compliance controls are associated with this Policy definition 'Perform vulnerability scans' (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| CIS_Azure_1.1.0 |
2.1 |
CIS_Azure_1.1.0_2.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1 |
2 Security Center |
Ensure that standard pricing tier is selected |
Shared |
The customer is responsible for implementing this recommendation. |
The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
15 |
| CIS_Azure_1.1.0 |
2.4 |
CIS_Azure_1.1.0_2.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.4 |
2 Security Center |
Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" |
Shared |
The customer is responsible for implementing this recommendation. |
Enable Monitor OS vulnerability recommendations for virtual machines. |
link |
3 |
| CIS_Azure_1.1.0 |
2.5 |
CIS_Azure_1.1.0_2.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.5 |
2 Security Center |
Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" |
Shared |
The customer is responsible for implementing this recommendation. |
Enable Endpoint protection recommendations for virtual machines. |
link |
8 |
| CIS_Azure_1.1.0 |
7.6 |
CIS_Azure_1.1.0_7.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.6 |
7 Virtual Machines |
Ensure that the endpoint protection for all Virtual Machines is installed |
Shared |
The customer is responsible for implementing this recommendation. |
Install endpoint protection for all virtual machines. |
link |
11 |
| CIS_Azure_1.3.0 |
2.1 |
CIS_Azure_1.3.0_2.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1 |
2 Security Center |
Ensure that Azure Defender is set to On for Servers |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Azure Defender enables threat detection for Server, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
9 |
| CIS_Azure_1.3.0 |
2.10 |
CIS_Azure_1.3.0_2.10 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.10 |
2 Security Center |
Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected |
Shared |
The customer is responsible for implementing this recommendation. |
This setting enables Microsoft Cloud App Security (MCAS) integration with Security Center. |
link |
8 |
| CIS_Azure_1.3.0 |
2.2 |
CIS_Azure_1.3.0_2.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.2 |
2 Security Center |
Ensure that Azure Defender is set to On for App Service |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Azure Defender enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
9 |
| CIS_Azure_1.3.0 |
2.3 |
CIS_Azure_1.3.0_2.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.3 |
2 Security Center |
Ensure that Azure Defender is set to On for Azure SQL database servers |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Azure Defender enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
9 |
| CIS_Azure_1.3.0 |
2.4 |
CIS_Azure_1.3.0_2.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.4 |
2 Security Center |
Ensure that Azure Defender is set to On for SQL servers on machines |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Azure Defender enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
9 |
| CIS_Azure_1.3.0 |
2.5 |
CIS_Azure_1.3.0_2.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.5 |
2 Security Center |
Ensure that Azure Defender is set to On for Storage |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Azure Defender enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
9 |
| CIS_Azure_1.3.0 |
2.6 |
CIS_Azure_1.3.0_2.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.6 |
2 Security Center |
Ensure that Azure Defender is set to On for Kubernetes |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Azure Defender enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
9 |
| CIS_Azure_1.3.0 |
2.7 |
CIS_Azure_1.3.0_2.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.7 |
2 Security Center |
Ensure that Azure Defender is set to On for Container Registries |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Azure Defender enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
9 |
| CIS_Azure_1.3.0 |
2.8 |
CIS_Azure_1.3.0_2.8 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.8 |
2 Security Center |
Ensure that Azure Defender is set to On for Key Vault |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Azure Defender enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
9 |
| CIS_Azure_1.3.0 |
2.9 |
CIS_Azure_1.3.0_2.9 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.9 |
2 Security Center |
Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected |
Shared |
The customer is responsible for implementing this recommendation. |
This setting enables Windows Defender ATP (WDATP) integration with Security Center. |
link |
8 |
| CIS_Azure_1.3.0 |
4.2.2 |
CIS_Azure_1.3.0_4.2.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.2.2 |
4 Database Services |
Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account |
Shared |
The customer is responsible for implementing this recommendation. |
Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases. |
link |
4 |
| CIS_Azure_1.3.0 |
4.2.3 |
CIS_Azure_1.3.0_4.2.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.2.3 |
4 Database Services |
Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases. |
link |
2 |
| CIS_Azure_1.3.0 |
4.2.4 |
CIS_Azure_1.3.0_4.2.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.2.4 |
4 Database Services |
Ensure that VA setting Send scan reports to is configured for a SQL server |
Shared |
The customer is responsible for implementing this recommendation. |
Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers. |
link |
3 |
| CIS_Azure_1.3.0 |
4.2.5 |
CIS_Azure_1.3.0_4.2.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.2.5 |
4 Database Services |
Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'. |
link |
3 |
| CIS_Azure_1.3.0 |
7.6 |
CIS_Azure_1.3.0_7.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.6 |
