compliance controls are associated with this Policy definition 'VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users' (21a6bc25-125e-4d13-b82d-2e19b7208ab7)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
Azure_Security_Benchmark_v3.0 |
IM-1 |
Azure_Security_Benchmark_v3.0_IM-1 |
Microsoft cloud security benchmark IM-1 |
Identity Management |
Use centralized identity and authentication system |
Shared |
**Security Principle:**
Use a centralized identity and authentication system to govern your organization's identities and authentications for cloud and non-cloud resources.
**Azure Guidance:**
Microsoft Entra ID is Azure's identity and authentication management service. You should standardize on Microsoft Entra ID to govern your organization's identity and authentication in:
- Microsoft cloud resources, such as the Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.
- Your organization's resources, such as applications on Azure, third-party applications running on your corporate network resources, and third-party SaaS applications.
- Your enterprise identities in Active Directory by synchronization to Microsoft Entra ID to ensure a consistent and centrally managed identity strategy.
Note: As soon as it is technically feasible, you should migrate on-premises Active Directory based applications to Microsoft Entra ID. This could be a Microsoft Entra Enterprise Directory, Business to Business configuration, or Business to consumer configuration.
**Implementation and additional context:**
Tenancy in Microsoft Entra ID:
https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps
How to create and configure a Microsoft Entra instance:
https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant
Define Microsoft Entra ID tenants:
https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/
Use external identity providers for an application:
https://docs.microsoft.com/azure/active-directory/b2b/identity-providers
|
n/a |
link |
15 |
Canada_Federal_PBMM_3-1-2020 |
AC_14 |
Canada_Federal_PBMM_3-1-2020_AC_14 |
Canada Federal PBMM 3-1-2020 AC 14 |
Permitted Actions Without Identification or Authentication |
Permitted Actions without Identification or Authentication |
Shared |
1. The organization identifies user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions.
2. The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication. |
To ensure transparency and accountability in the system's security measures. |
|
19 |
Canada_Federal_PBMM_3-1-2020 |
AC_3 |
Canada_Federal_PBMM_3-1-2020_AC_3 |
Canada Federal PBMM 3-1-2020 AC 3 |
Access Enforcement |
Access Enforcement |
Shared |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
To mitigate the risk of unauthorized access. |
|
33 |
Canada_Federal_PBMM_3-1-2020 |
CM_8 |
Canada_Federal_PBMM_3-1-2020_CM_8 |
Canada Federal PBMM 3-1-2020 CM 8 |
Information System Component Inventory |
Information System Component Inventory |
Shared |
1. The organization develops and documents an inventory of information system components that accurately reflects the current information system.
2. The organization develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system.
3. The organization develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.
4. The organization develops and documents an inventory of information system components that includes unique asset identifier, NetBIOS name, baseline configuration name, OS Name, OS Version, system owner information.
5. The organization reviews and updates the information system component inventory at least monthly. |
To enable efficient decision-making and risk mitigation strategies. |
|
12 |
Canada_Federal_PBMM_3-1-2020 |
CM_8(1) |
Canada_Federal_PBMM_3-1-2020_CM_8(1) |
Canada Federal PBMM 3-1-2020 CM 8(1) |
Information System Component Inventory |
Information System Component Inventory | Updates During Installations / Removals |
Shared |
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. |
To facilitate accurate asset management and effective security control implementation. |
|
9 |
Canada_Federal_PBMM_3-1-2020 |
CM_8(2) |
Canada_Federal_PBMM_3-1-2020_CM_8(2) |
Canada Federal PBMM 3-1-2020 CM 8(2) |
Information System Component Inventory |
Information System Component Inventory | Automated Maintenance |
Shared |
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components. |
To facilitate accurate asset management and effective security control implementation. |
|
9 |
Canada_Federal_PBMM_3-1-2020 |
IA_1 |
Canada_Federal_PBMM_3-1-2020_IA_1 |
Canada Federal PBMM 3-1-2020 IA 1 |
Identification and Authentication Policy and Procedures |
Identification and Authentication Policy and Procedures |
Shared |
