compliance controls are associated with this Policy definition 'Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs' (331e8ea8-378a-410f-a2e5-ae22f38bb0da)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| ACAT_Security_Policies |
|
ACAT_Security_Policies |
ACAT Security Policies |
Guidelines for M365 Certification |
Protecting systems and resources
|
Shared |
n/a |
Ensures that apps have strong security and compliance practices in place to protect customer data, security, and privacy. |
link |
16 |
| AU_ISM |
1546 |
AU_ISM_1546 |
AU ISM 1546 |
Guidelines for System Hardening - Authentication hardening |
Authenticating to systems - 1546 |
|
n/a |
Users are authenticated before they are granted access to a system and its resources. |
link |
7 |
| CCCS |
AC-17(1) |
CCCS_AC-17(1) |
CCCS AC-17(1) |
Access Control |
Remote Access | Automated Monitoring / Control |
|
n/a |
The information system monitors and controls remote access methods. |
link |
7 |
| CCCS |
IA-5 |
CCCS_IA-5 |
CCCS IA-5 |
Identification and Authentication |
Authenticator Management |
|
n/a |
(A) The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator.
(B) The organization manages information system authenticators by establishing initial authenticator content for authenticators defined by the organization.
(C) The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use.
(D) The organization manages information system authenticators by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators.
(E) The organization manages information system authenticators by changing the default content of authenticators prior to information system installation.
(F) The organization manages information system authenticators by establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators.
(G) The organization manages information system authenticators by changing/refreshing authenticators in accordance with CCCS’s ITSP.30.031.
(H) The organization manages information system authenticators by protecting authenticator content from unauthorized disclosure and modification.
(I) The organization manages information system authenticators by requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators.
(J) The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes. |
link |
5 |
| CMMC_2.0_L2 |
AC.L1-3.1.1 |
CMMC_2.0_L2_AC.L1-3.1.1 |
404 not found |
|
|
|
n/a |
n/a |
|
54 |
| CMMC_2.0_L2 |
AC.L2-3.1.12 |
CMMC_2.0_L2_AC.L2-3.1.12 |
404 not found |
|
|
|
n/a |
n/a |
|
35 |
| CMMC_2.0_L2 |
CM.L2-3.4.1 |
CMMC_2.0_L2_CM.L2-3.4.1 |
404 not found |
|
|
|
n/a |
n/a |
|
25 |
| CMMC_2.0_L2 |
CM.L2-3.4.2 |
CMMC_2.0_L2_CM.L2-3.4.2 |
404 not found |
|
|
|
n/a |
n/a |
|
27 |
| CMMC_2.0_L2 |
IA.L1-3.5.2 |
CMMC_2.0_L2_IA.L1-3.5.2 |
404 not found |
|
|
|
n/a |
n/a |
|
15 |
| CMMC_2.0_L2 |
IA.L2-3.5.10 |
CMMC_2.0_L2_IA.L2-3.5.10 |
404 not found |
|
|
|
n/a |
n/a |
|
7 |
| CMMC_L2_v1.9.0 |
CM.L2_3.4.1 |
CMMC_L2_v1.9.0_CM.L2_3.4.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.1 |
Configuration Management |
System Baselining |
Shared |
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. |
To ensure consistency, security, and compliance with organizational standards and requirements. |
|
15 |
| CMMC_L2_v1.9.0 |
CM.L2_3.4.2 |
CMMC_L2_v1.9.0_CM.L2_3.4.2 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.2 |
Configuration Management |
Security Configuration Enforcement |
Shared |
Establish and enforce security configuration settings for information technology products employed in organizational systems. |
To mitigate vulnerabilities and enhance overall security posture. |
|
10 |
| CMMC_L2_v1.9.0 |
CM.L2_3.4.6 |
CMMC_L2_v1.9.0_CM.L2_3.4.6 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.6 |
Configuration Management |
Least Functionality |
Shared |
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. |
To reduce the risk of unauthorized access or exploitation of system vulnerabilities. |
|
10 |
| CMMC_L3 |
AC.3.021 |
CMMC_L3_AC.3.021 |
CMMC L3 AC.3.021 |
Access Control |
Authorize remote execution of privileged commands and remote access to security-relevant information. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
