Az Policy Advertizer

Canada_Federal_PBMM_3-1-2020_AC_14

AC_14

Canada Federal PBMM 3-1-2020 AC 14

Permitted Actions Without Identification or Authentication

Permitted Actions without Identification or Authentication

Shared

1. The organization identifies user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions. 2. The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.

To ensure transparency and accountability in the system's security measures.

Canada_Federal_PBMM_3-1-2020_AC_3

AC_3

Canada Federal PBMM 3-1-2020 AC 3

Access Enforcement

Shared

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

To mitigate the risk of unauthorized access.

Canada_Federal_PBMM_3-1-2020_CA_3

CA_3

Canada Federal PBMM 3-1-2020 CA 3

Information System Connections

System Interconnections

Shared

1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements. 2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated. 3. The organization reviews and updates Interconnection Security Agreements annually.

To establish and maintain secure connections between information systems.

Canada_Federal_PBMM_3-1-2020_CA_3(3)

CA_3(3)

Canada Federal PBMM 3-1-2020 CA 3(3)

Information System Connections

System Interconnections | Classified Non-National Security System Connections

Shared

The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner.

To ensure the integrity and security of internal systems against external threats.

Canada_Federal_PBMM_3-1-2020_CA_3(5)

CA_3(5)

Canada Federal PBMM 3-1-2020 CA 3(5)

Information System Connections

System Interconnections | Restrictions on External Network Connections

Shared

The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems.

To enhance security posture against unauthorized access.

Canada_Federal_PBMM_3-1-2020_CA_7

CA_7

Canada Federal PBMM 3-1-2020 CA 7

Continuous Monitoring

Shared

1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency.

To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements.

124

Canada_Federal_PBMM_3-1-2020_IA_1

IA_1

Canada Federal PBMM 3-1-2020 IA 1

Identification and Authentication Policy and Procedures

Shared

1. The organization Develops, documents, and disseminates to all personnel: a. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. 2. The organization Reviews and updates the current: a. Identification and authentication policy at least every 3 years; and b. Identification and authentication procedures at least annually.

To ensure secure access control and compliance with established standards.

Canada_Federal_PBMM_3-1-2020_IA_2

IA_2

Canada Federal PBMM 3-1-2020 IA 2

Identification and Authentication (Organizational Users)

Shared

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

To prevent unauthorized access and maintain system security.

Canada_Federal_PBMM_3-1-2020_SI_3

SI_3

Canada Federal PBMM 3-1-2020 SI 3

Malicious Code Protection

Shared

1. The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code. 2. The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. 3. The organization configures malicious code protection mechanisms to: a. Perform periodic scans of the information system at least weekly and real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and b. Block and quarantine malicious code; send alert to the key role as defined in the system and information integrity policy in response to malicious code detection. 4. The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

To mitigate potential impacts on system availability.

Canada_Federal_PBMM_3-1-2020_SI_3(1)

SI_3(1)

Canada Federal PBMM 3-1-2020 SI 3(1)

Malicious Code Protection

Malicious Code Protection | Central Management

Shared

The organization centrally manages malicious code protection mechanisms.

To centrally manage malicious code protection mechanisms.

Canada_Federal_PBMM_3-1-2020_SI_3(2)

SI_3(2)

Canada Federal PBMM 3-1-2020 SI 3(2)

Malicious Code Protection

Malicious Code Protection | Automatic Updates

Shared

The information system automatically updates malicious code protection mechanisms.

To ensure automatic updates in malicious code protection mechanisms.

Canada_Federal_PBMM_3-1-2020_SI_3(7)

SI_3(7)

Canada Federal PBMM 3-1-2020 SI 3(7)

Malicious Code Protection

Malicious Code Protection | Non Signature-Based Detection

Shared

The information system implements non-signature-based malicious code detection mechanisms.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_4

SI_4

Canada Federal PBMM 3-1-2020 SI 4

Information System Monitoring

Shared

1. The organization monitors the information system to detect: a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and b. Unauthorized local, network, and remote connections; 2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods. 3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. 4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. 5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. 6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards. 7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_4(1)

SI_4(1)

Canada Federal PBMM 3-1-2020 SI 4(1)

Information System Monitoring

Information System Monitoring | System-Wide Intrusion Detection System

Shared

The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_4(2)

SI_4(2)

Canada Federal PBMM 3-1-2020 SI 4(2)

Information System Monitoring

Information System Monitoring | Automated Tools for Real-Time Analysis

Shared

The organization employs automated tools to support near real-time analysis of events.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_8(1)

SI_8(1)

Canada Federal PBMM 3-1-2020 SI 8(1)

Spam Protection

Spam Protection | Central Management of Protection Mechanisms

Shared

The organization centrally manages spam protection mechanisms.

