last sync: 2024-Oct-10 19:12:06 UTC

Develop and maintain baseline configurations | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Develop and maintain baseline configurations
Id: 2f20840e-7925-221c-725d-757442753e7c
Version: 1.1.0
Versioning: Versions supported for Versioning: 1 (1.1.0); Built-in Versioning [Preview]
Category: Regulatory Compliance
Description: CMA_0153 - Develop and maintain baseline configurations
Additional metadata:
Name/Id: CMA_0153 / CMA_0153
Category: Operational
Title: Develop and maintain baseline configurations
Ownership: Customer
Description: Microsoft recommends that your organization document and implement processes for managing and protecting the configuration lifecycle of enterprise systems. It is also recommended that your organization establish baselines so that security configurations are applied consistently, and implement processes and mechanisms for controlling the creation of, and changes to, the configuration baselines produced, including periodic review of those changes. Any change to a baseline should be appropriately tested, its impact determined by analysis, and then incorporated into the standard. Your organization should consider the different environments that apply (e.g., test, production, and staging) and their parameters. It is recommended that your organization test security configurations in a test environment before implementation, as this helps to understand and examine the functional impact on applications. Microsoft recommends that your organization review and update the baseline configuration of the information system when required by organization-defined circumstances or at an organization-defined frequency, and also as an integral part of information system component installations and upgrades. Your organization should consider retaining previous versions of baseline configurations to support rollback. It is recommended that your organization employ automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. It is recommended that your organization document any deviations from the baseline configurations; approved deviations should be added to the baseline configuration standard on a periodic basis.
Your organization is encouraged to document the procedures for securing configurations during development and deployment of systems, which may include the following:
- Defining parameters that describe the behavior of automated functions (e.g., disabling and enabling functions, automatic updates, defining network protocols and network interfaces, access and authentication controls, etc.)
- Remediating flaws for identified vulnerabilities
- Establishing and documenting the location where the secure configuration components physically and logically reside
- Establishing the use of approved and signed software
- Implementing safeguards to protect against attack
- Applying network protections
- Maintaining and updating technical specification and design documentation
Microsoft recommends that your organization issue information systems, system components, or devices with organization-defined configurations to individuals traveling to locations that the organization deems to be of significant risk. Your organization can also apply security safeguards to the devices when the individuals return.
Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default: Manual; Allowed: Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1): Microsoft.Resources/subscriptions
Compliance
The following 37 compliance controls are associated with this Policy definition 'Develop and maintain baseline configurations' (2f20840e-7925-221c-725d-757442753e7c)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.3.0 2.12 CIS_Azure_1.3.0_2.12 CIS Microsoft Azure Foundations Benchmark recommendation 2.12 2 Security Center Ensure any of the ASC Default policy setting is not set to "Disabled" Shared The customer is responsible for implementing this recommendation. None of the settings offered by ASC Default policy should be set to effect "Disabled". link 6
CIS_Azure_1.4.0 2.12 CIS_Azure_1.4.0_2.12 CIS Microsoft Azure Foundations Benchmark recommendation 2.12 2 Microsoft Defender for Cloud Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled' Shared The customer is responsible for implementing this recommendation. None of the settings offered by ASC Default policy should be set to effect "Disabled". link 6
CIS_Azure_2.0.0 2.1.14 CIS_Azure_2.0.0_2.1.14 CIS Microsoft Azure Foundations Benchmark recommendation 2.1.14 2.1 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' Shared n/a None of the settings offered by ASC Default policy should be set to effect `Disabled`. A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. ASC Default policy is associated with every subscription by default. ASC default policy assignment is a set of security recommendations based on best practices. Enabling recommendations in ASC default policy ensures that Azure security center provides the ability to monitor all of the supported recommendations and optionally allow automated action for a few of the supported recommendations. link 6
