| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| CIS_Azure_1.1.0 | 3.1 | CIS_Azure_1.1.0_3.1 | CIS Microsoft Azure Foundations Benchmark recommendation 3.1 | 3 Storage Accounts | Ensure that 'Secure transfer required' is set to 'Enabled' | Shared | The customer is responsible for implementing this recommendation. | Enable data encryption in transit. | link | 4 |
| CIS_Azure_1.1.0 | 3.5 | CIS_Azure_1.1.0_3.5 | CIS Microsoft Azure Foundations Benchmark recommendation 3.5 | 3 Storage Accounts | Ensure that shared access signature tokens are allowed only over https | Shared | The customer is responsible for implementing this recommendation. | Shared access signature tokens should be allowed only over HTTPS protocol. | link | 3 |
| CIS_Azure_1.1.0 | 4.11 | CIS_Azure_1.1.0_4.11 | CIS Microsoft Azure Foundations Benchmark recommendation 4.11 | 4 Database Services | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Shared | The customer is responsible for implementing this recommendation. | Enable 'SSL connection' on 'MYSQL' Servers. | link | 4 |
| CIS_Azure_1.1.0 | 4.13 | CIS_Azure_1.1.0_4.13 | CIS Microsoft Azure Foundations Benchmark recommendation 4.13 | 4 Database Services | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Shared | The customer is responsible for implementing this recommendation. | Enable 'SSL connection' on 'PostgreSQL' Servers. | link | 4 |
| CIS_Azure_1.1.0 | 9.2 | CIS_Azure_1.1.0_9.2 | CIS Microsoft Azure Foundations Benchmark recommendation 9.2 | 9 AppService | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Shared | The customer is responsible for implementing this recommendation. | Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default.<br>Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. | link | 4 |
| CIS_Azure_1.1.0 | 9.3 | CIS_Azure_1.1.0_9.3 | CIS Microsoft Azure Foundations Benchmark recommendation 9.3 | 9 AppService | Ensure web app is using the latest version of TLS encryption | Shared | The customer is responsible for implementing this recommendation. | The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. | link | 5 |
| CIS_Azure_1.3.0 | 3.1 | CIS_Azure_1.3.0_3.1 | CIS Microsoft Azure Foundations Benchmark recommendation 3.1 | 3 Storage Accounts | Ensure that 'Secure transfer required' is set to 'Enabled' | Shared | The customer is responsible for implementing this recommendation. | Enable data encryption in transit. | link | 4 |
| CIS_Azure_1.3.0 | 4.3.1 | CIS_Azure_1.3.0_4.3.1 | CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 | 4 Database Services | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Shared | The customer is responsible for implementing this recommendation. | Enable 'SSL connection' on 'PostgreSQL' Servers. | link | 4 |
| CIS_Azure_1.3.0 | 4.3.2 | CIS_Azure_1.3.0_4.3.2 | CIS Microsoft Azure Foundations Benchmark recommendation 4.3.2 | 4 Database Services | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Shared | The customer is responsible for implementing this recommendation. | Enable 'SSL connection' on 'MYSQL' Servers. | link | 4 |
| CIS_Azure_1.3.0 | 9.10 | CIS_Azure_1.3.0_9.10 | CIS Microsoft Azure Foundations Benchmark recommendation 9.10 | 9 AppService | Ensure FTP deployments are disabled | Shared | The customer is responsible for implementing this recommendation. | By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions. | link | 5 |
| CIS_Azure_1.3.0 | 9.2 | CIS_Azure_1.3.0_9.2 | CIS Microsoft Azure Foundations Benchmark recommendation 9.2 | 9 AppService | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Shared | The customer is responsible for implementing this recommendation. | Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default.<br>Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. | link | 4 |
| CIS_Azure_1.3.0 | 9.3 | CIS_Azure_1.3.0_9.3 | CIS Microsoft Azure Foundations Benchmark recommendation 9.3 | 9 AppService | Ensure web app is using the latest version of TLS encryption | Shared | The customer is responsible for implementing this recommendation. | The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. | link | 5 |
