Az Policy Advertizer

Canada_Federal_PBMM_3-1-2020_AC_1

AC_1

Canada Federal PBMM 3-1-2020 AC 1

Access Control Policy and Procedures

Shared

1. The organization develops, documents, and disseminates to personnel or roles with access control responsibilities: a. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the access control policy and associated access controls. 2. The organization reviews and updates the current: a. Access control policy at least every 3 years; and b. Access control procedures at least annually.

To establish and maintain effective access control measures.

Canada_Federal_PBMM_3-1-2020_AC_14

AC_14

Canada Federal PBMM 3-1-2020 AC 14

Permitted Actions Without Identification or Authentication

Permitted Actions without Identification or Authentication

Shared

1. The organization identifies user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions. 2. The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.

To ensure transparency and accountability in the system's security measures.

Canada_Federal_PBMM_3-1-2020_AC_17(100)

AC_17(100)

Canada Federal PBMM 3-1-2020 AC 17(100)

Remote Access

Remote Access | Remote Access to Privileged Accounts using Dedicated Management Console

Shared

Remote access to privileged accounts is performed on dedicated management consoles governed entirely by the system’s security policies and used exclusively for this purpose (e.g. Internet access not allowed).

To reduce the risk of unauthorized access or compromise of privileged accounts.

Canada_Federal_PBMM_3-1-2020_AC_2(4)

AC_2(4)

Canada Federal PBMM 3-1-2020 AC 2(4)

Account Management

Account Management | Automated Audit Actions

Shared

1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers. 2. Related controls: AU-2, AU-12.

To ensure accountability and transparency within the information system.

Canada_Federal_PBMM_3-1-2020_AC_2(7)

AC_2(7)

Canada Federal PBMM 3-1-2020 AC 2(7)

Account Management

Account Management | Role-Based Schemes

Shared

1. The organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; 2. The organization monitors privileged role assignments; and 3. The organization disables (or revokes) privileged user assignments within 24 hours or sooner when privileged role assignments are no longer appropriate.

To strengthen the security posture and safeguard sensitive data and critical resources.

Canada_Federal_PBMM_3-1-2020_AC_3

AC_3

Canada Federal PBMM 3-1-2020 AC 3

Access Enforcement

Shared

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

To mitigate the risk of unauthorized access.

Canada_Federal_PBMM_3-1-2020_CA_7

CA_7

Canada Federal PBMM 3-1-2020 CA 7

Continuous Monitoring

Shared

1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency.

To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements.

124

Canada_Federal_PBMM_3-1-2020_IA_1

IA_1

Canada Federal PBMM 3-1-2020 IA 1

Identification and Authentication Policy and Procedures

Shared

1. The organization Develops, documents, and disseminates to all personnel: a. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. 2. The organization Reviews and updates the current: a. Identification and authentication policy at least every 3 years; and b. Identification and authentication procedures at least annually.

To ensure secure access control and compliance with established standards.

Canada_Federal_PBMM_3-1-2020_IA_2

IA_2

Canada Federal PBMM 3-1-2020 IA 2

Identification and Authentication (Organizational Users)

Shared

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

To prevent unauthorized access and maintain system security.

Canada_Federal_PBMM_3-1-2020_IA_4(2)

IA_4(2)

Canada Federal PBMM 3-1-2020 IA 4(2)

Identifier Management

Identifier Management | Supervisor Authorization

Shared

The organization requires that the registration process to receive an individual identifier includes supervisor authorization.

To ensure accountability and authorization by requiring supervisor approval during the registration process for individual identifiers.

Canada_Federal_PBMM_3-1-2020_IA_4(3)

IA_4(3)

Canada Federal PBMM 3-1-2020 IA 4(3)

Identifier Management

Identifier Management | Multiple Forms of Certification

Shared

The organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority.

To enhance the reliability and accuracy of individual identification.

Canada_Federal_PBMM_3-1-2020_IA_5(3)

IA_5(3)

Canada Federal PBMM 3-1-2020 IA 5(3)

Authenticator Management

Authenticator Management | In-Person or Trusted Third-Party Registration

Shared

The organization requires that the registration process to receive be conducted in person before an organization-defined registration authority with authorization by organization-defined personnel or roles.

To enhance security and accountability within the organization's registration procedures.

Canada_Federal_PBMM_3-1-2020_IA_8

IA_8

Canada Federal PBMM 3-1-2020 IA 8

Identification and Authentication (Non-Organizational Users)

Shared

The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

To ensure secure access and accountability.