1. The organization Develops, documents, and disseminates to all personnel:
a. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
2. The organization Reviews and updates the current:
a. Identification and authentication policy at least every 3 years; and
b. Identification and authentication procedures at least annually. |
To ensure secure access control and compliance with established standards. |
|
19 |
Canada_Federal_PBMM_3-1-2020 |
IA_2 |
Canada_Federal_PBMM_3-1-2020_IA_2 |
Canada Federal PBMM 3-1-2020 IA 2 |
Identification and Authentication (Organizational Users) |
Identification and Authentication (Organizational Users) |
Shared |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
To prevent unauthorized access and maintain system security. |
|
19 |
Canada_Federal_PBMM_3-1-2020 |
IA_4(2) |
Canada_Federal_PBMM_3-1-2020_IA_4(2) |
Canada Federal PBMM 3-1-2020 IA 4(2) |
Identifier Management |
Identifier Management | Supervisor Authorization |
Shared |
The organization requires that the registration process to receive an individual identifier includes supervisor authorization. |
To ensure accountability and authorization by requiring supervisor approval during the registration process for individual identifiers. |
|
18 |
Canada_Federal_PBMM_3-1-2020 |
IA_4(3) |
Canada_Federal_PBMM_3-1-2020_IA_4(3) |
Canada Federal PBMM 3-1-2020 IA 4(3) |
Identifier Management |
Identifier Management | Multiple Forms of Certification |
Shared |
The organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority. |
To enhance the reliability and accuracy of individual identification. |
|
18 |
Canada_Federal_PBMM_3-1-2020 |
IA_8 |
Canada_Federal_PBMM_3-1-2020_IA_8 |
Canada Federal PBMM 3-1-2020 IA 8 |
Identification and Authentication (Non-Organizational Users) |
Identification and Authentication (Non-Organizational Users) |
Shared |
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). |
To ensure secure access and accountability. |
|
16 |
CMMC_L2_v1.9.0 |
IA.L1_3.5.1 |
CMMC_L2_v1.9.0_IA.L1_3.5.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 IA.L1 3.5.1 |
Identification and Authentication |
Identification |
Shared |
Identify information system users, processes acting on behalf of users, or devices. |
To enable effective monitoring, authentication, and access control measures to be implemented within the system. |
|
23 |
CMMC_L2_v1.9.0 |
IA.L2_3.5.3 |
CMMC_L2_v1.9.0_IA.L2_3.5.3 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 IA.L2 3.5.3 |
Identification and Authentication |
Multifactor Authentication |
Shared |
Use multifactor authentication for local and network access to privileged accounts and for network access to non privileged accounts. |
To enhance security by requiring multiple forms of verification before granting access to sensitive systems or data. |
|
1 |
CMMC_L2_v1.9.0 |
MA.L2_3.7.5 |
CMMC_L2_v1.9.0_MA.L2_3.7.5 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 MA.L2 3.7.5 |
Maintenance |
Nonlocal Maintenance |
Shared |
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. |
To mitigate the risk of unauthorized access or lingering security threats. |
|
1 |
CMMC_L2_v1.9.0 |
PE.L2_3.10.6 |
CMMC_L2_v1.9.0_PE.L2_3.10.6 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 PE.L2 3.10.6 |
Physical Protection |
Alternative Work Sites |
Shared |
Enforce safeguarding measures for CUI at alternate work sites. |
To ensure that sensitive information is protected even when employees are working remotely or at off site locations. |
|
11 |
CSA_v4.0.12 |
IAM_02 |
CSA_v4.0.12_IAM_02 |
CSA Cloud Controls Matrix v4.0.12 IAM 02 |
Identity & Access Management |
Strong Password Policy and Procedures |
Shared |
n/a |
Establish, document, approve, communicate, implement, apply, evaluate
and maintain strong password policies and procedures. Review and update the
policies and procedures at least annually. |
|
52 |
CSA_v4.0.12 |
IAM_11 |
CSA_v4.0.12_IAM_11 |
CSA Cloud Controls Matrix v4.0.12 IAM 11 |
Identity & Access Management |
CSCs Approval for Agreed Privileged Access Roles |
Shared |
n/a |
Define, implement and evaluate processes and procedures for customers
to participate, where applicable, in the granting of access for agreed, high
risk (as defined by the organizational risk assessment) privileged access roles. |
|
8 |
CSA_v4.0.12 |
IAM_13 |
CSA_v4.0.12_IAM_13 |
CSA Cloud Controls Matrix v4.0.12 IAM 13 |
Identity & Access Management |
Uniquely Identifiable Users |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures that ensure users are identifiable through unique IDs or which can
associate individuals to the usage of user IDs. |
|
49 |
CSA_v4.0.12 |
IAM_14 |
CSA_v4.0.12_IAM_14 |
CSA Cloud Controls Matrix v4.0.12 IAM 14 |
Identity & Access Management |
