Storage accounts should restrict network access

Azure BuiltIn Policy definition

Alias

Namespace

ResourceType

Path

PathIsDefault

DefaultPath

Modifiable

Microsoft.Storage/storageAccounts/networkAcls.defaultAction

Microsoft.Storage

storageAccounts

properties.networkAcls.defaultAction

True

Control Domain

Control

Name

MetadataId

Category

Title

Owner

Requirements

Description

Info

Policy#

AU_ISM

1182

AU_ISM_1182

AU ISM 1182

Guidelines for Networking - Network design and configuration

Network access controls - 1182

n/a

Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes.

link

AU_ISM

1546

AU_ISM_1546

AU ISM 1546

Guidelines for System Hardening - Authentication hardening

Authenticating to systems - 1546

n/a

Users are authenticated before they are granted access to a system and its resources.

link

AU_ISM

520

AU_ISM_520

AU ISM 520

Guidelines for Networking - Network design and configuration

Network access controls - 520

n/a

Network access controls are implemented on networks to prevent the connection of unauthorised network devices.

link

Azure_Security_Benchmark_v1.0

1.1

Azure_Security_Benchmark_v1.0_1.1

Azure Security Benchmark 1.1

Network Security

Protect resources using Network Security Groups or Azure Firewall on your Virtual Network

Customer

Ensure that all Virtual Network subnet deployments have a Network Security Group applied with network access controls specific to your application's trusted ports and sources. Use Azure Services with Private Link enabled, deploy the service inside your Vnet, or connect privately using Private Endpoints. For service specific requirements, please refer to the security recommendation for that specific service. Alternatively, if you have a specific use case, requirements can be met by implementing Azure Firewall. General Information on Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview How to create a Virtual Network: https://docs.microsoft.com/azure/virtual-network/quick-create-portal How to create an NSG with a security configuration: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic How to deploy and configure Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal

n/a

link

Azure_Security_Benchmark_v2.0

NS-1

Azure_Security_Benchmark_v2.0_NS-1

Azure Security Benchmark NS-1

Network Security

Implement security for internal traffic

Customer

Ensure that all Azure virtual networks follow an enterprise segmentation principle that aligns to the business risks. Any system that could incur higher risk for the organization should be isolated within its own virtual network and sufficiently secured with either a network security group (NSG) and/or Azure Firewall. Based on your applications and enterprise segmentation strategy, restrict or allow traffic between internal resources based on network security group rules. For specific well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach. This might not scale well if you have many applications and endpoints interacting with each other. You can also use Azure Firewall in circumstances where central management is required over a large number of enterprise segments or spokes (in a hub/spoke topology). Use Azure Security Center Adaptive Network Hardening to recommend network security group configurations that limit ports and source IPs based with the reference to external network traffic rules. Use Azure Sentinel to discover the use of legacy insecure protocols such as SSL/TLSv1, SMBv1, LM/NTLMv1, wDigest, Unsigned LDAP Binds, and weak ciphers in Kerberos. How to create a network security group with security rules: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic How to deploy and configure Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal Adaptive Network Hardening in Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-adaptive-network-hardening Azure Sentinel insecure protocols workbook:https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility#use-built-in-workbooks

n/a

link

Azure_Security_Benchmark_v2.0

NS-4

Azure_Security_Benchmark_v2.0_NS-4

Azure Security Benchmark NS-4

Network Security

Protect applications and services from external network attacks

Customer

Protect Azure resources against attacks from external networks, including distributed denial of service (DDoS) Attacks, application specific attacks, and unsolicited and potentially malicious internet traffic. Azure includes native capabilities for this: - Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations. - Use Web Application Firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services, and APIs against application layer attacks. - Protect your assets against DDoS attacks by enabling DDoS protection on your Azure virtual networks. - Use Azure Security Center to detect misconfiguration risks related to the above. Azure Firewall Documentation: https://docs.microsoft.com/azure/firewall/ How to deploy Azure WAF: https://docs.microsoft.com/azure/web-application-firewall/overview Manage Azure DDoS Protection using the Azure portal: https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection

n/a

link

Azure_Security_Benchmark_v3.0

NS-2

Azure_Security_Benchmark_v3.0_NS-2

Microsoft cloud security benchmark NS-2

Network Security

Secure cloud services with network controls

Shared

**Security Principle:** Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public network when possible. **Azure Guidance:** Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources. You should also disable or restrict public network access to services where feasible. For certain services, you also have the option to deploy VNet integration for the service where you can restrict the VNET to establish a private access point for the service. **Implementation and additional context:** Understand Azure Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview

n/a

link

Canada_Federal_PBMM_3-1-2020

AC_2(4)

Canada_Federal_PBMM_3-1-2020_AC_2(4)

Canada Federal PBMM 3-1-2020 AC 2(4)

Account Management

Account Management | Automated Audit Actions

Shared

1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers. 2. Related controls: AU-2, AU-12.

To ensure accountability and transparency within the information system.

CCCS

AC-17(1)

CCCS_AC-17(1)

CCCS AC-17(1)

Access Control

Remote Access | Automated Monitoring / Control

n/a

The information system monitors and controls remote access methods.

link

CCCS

SC-7

CCCS_SC-7

CCCS SC-7

System and Communications Protection

Boundary Protection

n/a

(A) The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. (B) The information system implements sub-networks for publicly accessible system components that are physically or logically separated from internal organizational networks. (C) The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

link

CIS_Azure_1.1.0

3.7

CIS_Azure_1.1.0_3.7

CIS Microsoft Azure Foundations Benchmark recommendation 3.7

3 Storage Accounts

Ensure default network access rule for Storage Accounts is set to deny

Shared

The customer is responsible for implementing this recommendation.

link

CIS_Azure_1.3.0

3.6

CIS_Azure_1.3.0_3.6

CIS Microsoft Azure Foundations Benchmark recommendation 3.6

3 Storage Accounts

Ensure default network access rule for Storage Accounts is set to deny

Shared

The customer is responsible for implementing this recommendation.

link

CIS_Azure_1.4.0

3.6

CIS_Azure_1.4.0_3.6

CIS Microsoft Azure Foundations Benchmark recommendation 3.6

3 Storage Accounts

Ensure Default Network Access Rule for Storage Accounts is Set to Deny

Shared

The customer is responsible for implementing this recommendation.

link

CIS_Azure_2.0.0

3.8

CIS_Azure_2.0.0_3.8

CIS Microsoft Azure Foundations Benchmark recommendation 3.8

Ensure Default Network Access Rule for Storage Accounts is Set to Deny

Shared

All allowed networks will need to be whitelisted on each specific network, creating administrative overhead. This may result in loss of network connectivity, so do not turn on for critical resources during business hours.

Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed. Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.

link

CIS_Controls_v8.1

12.2

CIS_Controls_v8.1_12.2

CIS Controls v8.1 12.2

Network Infrastructure Management

Establish and maintain a secure network architecture

Shared

1. Establish and maintain a secure network architecture. 2. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.

To ensure appropriate restrictions are placed on network architecture.

CIS_Controls_v8.1

12.3

CIS_Controls_v8.1_12.3

CIS Controls v8.1 12.3

Network Infrastructure Management

Securely manage network infrastructure

Shared

1. Securely manage network infrastructure. 2. Example implementations include version-controlled-infrastructure-ascode, and the use of secure network protocols, such as SSH and HTTPS.

To ensure proper management of network infrastructure.

CIS_Controls_v8.1

13.4

CIS_Controls_v8.1_13.4

CIS Controls v8.1 13.4

Network Monitoring and Defense

Perform traffic filtering between network segments

Shared

Perform traffic filtering between network segments, where appropriate.

To improve network security and reduce the risk of security breaches and unauthorized access.

CIS_Controls_v8.1

3.12

CIS_Controls_v8.1_3.12

CIS Controls v8.1 3.12

Data Protection

Segment data processing and storage based on sensitivity

Shared

1. Segment data processing and storage based on the sensitivity of the data. 2. Do not process sensitive data on enterprise assets intended for lower sensitivity data.

To minimise the risk of unauthorized access or exposure to sensitive information and enhance data security measures.

CIS_Controls_v8.1

4.1

CIS_Controls_v8.1_4.1

CIS Controls v8.1 4.1

Secure Configuration of Enterprise Assets and Software

Establish and maintain a secure configuration process.

Shared

1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). 2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard.

To ensure data integrity and safety of enterprise assets.

CMMC_2.0_L2

AC.L1-3.1.1

CMMC_2.0_L2_AC.L1-3.1.1

404 not found

n/a

CMMC_2.0_L2

AC.L2-3.1.12

CMMC_2.0_L2_AC.L2-3.1.12

404 not found

n/a

CMMC_2.0_L2

AC.L2-3.1.13

CMMC_2.0_L2_AC.L2-3.1.13

404 not found

n/a

CMMC_2.0_L2

AC.L2-3.1.14

CMMC_2.0_L2_AC.L2-3.1.14

404 not found

n/a

CMMC_2.0_L2

AC.L2-3.1.3

CMMC_2.0_L2_AC.L2-3.1.3

404 not found

n/a

CMMC_2.0_L2

SC.L1-3.13.1

CMMC_2.0_L2_SC.L1-3.13.1

404 not found

n/a

CMMC_2.0_L2

SC.L1-3.13.5

CMMC_2.0_L2_SC.L1-3.13.5

404 not found

n/a

CMMC_2.0_L2

SC.L2-3.13.2

CMMC_2.0_L2_SC.L2-3.13.2

404 not found

n/a

CMMC_2.0_L2

SC.L2-3.13.6

CMMC_2.0_L2_SC.L2-3.13.6

404 not found

n/a

CMMC_L2_v1.9.0

AC.L2_3.1.3

CMMC_L2_v1.9.0_AC.L2_3.1.3

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.3

Access Control

Control CUI Flow

Shared

Control the flow of CUI in accordance with approved authorizations.

To regulate the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations

CMMC_L3

AC.1.001

CMMC_L3_AC.1.001

CMMC L3 AC.1.001

Access Control

Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems).

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement AC.1.002.

link

CMMC_L3

AC.1.002

CMMC_L3_AC.1.002

CMMC L3 AC.1.002

Access Control

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).

link

CMMC_L3

AC.2.013

CMMC_L3_AC.2.013

CMMC L3 AC.2.013

Access Control

Monitor and control remote access sessions.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).

link

CMMC_L3

AC.2.016

CMMC_L3_AC.2.016

CMMC L3 AC.2.016

Access Control

Control the flow of CUI in accordance with approved authorizations.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.

link

CMMC_L3

CM.3.068

CMMC_L3_CM.3.068

CMMC L3 CM.3.068

Configuration Management

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling.

link

CMMC_L3

SC.1.175

CMMC_L3_SC.1.175

CMMC L3 SC.1.175

System and Communications Protection

Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.

link

CMMC_L3

SC.1.176

CMMC_L3_SC.1.176

CMMC L3 SC.1.176

System and Communications Protection

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

link

CMMC_L3

SC.3.183

CMMC_L3_SC.3.183

CMMC L3 SC.3.183

System and Communications Protection

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

link

CMMC_L3

SC.3.185

CMMC_L3_SC.3.185

CMMC L3 SC.3.185

System and Communications Protection

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.

link

CMMC_L3

SC.3.191

CMMC_L3_SC.3.191

CMMC L3 SC.3.191

System and Communications Protection

Protect the confidentiality of CUI at rest.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest.

link

CSA_v4.0.12

DCS_02

CSA_v4.0.12_DCS_02

CSA Cloud Controls Matrix v4.0.12 DCS 02

Datacenter Security

Off-Site Transfer Authorization Policy and Procedures

Shared

n/a

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires the written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually.

CSA_v4.0.12

DSP_05

CSA_v4.0.12_DSP_05

CSA Cloud Controls Matrix v4.0.12 DSP 05

Data Security and Privacy Lifecycle Management

Data Flow Documentation

Shared

n/a

Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change.