Canada_Federal_PBMM_3-1-2020_SI_4

SI_4

Canada Federal PBMM 3-1-2020 SI 4

Information System Monitoring

Shared

1. The organization monitors the information system to detect: a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and b. Unauthorized local, network, and remote connections; 2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods. 3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. 4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. 5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. 6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards. 7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_4(1)

SI_4(1)

Canada Federal PBMM 3-1-2020 SI 4(1)

Information System Monitoring

Information System Monitoring | System-Wide Intrusion Detection System

Shared

The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_4(2)

SI_4(2)

Canada Federal PBMM 3-1-2020 SI 4(2)

Information System Monitoring

Information System Monitoring | Automated Tools for Real-Time Analysis

Shared

The organization employs automated tools to support near real-time analysis of events.

To enhance overall security posture.

10.7

CIS_Controls_v8.1_10.7

CIS Controls v8.1 10.7

Malware Defenses

Use behaviour based anti-malware software

Shared

Use behaviour based anti-malware software

To ensure that a generic anti-malware software is not used.

13.1

CIS_Controls_v8.1_13.1

CIS Controls v8.1 13.1

Network Monitoring and Defense

Centralize security event alerting

Shared

1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard.

To ensure that any security event is immediately alerted enterprise-wide.

101

13.11

CIS_Controls_v8.1_13.11

CIS Controls v8.1 13.11

Network Monitoring and Defense

Tune security event alerting thresholds

Shared

Tune security event alerting thresholds monthly, or more frequently.

To regularly adjust and optimize security event alerting thresholds, aiming to enhance effectiveness.

13.3

CIS_Controls_v8.1_13.3

CIS Controls v8.1 13.3

Network Monitoring and Defense

Deploy a network intrusion detection solution

Shared

1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

To enhance the organization's cybersecurity.

18.4

CIS_Controls_v8.1_18.4

CIS Controls v8.1 18.4

Penetration Testing

Validate security measures

Shared

Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.

To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise.

3.14

CIS_Controls_v8.1_3.14

CIS Controls v8.1 3.14

Data Protection

Log sensitive data access

Shared

Log sensitive data access, including modification and disposal.

To enhance accountability, traceability, and security measures within the enterprise.

4.1

CIS_Controls_v8.1_4.1

CIS Controls v8.1 4.1

Secure Configuration of Enterprise Assets and Software

Establish and maintain a secure configuration process.

Shared

1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). 2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard.

To ensure data integrity and safety of enterprise assets.

8.1

CIS_Controls_v8.1_8.1

CIS Controls v8.1 8.1

Audit Log Management

Establish and maintain an audit log management process

Shared

1. Establish and maintain an audit log management process that defines the enterprise’s logging requirements. 2. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. 3. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard.

To ensure appropriate management of audit log systems.

8.11

CIS_Controls_v8.1_8.11

CIS Controls v8.1 8.11

Audit Log Management

Conduct audit log reviews

Shared

1. Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. 2. Conduct reviews on a weekly, or more frequent, basis.

To ensure the integrity of the data in audit logs.

8.2

CIS_Controls_v8.1_8.2

CIS Controls v8.1 8.2

Audit Log Management

Collect audit logs.

Shared

1. Collect audit logs. 2. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.

To assist in troubleshooting of system issues and ensure integrity of data systems.

8.3

CIS_Controls_v8.1_8.3

CIS Controls v8.1 8.3

Audit Log Management

Ensure adequate audit log storage

Shared

Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.

To ensure all important and required logs can be stored for retrieval as and when required.

8.5

CIS_Controls_v8.1_8.5

CIS Controls v8.1 8.5

Audit Log Management

Collect detailed audit logs.

Shared

1. Configure detailed audit logging for enterprise assets containing sensitive data. 2. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.

To ensure that audit logs contain all pertinent information that might be required in a forensic investigation.

8.7

CIS_Controls_v8.1_8.7

CIS Controls v8.1 8.7

Audit Log Management

Collect URL request audit logs

Shared

Collect URL request audit logs on enterprise assets, where appropriate and supported.

To maintain an audit trail of all URL requests made.

8.8

CIS_Controls_v8.1_8.8

CIS Controls v8.1 8.8

Audit Log Management

Collect command-line audit logs

Shared

Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell, BASH, and remote administrative terminals.

To ensure recording of the commands and arguments used by a process.

8.9

CIS_Controls_v8.1_8.9

CIS Controls v8.1 8.9

Audit Log Management

Centralize audit logs

Shared

Centralize, to the extent possible, audit log collection and retention across enterprise assets.

To optimize and simply the process of audit log management.

9.3

CIS_Controls_v8.1_9.3

CIS Controls v8.1 9.3

Email and Web Browser Protections

Maintain and enforce network-based URL filters

Shared

1. Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. 2. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. 3. Enforce filters for all enterprise assets.

To prevent users from connecting to unsafe websites.

CMMC_L2_v1.9.0_AU.L2_3.3.1

AU.L2_3.3.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.1

Audit and Accountability

System Auditing

Shared

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

To enhance security and accountability measures.

CMMC_L2_v1.9.0_AU.L2_3.3.2

AU.L2_3.3.2

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.2

Audit and Accountability

User Accountability

Shared

Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.