To enhance overall security posture.

CMMC_L2_v1.9.0

SC.L1_3.13.1

CMMC_L2_v1.9.0_SC.L1_3.13.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.1

System and Communications Protection

Boundary Protection

Shared

Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

To protect information assets from external attacks and insider threats.

CMMC_L2_v1.9.0

SC.L1_3.13.5

CMMC_L2_v1.9.0_SC.L1_3.13.5

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.5

System and Communications Protection

Public Access System Separation

Shared

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

To control access, monitor traffic, and mitigate the risk of unauthorized access or exploitation of internal resources.

CMMC_L2_v1.9.0

SC.L2_3.13.6

CMMC_L2_v1.9.0_SC.L2_3.13.6

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.6

System and Communications Protection

Network Communication by Exception

Shared

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

To minimise the attack surface and reduce the risk of unauthorized access or malicious activities on their networks.

CCC_03

CSA_v4.0.12_CCC_03

CSA Cloud Controls Matrix v4.0.12 CCC 03

Change Control and Configuration Management

Change Management Technology

Shared

n/a

Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced).

CCC_04

CSA_v4.0.12_CCC_04

CSA Cloud Controls Matrix v4.0.12 CCC 04

Change Control and Configuration Management

Unauthorized Change Protection

Shared

n/a

Restrict the unauthorized addition, removal, update, and management of organization assets.

DSP_05

CSA_v4.0.12_DSP_05

CSA Cloud Controls Matrix v4.0.12 DSP 05

Data Security and Privacy Lifecycle Management

Data Flow Documentation

Shared

n/a

Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change.

DSP_10

CSA_v4.0.12_DSP_10

CSA Cloud Controls Matrix v4.0.12 DSP 10

Data Security and Privacy Lifecycle Management

Sensitive Data Transfer

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations.

IAM_07

CSA_v4.0.12_IAM_07

CSA Cloud Controls Matrix v4.0.12 IAM 07

Identity & Access Management

User Access Changes and Revocation

Shared

n/a

De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies.

FBI_Criminal_Justice_Information_Services_v5.9.5_5

TVM_04

CSA_v4.0.12_TVM_04

CSA Cloud Controls Matrix v4.0.12 TVM 04

Threat & Vulnerability Management

Detection Updates

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_1

Cyber Essentials v3.1 1

Cyber Essentials

Firewalls

Shared

n/a

Aim: to make sure that only secure and necessary network services can be accessed from the internet.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_3

Cyber Essentials v3.1 3

Cyber Essentials

Security Update Management

Shared

n/a

Aim: ensure that devices and software are not vulnerable to known security issues for which fixes are available.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_5

Cyber Essentials v3.1 5

Cyber Essentials

Malware protection

Shared

n/a

Aim: to restrict execution of known malware and untrusted software, from causing damage or accessing data.

EU_2555_(NIS2)_2022

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

193

FBI_Criminal_Justice_Information_Services_v5.9.5_5.1

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1

Policy and Implementation - Systems And Communications Protection

Systems And Communications Protection

Shared

In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information.

Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment.

110

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.7

404 not found

n/a

FFIEC_CAT_2017

3.1.1

FFIEC_CAT_2017_3.1.1

FFIEC CAT 2017 3.1.1

Cybersecurity Controls

Infrastructure Management

Shared

n/a

- Network perimeter defense tools (e.g., border router and firewall) are used. - Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. - All ports are monitored. - Up to date antivirus and anti-malware tools are used. - Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. - Ports, functions, protocols and services are prohibited if no longer needed for business purposes. - Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored. - Programs that can override system, object, network, virtual machine, and application controls are restricted. - System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met. - Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.)

FFIEC_CAT_2017

4.1.1

FFIEC_CAT_2017_4.1.1

FFIEC CAT 2017 4.1.1

External Dependency Management

Connections

Shared

n/a

- The critical business processes that are dependent on external connectivity have been identified. - The institution ensures that third-party connections are authorized. - A network diagram is in place and identifies all external connections. - Data flow diagrams are in place and document information flow to external parties.

hipaa

0858.09m1Organizational.4-09.m

hipaa-0858.09m1Organizational.4-09.m

0858.09m1Organizational.4-09.m

08 Network Protection

0858.09m1Organizational.4-09.m 09.06 Network Security Management

Shared

n/a

The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative.

01.l

HITRUST_CSF_v11.3_01.l

HITRUST CSF v11.3 01.l

Network Access Control

Prevent unauthorized access to networked services.