7 Virtual Machines |
Ensure that the endpoint protection for all Virtual Machines is installed |
Shared |
The customer is responsible for implementing this recommendation. |
Install endpoint protection for all virtual machines. |
link |
11 |
| CIS_Azure_1.4.0 |
2.1 |
CIS_Azure_1.4.0_2.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for Servers is set to 'On' |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
link |
9 |
| CIS_Azure_1.4.0 |
2.10 |
CIS_Azure_1.4.0_2.10 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.10 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected |
Shared |
The customer is responsible for implementing this recommendation. |
This setting enables Microsoft Defender for Cloud Apps (MCAS) integration with Microsoft Defender for Cloud. |
link |
8 |
| CIS_Azure_1.4.0 |
2.2 |
CIS_Azure_1.4.0_2.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.2 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for App Service is set to 'On' |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
link |
9 |
| CIS_Azure_1.4.0 |
2.3 |
CIS_Azure_1.4.0_2.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.3 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
link |
9 |
| CIS_Azure_1.4.0 |
2.4 |
CIS_Azure_1.4.0_2.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.4 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for SQL servers on machines is set to 'On' |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
link |
9 |
| CIS_Azure_1.4.0 |
2.5 |
CIS_Azure_1.4.0_2.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.5 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for Storage is set to 'On' |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
link |
9 |
| CIS_Azure_1.4.0 |
2.6 |
CIS_Azure_1.4.0_2.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.6 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for Kubernetes is set to 'On' |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Microsoft Defender for Kubernetes enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
link |
9 |
| CIS_Azure_1.4.0 |
2.7 |
CIS_Azure_1.4.0_2.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.7 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for Container Registries is set to 'On' |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Microsoft Defender for Container Registries enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
link |
9 |
| CIS_Azure_1.4.0 |
2.8 |
CIS_Azure_1.4.0_2.8 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.8 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for Key Vault is set to 'On' |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
link |
9 |
| CIS_Azure_1.4.0 |
2.9 |
CIS_Azure_1.4.0_2.9 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.9 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected |
Shared |
The customer is responsible for implementing this recommendation. |
This setting enables Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud. |
link |
8 |
| CIS_Azure_1.4.0 |
4.2.2 |
CIS_Azure_1.4.0_4.2.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.2.2 |
4 Database Services |
Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account |
Shared |
The customer is responsible for implementing this recommendation. |
Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases. |
link |
4 |
| CIS_Azure_1.4.0 |
4.2.3 |
CIS_Azure_1.4.0_4.2.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.2.3 |
4 Database Services |
Ensure that VA setting 'Periodic recurring scans' to 'on' for each SQL server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases. |
link |
2 |
| CIS_Azure_1.4.0 |
4.2.4 |
CIS_Azure_1.4.0_4.2.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.2.4 |
4 Database Services |
Ensure that VA setting 'Send scan reports to' is configured for a SQL server |
Shared |
The customer is responsible for implementing this recommendation. |
Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers. |
link |
3 |
| CIS_Azure_1.4.0 |
4.2.5 |
CIS_Azure_1.4.0_4.2.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.2.5 |
4 Database Services |
Ensure that Vulnerability Assessment Setting 'Also send email notifications to admins and subscription owners' is Set for Each SQL Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'. |
link |
3 |
| CIS_Azure_1.4.0 |
7.6 |
CIS_Azure_1.4.0_7.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.6 |
7 Virtual Machines |
Ensure that the endpoint protection for all Virtual Machines is installed |
Shared |
The customer is responsible for implementing this recommendation. |
Install endpoint protection for all virtual machines. |
link |
11 |
| CIS_Azure_2.0.0 |
2.1.1 |
CIS_Azure_2.0.0_2.1.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.1 |
2.1 |
Ensure That Microsoft Defender for Servers Is Set to 'On' |
Shared |
Turning on Microsoft Defender for Servers in Microsoft Defender for Cloud incurs an additional cost per resource. |
Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
Enabling Microsoft Defender for Servers allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC). |
link |
9 |
| CIS_Azure_2.0.0 |
2.1.10 |
CIS_Azure_2.0.0_2.1.10 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.10 |
2.1 |
Ensure That Microsoft Defender for Key Vault Is Set To 'On' |
Shared |
Turning on Microsoft Defender for Key Vault incurs an additional cost per resource. |
Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
Enabling Microsoft Defender for Key Vault allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC). |
link |
9 |
| CIS_Azure_2.0.0 |
2.1.17 |
CIS_Azure_2.0.0_2.1.17 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.17 |
2.1 |
Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' |
Shared |
Microsoft Defender for Containers will require additional licensing. |
Enable automatic provisioning of the Microsoft Defender for Containers components.