To ensure that the actions of individual system users can be uniquely traced back to them.

CMMC_L2_v1.9.0_AU.L2_3.3.3

AU.L2_3.3.3

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.3

Audit and Accountability

Event Review

Shared

Review and update logged events.

To enhance the effectiveness of security measures.

CMMC_L2_v1.9.0_AU.L2_3.3.4

AU.L2_3.3.4

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.4

Audit and Accountability

Audit Failure Alerting

Shared

Alert in the event of an audit logging process failure.

To maintain the integrity and effectiveness of the security monitoring system.

CMMC_L2_v1.9.0_AU.L2_3.3.7

AU.L2_3.3.7

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.7

Audit and Accountability

Authoritative Time Source

Shared

Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.

To ensure accurate time stamping of audit records for reliable monitoring, analysis, and reporting of system activity.

IAM_01

CSA_v4.0.12_IAM_01

CSA Cloud Controls Matrix v4.0.12 IAM 01

Identity & Access Management

Identity and Access Management Policy and Procedures

Shared

n/a

Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management. Review and update the policies and procedures at least annually.

IAM_02

CSA_v4.0.12_IAM_02

CSA Cloud Controls Matrix v4.0.12 IAM 02

Identity & Access Management

Strong Password Policy and Procedures

Shared

n/a

Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.

IAM_04

CSA_v4.0.12_IAM_04

CSA Cloud Controls Matrix v4.0.12 IAM 04

Identity & Access Management

Separation of Duties

Shared

n/a

Employ the separation of duties principle when implementing information system access.

IAM_07

CSA_v4.0.12_IAM_07

CSA Cloud Controls Matrix v4.0.12 IAM 07

Identity & Access Management

User Access Changes and Revocation

Shared

n/a

De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies.

IAM_10

CSA_v4.0.12_IAM_10

CSA Cloud Controls Matrix v4.0.12 IAM 10

Identity & Access Management

Management of Privileged Access Roles

Shared

n/a

Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access.

IAM_12

CSA_v4.0.12_IAM_12

CSA Cloud Controls Matrix v4.0.12 IAM 12

Identity & Access Management

Safeguard Logs Integrity

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures.

IAM_13

CSA_v4.0.12_IAM_13

CSA Cloud Controls Matrix v4.0.12 IAM 13

Identity & Access Management

Uniquely Identifiable Users

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs.

IAM_14

CSA_v4.0.12_IAM_14

CSA Cloud Controls Matrix v4.0.12 IAM 14

Identity & Access Management

Strong Authentication

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities.

IAM_15

CSA_v4.0.12_IAM_15

CSA Cloud Controls Matrix v4.0.12 IAM 15

Identity & Access Management

Passwords Management

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords.

IAM_16

CSA_v4.0.12_IAM_16

CSA Cloud Controls Matrix v4.0.12 IAM 16

Identity & Access Management

Authorization Mechanisms

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized.

LOG_05

CSA_v4.0.12_LOG_05

CSA Cloud Controls Matrix v4.0.12 LOG 05

Logging and Monitoring

Audit Logs Monitoring and Response

Shared

n/a

Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies.

LOG_07

CSA_v4.0.12_LOG_07

CSA Cloud Controls Matrix v4.0.12 LOG 07

Logging and Monitoring

Logging Scope

Shared

n/a

Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment.

LOG_08

CSA_v4.0.12_LOG_08

CSA Cloud Controls Matrix v4.0.12 LOG 08

Logging and Monitoring

Log Records

Shared

n/a

Generate audit records containing relevant security information.

LOG_10

CSA_v4.0.12_LOG_10

CSA Cloud Controls Matrix v4.0.12 LOG 10

Logging and Monitoring

Encryption Monitoring and Reporting

Shared

n/a

Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls.

LOG_11

CSA_v4.0.12_LOG_11

CSA Cloud Controls Matrix v4.0.12 LOG 11

Logging and Monitoring

Transaction/Activity Logging

Shared

n/a

Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys.

LOG_13

CSA_v4.0.12_LOG_13

CSA Cloud Controls Matrix v4.0.12 LOG 13

Logging and Monitoring

Failures and Anomalies Reporting

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures for the reporting of anomalies and failures of the monitoring system and provide immediate notification to the accountable party.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_2

Cyber Essentials v3.1 2

Cyber Essentials

Secure Configuration

Shared

n/a

Aim: ensure that computers and network devices are properly configured to reduce vulnerabilities and provide only the services required to fulfill their role.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_4

Cyber Essentials v3.1 4

Cyber Essentials

User Access Control

Shared

n/a

Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role.

EU_2555_(NIS2)_2022

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

193

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

310

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

310

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5.4

404 not found

n/a

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.5

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5

Policy and Implementation - Access Control

Access Control

Shared

Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI.

Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information.

