing system hardening. 3
SWIFT_CSCF_2024 8.1 SWIFT_CSCF_2024_8.1 404 not found n/a n/a 17
SWIFT_CSCF_2024 9.2 SWIFT_CSCF_2024_9.2 404 not found n/a n/a 15
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
APRA CPS 234 2019 f03d9540-4405-4365-8272-318999d1b37a Regulatory Compliance GA BuiltIn unknown
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
FFIEC CAT 2017 1d5dbdd5-6f93-43ce-a939-b19df3753cf7 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27001 2022 5e4ff661-23bf-42fa-8e3a-309a55091cc7 Regulatory Compliance GA BuiltIn unknown
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST CSF v2.0 184a0e05-7b06-4a68-bbbe-13b8353bc613 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
Sarbanes Oxley Act 2022 5757cf73-35d1-46d4-8c78-17b7ddd6076a Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn unknown
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-11-04 17:41:52 add 1f90fc71-a595-4066-8974-d4d0802e8ef0
JSON
api-version=2021-06-01