Shared

Ports, services, and applications installed on a computer or network systems, which are not specifically required for business functionality, to be disabled or removed.

Physical and logical access to diagnostic and configuration ports shall be controlled.

01.m

HITRUST_CSF_v11.3_01.m

HITRUST CSF v11.3 01.m

Network Access Control

Ensure segregation in networks.

Shared

Security gateways, internal network perimeters, wireless network segregation, firewalls, and logical network domains with controlled data flows to be implemented to enhance network security.

Groups of information services, users, and information systems should be segregated on networks.

01.n

HITRUST_CSF_v11.3_01.n

HITRUST CSF v11.3 01.n

Network Access Control

Prevent unauthorised access to shared networks.

Shared

Default deny policy at managed interfaces, restricted user connections through network gateways, comprehensive access controls, time-based restrictions, and encryption of sensitive information transmitted over public networks for is to be implemented for enhanced security.

For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications.

01.o

HITRUST_CSF_v11.3_01.o

HITRUST CSF v11.3 01.o

Network Access Control

Implement network routing controls to prevent breach of the access control policy of business applications.

Shared

Security gateways are to be leveraged, application-layer filtering proxy is to be employed, outbound traffic is to be directed through authenticated proxy servers, and internal directory services to fortify network access controls and protect against external threats are to be secured.

Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.

09.j

HITRUST_CSF_v11.3_09.j

HITRUST CSF v11.3 09.j

Protection Against Malicious and Mobile Code

Ensure that integrity of information and software is protected from malicious or unauthorized code

Shared

1. Technologies are to be implemented for timely installation, upgrade and renewal of anti-malware protective measures. 2. Automatic periodic scans of information systems is to be implemented. 3. Anti-malware software that offers a centralized infrastructure that compiles information on file reputations is to be implemented. 4. Post-malicious code update, signature deployment, scanning files, email, and web traffic is to be verified by automated systems, while BYOD users require anti-malware, network-based malware detection is to be used on servers without host-based solutions use. 5. Anti-malware audit logs checks to be performed. 6. Protection against malicious code is to be based on malicious code detection and repair software, security awareness, appropriate system access, and change management controls.

Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.

09.m

HITRUST_CSF_v11.3_09.m

HITRUST CSF v11.3 09.m

Network Security Management

Ensure the protection of information in networks and protection of the supporting network infrastructure.

Shared

1. Vendor default encryption keys, default SNMP community strings on wireless devices, default passwords/passphrases on access points, and other security-related wireless vendor defaults is to be changed prior to authorization of implementation of wireless access points. 2. Wireless encryption keys to be changed when anyone with knowledge of the keys leaves or changes. 3. All authorized and unauthorized wireless access to the information system is to be monitored and installation of wireless access points (WAP) is to be prohibited unless explicitly authorized.

Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit.

NIST_SP_800-171_R3_3.13.1

10.m

HITRUST_CSF_v11.3_10.m

HITRUST CSF v11.3 10.m

Technical Vulnerability Management

Reduce the risks resulting from exploitation of published technical vulnerabilities, technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness.

Shared

1. The necessary secure services, protocols required for the function of the system are to be enabled. 2. Security features to be implemented for any required services that are considered to be insecure. 3. Laptops, workstations, and servers to be configured so they will not auto-run content from removable media. 4. Configuration standards to be consistent with industry-accepted system hardening standards. 5. An enterprise security posture review within every 365 days is to be conducted. 6. Vulnerability scanning tools to be regularly updated with all relevant information system vulnerabilities.

Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.

mp.com.1 Secure perimeter

404 not found

n/a

NIST_SP_800-171_R3_3

.13.1

NIST 800-171 R3 3.13.1

System and Communications Protection Control

Boundary Protection

Shared

Managed interfaces include gateways, routers, firewalls, network-based malicious code analysis, virtualization systems, and encrypted tunnels implemented within a security architecture. Subnetworks that are either physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses.

a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system. b. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. c. Connect to external systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

NIST_SP_800-171_R3_3

.13.6

NIST_SP_800-171_R3_3.13.6

NIST 800-171 R3 3.13.6

System and Communications Protection Control

Network Communications – Deny by Default – Allow by Exception

Shared

This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, allow-by-exception network communications traffic policy ensures that only essential and approved connections are allowed.

Deny network communications traffic by default and allow network communications traffic by exception.