| CIS_Azure_1.4.0 | 3.1 | CIS_Azure_1.4.0_3.1 | CIS Microsoft Azure Foundations Benchmark recommendation 3.1 | 3 Storage Accounts | Ensure that 'Secure transfer required' is set to 'Enabled' | Shared | The customer is responsible for implementing this recommendation. | Enable data encryption in transit. | link | 4 |
| CIS_Azure_1.4.0 | 3.12 | CIS_Azure_1.4.0_3.12 | CIS Microsoft Azure Foundations Benchmark recommendation 3.12 | 3 Storage Accounts | Ensure the "Minimum TLS version" is set to "Version 1.2" | Shared | The customer is responsible for implementing this recommendation. | Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2. | link | 3 |
| CIS_Azure_1.4.0 | 4.3.1 | CIS_Azure_1.4.0_4.3.1 | CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 | 4 Database Services | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Shared | The customer is responsible for implementing this recommendation. | Enable 'SSL connection' on 'PostgreSQL' Servers. | link | 4 |
| CIS_Azure_1.4.0 | 4.4.1 | CIS_Azure_1.4.0_4.4.1 | CIS Microsoft Azure Foundations Benchmark recommendation 4.4.1 | 4 Database Services | Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | Shared | The customer is responsible for implementing this recommendation. | Enable 'SSL connection' on 'MYSQL' Servers. | link | 3 |
| CIS_Azure_1.4.0 | 4.4.2 | CIS_Azure_1.4.0_4.4.2 | CIS Microsoft Azure Foundations Benchmark recommendation 4.4.2 | 4 Database Services | Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | Shared | The customer is responsible for implementing this recommendation. | Ensure 'TLS version' on 'MySQL flexible' servers is set to the default value. | link | 3 |
| CIS_Azure_1.4.0 | 9.10 | CIS_Azure_1.4.0_9.10 | CIS Microsoft Azure Foundations Benchmark recommendation 9.10 | 9 AppService | Ensure FTP deployments are Disabled | Shared | The customer is responsible for implementing this recommendation. | By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions. | link | 5 |
| CIS_Azure_1.4.0 | 9.2 | CIS_Azure_1.4.0_9.2 | CIS Microsoft Azure Foundations Benchmark recommendation 9.2 | 9 AppService | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | Shared | The customer is responsible for implementing this recommendation. | Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default.<br>Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. | link | 4 |
| CIS_Azure_1.4.0 | 9.3 | CIS_Azure_1.4.0_9.3 | CIS Microsoft Azure Foundations Benchmark recommendation 9.3 | 9 AppService | Ensure Web App is using the latest version of TLS encryption | Shared | The customer is responsible for implementing this recommendation. | The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. | link | 5 |
| FedRAMP_High_R4 | SC-23 | FedRAMP_High_R4_SC-23 | FedRAMP High SC-23 | System And Communications Protection | Session Authenticity | Shared | n/a | The information system protects the authenticity of communications sessions.<br>Supplemental Guidance: This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Related controls: SC-8, SC-10, SC-11.<br>References: NIST Special Publications 800-52, 800-77, 800-95. | link | 2 |
| FedRAMP_High_R4 | SC-8(1) | FedRAMP_High_R4_SC-8(1) | FedRAMP High SC-8 (1) | System And Communications Protection | Cryptographic Or Alternate Physical Protection | Shared | n/a | The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].<br>Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. | link | 14 |
| FedRAMP_Moderate_R4 | SC-23 | FedRAMP_Moderate_R4_SC-23 | FedRAMP Moderate SC-23 | System And Communications Protection | Session Authenticity | Shared | n/a | The information system protects the authenticity of communications sessions.<br>Supplemental Guidance: This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Related controls: SC-8, SC-10, SC-11.<br>References: NIST Special Publications 800-52, 800-77, 800-95. | link | 2 |
| FedRAMP_Moderate_R4 | SC-8(1) | FedRAMP_Moderate_R4_SC-8(1) | FedRAMP Moderate SC-8 (1) | System And Communications Protection | Cryptographic Or Alternate Physical Protection | Shared | n/a | The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].<br>Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. | link | 14 |