A privileged command is a human-initiated (interactively or via a process operating on behalf of the human) command executed on a system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information. Securityrelevant information is any information within the system that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling such access from remote locations helps to ensure that unauthorized individuals are not able to execute such commands freely with the potential to do serious or catastrophic damage to organizational systems. Note that the ability to affect the integrity of the system is considered security-relevant as that could enable the means to by-pass security functions although not directly impacting the function itself. |
link |
10 |
| CSA_v4.0.12 |
AIS_02 |
CSA_v4.0.12_AIS_02 |
CSA Cloud Controls Matrix v4.0.12 AIS 02 |
Application & Interface Security |
Application Security Baseline Requirements |
Shared |
n/a |
Establish, document and maintain baseline requirements for securing
different applications. |
|
10 |
| CSA_v4.0.12 |
CCC_02 |
CSA_v4.0.12_CCC_02 |
CSA Cloud Controls Matrix v4.0.12 CCC 02 |
Change Control and Configuration Management |
Quality Testing |
Shared |
n/a |
Follow a defined quality change control, approval and testing process
with established baselines, testing, and release standards. |
|
11 |
| CSA_v4.0.12 |
CCC_03 |
CSA_v4.0.12_CCC_03 |
CSA Cloud Controls Matrix v4.0.12 CCC 03 |
Change Control and Configuration Management |
Change Management Technology |
Shared |
n/a |
Manage the risks associated with applying changes to organization
assets, including application, systems, infrastructure, configuration, etc.,
regardless of whether the assets are managed internally or externally (i.e.,
outsourced). |
|
30 |
| CSA_v4.0.12 |
CCC_04 |
CSA_v4.0.12_CCC_04 |
CSA Cloud Controls Matrix v4.0.12 CCC 04 |
Change Control and Configuration Management |
Unauthorized Change Protection |
Shared |
n/a |
Restrict the unauthorized addition, removal, update, and management
of organization assets. |
|
25 |
| CSA_v4.0.12 |
CCC_09 |
CSA_v4.0.12_CCC_09 |
CSA Cloud Controls Matrix v4.0.12 CCC 09 |
Change Control and Configuration Management |
Change Restoration |
Shared |
n/a |
Define and implement a process to proactively roll back changes to
a previous known good state in case of errors or security concerns. |
|
10 |
| CSA_v4.0.12 |
IAM_07 |
CSA_v4.0.12_IAM_07 |
CSA Cloud Controls Matrix v4.0.12 IAM 07 |
Identity & Access Management |
User Access Changes and Revocation |
Shared |
n/a |
De-provision or respectively modify access of movers / leavers or
system identity changes in a timely manner in order to effectively adopt and
communicate identity and access management policies. |
|
56 |
| CSA_v4.0.12 |
TVM_04 |
CSA_v4.0.12_TVM_04 |
CSA Cloud Controls Matrix v4.0.12 TVM 04 |
Threat & Vulnerability Management |
Detection Updates |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to update detection tools, threat signatures, and indicators of compromise
on a weekly, or more frequent basis. |
|
46 |
| CSA_v4.0.12 |
UEM_03 |
CSA_v4.0.12_UEM_03 |
CSA Cloud Controls Matrix v4.0.12 UEM 03 |
Universal Endpoint Management |
Compatibility |
Shared |
n/a |
Define and implement a process for the validation of the endpoint
device's compatibility with operating systems and applications. |
|
10 |
| CSA_v4.0.12 |
UEM_05 |
CSA_v4.0.12_UEM_05 |
CSA Cloud Controls Matrix v4.0.12 UEM 05 |
Universal Endpoint Management |
Endpoint Management |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to enforce policies and controls for all endpoints permitted to access
systems and/or store, transmit, or process organizational data. |
|
10 |
| Cyber_Essentials_v3.1 |
1 |
Cyber_Essentials_v3.1_1 |
Cyber Essentials v3.1 1 |
Cyber Essentials |
Firewalls |
Shared |
n/a |
Aim: to make sure that only secure and necessary network services can be accessed from the internet. |
|
37 |
| Cyber_Essentials_v3.1 |
3 |
Cyber_Essentials_v3.1_3 |
Cyber Essentials v3.1 3 |
Cyber Essentials |
Security Update Management |
Shared |
n/a |
Aim: ensure that devices and software are not vulnerable to known security issues for which fixes are available. |
|
38 |
| Cyber_Essentials_v3.1 |
5 |
Cyber_Essentials_v3.1_5 |
Cyber Essentials v3.1 5 |
Cyber Essentials |
Malware protection |
Shared |
n/a |
Aim: to restrict execution of known malware and untrusted software, from causing damage or accessing data. |
|
60 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
189 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
306 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.7 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
| FedRAMP_High_R4 |
AC-17 |
FedRAMP_High_R4_AC-17 |
FedRAMP High AC-17 |
Access Control |
Remote Access |
Shared |
n/a |
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.
Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4.
References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. |
link |
41 |
| FedRAMP_High_R4 |
AC-17(1) |
FedRAMP_High_R4_AC-17(1) |
FedRAMP High AC-17 (1) |
Access Control |
Automated Monitoring / Control |
Shared |
n/a |
The information system monitors and controls remote access methods.
Supplemental Guidance: Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. |
link |
37 |
| FedRAMP_High_R4 |
AC-3 |
FedRAMP_High_R4_AC-3 |
FedRAMP High AC-3 |
Access Control |
Access Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3.
References: None. |
link |
18 |
| FedRAMP_High_R4 |
IA-5 |
FedRAMP_High_R4_IA-5 |
FedRAMP High IA-5 |
Identification And Authentication |
Authenticator Management |
Shared |
n/a |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.
Supplemental Guidance: Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28.
References: OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance |
link |
18 |
| FedRAMP_High_R4 |
IA-5(1) |
FedRAMP_High_R4_IA-5(1) |
FedRAMP High IA-5 (1) |
Identification And Authentication |
Password-Based Authentication |
Shared |
n/a |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only encrypted representations of passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. |
link |
15 |
| FedRAMP_Moderate_R4 |
AC-17 |
FedRAMP_Moderate_R4_AC-17 |
FedRAMP Moderate AC-17 |
Access Control |
Remote Access |
Shared |
n/a |
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.
Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4.
References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. |
link |
41 |
| FedRAMP_Moderate_R4 |
AC-17(1) |
FedRAMP_Moderate_R4_AC-17(1) |
FedRAMP Moderate AC-17 (1) |
Access Control |
Automated Monitoring / Control |
Shared |
n/a |
The information system monitors and controls remote access methods.
Supplemental Guidance: Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. |
link |
37 |
| FedRAMP_Moderate_R4 |
AC-3 |
FedRAMP_Moderate_R4_AC-3 |
FedRAMP Moderate AC-3 |
Access Control |
Access Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3.
References: None. |
link |
18 |
| FedRAMP_Moderate_R4 |
IA-5 |
FedRAMP_Moderate_R4_IA-5 |
FedRAMP Moderate IA-5 |
Identification And Authentication |
Authenticator Management |
Shared |
n/a |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.
Supplemental Guidance: Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28.
References: OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance |
link |
18 |
| FedRAMP_Moderate_R4 |
IA-5(1) |
FedRAMP_Moderate_R4_IA-5(1) |
FedRAMP Moderate IA-5 (1) |
Identification And Authentication |
Password-Based Authentication |
Shared |
n/a |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only encrypted representations of passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. |
link |
15 |
| HITRUST_CSF_v11.3 |
01.l |
HITRUST_CSF_v11.3_01.l |
HITRUST CSF v11.3 01.l |
Network Access Control |
Prevent unauthorized access to networked services. |
Shared |
Ports, services, and applications installed on a computer or network systems, which are not specifically required for business functionality, to be disabled or removed. |
Physical and logical access to diagnostic and configuration ports shall be controlled. |
|
26 |
| HITRUST_CSF_v11.3 |
09.j |
HITRUST_CSF_v11.3_09.j |
HITRUST CSF v11.3 09.j |
Protection Against Malicious and Mobile Code |
Ensure that integrity of information and software is protected from malicious or unauthorized code |
Shared |
1. Technologies are to be implemented for timely installation, upgrade and renewal of anti-malware protective measures.
2. Automatic periodic scans of information systems is to be implemented.
3. Anti-malware software that offers a centralized infrastructure that compiles information on file reputations is to be implemented.
4. Post-malicious code update, signature deployment, scanning files, email, and web traffic is to be verified by automated systems, while BYOD users require anti-malware, network-based malware detection is to be used on servers without host-based solutions use.