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.7

404 not found

n/a

2.2.1

FFIEC_CAT_2017_2.2.1

FFIEC CAT 2017 2.2.1

Threat Intelligence and Collaboration

Monitoring and Analyzing

Shared

n/a

- Audit log records and other security event logs are reviewed and retained in a secure manner. - Computer event logs are used for investigations once an event has occurred.

3.1.1

FFIEC_CAT_2017_3.1.1

FFIEC CAT 2017 3.1.1

Cybersecurity Controls

Infrastructure Management

Shared

n/a

- Network perimeter defense tools (e.g., border router and firewall) are used. - Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. - All ports are monitored. - Up to date antivirus and anti-malware tools are used. - Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. - Ports, functions, protocols and services are prohibited if no longer needed for business purposes. - Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored. - Programs that can override system, object, network, virtual machine, and application controls are restricted. - System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met. - Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.)

3.1.2

FFIEC_CAT_2017_3.1.2

FFIEC CAT 2017 3.1.2

Cybersecurity Controls

Access and Data Management

Shared

n/a

Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.'FFIEC_Cybersecurity Control'!F8 - Employee access to systems and confidential data provides for separation of duties. - Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger 'FFIEC_Cybersecurity Control'!F7password controls). - User access reviews are performed periodically for all systems and applications based on the risk to the application or system. - Changes to physical and logical user access, including those that result from voluntary and involuntary terminations, are submitted to and approved by appropriate personnel. - Identification and authentication are required and managed for access to systems, applications, and hardware. - Access controls include password complexity and limits to password attempts and reuse. - All default passwords and unnecessary default accounts are changed before system implementation. - Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk. - Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.) - Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems. - All passwords are encrypted in storage and in transit. - Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). - Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) - Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. - Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software. - Customer service (e.g., the call center) utilizes formal procedures to authenticate customers commensurate with the risk of the transaction or request. - Data is disposed of or destroyed according to documented requirements and within expected time frames.

hipaa-0605.10h1System.12-10.h

3.2.2

FFIEC_CAT_2017_3.2.2

FFIEC CAT 2017 3.2.2

Cybersecurity Controls

Anomalous Activity Detection

Shared

n/a

- The institution is able to detect anomalous activities through monitoring across the environment. - Customer transactions generating anomalous activity alerts are monitored and reviewed. - Logs of physical and/or logical access are reviewed following events. - Access to critical systems by third parties is monitored for unauthorized or unusual activity. - Elevated privileges are monitored.

hipaa

0605.10h1System.12-10.h

0605.10h1System.12-10.h

06 Configuration Management

0605.10h1System.12-10.h 10.04 Security of System Files

Shared

n/a

Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release.

09.aa

HITRUST_CSF_v11.3_09.aa

HITRUST CSF v11.3 09.aa

Monitoring

Ensure information security events are monitored and recorded to detect unauthorized information processing activities in compliance with all relevant legal requirements.

Shared

1. Retention policies for audit logs are to be specified and the audit logs are to be retained accordingly. 2. A secure audit record is to be created each time a user accesses, creates, updates, or deletes covered and/or confidential information via the system. 3. Audit logs are to be maintained for account management activities, security policy changes, configuration changes, modification to sensitive information, read access to sensitive information, and printing of sensitive information.

Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.

09.ab

HITRUST_CSF_v11.3_09.ab

HITRUST CSF v11.3 09.ab

Monitoring

Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls.

Shared

1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with.

Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly.

113

10.k

HITRUST_CSF_v11.3_10.k

HITRUST CSF v11.3 10.k

Security In Development and Support Processes

Ensure the security of application system software and information through the development process, project and support environments shall be strictly controlled.

Shared

1. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management is to be formally addressed. 2. Changes to mobile device operating systems, patch levels, and/or applications is to be managed through a formal change management process. 3. A baseline configuration of the information system is to be developed, documented, and maintained under configuration control.

The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures.

ISO_IEC_27017_2015_12.4.1

11.a

HITRUST_CSF_v11.3_11.a

HITRUST CSF v11.3 11.a

Reporting Information Security Incidents and Weaknesses

Ensure information security events and weaknesses associated with information systems are handled in a manner allowing timely corrective action to be taken.

Shared

A designated and widely known point of contact is to be established within the organization to promptly report information security events, ensuring availability and timely responses; additionally, a maintained list of third-party contacts, such as information security officers' email addresses, facilitates for the reporting of security incidents.

Information security events shall be reported through appropriate communications channels as quickly as possible. All employees, contractors and third-party users shall be made aware of their responsibility to report any information security events as quickly as possible.

ISO_IEC_27001_2022

9.1

ISO_IEC_27001_2022_9.1

ISO IEC 27001 2022 9.1

Performance Evaluation

Monitoring, measurement, analysis and evaluation

Shared

1. The organization shall determine: a. what needs to be monitored and measured, including information security processes and controls; b. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid; c. when the monitoring and measuring shall be performed; d. who shall monitor and measure; e. when the results from monitoring and measurement shall be analysed and evaluated; f. who shall analyse and evaluate these results. 2. Documented information shall be available as evidence of the results.