| hipaa | 0810.01n2Organizational.5-01.n | hipaa-0810.01n2Organizational.5-01.n | 0810.01n2Organizational.5-01.n | 08 Network Protection | 0810.01n2Organizational.5-01.n 01.04 Network Access Control | Shared | n/a | Transmitted information is secured and, at a minimum, encrypted over open, public networks. | | 17 |
| hipaa | 08101.09m2Organizational.14-09.m | hipaa-08101.09m2Organizational.14-09.m | 08101.09m2Organizational.14-09.m | 08 Network Protection | 08101.09m2Organizational.14-09.m 09.06 Network Security Management | Shared | n/a | The organization uses secured and encrypted communication channels when migrating physical servers, applications, or data to virtualized servers. | | 8 |
| hipaa | 0862.09m2Organizational.8-09.m | hipaa-0862.09m2Organizational.8-09.m | 0862.09m2Organizational.8-09.m | 08 Network Protection | 0862.09m2Organizational.8-09.m 09.06 Network Security Management | Shared | n/a | The organization ensures information systems protect the confidentiality and integrity of transmitted information, including during preparation for transmission and during reception. | | 4 |
| hipaa | 0901.09s1Organizational.1-09.s | hipaa-0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s | 09 Transmission Protection | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Shared | n/a | The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. | | 31 |
| hipaa | 0903.10f1Organizational.1-10.f | hipaa-0903.10f1Organizational.1-10.f | 0903.10f1Organizational.1-10.f | 09 Transmission Protection | 0903.10f1Organizational.1-10.f 10.03 Cryptographic Controls | Shared | n/a | Encryption is used to protect covered information on mobile/removable media and across communication lines based on pre-determined criteria. | | 3 |
| hipaa | 0913.09s1Organizational.5-09.s | hipaa-0913.09s1Organizational.5-09.s | 0913.09s1Organizational.5-09.s | 09 Transmission Protection | 0913.09s1Organizational.5-09.s 09.08 Exchange of Information | Shared | n/a | Strong cryptography protocols are used to safeguard covered information during transmission over less trusted/open public networks. | | 5 |
| hipaa | 0926.09v1Organizational.2-09.v | hipaa-0926.09v1Organizational.2-09.v | 0926.09v1Organizational.2-09.v | 09 Transmission Protection | 0926.09v1Organizational.2-09.v 09.08 Exchange of Information | Shared | n/a | Approvals are obtained prior to using external public services, including instant messaging or file sharing. | | 5 |
| hipaa | 0928.09v1Organizational.45-09.v | hipaa-0928.09v1Organizational.45-09.v | 0928.09v1Organizational.45-09.v | 09 Transmission Protection | 0928.09v1Organizational.45-09.v 09.08 Exchange of Information | Shared | n/a | Stronger controls are implemented to protect certain electronic messages, and electronic messages are protected throughout the duration of their end-to-end transport path, using cryptographic mechanisms unless protected by alternative measures. | | 9 |
| hipaa | 0929.09v1Organizational.6-09.v | hipaa-0929.09v1Organizational.6-09.v | 0929.09v1Organizational.6-09.v | 09 Transmission Protection | 0929.09v1Organizational.6-09.v 09.08 Exchange of Information | Shared | n/a | The organization never sends unencrypted sensitive information by end-user messaging technologies (e.g., email, instant messaging, and chat). | | 9 |
| hipaa | 0943.09y1Organizational.1-09.y | hipaa-0943.09y1Organizational.1-09.y | 0943.09y1Organizational.1-09.y | 09 Transmission Protection | 0943.09y1Organizational.1-09.y 09.09 Electronic Commerce Services | Shared | n/a | Data involved in electronic commerce and online transactions is checked to determine if it contains covered information. | | 4 |
| hipaa | 0944.09y1Organizational.2-09.y | hipaa-0944.09y1Organizational.2-09.y | 0944.09y1Organizational.2-09.y | 09 Transmission Protection | 0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services | Shared | n/a | Security is maintained through all aspects of the transaction. | | 8 |
| hipaa | 0945.09y1Organizational.3-09.y | hipaa-0945.09y1Organizational.3-09.y | 0945.09y1Organizational.3-09.y | 09 Transmission Protection | 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services | Shared | n/a | Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL). | | 6 |