5. Anti-malware audit logs checks to be performed.
6. Protection against malicious code is to be based on malicious code detection and repair software, security awareness, appropriate system access, and change management controls. |
Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided. |
|
37 |
| HITRUST_CSF_v11.3 |
09.m |
HITRUST_CSF_v11.3_09.m |
HITRUST CSF v11.3 09.m |
Network Security Management |
Ensure the protection of information in networks and protection of the supporting network infrastructure. |
Shared |
1. Vendor default encryption keys, default SNMP community strings on wireless devices, default passwords/passphrases on access points, and other security-related wireless vendor defaults is to be changed prior to authorization of implementation of wireless access points.
2. Wireless encryption keys to be changed when anyone with knowledge of the keys leaves or changes.
3. All authorized and unauthorized wireless access to the information system is to be monitored and installation of wireless access points (WAP) is to be prohibited unless explicitly authorized. |
Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
|
24 |
| HITRUST_CSF_v11.3 |
10.k |
HITRUST_CSF_v11.3_10.k |
HITRUST CSF v11.3 10.k |
Security In Development and Support Processes |
Ensure the security of application system software and information through the development process, project and support environments shall be strictly controlled. |
Shared |
1. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management is to be formally addressed.
2. Changes to mobile device operating systems, patch levels, and/or applications is to be managed through a formal change management process.
3. A baseline configuration of the information system is to be developed, documented, and maintained under configuration control. |
The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures. |
|
33 |
| HITRUST_CSF_v11.3 |
10.m |
HITRUST_CSF_v11.3_10.m |
HITRUST CSF v11.3 10.m |
Technical Vulnerability Management |
Reduce the risks resulting from exploitation of published technical vulnerabilities, technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness. |
Shared |
1. The necessary secure services, protocols required for the function of the system are to be enabled.
2. Security features to be implemented for any required services that are considered to be insecure.
3. Laptops, workstations, and servers to be configured so they will not auto-run content from removable media.
4. Configuration standards to be consistent with industry-accepted system hardening standards.
5. An enterprise security posture review within every 365 days is to be conducted.
6. Vulnerability scanning tools to be regularly updated with all relevant information system vulnerabilities. |
Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk. |
|
46 |
| IRS_1075_9.3 |
.1.12 |
IRS_1075_9.3.1.12 |
IRS 1075 9.3.1.12 |
Access Control |
Remote Access (AC-17) |
|
n/a |
The agency must:
a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed
b. Authorize remote access to the information system prior to allowing such connections
c. Authorize and document the execution of privileged commands and access to security-relevant information via remote access for compelling operational needs only (CE4)
The information system must:
a. Monitor and control remote access methods (CE1)
b. Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions where FTI is transmitted over the remote connection and (CE2)
c. Route all remote accesses through a limited number of managed network access control points (CE3)
Remote access is defined as any access to an agency information system by a user communicating through an external network, for example, the Internet.
Any remote access where FTI is accessed over the remote connection must be performed using multi-factor authentication.
FTI cannot be accessed remotely by agency employees, agents, representatives, or contractors located offshore--outside of the United States territories, embassies, or military installations. Further, FTI may not be received, processed, stored, transmitted, or disposed of by IT systems located offshore. |
link |
7 |
| IRS_1075_9.3 |
.7.5 |
IRS_1075_9.3.7.5 |
IRS 1075 9.3.7.5 |
Identification and Authentication |
Authenticator Management (IA-5) |
|
n/a |
The agency must manage information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator
b. Establishing initial authenticator content for authenticators defined by the agency
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators
e. Changing default content of authenticators prior to information system installation
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators
g. Changing/refreshing authenticators
h. Protecting authenticator content from unauthorized disclosure and modification
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators
j. Changing authenticators for group/role accounts when membership to those accounts changes
The information system must, for password-based authentication:
a. Enforce minimum password complexity of:
1. Eight characters
2. At least one numeric and at least one special character
3. A mixture of at least one uppercase and at least one lowercase letter
4. Storing and transmitting only encrypted representations of passwords
b. Enforce password minimum lifetime restriction of one day
c. Enforce non-privileged account passwords to be changed at least every 90 days
d. Enforce privileged account passwords to be changed at least every 60 days
e. Prohibit password reuse for 24 generations
f. Allow the use of a temporary password for system logon requiring an immediate change to a permanent password
g. Password-protect system initialization (boot) settings |
link |
12 |
| ISO_IEC_27002_2022 |
8.9 |
ISO_IEC_27002_2022_8.9 |
ISO IEC 27002 2022 8.9 |
Protection,
Preventive Control |
Configuration management |
Shared |
Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.