Strong Authentication |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures for authenticating access to systems, application and data assets,
including multifactor authentication for at least privileged user and sensitive
data access. Adopt digital certificates or alternatives which achieve an equivalent
level of security for system identities. |
|
32 |
Cyber_Essentials_v3.1 |
1 |
Cyber_Essentials_v3.1_1 |
Cyber Essentials v3.1 1 |
Cyber Essentials |
Firewalls |
Shared |
n/a |
Aim: to make sure that only secure and necessary network services can be accessed from the internet. |
|
37 |
Cyber_Essentials_v3.1 |
4 |
Cyber_Essentials_v3.1_4 |
Cyber Essentials v3.1 4 |
Cyber Essentials |
User Access Control |
Shared |
n/a |
Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role. |
|
74 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
194 |
EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
311 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.5 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 |
Policy and Implementation - Access Control |
Access Control |
Shared |
Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. |
Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. |
|
97 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.6 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.6 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.6 |
Policy and Implementation - Identification And Authentication |
Identification And Authentication |
Shared |
Ensure and maintain the proper identification and authentications measures with appropriate security safeguards to avoid issues like identity theft. |
1. Identification is a unique, auditable representation of an identity within an information system usually in the form of a simple character string for each individual user, machine, software component, or any other entity.
2. Authentication refers to mechanisms or processes to verify the identity of a user, process, or device, as a prerequisite to allowing access to a system's resources. |
|
19 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.7 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 |
404 not found |
|
|
|
n/a |
n/a |
|
96 |
FFIEC_CAT_2017 |
3.1.2 |
FFIEC_CAT_2017_3.1.2 |
FFIEC CAT 2017 3.1.2 |
Cybersecurity Controls |
Access and Data Management |
Shared |
n/a |
Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.'FFIEC_Cybersecurity Control'!F8
- Employee access to systems and confidential data provides for separation of duties.
- Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger 'FFIEC_Cybersecurity Control'!F7password controls).
- User access reviews are performed periodically for all systems and applications based on the risk to the application or system.
- Changes to physical and logical user access, including those that result from voluntary and involuntary terminations, are submitted to and approved by appropriate personnel.
- Identification and authentication are required and managed for access to systems, applications, and hardware.
- Access controls include password complexity and limits to password attempts and reuse.
- All default passwords and unnecessary default accounts are changed before system implementation.
- Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk.
- Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.)
- Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems.
- All passwords are encrypted in storage and in transit.
- Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet).
- Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.)
- Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication.
- Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software.
- Customer service (e.g., the call center) utilizes formal procedures to authenticate customers commensurate with the risk of the transaction or request.
- Data is disposed of or destroyed according to documented requirements and within expected time frames. |
|
59 |
HITRUST_CSF_v11.3 |
01.i |
HITRUST_CSF_v11.3_01.i |
HITRUST CSF v11.3 01.i |
Network Access Control |
To implement role based access to internal and external network services. |
Shared |
1. It is to be determined who is allowed access to which network and what networked services.
2. The networks and network services to which users have authorized access is to be specified. |
Users shall only be provided with access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied for users and equipment. |
|
11 |
HITRUST_CSF_v11.3 |
01.j |
HITRUST_CSF_v11.3_01.j |
HITRUST CSF v11.3 01.j |
Network Access Control |
To prevent unauthorized access to networked services. |
Shared |
1.External access to systems to be strictly regulated and tightly controlled.