| hipaa | 0948.09y2Organizational.3-09.y | hipaa-0948.09y2Organizational.3-09.y | 0948.09y2Organizational.3-09.y | 09 Transmission Protection | 0948.09y2Organizational.3-09.y 09.09 Electronic Commerce Services | Shared | n/a | Where a trusted authority is used (e.g., for the purposes of issuing and maintaining digital signatures and/or digital certificates), security is integrated and embedded throughout the entire end-to-end certificate/signature management process. | | 6 |
| hipaa | 099.09m2Organizational.11-09.m | hipaa-099.09m2Organizational.11-09.m | 099.09m2Organizational.11-09.m | 09 Transmission Protection | 099.09m2Organizational.11-09.m 09.06 Network Security Management | Shared | n/a | The organization uses FIPS-validated cryptographic mechanisms during transmission to prevent unauthorized disclosure of information and detect changes to information unless otherwise protected by organization-defined alternative physical measures. | | 3 |
| ISO27001-2013 | A.13.1.1 | ISO27001-2013_A.13.1.1 | ISO 27001:2013 A.13.1.1 | Communications Security | Network controls | Shared | n/a | Networks shall be managed and controlled to protect information in systems and applications. | link | 40 |
| ISO27001-2013 | A.13.1.3 | ISO27001-2013_A.13.1.3 | ISO 27001:2013 A.13.1.3 | Communications Security | Segregation of networks | Shared | n/a | Groups of information services, users, and information systems shall be segregated on networks. | link | 17 |
| ISO27001-2013 | A.13.2.1 | ISO27001-2013_A.13.2.1 | ISO 27001:2013 A.13.2.1 | Communications Security | Information transfer policies and procedures | Shared | n/a | Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. | link | 32 |
| ISO27001-2013 | A.13.2.3 | ISO27001-2013_A.13.2.3 | ISO 27001:2013 A.13.2.3 | Communications Security | Electronic messaging | Shared | n/a | Information involved in electronic messaging shall be appropriately protected. | link | 10 |
| ISO27001-2013 | A.14.1.2 | ISO27001-2013_A.14.1.2 | ISO 27001:2013 A.14.1.2 | System Acquisition, Development And Maintenance | Securing application services on public networks | Shared | n/a | Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. | link | 32 |
| ISO27001-2013 | A.14.1.3 | ISO27001-2013_A.14.1.3 | ISO 27001:2013 A.14.1.3 | System Acquisition, Development And Maintenance | Protecting application services transactions | Shared | n/a | Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. | link | 29 |
| ISO27001-2013 | A.8.2.3 | ISO27001-2013_A.8.2.3 | ISO 27001:2013 A.8.2.3 | Asset Management | Handling of assets | Shared | n/a | Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | link | 26 |
| NIST_SP_800-171_R2 | 3.13.15 | NIST_SP_800-171_R2_3.13.15 | NIST SP 800-171 R2 3.13.15 | System and Communications Protection | Protect the authenticity of communications sessions. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. [SP 800-77], [SP 800-95], and [SP 800-113] provide guidance on secure communications sessions. | link | 2 |
| NIST_SP_800-171_R2 | 3.13.8 | NIST_SP_800-171_R2_3.13.8 | NIST SP 800-171 R2 3.13.8 | System and Communications Protection | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. See [NIST CRYPTO]. | link | 16 |
| NIST_SP_800-53_R4 | SC-23 | NIST_SP_800-53_R4_SC-23 | NIST SP 800-53 Rev. 4 SC-23 | System And Communications Protection | Session Authenticity | Shared | n/a | The information system protects the authenticity of communications sessions.<br>Supplemental Guidance: This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Related controls: SC-8, SC-10, SC-11.<br>References: NIST Special Publications 800-52, 800-77, 800-95. | link | 2 |
| NIST_SP_800-53_R4 | SC-8(1) | NIST_SP_800-53_R4_SC-8(1) | NIST SP 800-53 Rev. 4 SC-8 (1) | System And Communications Protection | Cryptographic Or Alternate Physical Protection | Shared | n/a | The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].<br>Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. | link | 14 |