|
To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes. |
|
20 |
| ISO27001-2013 |
A.9.1.2 |
ISO27001-2013_A.9.1.2 |
ISO 27001:2013 A.9.1.2 |
Access Control |
Access to networks and network services |
Shared |
n/a |
Users shall only be provided with access to the network and network services that they have been specifically authorized to use. |
link |
29 |
| ISO27001-2013 |
A.9.2.4 |
ISO27001-2013_A.9.2.4 |
ISO 27001:2013 A.9.2.4 |
Access Control |
Management of secret authentication information of users |
Shared |
n/a |
The allocation of secret authentication information shall be controlled through a formal management process. |
link |
18 |
| K_ISMS_P_2018 |
2.10.1 |
K_ISMS_P_2018_2.10.1 |
K ISMS P 2018 2.10.1 |
2.10 |
Establish Procedures for Managing the Security of System Operations |
Shared |
n/a |
Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions. |
|
455 |
| K_ISMS_P_2018 |
2.10.2 |
K_ISMS_P_2018_2.10.2 |
K ISMS P 2018 2.10.2 |
2.10 |
Establish Protective Measures for Administrator Privileges and Security Configurations |
Shared |
n/a |
Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations. |
|
431 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
| NIST_SP_800-171_R2_3 |
.1.1 |
NIST_SP_800-171_R2_3.1.1 |
NIST SP 800-171 R2 3.1.1 |
Access Control |
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2. |
link |
52 |
| NIST_SP_800-171_R2_3 |
.1.12 |
NIST_SP_800-171_R2_3.1.12 |
NIST SP 800-171 R2 3.1.12 |
Access Control |
Monitor and control remote access sessions. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). [SP 800-46], [SP 800-77], and [SP 800-113] provide guidance on secure remote access and virtual private networks. |
link |
36 |
| NIST_SP_800-171_R2_3 |
.5.10 |
NIST_SP_800-171_R2_3.5.10 |
NIST SP 800-171 R2 3.5.10 |
Identification and Authentication |
Store and transmit only cryptographically-protected passwords. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. See [NIST CRYPTO]. |
link |
9 |
| NIST_SP_800-171_R2_3 |
.5.2 |
NIST_SP_800-171_R2_3.5.2 |
NIST SP 800-171 R2 3.5.2 |
Identification and Authentication |
Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords. [SP 800-63-3] provides guidance on digital identities. |
link |
21 |
| NIST_SP_800-171_R3_3 |
.4.1 |
NIST_SP_800-171_R3_3.4.1 |
404 not found |
|
|
|
n/a |
n/a |
|
9 |
| NIST_SP_800-171_R3_3 |
.4.6 |
NIST_SP_800-171_R3_3.4.6 |
404 not found |
|
|
|
n/a |
n/a |
|
24 |
| NIST_SP_800-53_R4 |
AC-17 |
NIST_SP_800-53_R4_AC-17 |
NIST SP 800-53 Rev. 4 AC-17 |
Access Control |
Remote Access |
Shared |
n/a |
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.
Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4.
References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. |
link |
41 |
| NIST_SP_800-53_R4 |
AC-17(1) |
NIST_SP_800-53_R4_AC-17(1) |
NIST SP 800-53 Rev. 4 AC-17 (1) |
Access Control |
Automated Monitoring / Control |
Shared |
n/a |
The information system monitors and controls remote access methods.
Supplemental Guidance: Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. |
link |
37 |
| NIST_SP_800-53_R4 |
AC-3 |
NIST_SP_800-53_R4_AC-3 |
NIST SP 800-53 Rev. 4 AC-3 |
Access Control |
Access Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3.
References: None. |
link |
18 |
| NIST_SP_800-53_R4 |
IA-5 |
NIST_SP_800-53_R4_IA-5 |
NIST SP 800-53 Rev. 4 IA-5 |
Identification And Authentication |
Authenticator Management |
Shared |
n/a |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.
Supplemental Guidance: Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28.