EU_GDPR_2016_679_Art.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

306

EU_GDPR_2016_679_Art.

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

306

EU_GDPR_2016_679_Art.

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

306

EU_GDPR_2016_679_Art.

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

306

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.5

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5

Policy and Implementation - Access Control

Access Control

Shared

Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI.

Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information.

FedRAMP_High_R4

AC-17

FedRAMP_High_R4_AC-17

FedRAMP High AC-17

Access Control

Remote Access

Shared

n/a

The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections. Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121.

link

FedRAMP_High_R4

AC-17(1)

FedRAMP_High_R4_AC-17(1)

FedRAMP High AC-17 (1)

Access Control

Automated Monitoring / Control

Shared

n/a

The information system monitors and controls remote access methods. Supplemental Guidance: Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12.

link

FedRAMP_High_R4

AC-4

FedRAMP_High_R4_AC-4

FedRAMP High AC-4

Access Control

Information Flow Enforcement

Shared

n/a

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. References: None.

link

FedRAMP_High_R4

SC-7

FedRAMP_High_R4_SC-7

FedRAMP High SC-7

System And Communications Protection

Boundary Protection

Shared

n/a

The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13. References: FIPS Publication 199; NIST Special Publications 800-41, 800-77.

link

FedRAMP_High_R4

SC-7(3)

FedRAMP_High_R4_SC-7(3)

FedRAMP High SC-7 (3)

System And Communications Protection

Access Points

Shared

n/a

The organization limits the number of external network connections to the information system. Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections.

link

FedRAMP_Moderate_R4

AC-17

FedRAMP_Moderate_R4_AC-17

FedRAMP Moderate AC-17

Access Control

Remote Access

Shared

n/a

link

FedRAMP_Moderate_R4

AC-17(1)

FedRAMP_Moderate_R4_AC-17(1)

FedRAMP Moderate AC-17 (1)

Access Control

Automated Monitoring / Control

Shared

n/a

link

FedRAMP_Moderate_R4

AC-4

FedRAMP_Moderate_R4_AC-4

FedRAMP Moderate AC-4

Access Control

Information Flow Enforcement

Shared

n/a

link

FedRAMP_Moderate_R4

SC-7

FedRAMP_Moderate_R4_SC-7

FedRAMP Moderate SC-7

System And Communications Protection

Boundary Protection

Shared

n/a

link

FedRAMP_Moderate_R4

SC-7(3)

FedRAMP_Moderate_R4_SC-7(3)

FedRAMP Moderate SC-7 (3)

System And Communications Protection

Access Points

Shared

n/a

link

hipaa

0866.09m3Organizational.1516-09.m

hipaa-0866.09m3Organizational.1516-09.m

0866.09m3Organizational.1516-09.m

08 Network Protection

0866.09m3Organizational.1516-09.m 09.06 Network Security Management

Shared

n/a

The organization describes the groups, roles, and responsibilities for the logical management of network components, and ensures coordination of and consistency in the elements of the network infrastructure.

HITRUST_CSF_v11.3

01.m

HITRUST_CSF_v11.3_01.m

HITRUST CSF v11.3 01.m

Network Access Control

Ensure segregation in networks.

Shared

Security gateways, internal network perimeters, wireless network segregation, firewalls, and logical network domains with controlled data flows to be implemented to enhance network security.

Groups of information services, users, and information systems should be segregated on networks.

HITRUST_CSF_v11.3

01.o

HITRUST_CSF_v11.3_01.o

HITRUST CSF v11.3 01.o

Network Access Control

Implement network routing controls to prevent breach of the access control policy of business applications.

Shared

Security gateways are to be leveraged, application-layer filtering proxy is to be employed, outbound traffic is to be directed through authenticated proxy servers, and internal directory services to fortify network access controls and protect against external threats are to be secured.

Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.

HITRUST_CSF_v11.3

09.ab

HITRUST_CSF_v11.3_09.ab

HITRUST CSF v11.3 09.ab

Monitoring

Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls.

Shared

1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with.

Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly.

109

HITRUST_CSF_v11.3

09.w

HITRUST_CSF_v11.3_09.w

HITRUST CSF v11.3 09.w

Exchange of Information

Develop and implement policies and procedures, to protect information associated with the interconnection of business information systems.

Shared

1. A security baseline is to be documented and implemented for interconnected systems. 2. Other requirements and controls linked to interconnected business systems are to include the separation of operational systems from interconnected system, retention and back-up of information held on the system, and fallback requirements and arrangements.

Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems.

IRS_1075_9.3

.1.12

IRS_1075_9.3.1.12

IRS 1075 9.3.1.12

Access Control

Remote Access (AC-17)

n/a

The agency must: a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed b. Authorize remote access to the information system prior to allowing such connections c. Authorize and document the execution of privileged commands and access to security-relevant information via remote access for compelling operational needs only (CE4) The information system must: a. Monitor and control remote access methods (CE1) b. Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions where FTI is transmitted over the remote connection and (CE2) c. Route all remote accesses through a limited number of managed network access control points (CE3) Remote access is defined as any access to an agency information system by a user communicating through an external network, for example, the Internet. Any remote access where FTI is accessed over the remote connection must be performed using multi-factor authentication. FTI cannot be accessed remotely by agency employees, agents, representatives, or contractors located offshore--outside of the United States territories, embassies, or military installations. Further, FTI may not be received, processed, stored, transmitted, or disposed of by IT systems located offshore.

link

IRS_1075_9.3

.16.5

IRS_1075_9.3.16.5

IRS 1075 9.3.16.5

System and Communications Protection

Boundary Protection (SC-7)

n/a

The information system must: a. Monitor and control communications at the external boundary of the system and at key internal boundaries within the system b. Implement subnetworks for publicly accessible system components that are physically and logically separated from internal agency networks c. Connect to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with agency security architecture requirements Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within the security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). The agency must limit the number of external network connections to the information system. (CE3) The agency must: (CE4) a. Implement a secure managed interface for each external telecommunication service b. Establish a traffic flow policy for each managed interface d. Protect the confidentiality and integrity of the information being transmitted across each interface e. Document each exception to the traffic flow policy with a supporting mission/business need and duration of that need, and accept the associated risk f. Review exceptions to the traffic flow policy at a minimum annually, and remove exceptions that are no longer supported by an explicit mission/business need The information system at managed interfaces must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). (CE5) The information system must, in conjunction with a remote device, prevent the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (CE7) Additional requirements for protecting FTI on networks are provided in Section 9.4.10, Network Protections.

link

ISO_IEC_27002_2022

5.14

ISO_IEC_27002_2022_5.14

ISO IEC 27002 2022 5.14

Protection, Preventive Control

Information transfer

Shared

To maintain the security of information transferred within an organization and with any external interested party.

Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties.

ISO27001-2013

A.13.1.1

ISO27001-2013_A.13.1.1

ISO 27001:2013 A.13.1.1

Communications Security

Network controls

Shared

n/a

Networks shall be managed and controlled to protect information in systems and applications.

link

New_Zealand_ISM

18.1.13.C.02

New_Zealand_ISM_18.1.13.C.02

18. Network security

18.1.13.C.02 Limiting network access

n/a

Agencies SHOULD implement network access controls on all networks.

NIS2

PV._Posture_and_Vulnerability_Management_5

NIS2_PV._Posture_and_Vulnerability_Management_5

PV. Posture and Vulnerability Management

Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure

n/a

missing value

NIST_SP_800-171_R2_3

.1.1

NIST_SP_800-171_R2_3.1.1

NIST SP 800-171 R2 3.1.1

Access Control

Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

link

NIST_SP_800-171_R2_3

.1.12

NIST_SP_800-171_R2_3.1.12

NIST SP 800-171 R2 3.1.12

Access Control

Monitor and control remote access sessions.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). [SP 800-46], [SP 800-77], and [SP 800-113] provide guidance on secure remote access and virtual private networks.

link

NIST_SP_800-171_R2_3

.1.13

NIST_SP_800-171_R2_3.1.13

NIST SP 800-171 R2 3.1.13

Access Control

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. See [NIST CRYPTO]; [NIST CAVP]; [NIST CMVP]; National Security Agency Cryptographic Standards.

link

NIST_SP_800-171_R2_3

.1.14

NIST_SP_800-171_R2_3.1.14

NIST SP 800-171 R2 3.1.14

Access Control

Route remote access via managed access control points.

Shared

The customer is responsible for implementing this requirement.

Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI.

link

NIST_SP_800-171_R2_3

.1.3

NIST_SP_800-171_R2_3.1.3

NIST SP 800-171 R2 3.1.3

Access Control

Control the flow of CUI in accordance with approved authorizations.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.

link

NIST_SP_800-171_R2_3

.13.1

NIST_SP_800-171_R2_3.13.1

NIST SP 800-171 R2 3.13.1

System and Communications Protection

Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

link

NIST_SP_800-171_R2_3

.13.2

NIST_SP_800-171_R2_3.13.2

NIST SP 800-171 R2 3.13.2

System and Communications Protection

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions. [SP 800-160-1] provides guidance on systems security engineering.

link

NIST_SP_800-171_R2_3

.13.5

NIST_SP_800-171_R2_3.13.5

NIST SP 800-171 R2 3.13.5

System and Communications Protection

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies

link

NIST_SP_800-171_R2_3

.13.6

NIST_SP_800-171_R2_3.13.6

NIST SP 800-171 R2 3.13.6

System and Communications Protection

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

link

NIST_SP_800-171_R3_3

.1.3

NIST_SP_800-171_R3_3.1.3

NIST 800-171 R3 3.1.3

Access Control

Information Flow Enforcement

Shared

Information flow control regulates where CUI can transit within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include keeping CUI from being transmitted in the clear to the internet, blocking outside traffic that claims to be from within the organization, restricting requests to the internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of CUI between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., encrypted tunnels, routers, gateways, and firewalls) that use rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems that represent different security domains with different security policies introduces the risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes prohibiting information transfers between interconnected systems (i.e., allowing information access only), employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.

Enforce approved authorizations for controlling the flow of CUI within the system and between connected systems.

NIST_SP_800-53_R4

AC-17

NIST_SP_800-53_R4_AC-17

NIST SP 800-53 Rev. 4 AC-17

Access Control

Remote Access

Shared

n/a

link

NIST_SP_800-53_R4

AC-17(1)

NIST_SP_800-53_R4_AC-17(1)

NIST SP 800-53 Rev. 4 AC-17 (1)

Access Control

Automated Monitoring / Control

Shared

n/a

link

NIST_SP_800-53_R4

AC-4

NIST_SP_800-53_R4_AC-4

NIST SP 800-53 Rev. 4 AC-4

Access Control

Information Flow Enforcement

Shared

n/a

link

NIST_SP_800-53_R4

SC-7

NIST_SP_800-53_R4_SC-7

NIST SP 800-53 Rev. 4 SC-7

System And Communications Protection

Boundary Protection

Shared

n/a

link

NIST_SP_800-53_R4

SC-7(3)

NIST_SP_800-53_R4_SC-7(3)

NIST SP 800-53 Rev. 4 SC-7 (3)

System And Communications Protection

Access Points

Shared

n/a

link

NIST_SP_800-53_R5.1.1

AC.4

NIST_SP_800-53_R5.1.1_AC.4

NIST SP 800-53 R5.1.1 AC.4

Access Control

Information Flow Enforcement

Shared

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].

Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS).

NIST_SP_800-53_R5.1.1

AC.4.4

NIST_SP_800-53_R5.1.1_AC.4.4

NIST SP 800-53 R5.1.1 AC.4.4

Access Control

Information Flow Enforcement | Flow Control of Encrypted Information

Shared

Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method] ].

Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms.