FedRAMP_High_R4 CM-2 FedRAMP_High_R4_CM-2 FedRAMP High CM-2 Configuration Management Baseline Configuration Shared n/a The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. Supplemental Guidance: This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7. References: NIST Special Publication 800-128. link 6
FedRAMP_High_R4 CM-2(2) FedRAMP_High_R4_CM-2(2) FedRAMP High CM-2 (2) Configuration Management Automation Support For Accuracy / Currency Shared n/a The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. Supplemental Guidance: Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. link 6
FedRAMP_High_R4 CM-9 FedRAMP_High_R4_CM-9 FedRAMP High CM-9 Configuration Management Configuration Management Plan Shared n/a The organization develops, documents, and implements a configuration management plan for the information system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the information system and places the configuration items under configuration management; and d. Protects the configuration management plan from unauthorized disclosure and modification. Supplemental Guidance: Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. References: NIST Special Publication 800-128. link 6
FedRAMP_Moderate_R4 CM-2 FedRAMP_Moderate_R4_CM-2 FedRAMP Moderate CM-2 Configuration Management Baseline Configuration Shared n/a The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. Supplemental Guidance: This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7. References: NIST Special Publication 800-128. link 6
FedRAMP_Moderate_R4 CM-2(2) FedRAMP_Moderate_R4_CM-2(2) FedRAMP Moderate CM-2 (2) Configuration Management Automation Support For Accuracy / Currency Shared n/a The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. Supplemental Guidance: Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. link 6
FedRAMP_Moderate_R4 CM-9 FedRAMP_Moderate_R4_CM-9 FedRAMP Moderate CM-9 Configuration Management Configuration Management Plan Shared n/a The organization develops, documents, and implements a configuration management plan for the information system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the information system and places the configuration items under configuration management; and d. Protects the configuration management plan from unauthorized disclosure and modification. Supplemental Guidance: Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. References: NIST Special Publication 800-128. link 6
hipaa 0627.10h1System.45-10.h hipaa-0627.10h1System.45-10.h 0627.10h1System.45-10.h 06 Configuration Management 0627.10h1System.45-10.h 10.04 Security of System Files Shared n/a The organization maintains information systems according to a current baseline configuration and configures system security parameters to prevent misuse. Vendor supplied software used in operational systems is maintained at a level supported by the supplier and uses the latest version of web browsers on operational systems to take advantage of the latest security functions in the application. 11
hipaa 0636.10k2Organizational.1-10.k hipaa-0636.10k2Organizational.1-10.k 0636.10k2Organizational.1-10.k 06 Configuration Management 0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes Shared n/a The organization formally addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management (e.g., through policies, standards, processes). 8
hipaa 0637.10k2Organizational.2-10.k hipaa-0637.10k2Organizational.2-10.k 0637.10k2Organizational.2-10.k 06 Configuration Management 0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes Shared n/a The organization has developed, documented, and implemented a configuration management plan for the information system. 7
hipaa 0639.10k2Organizational.78-10.k hipaa-0639.10k2Organizational.78-10.k 0639.10k2Organizational.78-10.k 06 Configuration Management 0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes Shared n/a Installation checklists and vulnerability scans are used to validate the configuration of servers, workstations, devices, and appliances, and ensure the configuration meets minimum standards. 8
hipaa 0642.10k3Organizational.12-10.k hipaa-0642.10k3Organizational.12-10.k 0642.10k3Organizational.12-10.k 06 Configuration Management 0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes Shared n/a The organization develops, documents, and maintains, under configuration control, a current baseline configuration of the information system, and reviews and updates the baseline as required. 7
hipaa 0643.10k3Organizational.3-10.k hipaa-0643.10k3Organizational.3-10.k 0643.10k3Organizational.3-10.k 06 Configuration Management 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes Shared n/a The organization (i) establishes and documents mandatory configuration settings for information technology products employed within the information system using the latest security configuration baselines; (ii) identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements; and, (iii) monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. 17