References: OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance |
link |
18 |
| NIST_SP_800-53_R4 |
IA-5(1) |
NIST_SP_800-53_R4_IA-5(1) |
NIST SP 800-53 Rev. 4 IA-5 (1) |
Identification And Authentication |
Password-Based Authentication |
Shared |
n/a |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only encrypted representations of passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. |
link |
15 |
| NIST_SP_800-53_R5.1.1 |
CM.2 |
NIST_SP_800-53_R5.1.1_CM.2 |
NIST SP 800-53 R5.1.1 CM.2 |
Configuration Management Control |
Baseline Configuration |
Shared |
a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
b. Review and update the baseline configuration of the system:
1. [Assignment: organization-defined frequency];
2. When required due to [Assignment: Assignment organization-defined circumstances]; and
3. When system components are installed or upgraded. |
Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture. |
|
9 |
| NIST_SP_800-53_R5.1.1 |
CM.7 |
NIST_SP_800-53_R5.1.1_CM.7 |
NIST SP 800-53 R5.1.1 CM.7 |
Configuration Management Control |
Least Functionality |
Shared |
a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]. |
Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3). |
|
17 |
| NIST_SP_800-53_R5 |
AC-17 |
NIST_SP_800-53_R5_AC-17 |
NIST SP 800-53 Rev. 5 AC-17 |
Access Control |
Remote Access |
Shared |
n/a |
a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorize each type of remote access to the system prior to allowing such connections. |
link |
41 |
| NIST_SP_800-53_R5 |
AC-17(1) |
NIST_SP_800-53_R5_AC-17(1) |
NIST SP 800-53 Rev. 5 AC-17 (1) |
Access Control |
Monitoring and Control |
Shared |
n/a |
Employ automated mechanisms to monitor and control remote access methods. |
link |
37 |
| NIST_SP_800-53_R5 |
AC-3 |
NIST_SP_800-53_R5_AC-3 |
NIST SP 800-53 Rev. 5 AC-3 |
Access Control |
Access Enforcement |
Shared |
n/a |
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
link |
18 |
| NIST_SP_800-53_R5 |
IA-5 |
NIST_SP_800-53_R5_IA-5 |
NIST SP 800-53 Rev. 5 IA-5 |
Identification and Authentication |
Authenticator Management |
Shared |
n/a |
Manage system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
b. Establishing initial authenticator content for any authenticators issued by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
e. Changing default authenticators prior to first use;
f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;
g. Protecting authenticator content from unauthorized disclosure and modification;
h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
i. Changing authenticators for group or role accounts when membership to those accounts changes. |
link |
18 |
| NIST_SP_800-53_R5 |
IA-5(1) |
NIST_SP_800-53_R5_IA-5(1) |
NIST SP 800-53 Rev. 5 IA-5 (1) |
Identification and Authentication |
Password-based Authentication |
Shared |
n/a |
For password-based authentication:
(a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;
(b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);
(c) Transmit passwords only over cryptographically-protected channels;
(d) Store passwords using an approved salted key derivation function, preferably using a keyed hash;
(e) Require immediate selection of a new password upon account recovery;
(f) Allow user selection of long passwords and passphrases, including spaces and all printable characters;
(g) Employ automated tools to assist the user in selecting strong password authenticators; and
(h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. |
link |
15 |
| NZISM_Security_Benchmark_v1.1 |
SS-3 |
NZISM_Security_Benchmark_v1.1_SS-3 |
NZISM Security Benchmark SS-3 |
Software security |
14.1.9 Maintaining hardened SOEs |
Customer |
Agencies SHOULD ensure that for all servers and workstations:
malware detection heuristics are set to a high level;
malware pattern signatures are checked for updates on at least a daily basis;
malware pattern signatures are updated as soon as possible after vendors make them available;
all disks and systems are regularly scanned for malicious code; and
the use of End Point Agents is considered. |
Whilst a SOE can be sufficiently hardened when it is deployed, its security will progressively degrade over time. Agencies can address the degradation of the security of a SOE by ensuring that patches are continually applied, system users are not able to disable or bypass security functionality and antivirus and other security software is appropriately maintained with the latest signatures and updates.
End Point Agents monitor traffic and apply security policies on applications, storage interfaces and data in real-time. Administrators actively block or monitor and log policy breaches. The End Point Agent can also create forensic monitoring to facilitate incident investigation.