As with any compute resource, Container environments require hardening and run-time protection to ensure safe operations and detection of threats and vulnerabilities. |
link |
9 |
| CIS_Azure_2.0.0 |
2.1.2 |
CIS_Azure_2.0.0_2.1.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.2 |
2.1 |
Ensure That Microsoft Defender for App Services Is Set To 'On' |
Shared |
Turning on Microsoft Defender for App Service incurs an additional cost per resource. |
Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
Enabling Microsoft Defender for App Service allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC). |
link |
9 |
| CIS_Azure_2.0.0 |
2.1.21 |
CIS_Azure_2.0.0_2.1.21 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.21 |
2.1 |
Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected |
Shared |
Microsoft Defender for Cloud Apps works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource. |
This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.
Microsoft Defender for Cloud offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Microsoft Defender for Cloud detects unusual or potentially harmful operations in the Azure subscription environment.
Several of the preceding analytics are powered by Microsoft Defender for Cloud Apps. To benefit from these analytics, subscription must have a Cloud App Security license.
Microsoft Defender for Cloud Apps works only with Standard Tier subscriptions. |
link |
8 |
| CIS_Azure_2.0.0 |
2.1.22 |
CIS_Azure_2.0.0_2.1.22 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.22 |
2.1 |
Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected |
Shared |
Microsoft Defender for Endpoint works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource. |
This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud.
**IMPORTANT:** When enabling integration between DfE & DfC it needs to be taken into account that this will have some side effects that may be undesirable.
1. For server 2019 & above if defender is installed (default for these server SKU's) this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal.
1. If the new unified agent is required for server SKU's of Win 2016 or Linux and lower there is additional integration that needs to be switched on and agents need to be aligned.
Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud.
MDE works only with Standard Tier subscriptions. |
link |
8 |
| CIS_Azure_2.0.0 |
2.1.4 |
CIS_Azure_2.0.0_2.1.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.4 |
2.1 |
Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' |
Shared |
Turning on Microsoft Defender for Azure SQL Databases incurs an additional cost per resource. |
Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
Enabling Microsoft Defender for Azure SQL Databases allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC). |
link |
9 |
| CIS_Azure_2.0.0 |
2.1.5 |
CIS_Azure_2.0.0_2.1.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.5 |
2.1 |
Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' |
Shared |
Turning on Microsoft Defender for SQL servers on machines incurs an additional cost per resource. |
Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
Enabling Microsoft Defender for SQL servers on machines allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC). |
link |
9 |
| CIS_Azure_2.0.0 |
2.1.7 |
CIS_Azure_2.0.0_2.1.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.7 |
2.1 |
Ensure That Microsoft Defender for Storage Is Set To 'On' |
Shared |
Turning on Microsoft Defender for Storage incurs an additional cost per resource. |
Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
Enabling Microsoft Defender for Storage allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC). |
link |
9 |
| CIS_Azure_2.0.0 |
2.1.8 |
CIS_Azure_2.0.0_2.1.8 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.8 |
2.1 |
Ensure That Microsoft Defender for Containers Is Set To 'On' |
Shared |
Turning on Microsoft Defender for Containers incurs an additional cost per resource. |
Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
Enabling Microsoft Defender for Container Registries allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC). |
link |
9 |
| CIS_Azure_2.0.0 |
4.2.2 |
CIS_Azure_2.0.0_4.2.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.2.2 |
4.2 |
Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account |
Shared |
Enabling the `Microsoft Defender for SQL` features will incur additional costs for each SQL server. |
Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.
Enabling Microsoft Defender for SQL server does not enables Vulnerability Assessment capability for individual SQL databases unless storage account is set to store the scanning data and reports.
The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data.
Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings. |
link |
4 |
| CIS_Azure_2.0.0 |
4.2.3 |
CIS_Azure_2.0.0_4.2.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.2.3 |
4.2 |
Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server |
Shared |
Enabling the `Azure Defender for SQL` feature will incur additional costs for each SQL server. |
Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases.
VA setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases.
Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices. |
link |
3 |
| CIS_Azure_2.0.0 |
4.2.4 |
CIS_Azure_2.0.0_4.2.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.2.4 |
4.2 |
Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server |
Shared |
Enabling the `Microsoft Defender for SQL` features will incur additional costs for each SQL server. |
Configure 'Send scan reports to' with email addresses of concerned data owners/stakeholders for a critical SQL servers.
Vulnerability Assessment (VA) scan reports and alerts will be sent to email addresses configured at 'Send scan reports to'. This may help in reducing time required for identifying risks and taking corrective measures. |
link |
4 |
| CIS_Azure_2.0.0 |
4.2.5 |
CIS_Azure_2.0.0_4.2.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.2.5 |
4.2 |
Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server |
Shared |
Enabling the `Microsoft Defender for SQL` features will incur additional costs for each SQL server. |
Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'.
VA scan reports and alerts will be sent to admins and subscription owners by enabling setting 'Also send email notifications to admins and subscription owners'. This may help in reducing time required for identifying risks and taking corrective measures. |
link |
5 |
| CIS_Azure_2.0.0 |
7.6 |
CIS_Azure_2.0.0_7.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.6 |
7 |
Ensure that Endpoint Protection for all Virtual Machines is installed |
Shared |
Endpoint protection will incur an additional cost to you. |
Install endpoint protection for all virtual machines.
Installing endpoint protection systems (like anti-malware for Azure) provides for real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. These also offer configurable alerts when known-malicious or unwanted software attempts to install itself or run on Azure systems. |
link |
11 |
| FedRAMP_High_R4 |
RA-5 |
FedRAMP_High_R4_RA-5 |
FedRAMP High RA-5 |
Risk Assessment |
Vulnerability Scanning |
Shared |
n/a |
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times], in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
Supplemental Guidance: Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the
Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2.
References: NIST Special Publications 800-40, 800-70, 800-115; Web: http://cwe.mitre.org, http://nvd.nist.gov. |
link |
21 |
| FedRAMP_High_R4 |
RA-5(1) |
FedRAMP_High_R4_RA-5(1) |
FedRAMP High RA-5 (1) |
Risk Assessment |
Update Tool Capability |
Shared |
n/a |
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.
Supplemental Guidance: The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible. Related controls: SI-3, SI-7. |
link |
2 |
| FedRAMP_High_R4 |
RA-5(2) |
FedRAMP_High_R4_RA-5(2) |
FedRAMP High RA-5 (2) |
Risk Assessment |
Update By Frequency / Prior To New Scan / When Identified |
Shared |
n/a |
The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].
Supplemental Guidance: Related controls: SI-3, SI-5. |
link |
2 |
| FedRAMP_High_R4 |
RA-5(3) |
FedRAMP_High_R4_RA-5(3) |
FedRAMP High RA-5 (3) |
Risk Assessment |
Breadth / Depth Of Coverage |
Shared |
n/a |
The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked). |
link |
2 |
| FedRAMP_High_R4 |
RA-5(6) |
FedRAMP_High_R4_RA-5(6) |
FedRAMP High RA-5 (6) |
Risk Assessment |
Automated Trend Analyses |
Shared |
n/a |
The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
Supplemental Guidance: Related controls: IR-4, IR-5, SI-4. |
link |
5 |
| FedRAMP_High_R4 |
SA-10 |
FedRAMP_High_R4_SA-10 |
FedRAMP High SA-10 |
System And Services Acquisition |
Developer Configuration Management |
Shared |
n/a |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
Supplemental Guidance: This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2.
References: NIST Special Publication 800-128. |
link |
9 |
| FedRAMP_High_R4 |
SA-11 |
FedRAMP_High_R4_SA-11 |
FedRAMP High SA-11 |
System And Services Acquisition |
Developer Security Testing And Evaluation |
Shared |
n/a |
The organization requires the developer of the information system, system component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation.
Supplemental Guidance: Developmental security testing/evaluation occurs at all post‐design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans/processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: CA-2, CM-4, SA-3, SA-4, SA-5, SI-2.
References: ISO/IEC 15408; NIST Special Publication 800-53A; Web: http://nvd.nist.gov, http://cwe.mitre.org, http://cve.mitre.org, http://capec.mitre.org. |
link |
3 |
| FedRAMP_High_R4 |
SI-3 |
FedRAMP_High_R4_SI-3 |
FedRAMP High SI-3 |
System And Information Integrity |
Malicious Code Protection |
Shared |
n/a |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13,
SC-7, SC-26, SC-44, SI-2, SI-4, SI-7.