2. External access to sensitive systems to be automatically deactivated immediately after use.
3. Authentication of remote users to be done by using cryptography, biometrics, hardware tokens, software token, a challenge/response protocol, or, certificate agents.
4. Dial-up connections to be encrypted. |
Appropriate authentication methods shall be used to control access by remote users. |
|
16 |
HITRUST_CSF_v11.3 |
01.q |
HITRUST_CSF_v11.3_01.q |
HITRUST CSF v11.3 01.q |
Operating System Access Control |
To prevent unauthorized access to operating systems and implement authentication technique to verify user. |
Shared |
1. Each user ID in the information system to be assigned to a specific named individual to ensure accountability.
2. Multi-factor authentication to be implemented for network and local access to privileged accounts.
3. Users to be uniquely identified and authenticated for local access and remote access.
4. Biometric-based electronic signatures and multifactor authentication to be implemented to ensure exclusive ownership validation and enhanced security for both remote and local network access to privileged and non-privileged accounts. |
All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user. |
|
30 |
ISO_IEC_27002_2022 |
6.7 |
ISO_IEC_27002_2022_6.7 |
ISO IEC 27002 2022 6.7 |
Protection,
Preventive, Control |
Remote working |
Shared |
Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.
|
To ensure the security of information when personnel are working remotely. |
|
11 |
ISO_IEC_27002_2022 |
8.9 |
ISO_IEC_27002_2022_8.9 |
ISO IEC 27002 2022 8.9 |
Protection,
Preventive Control |
Configuration management |
Shared |
Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.
|
To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes. |
|
21 |
ISO_IEC_27017_2015 |
9.2.3 |
ISO_IEC_27017_2015_9.2.3 |
ISO IEC 27017 2015 9.2.3 |
Access Control |
Management of privileged access rights |
Shared |
For Cloud Service Customer:
The cloud service customer should use sufficient authentication techniques (e.g., multi-factor authentication) for authenticating the cloud service administrators of the cloud service customer to the administrative capabilities of a cloud service according to the identified risks.
For Cloud Service Provider:
The cloud service provider should provide sufficient authentication techniques for authenticating the cloud service administrators of the cloud service customer to the administrative capabilities of a cloud service, according to the identified risks. For example, the cloud service provider can provide multi-factor authentication capabilities or enable the use of third-party multi-factor authentication mechanisms. |
To ensure only authorized users, software components and services are provided with privileged access rights. |
|
1 |
NIST_SP_800-171_R3_3 |
.1.12 |
NIST_SP_800-171_R3_3.1.12 |
NIST 800-171 R3 3.1.12 |
Access Control |
Remote Access |
Shared |
Remote access to the system represents a significant potential vulnerability that can be exploited by adversaries. Monitoring and controlling remote access methods allows organizations to detect attacks and ensure compliance with remote access policies. This occurs by auditing the connection activities of remote users on the systems. Routing remote access through manaccess control points enhances explicit control over such connections and reduces susceptibility to unauthorized access to the system, which could result in the unauthorized disclosure of CUI. Restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and its susceptibility to threats by adversaries. A privileged command is a human-initiated command executed on a system that involves the control, monitoring, or administration of the system, including security functions and security-relevant information. Security-relevant information is information that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling access from remote locations helps to ensure that unauthorized individuals are unable to execute such commands with the potential to do serious or catastrophic damage to the system. |
a. Establish usage restrictions, configuration requirements, and connection requirements for each type of allowable remote system access.
b. Authorize each type of remote system access prior to establishing such connections.
c. Route remote access to the system through authorized and managed access control points.