End Point Agents can monitor user activity, such as the cut, copy, paste, print, print screen operations and copying data to external drives and other devices. The Agent can then apply policies to limit such activity. |
link |
11 |
| NZISM_v3.7 |
12.4.4.C.02. |
NZISM_v3.7_12.4.4.C.02. |
NZISM v3.7 12.4.4.C.02. |
Product Patching and Updating |
12.4.4.C.02. - minimise the risk of disruptions or vulnerabilities introduced by the patches. |
Shared |
n/a |
Agencies MUST implement a patch management strategy, including an evaluation or testing process. |
|
28 |
| NZISM_v3.7 |
12.4.4.C.04. |
NZISM_v3.7_12.4.4.C.04. |
NZISM v3.7 12.4.4.C.04. |
Product Patching and Updating |
12.4.4.C.04. - mitigate the risk of exploitation by malicious actors and to ensure the ongoing security and integrity of the agency's IT systems and data. |
Shared |
n/a |
Agencies SHOULD apply all critical security patches as soon as possible and preferably within two (2) days of the release of the patch or update. |
|
28 |
| NZISM_v3.7 |
12.4.4.C.05. |
NZISM_v3.7_12.4.4.C.05. |
NZISM v3.7 12.4.4.C.05. |
Product Patching and Updating |
12.4.4.C.05. - reduce the potential attack surface for malicious actors. |
Shared |
n/a |
Agencies SHOULD apply all non-critical security patches as soon as possible. |
|
26 |
| NZISM_v3.7 |
12.4.4.C.06. |
NZISM_v3.7_12.4.4.C.06. |
NZISM v3.7 12.4.4.C.06. |
Product Patching and Updating |
12.4.4.C.06. - maintain the integrity and effectiveness of the patching process. |
Shared |
n/a |
Agencies SHOULD ensure that security patches are applied through a vendor recommended patch or upgrade process. |
|
25 |
| NZISM_v3.7 |
14.1.8.C.01. |
NZISM_v3.7_14.1.8.C.01. |
NZISM v3.7 14.1.8.C.01. |
Standard Operating Environments |
14.1.8.C.01. - minimise vulnerabilities and enhance system security |
Shared |
n/a |
Agencies SHOULD develop a hardened SOE for workstations and servers, covering:
1. removal of unneeded software and operating system components;
2. removal or disabling of unneeded services, ports and BIOS settings;
3. disabling of unused or undesired functionality in software and operating systems;
4. implementation of access controls on relevant objects to limit system users and programs to the minimum access required;
5. installation of antivirus and anti-malware software;
6. installation of software-based firewalls limiting inbound and outbound network connections;
7. configuration of either remote logging or the transfer of local event logs to a central server; and
8. protection of audit and other logs through the use of a one way pipe to reduce likelihood of compromise key transaction records. |
|
30 |
| NZISM_v3.7 |
17.8.10.C.01. |
NZISM_v3.7_17.8.10.C.01. |
NZISM v3.7 17.8.10.C.01. |
Internet Protocol Security (IPSec) |
17.8.10.C.01. - enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies SHOULD use tunnel mode for IPSec connections. |
|
22 |
| NZISM_v3.7 |
17.8.10.C.02. |
NZISM_v3.7_17.8.10.C.02. |
NZISM v3.7 17.8.10.C.02. |
Internet Protocol Security (IPSec) |
17.8.10.C.02. - enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies choosing to use transport mode SHOULD additionally use an IP tunnel for IPSec connections. |
|
35 |
| NZISM_v3.7 |
22.3.11.C.01. |
NZISM_v3.7_22.3.11.C.01. |
NZISM v3.7 22.3.11.C.01. |
Virtual Local Area Networks |
22.3.11.C.01. - ensure data security and integrity. |
Shared |
n/a |
Unused ports on the switches MUST be disabled. |
|
18 |
| NZISM_v3.7 |
22.3.11.C.02. |
NZISM_v3.7_22.3.11.C.02. |
NZISM v3.7 22.3.11.C.02. |
Virtual Local Area Networks |
22.3.11.C.02. - ensure data security and integrity. |
Shared |
n/a |
Unused ports on the switches SHOULD be disabled. |
|
18 |
|
op.acc.1 Identification |
op.acc.1 Identification |
404 not found |
|
|
|
n/a |
n/a |
|
63 |
|
op.acc.2 Access requirements |
op.acc.2 Access requirements |
404 not found |
|
|
|
n/a |
n/a |
|
61 |
|
op.acc.5 Authentication mechanism (external users) |