NIST_SP_800-171_R3_3

.4.6

NIST_SP_800-171_R3_3.4.6

404 not found

n/a

NIST_SP_800-53_R5.1.1

CM.7

NIST_SP_800-53_R5.1.1_CM.7

NIST SP 800-53 R5.1.1 CM.7

Configuration Management Control

Least Functionality

Shared

a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].

Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3).

NIST_SP_800-53_R5.1.1

SC.7

NIST_SP_800-53_R5.1.1_SC.7

NIST SP 800-53 R5.1.1 SC.7

System and Communications Protection

Boundary Protection

Shared

a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).

NIST_SP_800-53_R5.1.1

SC.7.5

NIST_SP_800-53_R5.1.1_SC.7.5

NIST SP 800-53 R5.1.1 SC.7.5

System and Communications Protection

Boundary Protection | Deny by Default — Allow by Exception

Shared

Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems] ].

Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system.

14.1.8.C.01.

NZISM_v3.7_14.1.8.C.01.

NZISM v3.7 14.1.8.C.01.

Standard Operating Environments

14.1.8.C.01. - minimise vulnerabilities and enhance system security

Shared

n/a

Agencies SHOULD develop a hardened SOE for workstations and servers, covering: 1. removal of unneeded software and operating system components; 2. removal or disabling of unneeded services, ports and BIOS settings; 3. disabling of unused or undesired functionality in software and operating systems; 4. implementation of access controls on relevant objects to limit system users and programs to the minimum access required; 5. installation of antivirus and anti-malware software; 6. installation of software-based firewalls limiting inbound and outbound network connections; 7. configuration of either remote logging or the transfer of local event logs to a central server; and 8. protection of audit and other logs through the use of a one way pipe to reduce likelihood of compromise key transaction records.

14.3.10.C.01.

NZISM_v3.7_14.3.10.C.01.

NZISM v3.7 14.3.10.C.01.

Web Applications

14.3.10.C.01. - maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities.

Shared

n/a

Agencies SHOULD implement allow listing for all HTTP traffic being communicated through their gateways.

14.3.10.C.02.

NZISM_v3.7_14.3.10.C.02.

NZISM v3.7 14.3.10.C.02.

Web Applications

14.3.10.C.02. - maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities.

Shared

n/a

Agencies using an allow list on their gateways to specify the external addresses, to which encrypted connections are permitted, SHOULD specify allow list addresses by domain name or IP address.

14.3.10.C.03.

NZISM_v3.7_14.3.10.C.03.

NZISM v3.7 14.3.10.C.03.

Web Applications

14.3.10.C.03. - maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities.

Shared

n/a

If agencies do not allow list websites they SHOULD deny list websites to prevent access to known malicious websites.

14.3.10.C.04.

NZISM_v3.7_14.3.10.C.04.

NZISM v3.7 14.3.10.C.04.

Web Applications

14.3.10.C.04. - maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities.

Shared

n/a

Agencies deny listing websites SHOULD update the deny list on a frequent basis to ensure that it remains effective.

17.8.10.C.01.

NZISM_v3.7_17.8.10.C.01.

NZISM v3.7 17.8.10.C.01.

Internet Protocol Security (IPSec)

17.8.10.C.01. - enhance overall cybersecurity posture.

Shared

n/a

Agencies SHOULD use tunnel mode for IPSec connections.

17.8.10.C.02.

NZISM_v3.7_17.8.10.C.02.

NZISM v3.7 17.8.10.C.02.

Internet Protocol Security (IPSec)

17.8.10.C.02. - enhance overall cybersecurity posture.

Shared

n/a

Agencies choosing to use transport mode SHOULD additionally use an IP tunnel for IPSec connections.

19.1.10.C.01.

NZISM_v3.7_19.1.10.C.01.

NZISM v3.7 19.1.10.C.01.

Gateways

19.1.10.C.01. - ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks.

Shared

n/a

When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection.

19.1.11.C.01.

NZISM_v3.7_19.1.11.C.01.

NZISM v3.7 19.1.11.C.01.

Gateways

19.1.11.C.01. - ensure network protection through gateway mechanisms.

Shared

n/a

Agencies MUST ensure that: 1. all agency networks are protected from networks in other security domains by one or more gateways; 2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and 3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room.

19.1.11.C.02.

NZISM_v3.7_19.1.11.C.02.

NZISM v3.7 19.1.11.C.02.

Gateways

19.1.11.C.02. - maintain security and integrity across domains.

Shared

n/a

For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party.

19.1.12.C.01.

NZISM_v3.7_19.1.12.C.01.

NZISM v3.7 19.1.12.C.01.