Specifies that the organisation must evaluate information security performance and the effectiveness of the information security management system.

ISO_IEC_27002_2022

8.15

ISO_IEC_27002_2022_8.15

ISO IEC 27002 2022 8.15

Detection Control

Logging

Shared

Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed.

To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations.

ISO_IEC_27017_2015

12.4.1

ISO IEC 27017 2015 12.4.1

Operations Security

Event Logging

Shared

For Cloud Service Customer: The cloud service customer should define its requirements for event logging and verify that the cloud service meets those requirements. For Cloud Service Provider: The cloud service provider should provide logging capabilities to the cloud service customer.

ISO_IEC_27017_2015

Annex_A:_CLD.6.3.1

ISO_IEC_27017_2015_Annex_A:_CLD.6.3.1

404 not found

n/a

NIST_CSF_v2.0

DE.AE_03

NIST_CSF_v2.0_DE.AE_03

NIST CSF v2.0 DE.AE 03

DETECT-Adverse Event Analysis

Information is correlated from multiple sources.

Shared

n/a

To identify and analyze the cybersecurity attacks and compromises.

NIST_SP_800-171_R3_3.15.3

.15.3

NIST 800-171 R3 3.15.3

Planning Control

Rules of Behavior

Shared

Rules of behavior represent a type of access agreement for system users. Organizations consider rules of behavior for the handling of CUI based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users.

a. Establish and provide to individuals requiring access to the system, rules that describe their responsibilities and expected behavior for handling CUI and system usage. b. Receive a documented acknowledgement from individuals indicating that they have read, understand, and agree to abide by the rules of behavior before authorizing access to CUI and the system. c. Review and update the rules of behavior periodically.

.3.1

NIST_SP_800-171_R3_3.3.1

404 not found

n/a

.3.2

NIST_SP_800-171_R3_3.3.2

404 not found

n/a

.3.4

NIST_SP_800-171_R3_3.3.4

404 not found

n/a

.3.5

NIST_SP_800-171_R3_3.3.5

404 not found

n/a

.3.7

NIST_SP_800-171_R3_3.3.7

404 not found

n/a

.4.2

NIST_SP_800-171_R3_3.4.2

404 not found

n/a

NIST_SP_800-53_R5.1.1_AC.2.4

AC.2.4

NIST SP 800-53 R5.1.1 AC.2.4

Access Control

Account Management | Automated Audit Actions

Shared

Automatically audit account creation, modification, enabling, disabling, and removal actions.

Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6.

NIST_SP_800-53_R5.1.1_AU.12

AU.12

NIST SP 800-53 R5.1.1 AU.12

Audit and Accountability Control

Audit Record Generation

Shared

a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.

Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.

NIST_SP_800-53_R5.1.1_AU.2

AU.2

NIST SP 800-53 R5.1.1 AU.2

Audit and Accountability Control

Event Logging

Shared

a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency].

An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage. Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-17(1), CM-3f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-7, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.

NIST_SP_800-53_R5.1.1_AU.3

AU.3

NIST SP 800-53 R5.1.1 AU.3

Audit and Accountability Control

Content of Audit Records

Shared

Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event.

Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage.

NIST_SP_800-53_R5.1.1_AU.5

AU.5

NIST SP 800-53 R5.1.1 AU.5

Audit and Accountability Control

Response to Audit Logging Process Failures

Shared

a. Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] in the event of an audit logging process failure; and b. Take the following additional actions: [Assignment: organization-defined additional actions].

Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.

NIST_SP_800-53_R5.1.1_AU.6

AU.6

NIST SP 800-53 R5.1.1 AU.6

Audit and Accountability Control

Audit Record Review, Analysis, and Reporting

Shared

a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.

NIST_SP_800-53_R5.1.1_CM.6

CM.6

NIST SP 800-53 R5.1.1 CM.6

Configuration Management Control

Configuration Settings

Shared

a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system. Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors. Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.

NIST_SP_800-53_R5.1.1_MA.4.1

MA.4.1

NIST SP 800-53 R5.1.1 MA.4.1

Maintenance Control

Nonlocal Maintenance | Logging and Review

Shared

(a) Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions; and (b) Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior.

Audit logging for nonlocal maintenance is enforced by AU-2. Audit events are defined in AU-2a.

19.1.10.C.01.

NZISM_v3.7_19.1.10.C.01.

NZISM v3.7 19.1.10.C.01.

Gateways

19.1.10.C.01. - ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks.

Shared

n/a

When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection.

19.1.11.C.01.

NZISM_v3.7_19.1.11.C.01.

NZISM v3.7 19.1.11.C.01.

Gateways

19.1.11.C.01. - ensure network protection through gateway mechanisms.

Shared

n/a

Agencies MUST ensure that: 1. all agency networks are protected from networks in other security domains by one or more gateways; 2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and 3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room.