NIST_SP_800-53_R5.1.1

AC.4.6

NIST_SP_800-53_R5.1.1_AC.4.6

NIST SP 800-53 R5.1.1 AC.4.6

Access Control

Information Flow Enforcement | Metadata

Shared

Enforce information flow control based on [Assignment: organization-defined metadata].

Metadata is information that describes the characteristics of data. Metadata can include structural metadata describing data structures or descriptive metadata describing data content. Enforcement of allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata regarding data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., employing sufficiently strong binding techniques with appropriate assurance).

NIST_SP_800-53_R5

AC-17

NIST_SP_800-53_R5_AC-17

NIST SP 800-53 Rev. 5 AC-17

Access Control

Remote Access

Shared

n/a

a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections.

link

NIST_SP_800-53_R5

AC-17(1)

NIST_SP_800-53_R5_AC-17(1)

NIST SP 800-53 Rev. 5 AC-17 (1)

Access Control

Monitoring and Control

Shared

n/a

Employ automated mechanisms to monitor and control remote access methods.

link

NIST_SP_800-53_R5

AC-4

NIST_SP_800-53_R5_AC-4

NIST SP 800-53 Rev. 5 AC-4

Access Control

Information Flow Enforcement

Shared

n/a

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].

link

NIST_SP_800-53_R5

SC-7

NIST_SP_800-53_R5_SC-7

NIST SP 800-53 Rev. 5 SC-7

System and Communications Protection

Boundary Protection

Shared

n/a

a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically;logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

link

NIST_SP_800-53_R5

SC-7(3)

NIST_SP_800-53_R5_SC-7(3)

NIST SP 800-53 Rev. 5 SC-7 (3)

System and Communications Protection

Access Points

Shared

n/a

Limit the number of external network connections to the system.

link

NZ_ISM_v3.5

GS-3

NZ_ISM_v3.5_GS-3

NZISM Security Benchmark GS-3

Gateway security

19.1.12 Configuration of Gateways

Customer

n/a

Gateways are essential in controlling the flow of information between security domains. Any failure, particularly at the higher classifications, may have serious consequences. Hence mechanisms for alerting personnel to situations that may give rise to information security incidents are especially important for gateways.

link

NZISM_Security_Benchmark_v1.1

GS-3

NZISM_Security_Benchmark_v1.1_GS-3

NZISM Security Benchmark GS-3

Gateway security

19.1.12 Configuration of Gateways

Customer

Agencies MUST ensure that gateways: are the only communications paths into and out of internal networks; by default, deny all connections into and out of the network; allow only explicitly authorised connections; are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network); provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and provide real-time alerts.

link

NZISM_v3.7

14.3.12.C.01.

NZISM_v3.7_14.3.12.C.01.

NZISM v3.7 14.3.12.C.01.

Web Applications

14.3.12.C.01. - strengthening the overall security posture of the agency's network environment.

Shared

n/a

Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations.

NZISM_v3.7

19.1.10.C.01.

NZISM_v3.7_19.1.10.C.01.

NZISM v3.7 19.1.10.C.01.

Gateways

19.1.10.C.01. - ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks.

Shared

n/a

When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection.

NZISM_v3.7

19.1.11.C.01.

NZISM_v3.7_19.1.11.C.01.

NZISM v3.7 19.1.11.C.01.

Gateways

19.1.11.C.01. - ensure network protection through gateway mechanisms.

Shared

n/a

Agencies MUST ensure that: 1. all agency networks are protected from networks in other security domains by one or more gateways; 2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and 3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room.

NZISM_v3.7

19.1.11.C.02.

NZISM_v3.7_19.1.11.C.02.

NZISM v3.7 19.1.11.C.02.

Gateways

19.1.11.C.02. - maintain security and integrity across domains.

Shared

n/a

For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party.

NZISM_v3.7

19.1.12.C.01.

NZISM_v3.7_19.1.12.C.01.

NZISM v3.7 19.1.12.C.01.

Gateways

19.1.12.C.01. - minimize security risks and ensure effective control over network communications

Shared

n/a

Agencies MUST ensure that gateways: 1. are the only communications paths into and out of internal networks; 2. by default, deny all connections into and out of the network; 3. allow only explicitly authorised connections; 4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network); 5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and 6. provide real-time alerts.

NZISM_v3.7

19.1.14.C.01.

NZISM_v3.7_19.1.14.C.01.

NZISM v3.7 19.1.14.C.01.

Gateways

19.1.14.C.01. - enhance security by segregating resources from the internal network.

Shared

n/a

Agencies MUST use demilitarised zones to house systems and information directly accessed externally.

NZISM_v3.7

19.1.14.C.02.

NZISM_v3.7_19.1.14.C.02.

NZISM v3.7 19.1.14.C.02.

Gateways

19.1.14.C.02. - enhance security by segregating resources from the internal network.

Shared

n/a

Agencies SHOULD use demilitarised zones to house systems and information directly accessed externally.

NZISM_v3.7

19.1.19.C.01.

NZISM_v3.7_19.1.19.C.01.

NZISM v3.7 19.1.19.C.01.

Gateways

19.1.19.C.01. - enhance security posture.

Shared

n/a

Agencies MUST limit access to gateway administration functions.

NZISM_v3.7

19.2.16.C.02.

NZISM_v3.7_19.2.16.C.02.

NZISM v3.7 19.2.16.C.02.

Cross Domain Solutions (CDS)

19.2.16.C.02. - maintain security and prevent unauthorized access or disclosure of sensitive information.

Shared

n/a

Agencies MUST NOT implement a gateway permitting data to flow directly from: 1. a TOP SECRET network to any network below SECRET; 2. a SECRET network to an UNCLASSIFIED network; or 3. a CONFIDENTIAL network to an UNCLASSIFIED network.

NZISM_v3.7

19.2.18.C.01.

NZISM_v3.7_19.2.18.C.01.

NZISM v3.7 19.2.18.C.01.

Cross Domain Solutions (CDS)

19.2.18.C.01. - enhance data security and prevent unauthorized access or leakage between classified networks and less classified networks.