d. Authorize remote execution of privileged commands and remote access to security-relevant information. |
|
15 |
NIST_SP_800-171_R3_3 |
.1.5 |
NIST_SP_800-171_R3_3.1.5 |
NIST 800-171 R3 3.1.5 |
Access Control |
Least Privilege |
Shared |
Organizations employ the principle of least privilege for specific duties and authorized access for users and system processes. Least privilege is applied to the development, implementation, and operation of the system. Organizations consider creating additional processes, roles, and system accounts to achieve least privilege. Security functions include establishing system accounts and assigning privileges, installing software, configuring access authorizations, configuring settings for events to be audited, establishing vulnerability scanning parameters, and establishing intrusion detection parameters. Security-relevant information includes threat and vulnerability information, filtering rules for routers or firewalls, configuration parameters for security services, security architecture, cryptographic key management information, and access control lists. |
a. Allow only authorized system access for users (or processes acting on behalf of users) that is necessary to accomplish assigned organizational tasks.
b. Authorize access to [Assignment: organization-defined security functions and security-relevant information].
c. Review the privileges assigned to roles or classes of users periodically to validate the need for such privileges.
d. Reassign or remove privileges, as necessary. |
|
24 |
NIST_SP_800-171_R3_3 |
.5.1 |
NIST_SP_800-171_R3_3.5.1 |
404 not found |
|
|
|
n/a |
n/a |
|
10 |
NIST_SP_800-171_R3_3 |
.5.3 |
NIST_SP_800-171_R3_3.5.3 |
404 not found |
|
|
|
n/a |
n/a |
|
1 |
NIST_SP_800-171_R3_3 |
.5.5 |
NIST_SP_800-171_R3_3.5.5 |
404 not found |
|
|
|
n/a |
n/a |
|
43 |
NIST_SP_800-53_R5.1.1 |
AC.17 |
NIST_SP_800-53_R5.1.1_AC.17 |
NIST SP 800-53 R5.1.1 AC.17 |
Access Control |
Remote Access |
Shared |
a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorize each type of remote access to the system prior to allowing such connections. |
Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3. Enforcing access restrictions for remote access is addressed via AC-3. |
|
11 |
NIST_SP_800-53_R5.1.1 |
IA.2 |
NIST_SP_800-53_R5.1.1_IA.2 |
NIST SP 800-53 R5.1.1 IA.2 |
Identification and Authentication Control |
Identification and Authentication (organizational Users) |
Shared |
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12]. Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.
Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.
The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8. |
|
8 |
NIST_SP_800-53_R5.1.1 |
IA.2.1 |
NIST_SP_800-53_R5.1.1_IA.2.1 |
NIST SP 800-53 R5.1.1 IA.2.1 |
Identification and Authentication Control |
Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts |
Shared |
Implement multi-factor authentication for access to privileged accounts. |
Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card. In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access. |
|
1 |
NIST_SP_800-53_R5.1.1 |
IA.2.2 |
NIST_SP_800-53_R5.1.1_IA.2.2 |
NIST SP 800-53 R5.1.1 IA.2.2 |
Identification and Authentication Control |
Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts |
Shared |
Implement multi-factor authentication for access to non-privileged accounts. |
Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access. |
|
1 |
NL_BIO_Cloud_Theme |
U.07.3(2) |
NL_BIO_Cloud_Theme_U.07.3(2) |
NL_BIO_Cloud_Theme_U.07.3(2) |
U.07 Data separation |
Management features |
|
n/a |
Isolation of CSC data is ensured by separating it at least logically from the data of other CSCs under all operating conditions. |
|
19 |
NL_BIO_Cloud_Theme |
U.10.2(2) |
NL_BIO_Cloud_Theme_U.10.2(2) |
NL_BIO_Cloud_Theme_U.10.2(2) |
U.10 Access to IT services and data |
Users |
|
n/a |
Under the responsibility of the CSP, administrators shall be granted access: to data with the least privilege principle; to data with the need-to-know principle; with multi-factor authentication; to data and application functions via technical measures. |
|
22 |
NL_BIO_Cloud_Theme |
U.10.3(2) |
NL_BIO_Cloud_Theme_U.10.3(2) |
NL_BIO_Cloud_Theme_U.10.3(2) |
U.10 Access to IT services and data |
Users |
|
n/a |
Only users with authenticated equipment can access IT services and data. |