19.1.11.C.02.

NZISM_v3.7_19.1.11.C.02.

NZISM v3.7 19.1.11.C.02.

Gateways

19.1.11.C.02. - maintain security and integrity across domains.

Shared

n/a

For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party.

19.1.12.C.01.

NZISM_v3.7_19.1.12.C.01.

NZISM v3.7 19.1.12.C.01.

Gateways

19.1.12.C.01. - minimize security risks and ensure effective control over network communications

Shared

n/a

Agencies MUST ensure that gateways: 1. are the only communications paths into and out of internal networks; 2. by default, deny all connections into and out of the network; 3. allow only explicitly authorised connections; 4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network); 5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and 6. provide real-time alerts.

19.1.14.C.01.

NZISM_v3.7_19.1.14.C.01.

NZISM v3.7 19.1.14.C.01.

Gateways

19.1.14.C.01. - enhance security by segregating resources from the internal network.

Shared

n/a

Agencies MUST use demilitarised zones to house systems and information directly accessed externally.

19.1.14.C.02.

NZISM_v3.7_19.1.14.C.02.

NZISM v3.7 19.1.14.C.02.

Gateways

19.1.14.C.02. - enhance security by segregating resources from the internal network.

Shared

n/a

Agencies SHOULD use demilitarised zones to house systems and information directly accessed externally.

19.1.19.C.01.

NZISM_v3.7_19.1.19.C.01.

NZISM v3.7 19.1.19.C.01.

Gateways

19.1.19.C.01. - enhance security posture.

Shared

n/a

Agencies MUST limit access to gateway administration functions.

19.2.16.C.02.

NZISM_v3.7_19.2.16.C.02.

NZISM v3.7 19.2.16.C.02.

Cross Domain Solutions (CDS)

19.2.16.C.02. - maintain security and prevent unauthorized access or disclosure of sensitive information.

Shared

n/a

Agencies MUST NOT implement a gateway permitting data to flow directly from: 1. a TOP SECRET network to any network below SECRET; 2. a SECRET network to an UNCLASSIFIED network; or 3. a CONFIDENTIAL network to an UNCLASSIFIED network.

19.2.18.C.01.

NZISM_v3.7_19.2.18.C.01.

NZISM v3.7 19.2.18.C.01.

Cross Domain Solutions (CDS)

19.2.18.C.01. - enhance data security and prevent unauthorized access or leakage between classified networks and less classified networks.

Shared

n/a

Agencies MUST ensure that all bi-directional gateways between TOP SECRET and SECRET networks, SECRET and less classified networks, and CONFIDENTIAL and less classified networks, have separate upward and downward paths which use a diode and physically separate infrastructure for each path.

19.2.19.C.01.

NZISM_v3.7_19.2.19.C.01.

NZISM v3.7 19.2.19.C.01.

Cross Domain Solutions (CDS)

19.2.19.C.01. - ensure the integrity and reliability of information accessed or received.

Shared

n/a

Trusted sources MUST be: 1. a strictly limited list derived from business requirements and the result of a security risk assessment; 2. where necessary an appropriate security clearance is held; and 3. approved by the Accreditation Authority.

19.2.19.C.02.

NZISM_v3.7_19.2.19.C.02.

NZISM v3.7 19.2.19.C.02.

Cross Domain Solutions (CDS)

19.2.19.C.02. - reduce the risk of unauthorized data transfers and potential breaches.

Shared

n/a

Trusted sources MUST authorise all data to be exported from a security domain.

19.3.8.C.03.

NZISM_v3.7_19.3.8.C.03.

NZISM v3.7 19.3.8.C.03.

Firewalls

19.3.8.C.03. - minimise the risk of unauthorized access or data leakage between networks

Shared

n/a

Agencies MUST use devices as shown in the following table for their gateway when connecting two networks of different classifications or two networks of the same classification but of different security domains. Your network: Restricted and below Their network: Unclassified You require: EAL4 firewall They require: N/A Your network: Restricted and below Their network: Restricted You require: EAL2 or PP firewall They require:EAL2 or PP firewall Your network: Restricted and below Their network: Confidential You require: EAL2 or PP firewall They require:EAL4 firewall Your network: Restricted and below Their network: Secret You require: EAL2 or PP firewall They require:EAL4 firewall Your network: Restricted and below Their network: Top Secret You require: EAL2 or PP firewall They require: Consultation with GCSB Your network: Confidential Their network: Unclassified You require: Consultation with GCSB They require: N/A Your network: Confidential Their network: Restricted You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Confidential Their network: Confidential You require: EAL2 or PP firewal They require: EAL2 or PP firewall Your network: Confidential Their network: Secret You require: EAL2 or PP firewal They require: EAL4 firewall Your network: Confidential Their network: Top Secret You require: EAL2 or PP firewall They require: Consultation with GCSB Your network: Secret Their network: Unclassified You require: Consultation with GCSB They require: N/A Your network: Secret Their network: Restricted You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Secret Their network: Confidential You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Secret Their network: Secret You require: EAL2 or PP firewall They require: EAL2 or PP firewall Your network: Secret Their network: Top Secret You require: EAL2 or PP firewall They require: EAL4 firewall Your network: Top Secret Their network: Unclassified You require: Consultation with GCSB They require: N/A Your network: Top Secret Their network: Restricted You require: Consultation with GCSB They require: EAL2 or PP firewall Your network: Top Secret Their network: Confidential You require: Consultation with GCSB They require: EAL2 or PP firewall Your network: Top Secret Their network: Secret You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Top Secret Their network: Top Secret You require: EAL4 firewall They require: EAL4 firewall