Shared

n/a

Agencies MUST ensure that all bi-directional gateways between TOP SECRET and SECRET networks, SECRET and less classified networks, and CONFIDENTIAL and less classified networks, have separate upward and downward paths which use a diode and physically separate infrastructure for each path.

NZISM_v3.7

19.2.19.C.01.

NZISM_v3.7_19.2.19.C.01.

NZISM v3.7 19.2.19.C.01.

Cross Domain Solutions (CDS)

19.2.19.C.01. - ensure the integrity and reliability of information accessed or received.

Shared

n/a

Trusted sources MUST be: 1. a strictly limited list derived from business requirements and the result of a security risk assessment; 2. where necessary an appropriate security clearance is held; and 3. approved by the Accreditation Authority.

NZISM_v3.7

19.2.19.C.02.

NZISM_v3.7_19.2.19.C.02.

NZISM v3.7 19.2.19.C.02.

Cross Domain Solutions (CDS)

19.2.19.C.02. - reduce the risk of unauthorized data transfers and potential breaches.

Shared

n/a

Trusted sources MUST authorise all data to be exported from a security domain.

NZISM_v3.7

19.3.8.C.01.

NZISM_v3.7_19.3.8.C.01.

NZISM v3.7 19.3.8.C.01.

Firewalls

19.3.8.C.01. - enhance network security.

Shared

n/a

All gateways MUST contain a firewall in both physical and virtual environments.

NZISM_v3.7

19.3.8.C.03.

NZISM_v3.7_19.3.8.C.03.

NZISM v3.7 19.3.8.C.03.

Firewalls

19.3.8.C.03. - minimise the risk of unauthorized access or data leakage between networks

Shared

n/a

Agencies MUST use devices as shown in the following table for their gateway when connecting two networks of different classifications or two networks of the same classification but of different security domains. Your network: Restricted and below Their network: Unclassified You require: EAL4 firewall They require: N/A Your network: Restricted and below Their network: Restricted You require: EAL2 or PP firewall They require:EAL2 or PP firewall Your network: Restricted and below Their network: Confidential You require: EAL2 or PP firewall They require:EAL4 firewall Your network: Restricted and below Their network: Secret You require: EAL2 or PP firewall They require:EAL4 firewall Your network: Restricted and below Their network: Top Secret You require: EAL2 or PP firewall They require: Consultation with GCSB Your network: Confidential Their network: Unclassified You require: Consultation with GCSB They require: N/A Your network: Confidential Their network: Restricted You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Confidential Their network: Confidential You require: EAL2 or PP firewal They require: EAL2 or PP firewall Your network: Confidential Their network: Secret You require: EAL2 or PP firewal They require: EAL4 firewall Your network: Confidential Their network: Top Secret You require: EAL2 or PP firewall They require: Consultation with GCSB Your network: Secret Their network: Unclassified You require: Consultation with GCSB They require: N/A Your network: Secret Their network: Restricted You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Secret Their network: Confidential You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Secret Their network: Secret You require: EAL2 or PP firewall They require: EAL2 or PP firewall Your network: Secret Their network: Top Secret You require: EAL2 or PP firewall They require: EAL4 firewall Your network: Top Secret Their network: Unclassified You require: Consultation with GCSB They require: N/A Your network: Top Secret Their network: Restricted You require: Consultation with GCSB They require: EAL2 or PP firewall Your network: Top Secret Their network: Confidential You require: Consultation with GCSB They require: EAL2 or PP firewall Your network: Top Secret Their network: Secret You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Top Secret Their network: Top Secret You require: EAL4 firewall They require: EAL4 firewall

NZISM_v3.7

19.3.8.C.04.

NZISM_v3.7_19.3.8.C.04.

NZISM v3.7 19.3.8.C.04.

Firewalls

19.3.8.C.04. - minimise the risk of unauthorized access or data leakage between networks

Shared

n/a

1. The requirement to implement a firewall as part of gateway architecture MUST be met separately and independently by both parties (gateways) in both physical and virtual environments. 2. Shared equipment DOES NOT satisfy the requirements of this control.

NZISM_v3.7

19.3.9.C.01.

NZISM_v3.7_19.3.9.C.01.

NZISM v3.7 19.3.9.C.01.

Firewalls

19.3.9.C.01. - minimise the risk of unauthorized access or data leakage between networks

Shared

n/a

Agencies MUST use a firewall of at least an EAL4 assurance level between an NZEO network and a foreign network in addition to the minimum assurance levels for firewalls between networks of different classifications or security domains.

PCI_DSS_V3.2.1

1.3.2

PCI_DSS_v3.2.1_1.3.2

PCI DSS v3.2.1 1.3.2

Requirement 1

PCI DSS requirement 1.3.2

customer

n/a

link

PCI_DSS_V3.2.1

1.3.4

PCI_DSS_v3.2.1_1.3.4

PCI DSS v3.2.1 1.3.4

Requirement 1

PCI DSS requirement 1.3.4

customer

n/a

link

PCI_DSS_v4.0

1.3.2

PCI_DSS_v4.0_1.3.2

PCI DSS v4.0 1.3.2

Requirement 01: Install and Maintain Network Security Controls

Network access to and from the cardholder data environment is restricted

Shared

n/a

Outbound traffic from the CDE is restricted as follows: • To only traffic that is necessary. • All other traffic is specifically denied.

link

PCI_DSS_v4.0

1.4.2

PCI_DSS_v4.0_1.4.2

PCI DSS v4.0 1.4.2

Requirement 01: Install and Maintain Network Security Controls

Network connections between trusted and untrusted networks are controlled

Shared

n/a

Inbound traffic from untrusted networks to trusted networks is restricted to: • Communications with system components that are authorized to provide publicly accessible services, protocols, and ports. • Stateful responses to communications initiated by system components in a trusted network. • All other traffic is denied.

link

RBI_CSF_Banks_v2016

14.1

RBI_CSF_Banks_v2016_14.1

Anti-Phishing

Anti-Phishing-14.1

n/a

Subscribe to Anti-phishing/anti-rouge app services from external service providers for identifying and taking down phishing websites/rouge applications.