|
29 |
NL_BIO_Cloud_Theme |
U.10.5(2) |
NL_BIO_Cloud_Theme_U.10.5(2) |
NL_BIO_Cloud_Theme_U.10.5(2) |
U.10 Access to IT services and data |
Competent |
|
n/a |
Under the responsibility of the CSP, privileges (system authorisations) for users are granted through formal procedures. |
|
22 |
NZISM_v3.7 |
16.5.10.C.01. |
NZISM_v3.7_16.5.10.C.01. |
NZISM v3.7 16.5.10.C.01. |
Remote Access |
16.5.10.C.01. - To enhance security and reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies MUST authenticate each remote connection and user prior to permitting access to an agency system. |
|
11 |
NZISM_v3.7 |
16.5.10.C.02. |
NZISM_v3.7_16.5.10.C.02. |
NZISM v3.7 16.5.10.C.02. |
Remote Access |
16.5.10.C.02. - To enhance security and reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies SHOULD authenticate both the remote system user and device during the authentication process. |
|
21 |
NZISM_v3.7 |
16.5.11.C.01. |
NZISM_v3.7_16.5.11.C.01. |
NZISM v3.7 16.5.11.C.01. |
Remote Access |
16.5.11.C.01. - To enhance security and reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies MUST NOT allow the use of remote privileged access from an untrusted domain, including logging in as an unprivileged system user and then escalating privileges. |
|
11 |
NZISM_v3.7 |
16.5.11.C.02. |
NZISM_v3.7_16.5.11.C.02. |
NZISM v3.7 16.5.11.C.02. |
Remote Access |
16.5.11.C.02. - To enhance security and reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies SHOULD NOT allow the use of remote privileged access from an untrusted domain, including logging in as an unprivileged system user and then escalating privileges. |
|
11 |
NZISM_v3.7 |
16.5.12.C.01. |
NZISM_v3.7_16.5.12.C.01. |
NZISM v3.7 16.5.12.C.01. |
Remote Access |
16.5.12.C.01. - To enhance security and reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies SHOULD establish VPN connections for all remote access connections. |
|
11 |
NZISM_v3.7 |
17.8.10.C.01. |
NZISM_v3.7_17.8.10.C.01. |
NZISM v3.7 17.8.10.C.01. |
Internet Protocol Security (IPSec) |
17.8.10.C.01. - To enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies SHOULD use tunnel mode for IPSec connections. |
|
22 |
NZISM_v3.7 |
17.8.10.C.02. |
NZISM_v3.7_17.8.10.C.02. |
NZISM v3.7 17.8.10.C.02. |
Internet Protocol Security (IPSec) |
17.8.10.C.02. - To enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies choosing to use transport mode SHOULD additionally use an IP tunnel for IPSec connections. |
|
35 |
NZISM_v3.7 |
19.1.20.C.01. |
NZISM_v3.7_19.1.20.C.01. |
NZISM v3.7 19.1.20.C.01. |
Gateways |
19.1.20.C.01. - To reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies MUST authenticate system users to all classified networks accessed through gateways. |
|
24 |
NZISM_v3.7 |
19.1.20.C.02. |
NZISM_v3.7_19.1.20.C.02. |
NZISM v3.7 19.1.20.C.02. |
Gateways |
19.1.20.C.02. - To reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies MUST ensure that only authenticated and authorised system users can use the gateway. |
|
15 |
NZISM_v3.7 |
19.1.20.C.03. |
NZISM_v3.7_19.1.20.C.03. |
NZISM v3.7 19.1.20.C.03. |
Gateways |
19.1.20.C.03. - To reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies SHOULD use multi-factor authentication for access to networks and gateways. |
|
9 |
PCI_DSS_v4.0.1 |
1.2.1 |
PCI_DSS_v4.0.1_1.2.1 |
PCI DSS v4.0.1 1.2.1 |
Install and Maintain Network Security Controls |
Configuration standards for NSC rulesets are defined, implemented, and maintained |
Shared |
n/a |
Examine the configuration standards for NSC rulesets to verify the standards are in accordance with all elements specified in this requirement. Examine configuration settings for NSC rulesets to verify that rulesets are implemented according to the configuration standards |
|
11 |
PCI_DSS_v4.0.1 |
1.2.7 |
PCI_DSS_v4.0.1_1.2.7 |
PCI DSS v4.0.1 1.2.7 |
Install and Maintain Network Security Controls |
Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective |
Shared |
n/a |
Examine documentation to verify procedures are defined for reviewing configurations of NSCs at least once every six months. Examine documentation of reviews of configurations for NSCs and interview responsible personnel to verify that reviews occur at least once every six months. Examine configurations for NSCs to verify that configurations identified as no longer being supported by a business justification are removed or updated |