hipaa 0669.10hCSPSystem.1-10.h hipaa-0669.10hCSPSystem.1-10.h 0669.10hCSPSystem.1-10.h 06 Configuration Management 0669.10hCSPSystem.1-10.h 10.04 Security of System Files Shared n/a Open and published APIs are used by cloud service providers to ensure support for interoperability between components and to facilitate migrating applications. 16
hipaa 0710.10m2Organizational.1-10.m hipaa-0710.10m2Organizational.1-10.m 0710.10m2Organizational.1-10.m 07 Vulnerability Management 0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management Shared n/a A hardened configuration standard exists for all system and network components. 9
hipaa 0821.09m2Organizational.2-09.m hipaa-0821.09m2Organizational.2-09.m 0821.09m2Organizational.2-09.m 08 Network Protection 0821.09m2Organizational.2-09.m 09.06 Network Security Management Shared n/a The organization tests and approves all network connections and firewall, router, and switch configuration changes prior to implementation. Any deviations from the standard configuration or updates to the standard configuration are documented and approved in a change control system. All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, are also documented and recorded, with a specific business reason for each change, a specific individual’s name responsible for that business need, and an expected duration of the need. 18
hipaa 0863.09m2Organizational.910-09.m hipaa-0863.09m2Organizational.910-09.m 0863.09m2Organizational.910-09.m 08 Network Protection 0863.09m2Organizational.910-09.m 09.06 Network Security Management Shared n/a The organization builds a firewall configuration that restricts connections between untrusted networks and any system components in the covered information environment; and any changes to the firewall configuration are updated in the network diagram. 25
hipaa 0869.09m3Organizational.19-09.m hipaa-0869.09m3Organizational.19-09.m 0869.09m3Organizational.19-09.m 08 Network Protection 0869.09m3Organizational.19-09.m 09.06 Network Security Management Shared n/a The router configuration files are secured and synchronized. 11
hipaa 0901.09s1Organizational.1-09.s hipaa-0901.09s1Organizational.1-09.s 0901.09s1Organizational.1-09.s 09 Transmission Protection 0901.09s1Organizational.1-09.s 09.08 Exchange of Information Shared n/a The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. 31
ISO27001-2013 A.6.1.1 ISO27001-2013_A.6.1.1 ISO 27001:2013 A.6.1.1 Organization of Information Security Information security roles and responsibilities Shared n/a All information security responsibilities shall be clearly defined and allocated. link 73
NIST_SP_800-171_R2 3.4.1 NIST_SP_800-171_R2_3.4.1 NIST SP 800-171 R2 3.4.1 Configuration Management Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Shared Microsoft and the customer share responsibilities for implementing this requirement. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration. Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. [SP 800-128] provides guidance on security-focused configuration management. link 31
NIST_SP_800-53_R4 CM-2 NIST_SP_800-53_R4_CM-2 NIST SP 800-53 Rev. 4 CM-2 Configuration Management Baseline Configuration Shared n/a The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. Supplemental Guidance: This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7. References: NIST Special Publication 800-128. link 6
NIST_SP_800-53_R4 CM-2(2) NIST_SP_800-53_R4_CM-2(2) NIST SP 800-53 Rev. 4 CM-2 (2) Configuration Management Automation Support For Accuracy / Currency Shared n/a The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. Supplemental Guidance: Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. link 6
NIST_SP_800-53_R4 CM-9 NIST_SP_800-53_R4_CM-9 NIST SP 800-53 Rev. 4 CM-9 Configuration Management Configuration Management Plan Shared n/a The organization develops, documents, and implements a configuration management plan for the information system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the information system and places the configuration items under configuration management; and d. Protects the configuration management plan from unauthorized disclosure and modification. Supplemental Guidance: Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. References: NIST Special Publication 800-128. link 6
NIST_SP_800-53_R5 CM-2 NIST_SP_800-53_R5_CM-2 NIST SP 800-53 Rev. 5 CM-2 Configuration Management Baseline Configuration Shared n/a a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded. link 6
NIST_SP_800-53_R5 CM-2(2) NIST_SP_800-53_R5_CM-2(2) NIST SP 800-53 Rev. 5 CM-2 (2) Configuration Management Automation Support for Accuracy and Currency Shared n/a Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]. link 6