RBI_CSF_Banks_v2016

15.1

RBI_CSF_Banks_v2016_15.1

Data Leak Prevention Strategy

Data Leak Prevention Strategy-15.1

n/a

Develop a comprehensive data loss/leakage prevention strategy to safeguard sensitive (including confidential)business and customer data/information.

RBI_CSF_Banks_v2016

7.7

RBI_CSF_Banks_v2016_7.7

Patch/Vulnerability & Change Management

Patch/Vulnerability & Change Management-7.7

n/a

Periodically evaluate the access device configurations and patch levels to ensure that all access points, nodes between (i) different VLANs in the Data Centre (ii) LAN/WAN interfaces (iii) bank???s network to external network and interconnections with partner, vendor and service provider networks are to be securely configured.

SOC_2023

A1.1

SOC_2023_A1.1

SOC 2023 A1.1

Additional Criteria for Availability

Effectively manage capacity demand and facilitate the implementation of additional capacity as needed.

Shared

n/a

The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

107

SOC_2023

CC6.1

SOC_2023_CC6.1

SOC 2023 CC6.1

Logical and Physical Access Controls

Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets.

Shared

n/a

Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys.

127

SOC_2023

CC7.2

SOC_2023_CC7.2

SOC 2023 CC7.2

Systems Operations

Maintain robust security measures and ensure operational resilience.

Shared

n/a

The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events.

163

SOC_2023

CC8.1

SOC_2023_CC8.1

SOC 2023 CC8.1

Change Management

Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change.

Shared

n/a

The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations.

143

SOC_2023

PI1.3

SOC_2023_PI1.3

SOC 2023 PI1.3

Additional Criteria for Processing Integrity (Over the provision of services or the production, manufacturing, or distribution of goods)

Enhance efficiency, accuracy, and compliance with organizational standards and regulatory requirements with regards to system processing to result in products, services, and reporting to meet the entity’s objectives.

Shared

n/a

The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.

SWIFT_CSCF_2024

1.1

SWIFT_CSCF_2024_1.1

SWIFT Customer Security Controls Framework 2024 1.1

Physical and Environmental Security

Swift Environment Protection

Shared

1. Segmentation between the user's Swift infrastructure and the larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve a compromise of the general enterprise IT environment. 2. Effective segmentation includes network-level separation, access restrictions, and connectivity restrictions.

To ensure the protection of the user’s Swift infrastructure from potentially compromised elements of the general IT environment and external environment.

SWIFT_CSCF_v2021

1.1

SWIFT_CSCF_v2021_1.1

SWIFT CSCF v2021 1.1

SWIFT Environment Protection

n/a

Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment.

link

SWIFT_CSCF_v2022

1.1

SWIFT_CSCF_v2022_1.1

SWIFT CSCF v2022 1.1

1. Restrict Internet Access & Protect Critical Systems from General IT Environment

Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment.

Shared

n/a

A separated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments.

link

SWIFT_CSCF_v2022

1.5A

SWIFT_CSCF_v2022_1.5A

SWIFT CSCF v2022 1.5A

1. Restrict Internet Access & Protect Critical Systems from General IT Environment

Ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment.

Shared

n/a

A separated secure zone safeguards the customer's infrastructure used for external connectivity from external environments and compromises or attacks on the broader enterprise environment.

link

U.07.1 - Isolated

404 not found

n/a

U.12.1 - Network Connections

U.12.1 - Network connections

404 not found

n/a

U.12.2 - Network Connections

U.12.2 - Network connections

404 not found

n/a

UK_NCSC_CSP

UK_NCSC_CSP_11

UK NCSC CSP 11

External interface protection

Shared

n/a

All external or less trusted interfaces of the service should be identified and appropriately defended.

link

UK_NCSC_CSP

5.3

UK_NCSC_CSP_5.3

UK NCSC CSP 5.3

Operational security

Protective Monitoring

Shared

n/a

A service which does not effectively monitor for attack, misuse and malfunction will be unlikely to detect attacks (both successful and unsuccessful). As a result, it will be unable to quickly respond to potential compromises of your environments and data.

link

Initiative DisplayName

Initiative Id

Initiative Category

State

Type

polSet in AzUSGov

[Deprecated]: Azure Security Benchmark v1

42a694ed-f65e-42b2-aa9e-8052e9740a92

Regulatory Compliance

Deprecated

BuiltIn

true

[Deprecated]: Azure Security Benchmark v2

bb522ac1-bc39-4957-b194-429bcd3bcb0b

Regulatory Compliance

Deprecated

BuiltIn

true

[Deprecated]: DoD Impact Level 4

8d792a84-723c-4d92-a3c3-e4ed16a2d133

Regulatory Compliance

Deprecated

BuiltIn

true

[Deprecated]: New Zealand ISM Restricted

d1a462af-7e6d-4901-98ac-61570b4ed22a

Regulatory Compliance

Deprecated

BuiltIn

unknown

[Deprecated]: New Zealand ISM Restricted v3.5

93d2179e-3068-c82f-2428-d614ae836a04

Regulatory Compliance

Deprecated

BuiltIn

unknown

[Preview]: Australian Government ISM PROTECTED

27272c0b-c225-4cc3-b8b0-f2534b093077

Regulatory Compliance

Preview

BuiltIn

unknown

[Preview]: CMMC 2.0 Level 2

4e50fd13-098b-3206-61d6-d1d78205cb45

Regulatory Compliance

Preview

BuiltIn

true

[Preview]: Motion Picture Association of America (MPAA)