19.3.8.C.04.

NZISM_v3.7_19.3.8.C.04.

NZISM v3.7 19.3.8.C.04.

Firewalls

19.3.8.C.04. - minimise the risk of unauthorized access or data leakage between networks

Shared

n/a

1. The requirement to implement a firewall as part of gateway architecture MUST be met separately and independently by both parties (gateways) in both physical and virtual environments. 2. Shared equipment DOES NOT satisfy the requirements of this control.

19.3.9.C.01.

NZISM_v3.7_19.3.9.C.01.

NZISM v3.7 19.3.9.C.01.

Firewalls

19.3.9.C.01. - minimise the risk of unauthorized access or data leakage between networks

Shared

n/a

Agencies MUST use a firewall of at least an EAL4 assurance level between an NZEO network and a foreign network in addition to the minimum assurance levels for firewalls between networks of different classifications or security domains.

19.3.9.C.02.

NZISM_v3.7_19.3.9.C.02.

NZISM v3.7 19.3.9.C.02.

Firewalls

19.3.9.C.02. - minimise the risk of unauthorized access or data leakage between networks

Shared

n/a

In all other circumstances the table at 19.3.8.C.03 MUST apply.

19.3.9.C.03.

NZISM_v3.7_19.3.9.C.03.

NZISM v3.7 19.3.9.C.03.

Firewalls

19.3.9.C.03. - minimise the risk of unauthorized access or data leakage between networks

Shared

n/a

Agencies SHOULD use a firewall of at least an EAL2 assurance level or a Protection Profile between an NZEO network and another New Zealand controlled network within a single security domain.

10.2.1.2

PCI_DSS_v4.0.1_10.2.1.2

PCI DSS v4.0.1 10.2.1.2

Log and Monitor All Access to System Components and Cardholder Data

Administrative Actions Logging

Shared

n/a

Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.

10.2.1.5

PCI_DSS_v4.0.1_10.2.1.5

PCI DSS v4.0.1 10.2.1.5

Log and Monitor All Access to System Components and Cardholder Data

Credential Changes Audit Logging

Shared

n/a

Audit logs capture all changes to identification and authentication credentials including, but not limited to: • Creation of new accounts. • Elevation of privileges. • All changes, additions, or deletions to accounts with administrative access.

10.2.2

PCI_DSS_v4.0.1_10.2.2

PCI DSS v4.0.1 10.2.2

Log and Monitor All Access to System Components and Cardholder Data

Details for Auditable Events

Shared

n/a

Audit logs record the following details for each auditable event: • User identification. • Type of event. • Date and time. • Success and failure indication. • Origination of event. • Identity or name of affected data, system component, resource, or service (for example, name and protocol).

10.4.1

PCI_DSS_v4.0.1_10.4.1

PCI DSS v4.0.1 10.4.1

Log and Monitor All Access to System Components and Cardholder Data

Daily Audit Log Review

Shared

n/a

The following audit logs are reviewed at least once daily: • All security events. • Logs of all system components that store, process, or transmit CHD and/or SAD. • Logs of all critical system components. • Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers).

10.4.1.1

PCI_DSS_v4.0.1_10.4.1.1

PCI DSS v4.0.1 10.4.1.1

Log and Monitor All Access to System Components and Cardholder Data

Automated Log Review Mechanisms

Shared

n/a

Automated mechanisms are used to perform audit log reviews.

10.4.2

PCI_DSS_v4.0.1_10.4.2

PCI DSS v4.0.1 10.4.2

Log and Monitor All Access to System Components and Cardholder Data

Periodic Review of Other Logs

Shared

n/a

Logs of all other system components (those not specified in Requirement 10.4.1) are reviewed periodically.

10.4.2.1

PCI_DSS_v4.0.1_10.4.2.1

PCI DSS v4.0.1 10.4.2.1

Log and Monitor All Access to System Components and Cardholder Data

Frequency of Log Reviews

Shared

n/a

The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1

10.4.3

PCI_DSS_v4.0.1_10.4.3

PCI DSS v4.0.1 10.4.3

Log and Monitor All Access to System Components and Cardholder Data

Addressing Log Anomalies

Shared

n/a

Exceptions and anomalies identified during the review process are addressed.