Gateways

19.1.12.C.01. - minimize security risks and ensure effective control over network communications

Shared

n/a

Agencies MUST ensure that gateways: 1. are the only communications paths into and out of internal networks; 2. by default, deny all connections into and out of the network; 3. allow only explicitly authorised connections; 4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network); 5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and 6. provide real-time alerts.

19.1.14.C.01.

NZISM_v3.7_19.1.14.C.01.

NZISM v3.7 19.1.14.C.01.

Gateways

19.1.14.C.01. - enhance security by segregating resources from the internal network.

Shared

n/a

Agencies MUST use demilitarised zones to house systems and information directly accessed externally.

19.1.14.C.02.

NZISM_v3.7_19.1.14.C.02.

NZISM v3.7 19.1.14.C.02.

Gateways

19.1.14.C.02. - enhance security by segregating resources from the internal network.

Shared

n/a

Agencies SHOULD use demilitarised zones to house systems and information directly accessed externally.

19.1.19.C.01.

NZISM_v3.7_19.1.19.C.01.

NZISM v3.7 19.1.19.C.01.

Gateways

19.1.19.C.01. - enhance security posture.

Shared

n/a

Agencies MUST limit access to gateway administration functions.

22.3.11.C.01.

NZISM_v3.7_22.3.11.C.01.

NZISM v3.7 22.3.11.C.01.

Virtual Local Area Networks

22.3.11.C.01. - ensure data security and integrity.

Shared

n/a

Unused ports on the switches MUST be disabled.

22.3.11.C.02.

NZISM_v3.7_22.3.11.C.02.

NZISM v3.7 22.3.11.C.02.

Virtual Local Area Networks

22.3.11.C.02. - ensure data security and integrity.

Shared

n/a

Unused ports on the switches SHOULD be disabled.

1.2.5

PCI_DSS_v4.0.1_1.2.5

PCI DSS v4.0.1 1.2.5

Install and Maintain Network Security Controls

All services, protocols, and ports allowed are identified, approved, and have a defined business need

Shared

n/a

Examine documentation to verify that a list exists of all allowed services, protocols, and ports, including business justification and approval for each. Examine configuration settings for NSCs to verify that only approved services, protocols, and ports are in use

1.3.1

PCI_DSS_v4.0.1_1.3.1

PCI DSS v4.0.1 1.3.1

Install and Maintain Network Security Controls

Inbound traffic to the CDE is restricted to only traffic that is necessary and all other traffic is specifically denied

Shared

n/a

Examine configuration standards for NSCs to verify that they define restricting inbound traffic to the CDE is in accordance with all elements specified in this requirement. Examine configurations of NSCs to verify that inbound traffic to the CDE is restricted in accordance with all elements specified in this requirement

1.3.2

PCI_DSS_v4.0.1_1.3.2

PCI DSS v4.0.1 1.3.2

Install and Maintain Network Security Controls

Outbound traffic from the CDE is restricted to only traffic that is necessary and all other traffic is specifically denied

Shared

n/a

Examine configuration standards for NSCs to verify that they define restricting outbound traffic from the CDE in accordance with all elements specified in this requirement. Examine configurations of NSCs to verify that outbound traffic from the CDE is restricted in accordance with all elements specified in this requirement

1.4.1

PCI_DSS_v4.0.1_1.4.1

PCI DSS v4.0.1 1.4.1

Install and Maintain Network Security Controls

NSCs are implemented between trusted and untrusted networks

Shared

n/a

Examine configuration standards and network diagrams to verify that NSCs are defined between trusted and untrusted networks. Examine network configurations to verify that NSCs are in place between trusted and untrusted networks, in accordance with the documented configuration standards and network diagrams

1.4.2

PCI_DSS_v4.0.1_1.4.2

PCI DSS v4.0.1 1.4.2

Install and Maintain Network Security Controls

Inbound traffic from untrusted networks to trusted networks is restricted to communications with system components that are authorized to provide publicly accessible services, protocols, and ports, stateful responses to communications initiated by system components in a trusted network, and all other traffic is denied

Shared

n/a

Examine vendor documentation and configurations of NSCs to verify that inbound traffic from untrusted networks to trusted networks is restricted in accordance with all elements specified in this requirement

1.4.4

PCI_DSS_v4.0.1_1.4.4

PCI DSS v4.0.1 1.4.4

Install and Maintain Network Security Controls

System components that store cardholder data are not directly accessible from untrusted networks

Shared

n/a

Examine the data-flow diagram and network diagram to verify that it is documented that system components storing cardholder data are not directly accessible from the untrusted networks. Examine configurations of NSCs to verify that controls are implemented such that system components storing cardholder data are not directly accessible from untrusted networks