op.acc.5 Authentication mechanism (external users) |
404 not found |
|
|
|
n/a |
n/a |
|
69 |
|
op.exp.10 Cryptographic key protection |
op.exp.10 Cryptographic key protection |
404 not found |
|
|
|
n/a |
n/a |
|
50 |
|
op.ext.4 Interconnection of systems |
op.ext.4 Interconnection of systems |
404 not found |
|
|
|
n/a |
n/a |
|
68 |
| PCI_DSS_v4.0.1 |
1.2.5 |
PCI_DSS_v4.0.1_1.2.5 |
PCI DSS v4.0.1 1.2.5 |
Install and Maintain Network Security Controls |
All services, protocols, and ports allowed are identified, approved, and have a defined business need |
Shared |
n/a |
Examine documentation to verify that a list exists of all allowed services, protocols, and ports, including business justification and approval for each. Examine configuration settings for NSCs to verify that only approved services, protocols, and ports are in use |
|
19 |
| PCI_DSS_v4.0.1 |
2.2.4 |
PCI_DSS_v4.0.1_2.2.4 |
PCI DSS v4.0.1 2.2.4 |
Apply Secure Configurations to All System Components |
Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled |
Shared |
n/a |
Examine system configuration standards to verify necessary services, protocols, daemons, and functions are identified and documented. Examine system configurations to verify the following: All unnecessary functionality is removed or disabled. Only required functionality, as documented in the configuration standards, is enabled |
|
25 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
214 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
225 |
| SOC_2023 |
CC6.1 |
SOC_2023_CC6.1 |
SOC 2023 CC6.1 |
Logical and Physical Access Controls |
Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. |
Shared |
n/a |
Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. |
|
127 |
| SOC_2023 |
CC6.7 |
SOC_2023_CC6.7 |
404 not found |
|
|
|
n/a |
n/a |
|
52 |
| SOC_2023 |
CC6.8 |
SOC_2023_CC6.8 |
SOC 2023 CC6.8 |
Logical and Physical Access Controls |
Mitigate the risk of cybersecurity threats, safeguard critical systems and data, and maintain operational continuity and integrity. |
Shared |
n/a |
Entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
|
33 |
| SOC_2023 |
CC7.2 |
SOC_2023_CC7.2 |
SOC 2023 CC7.2 |
Systems Operations |
Maintain robust security measures and ensure operational resilience. |
Shared |
n/a |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. |
|
163 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
209 |
| SOC_2023 |
CC8.1 |
SOC_2023_CC8.1 |
SOC 2023 CC8.1 |
Change Management |
Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. |
Shared |
n/a |
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. |
|
143 |
| SWIFT_CSCF_v2021 |
6.4 |
SWIFT_CSCF_v2021_6.4 |
SWIFT CSCF v2021 6.4 |
Detect Anomalous Activity to Systems or Transaction Records |
Logging and Monitoring |
|
n/a |
Record security events and detect anomalous actions and operations within the local SWIFT environment. |
link |
29 |
| SWIFT_CSCF_v2022 |
2.3 |
SWIFT_CSCF_v2022_2.3 |
SWIFT CSCF v2022 2.3 |
2. Reduce Attack Surface and Vulnerabilities |
Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. |
Shared |
n/a |
Security hardening is conducted and maintained on all in-scope components. |
link |
25 |
| SWIFT_CSCF_v2022 |
4.1 |
SWIFT_CSCF_v2022_4.1 |
SWIFT CSCF v2022 4.1 |
4. Prevent Compromise of Credentials |
Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. |
Shared |
n/a |
All application and operating system accounts enforce passwords with appropriate parameters such as length, complexity, validity, and the number of failed login attempts. Similarly, personal tokens and mobile devices enforce passwords or a Personal Identification Number (PIN) with appropriate parameters. |
link |
17 |
| UK_NCSC_CSP |
10 |
UK_NCSC_CSP_10 |
UK NCSC CSP 10 |
Identity and authentication |
Identity and authentication |
Shared |
n/a |
All access to service interfaces should be constrained to authenticated and authorised individuals. |
link |
22 |