|
11 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes Oxley Act 2022 1 |
PUBLIC LAW |
Sarbanes Oxley Act 2022 (SOX) |
Shared |
n/a |
n/a |
|
92 |
SOC_2023 |
C1.1 |
SOC_2023_C1.1 |
SOC 2023 C1.1 |
Additional Criteria for Confidentiality |
To preserve trust, compliance, and competitive advantage. |
Shared |
n/a |
The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality. |
|
11 |
SOC_2023 |
CC1.3 |
SOC_2023_CC1.3 |
SOC 2023 CC1.3 |
Control Environment |
To enable effective execution of authorities, information flow, and setup of appropriate responsibilities to achieve organizational objectives. |
Shared |
n/a |
1. Ensure the management establishes, with board oversight, structures including operating units, legal entities, geographic distribution and outsourced service providers.
2. Design and evaluate reporting lines for each entity to enable execution of authorities, execution and flow of information and setup appropriate authorities and responsibilities in the pursuit of objectives. |
|
13 |
SOC_2023 |
CC2.2 |
SOC_2023_CC2.2 |
SOC 2023 CC2.2 |
Information and Communication |
To facilitate effective internal communication, including objectives and responsibilities for internal control. |
Shared |
n/a |
Entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control by setting up a process to communicate required information to enable personnel to understand and carry out responsibilities, ensure communication exists between management and board of directors, provides for separate communication channels which serve as fail-safe mechanism to enable anonymous or confidential communication and setting up relevant methods of communication by considering the timing, audience and nature information |
|
28 |
SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
To facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
219 |
SOC_2023 |
CC5.2 |
SOC_2023_CC5.2 |
SOC 2023 CC5.2 |
Control Activities |
To mitigate technology-related risks and ensure that technology effectively supports the organization in achieving its objectives, enhancing efficiency, reliability, and security in its operations. |
Shared |
n/a |
Entity also selects and develops general control activities over technology to support the achievement of objectives by determining Dependency Between the Use of Technology in Business Processes and Technology General Controls, establishing Relevant Technology Infrastructure Control Activities, establishing Relevant Security Management Process Controls Activities, establishing Relevant Technology Acquisition and Development, and Maintenance of Process Control Activities. |
|
15 |
SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
To maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
230 |
SOC_2023 |
CC6.1 |
SOC_2023_CC6.1 |
SOC 2023 CC6.1 |
Logical and Physical Access Controls |
To mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. |
Shared |
n/a |
Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. |
|
129 |
SOC_2023 |
CC7.1 |
SOC_2023_CC7.1 |
SOC 2023 CC7.1 |
Systems Operations |
To maintain a proactive approach to cybersecurity and mitigate risks effectively. |
Shared |
n/a |
To meet its objectives, the entity uses detection and monitoring procedures to identify changes to configurations that result in the introduction of new vulnerabilities, and susceptibilities to newly discovered vulnerabilities. |
|
11 |
SOC_2023 |
CC7.2 |
SOC_2023_CC7.2 |
SOC 2023 CC7.2 |
Systems Operations |
To maintain robust security measures and ensure operational resilience. |
Shared |
n/a |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. |
|
168 |
SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
214 |
SOC_2023 |
CC7.5 |
SOC_2023_CC7.5 |
SOC 2023 CC7.5 |
Systems Operations |
To ensure prompt restoration of normal operations, mitigation of residual risks, and enhancement of incident response capabilities to minimize the impact of future incidents. |
Shared |
n/a |
The entity identifies, develops, and implements activities to recover from identified security incidents. |
|
12 |
SOC_2023 |
CC8.1 |
SOC_2023_CC8.1 |
SOC 2023 CC8.1 |
Change Management |
To minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. |
Shared |
n/a |
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. |
|
148 |
SOC_2023 |
CC9.2 |