NIST_SP_800-53_R5 CM-9 NIST_SP_800-53_R5_CM-9 NIST SP 800-53 Rev. 5 CM-9 Configuration Management Configuration Management Plan Shared n/a Develop, document, and implement a configuration management plan for the system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the system and places the configuration items under configuration management; d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and e. Protects the configuration management plan from unauthorized disclosure and modification. link 6
org.1 Security policy org.1 Security policy 404 not found n/a n/a 94
org.4 Authorization process org.4 Authorization process 404 not found n/a n/a 126
PCI_DSS_v4.0 1.2.1 PCI_DSS_v4.0_1.2.1 PCI DSS v4.0 1.2.1 Requirement 01: Install and Maintain Network Security Controls Network security controls (NSCs) are configured and maintained Shared n/a Configuration standards for NSC rulesets are: • Defined. • Implemented. • Maintained. link 6
PCI_DSS_v4.0 2.2.1 PCI_DSS_v4.0_2.2.1 PCI DSS v4.0 2.2.1 Requirement 02: Apply Secure Configurations to All System Components System components are configured and managed securely Shared n/a Configuration standards are developed, implemented, and maintained to: • Cover all system components. • Address all known security vulnerabilities. • Be consistent with industry-accepted system hardening standards or vendor hardening recommendations. • Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. • Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment. link 6
SOC_2 CC7.1 SOC_2_CC7.1 SOC 2 Type 2 CC7.1 System Operations Detection and monitoring of new vulnerabilities Shared The customer is responsible for implementing this recommendation. • Uses Defined Configuration Standards — Management has defined configuration standards. • Monitors Infrastructure and Software — The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives. • Implements Change-Detection Mechanisms — The IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files. • Detects Unknown or Unauthorized Components — Procedures are in place to detect the introduction of unknown or unauthorized components. • Conducts Vulnerability Scans — The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis. 15
SOC_2 CC8.1 SOC_2_CC8.1 SOC 2 Type 2 CC8.1 Change Management Changes to infrastructure, data, and software Shared The customer is responsible for implementing this recommendation. • Manages Changes Throughout the System Life Cycle — A process for managing system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and processing integrity. • Authorizes Changes — A process is in place to authorize system changes prior to development. • Designs and Develops Changes — A process is in place to design and develop system changes. • Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. • Tracks System Changes — A process is in place to track system changes prior to implementation. • Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software. • Tests System Changes — A process is in place to test system changes prior to implementation. • Approves System Changes — A process is in place to approve system changes prior to implementation. • Deploys System Changes — A process is in place to implement system changes. • Identifies and Evaluates System Changes — Objectives affected by system changes are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle. • Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents — Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified and the change process is initiated upon identification. • Creates Baseline Configuration of IT Technology — A baseline configuration of IT and control systems is created and maintained. • Provides for Changes Necessary in Emergency Situations — A process is in place for authorizing, designing, testing, approving, and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent time frame). Additional points of focus that apply only in an engagement using the trust services criteria for confidentiality: • Protects Confidential Information — The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity's objectives related to confidentiality. Additional points of focus that apply only in an engagement using the trust services criteria for privacy: • Protects Personal Information — The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity's objectives related to privacy. 52
SWIFT_CSCF_v2022 2.1 SWIFT_CSCF_v2022_2.1 SWIFT CSCF v2022 2.1 2. Reduce Attack Surface and Vulnerabilities Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. Shared n/a Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. link 36
SWIFT_CSCF_v2022 2.3 SWIFT_CSCF_v2022_2.3 SWIFT CSCF v2022 2.3 2. Reduce Attack Surface and Vulnerabilities Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. Shared n/a Security hardening is conducted and maintained on all in-scope components. link 25
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add 2f20840e-7925-221c-725d-757442753e7c