92646f03-e39d-47a9-9e24-58d60ef49af8

Regulatory Compliance

Preview

BuiltIn

unknown

[Preview]: NIS2

32ff9e30-4725-4ca7-ba3a-904a7721ee87

Regulatory Compliance

Preview

BuiltIn

unknown

[Preview]: Reserve Bank of India - IT Framework for Banks

d0d5578d-cc08-2b22-31e3-f525374f235a

Regulatory Compliance

Preview

BuiltIn

unknown

[Preview]: SWIFT CSP-CSCF v2020

3e0c67fc-8c7c-406c-89bd-6b6bdc986a22

Regulatory Compliance

Preview

BuiltIn

unknown

[Preview]: SWIFT CSP-CSCF v2021

abf84fac-f817-a70c-14b5-47eec767458a

Regulatory Compliance

Preview

BuiltIn

unknown

Canada Federal PBMM

4c4a5f27-de81-430b-b4e5-9cbd50595a87

Regulatory Compliance

BuiltIn

unknown

Canada Federal PBMM 3-1-2020

f8f5293d-df94-484a-a3e7-6b422a999d91

Regulatory Compliance

BuiltIn

unknown

CIS Controls v8.1

046796ef-e8a7-4398-bbe9-cce970b1a3ae

Regulatory Compliance

BuiltIn

unknown

CIS Microsoft Azure Foundations Benchmark v1.1.0

1a5bb27d-173f-493e-9568-eb56638dde4d

Regulatory Compliance

BuiltIn

true

CIS Microsoft Azure Foundations Benchmark v1.3.0

612b5213-9160-4969-8578-1518bd2a000c

Regulatory Compliance

BuiltIn

true

CIS Microsoft Azure Foundations Benchmark v1.4.0

c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5

Regulatory Compliance

BuiltIn

unknown

CIS Microsoft Azure Foundations Benchmark v2.0.0

06f19060-9e68-4070-92ca-f15cc126059e

Regulatory Compliance

BuiltIn

unknown

CMMC Level 3

b5629c75-5c77-4422-87b9-2509e680f8de

Regulatory Compliance

BuiltIn

true

CSA CSA Cloud Controls Matrix v4.0.12

8791506a-dec4-497a-a83f-3abfde37c400

Regulatory Compliance

BuiltIn

unknown

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0

a4087154-2edb-4329-b56a-1cc986807f3c

Regulatory Compliance

BuiltIn

unknown

Enforce recommended guardrails for Storage Account

Enforce-Guardrails-Storage

Storage

ALZ

EU General Data Protection Regulation (GDPR) 2016/679

7326812a-86a4-40c8-af7c-8945de9c4913

Regulatory Compliance

BuiltIn

unknown

FBI Criminal Justice Information Services (CJIS) v5.9.5

4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721

Regulatory Compliance

BuiltIn

unknown

FedRAMP High

d5264498-16f4-418a-b659-fa7ef418175f

Regulatory Compliance

BuiltIn

true

FedRAMP Moderate

e95f5a9f-57ad-4d03-bb0b-b1d16db93693

Regulatory Compliance

BuiltIn

true

HITRUST CSF v11.3

e0d47b75-5d99-442a-9d60-07f2595ab095

Regulatory Compliance

BuiltIn

unknown

HITRUST/HIPAA

a169a624-5599-4385-a696-c8d643089fab

Regulatory Compliance

BuiltIn

unknown

IRS1075 September 2016

105e0327-6175-4eb2-9af4-1fba43bdb39d

Regulatory Compliance

BuiltIn

true

ISO 27001:2013

89c6cddc-1c73-4ac1-b19c-54d1a15a42f2

Regulatory Compliance

BuiltIn

true

ISO/IEC 27002 2022

e3030e83-88d5-4f23-8734-6577a2c97a32

Regulatory Compliance

BuiltIn

unknown

Microsoft cloud security benchmark

1f3afdf9-d0c9-4c3d-847f-89da613e70a8

Security Center

BuiltIn

true

New Zealand ISM

4f5b1359-4f8e-4d7c-9733-ea47fcde891e

Regulatory Compliance

BuiltIn

unknown

NIST 800-171 R3

38916c43-6876-4971-a4b1-806aa7e55ccc

Regulatory Compliance

BuiltIn

unknown

NIST SP 800-171 Rev. 2

03055927-78bd-4236-86c0-f36125a10dc9

Regulatory Compliance

BuiltIn

true

NIST SP 800-53 R5.1.1

60205a79-6280-4e20-a147-e2011e09dc78

Regulatory Compliance

BuiltIn

unknown

NIST SP 800-53 Rev. 4

cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f

Regulatory Compliance

BuiltIn

true

NIST SP 800-53 Rev. 5

179d1daa-458f-4e47-8086-2a68d0d6c38f

Regulatory Compliance

BuiltIn

true

NL BIO Cloud Theme

6ce73208-883e-490f-a2ac-44aac3b3687f

Regulatory Compliance

BuiltIn

unknown

NL BIO Cloud Theme V2

d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee

Regulatory Compliance

BuiltIn

unknown

NZISM v3.7

4476df0a-18ab-4bfe-b6ad-cccae1cf320f

Regulatory Compliance

BuiltIn

unknown

PCI DSS v4

c676748e-3af9-4e22-bc28-50feed564afb

Regulatory Compliance

BuiltIn

true

PCI v3.2.1:2018

496eeda9-8f2f-4d5e-8dfd-204f0a92ed41

Regulatory Compliance

BuiltIn

unknown

SOC 2023

53ad89f5-8542-49e9-ba81-1cbd686e0d52

Regulatory Compliance

BuiltIn

unknown

SWIFT CSP-CSCF v2022

7bc7cd6c-4114-ff31-3cac-59be3157596d

Regulatory Compliance

BuiltIn

unknown

SWIFT Customer Security Controls Framework 2024

7499005e-df5a-45d9-810f-041cf346678c

Regulatory Compliance

BuiltIn

unknown

UK OFFICIAL and UK NHS

3937f550-eedd-4639-9c5e-294358be442e

Regulatory Compliance

BuiltIn

unknown

Date/Time (UTC ymd) (i)

Change type

Change detail

2021-02-10 14:43:58

change

Patch (1.1.0 > 1.1.1)

2020-05-09 14:57:51

change

Previous DisplayName: Audit unrestricted network access to storage accounts