12.2.1

PCI_DSS_v4.0.1_12.2.1

PCI DSS v4.0.1 12.2.1

Support Information Security with Organizational Policies and Programs

Documented Acceptable Use Policies

Shared

n/a

Acceptable use policies for end-user technologies are documented and implemented, including: • Explicit approval by authorized parties. • Acceptable uses of the technology. • List of products approved by the company for employee use, including hardware and software.

2.2.1

PCI_DSS_v4.0.1_2.2.1

PCI DSS v4.0.1 2.2.1

Apply Secure Configurations to All System Components

Configuration standards are developed, implemented, and maintained to cover all system components, address all known security vulnerabilities, be consistent with industry-accepted system hardening standards or vendor hardening recommendations, be updated as new vulnerability issues are identified, and be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment

Shared

n/a

Examine system configuration standards to verify they define processes that include all elements specified in this requirement. Examine policies and procedures and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. Examine configuration settings and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before or immediately after a system component is connected to a production environment

A1.1

SOC_2023_A1.1

SOC 2023 A1.1

Additional Criteria for Availability

Effectively manage capacity demand and facilitate the implementation of additional capacity as needed.

Shared

n/a

The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

111

CC.5.3

SOC_2023_CC.5.3

404 not found

n/a

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

218

CC4.1

SOC_2023_CC4.1

SOC 2023 CC4.1

Monitoring Activities

Enhance the ability to manage risks and achieve objectives.

Shared

n/a

The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

CC4.2

SOC_2023_CC4.2

SOC 2023 CC4.2

Monitoring Activities

Facilitate timely corrective actions and strengthen the ability to maintain effective control over its operations and achieve its objectives.

Shared

n/a

The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors.

CC5.2

SOC_2023_CC5.2

SOC 2023 CC5.2

Control Activities

Mitigate technology-related risks and ensure that technology effectively supports the organization in achieving its objectives, enhancing efficiency, reliability, and security in its operations.

Shared

n/a

Entity also selects and develops general control activities over technology to support the achievement of objectives by determining Dependency Between the Use of Technology in Business Processes and Technology General Controls, establishing Relevant Technology Infrastructure Control Activities, establishing Relevant Security Management Process Controls Activities, establishing Relevant Technology Acquisition and Development, and Maintenance of Process Control Activities.

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

229

CC6.1

SOC_2023_CC6.1

SOC 2023 CC6.1

Logical and Physical Access Controls

Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets.

Shared

n/a

Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys.

128

CC6.2

SOC_2023_CC6.2

SOC 2023 CC6.2

Logical and Physical Access Controls

Ensure effective access control and ensuring the security of the organization's systems and data.

Shared

n/a

1. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. 2. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

CC6.3

SOC_2023_CC6.3

404 not found

n/a

CC6.7

SOC_2023_CC6.7

404 not found

n/a

CC7.2

SOC_2023_CC7.2

SOC 2023 CC7.2

Systems Operations

Maintain robust security measures and ensure operational resilience.

Shared

n/a

The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events.

167

CC7.4

SOC_2023_CC7.4

SOC 2023 CC7.4

Systems Operations

Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation.

Shared

n/a

The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations.

213

CC8.1

SOC_2023_CC8.1

SOC 2023 CC8.1

Change Management

Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change.

Shared

n/a

The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations.

147

1.2

SWIFT_CSCF_2024_1.2

SWIFT Customer Security Controls Framework 2024 1.2

Privileged Account Control

Operating System Privileged Account Control

Shared

Tightly protecting administrator-level accounts within the operating system reduces the opportunity for an attacker to use the privileges of the account as part of an attack (for example, executing commands or deleting evidence).

To restrict and control the allocation and usage of administrator-level operating system accounts.

11.2

SWIFT_CSCF_2024_11.2

404 not found

n/a

5.1

SWIFT_CSCF_2024_5.1

SWIFT Customer Security Controls Framework 2024 5.1

Access Control

Logical Access Control

Shared

1. Applying the security principles of (1) need-to-know, (2) least privilege, and (3) separation of duties is essential to restricting access to the user’s Swift infrastructure. 2. Effective management of operator accounts reduces the opportunities for a malicious person to use these accounts as part of an attack.

To enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts.

6.4

SWIFT_CSCF_2024_6.4

SWIFT Customer Security Controls Framework 2024 6.4

Access Control

Logging and Monitoring

Shared

1. Developing a logging and monitoring plan is the basis for effectively detecting abnormal behaviour and potential attacks and support further investigations. 2. As the operational environment becomes more complex, so will the logging and monitoring capability needed to perform adequate detection. Simplifying the operational environment will enable simpler logging and monitoring.

To record security events, detect and respond to anomalous actions and operations within the user’s Swift environment.