SOC_2023_CC9.2 |
SOC 2023 CC9.2 |
Risk Mitigation |
To ensure effective risk management throughout the supply chain and business ecosystem. |
Shared |
n/a |
Entity assesses and manages risks associated with vendors and business partners. |
|
43 |
SOC_2023 |
PI1.3 |
SOC_2023_PI1.3 |
SOC 2023 PI1.3 |
Additional Criteria for Processing Integrity (Over the provision of services or the production, manufacturing, or distribution of goods) |
To enhance efficiency, accuracy, and compliance with organizational standards and regulatory requirements with regards to system processing to result in products, services, and reporting to meet the entity’s objectives. |
Shared |
n/a |
The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives. |
|
50 |
SWIFT_CSCF_2024 |
4.2 |
SWIFT_CSCF_2024_4.2 |
SWIFT Customer Security Controls Framework 2024 4.2 |
Access Control |
Multi-Factor Authentication |
Shared |
1. Multi-factor authentication requires the presentation of two or more of the following common authentication factors:
(A). Knowledge factor: something the operator knows (for example, a password)
(B). Possession factor: something the operator has (for example, connected USB tokens or smart cards, or disconnected tokens such as a (time based) one-time password- (T)OTP- generator or application storing a cryptographic private key that runs on another device like operator’s mobile phone considered as a software token, RSA token, 3-Skey Digital and its mobile version considered as a software token, or Digipass)
(C). Inherence factor: something the operator is (for example, biometrics such as fingerprints, retina scans, or voice recognition) Implementing multi-factor authentication provides an additional layer of protection against common authentication attacks (for example, shoulder surfing, password re-use, or weak passwords) and provides further protection from account compromises for malicious transaction processing. Attackers often use the privileges of a compromised
account to move laterally within an environment and to progress an attack. |
To prevent that a compromise of a single authentication factor allows access into Swift-related systems or applications by implementing multi-factor authentication. |
|
11 |
|
U.07.3 - Management features |
U.07.3 - Management features |
404 not found |
|
|
|
n/a |
n/a |
|
19 |
|
U.10.2 - Users |
U.10.2 - Users |
404 not found |
|
|
|
n/a |
n/a |
|
22 |
|
U.10.3 - Users |
U.10.3 - Users |
404 not found |
|
|
|
n/a |
n/a |
|
23 |
|
U.10.5 - Competent |
U.10.5 - Competent |
404 not found |
|
|
|
n/a |
n/a |
|
21 |
UK_NCSC_CAF_v3.2 |
B2.a |
UK_NCSC_CAF_v3.2_B2.a |
NCSC Cyber Assurance Framework (CAF) v3.2 B2.a |
Identity and Access Control |
Identity Verification, Authentication and Authorisation |
Shared |
1. The process of initial identity verification is robust enough to provide a high level of confidence of a user’s identity profile before allowing an authorised user access to networks and information systems that support the essential function.
2. Only authorised and individually authenticated users can physically access and logically connect to the networks or information systems on which that essential function depends.
3. The number of authorised users and systems that have access to all the networks and information systems supporting the essential function is limited to the minimum necessary.
4. Use additional authentication mechanisms, such as multi-factor (MFA), for privileged access to all systems that operate or support the essential function.
5. Use additional authentication mechanisms, such as multi-factor (MFA), when there is individual authentication and authorisation of all remote user access to all the networks and information systems that support the essential function.
6. The list of users and systems with access to networks and systems supporting and delivering the essential functions reviewed on a regular basis, at least every six months. |
The organisation understands, documents and manages access to networks and information systems supporting the operation of essential functions. Users (or automated functions) that can access data or systems are appropriately verified, authenticated and authorised. Robustly verify, authenticate and authorise access to the networks and information systems supporting the essential function. |
|
32 |