| NIST_SP_800-53_R5 | SC-23 | NIST_SP_800-53_R5_SC-23 | NIST SP 800-53 Rev. 5 SC-23 | System and Communications Protection | Session Authenticity | Shared | n/a | Protect the authenticity of communications sessions. | link | 2 |
| NIST_SP_800-53_R5 | SC-8(1) | NIST_SP_800-53_R5_SC-8(1) | NIST SP 800-53 Rev. 5 SC-8 (1) | System and Communications Protection | Cryptographic Protection | Shared | n/a | Implement cryptographic mechanisms to [Selection (OneOrMore): prevent unauthorized disclosure of information; detect changes to information] during transmission. | link | 14 |
| PCI_DSS_v4.0 | 4.2.1 | PCI_DSS_v4.0_4.2.1 | PCI DSS v4.0 4.2.1 | Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | PAN is protected with strong cryptography during transmission | Shared | n/a | Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks:<br>• Only trusted keys and certificates are accepted.<br>• Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details.<br>• The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.<br>• The encryption strength is appropriate for the encryption methodology in use. | link | 12 |
| PCI_DSS_v4.0 | 4.2.2 | PCI_DSS_v4.0_4.2.2 | PCI DSS v4.0 4.2.2 | Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | PAN is protected with strong cryptography during transmission | Shared | n/a | PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies. | link | 3 |
| SOC_2 | CC6.7 | SOC_2_CC6.7 | SOC 2 Type 2 CC6.7 | Logical and Physical Access Controls | Restrict the movement of information to authorized users | Shared | The customer is responsible for implementing this recommendation. | • Restricts the Ability to Perform Transmission — Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement, and removal of information.<br>• Uses Encryption Technologies or Secure Communication Channels to Protect Data — Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points.<br>• Protects Removal Media — Encryption technologies and physical asset protections are used for removable media (such as USB drives and backup tapes), as appropriate.<br>• Protects Mobile Devices — Processes are in place to protect mobile devices (such as laptops, smart phones, and tablets) that serve as information assets | | 30 |
| SWIFT_CSCF_v2022 | 2.1 | SWIFT_CSCF_v2022_2.1 | SWIFT CSCF v2022 2.1 | 2. Reduce Attack Surface and Vulnerabilities | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Shared | n/a | Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. | link | 36 |
| SWIFT_CSCF_v2022 | 2.4 | SWIFT_CSCF_v2022_2.4 | SWIFT CSCF v2022 2.4 | 2. Reduce Attack Surface and Vulnerabilities | Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to. | Shared | n/a | Confidentiality, integrity, and authentication mechanisms (at system, transport or message level) are implemented to protect data flows between SWIFT infrastructure components and the back-office first hops they connect to. | link | 7 |
| SWIFT_CSCF_v2022 | 2.5 | SWIFT_CSCF_v2022_2.5 | SWIFT CSCF v2022 2.5 | 2. Reduce Attack Surface and Vulnerabilities | Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. | Shared | n/a | Sensitive SWIFT-related data that leaves the secure zone as a result of operating system/application back-ups, business transaction data replication for archiving or recovery purposes, or extraction for offline processing is protected when stored outside of a secure zone and is encrypted while in transit. | link | 7 |
| SWIFT_CSCF_v2022 | 2.6 | SWIFT_CSCF_v2022_2.6 | SWIFT CSCF v2022 2.6 | 2. Reduce Attack Surface and Vulnerabilities | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Shared | n/a | The confidentiality and integrity of interactive operator sessions that connect to service provider SWIFT-related applications or into the secure zone are safeguarded. | link | 17 |
| SWIFT_CSCF_v2022 | 6.2 | SWIFT_CSCF_v2022_6.2 | SWIFT CSCF v2022 6.2 | 6. Detect Anomalous Activity to Systems or Transaction Records | Ensure the software integrity of the SWIFT-related components and act upon results. | Shared | n/a | A software integrity check is performed at regular intervals on messaging interface, communication interface, and other SWIFT-related components and results are considered for appropriate resolving actions. | link | 6 |