References: NIST Special Publication 800-83. |
link |
11 |
| FedRAMP_High_R4 |
SI-3(1) |
FedRAMP_High_R4_SI-3(1) |
FedRAMP High SI-3 (1) |
System And Information Integrity |
Central Management |
Shared |
n/a |
The organization centrally manages malicious code protection mechanisms.
Supplemental Guidance: Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls. Related controls: AU-2, SI-8. |
link |
10 |
| FedRAMP_High_R4 |
SI-3(2) |
FedRAMP_High_R4_SI-3(2) |
FedRAMP High SI-3 (2) |
System And Information Integrity |
Automatic Updates |
Shared |
n/a |
The information system automatically updates malicious code protection mechanisms.
Supplemental Guidance: Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Related control: SI-8. |
link |
6 |
| FedRAMP_High_R4 |
SI-3(7) |
FedRAMP_High_R4_SI-3(7) |
FedRAMP High SI-3 (7) |
System And Information Integrity |
Nonsignature-Based Detection |
Shared |
n/a |
The information system implements nonsignature-based malicious code detection mechanisms.
Supplemental Guidance: Nonsignature-based detection mechanisms include, for example, the use of heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide safeguards against malicious code for which signatures do not yet exist or for which existing signatures may not be effective. This includes polymorphic malicious code (i.e., code that changes signatures when it replicates). This control enhancement does not preclude the use of signature-based detection mechanisms. |
link |
6 |
| FedRAMP_Moderate_R4 |
RA-5 |
FedRAMP_Moderate_R4_RA-5 |
FedRAMP Moderate RA-5 |
Risk Assessment |
Vulnerability Scanning |
Shared |
n/a |
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times], in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
Supplemental Guidance: Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the
Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2.
References: NIST Special Publications 800-40, 800-70, 800-115; Web: http://cwe.mitre.org, http://nvd.nist.gov. |
link |
21 |
| FedRAMP_Moderate_R4 |
RA-5(1) |
FedRAMP_Moderate_R4_RA-5(1) |
FedRAMP Moderate RA-5 (1) |
Risk Assessment |
Update Tool Capability |
Shared |
n/a |
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.
Supplemental Guidance: The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible. Related controls: SI-3, SI-7. |
link |
2 |
| FedRAMP_Moderate_R4 |
RA-5(2) |
FedRAMP_Moderate_R4_RA-5(2) |
FedRAMP Moderate RA-5 (2) |
Risk Assessment |
Update By Frequency / Prior To New Scan / When Identified |
Shared |
n/a |
The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].
Supplemental Guidance: Related controls: SI-3, SI-5. |
link |
2 |
| FedRAMP_Moderate_R4 |
RA-5(3) |
FedRAMP_Moderate_R4_RA-5(3) |
FedRAMP Moderate RA-5 (3) |
Risk Assessment |
Breadth / Depth Of Coverage |
Shared |
n/a |
The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked). |
link |
2 |
| FedRAMP_Moderate_R4 |
RA-5(6) |
FedRAMP_Moderate_R4_RA-5(6) |
FedRAMP Moderate RA-5 (6) |
Risk Assessment |
Automated Trend Analyses |
Shared |
n/a |
The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
Supplemental Guidance: Related controls: IR-4, IR-5, SI-4. |
link |
5 |
| FedRAMP_Moderate_R4 |
SA-10 |
FedRAMP_Moderate_R4_SA-10 |
FedRAMP Moderate SA-10 |
System And Services Acquisition |
Developer Configuration Management |
Shared |
n/a |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
Supplemental Guidance: This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2.
References: NIST Special Publication 800-128. |
link |
9 |
| FedRAMP_Moderate_R4 |
SA-11 |
FedRAMP_Moderate_R4_SA-11 |
FedRAMP Moderate SA-11 |
System And Services Acquisition |
Developer Security Testing And Evaluation |
Shared |
n/a |
The organization requires the developer of the information system, system component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation.
Supplemental Guidance: Developmental security testing/evaluation occurs at all post‐design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans/processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: CA-2, CM-4, SA-3, SA-4, SA-5, SI-2.
References: ISO/IEC 15408; NIST Special Publication 800-53A; Web: http://nvd.nist.gov, http://cwe.mitre.org, http://cve.mitre.org, http://capec.mitre.org. |
link |
3 |
| FedRAMP_Moderate_R4 |
SI-3 |
FedRAMP_Moderate_R4_SI-3 |
FedRAMP Moderate SI-3 |
System And Information Integrity |
Malicious Code Protection |
Shared |
n/a |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13,
SC-7, SC-26, SC-44, SI-2, SI-4, SI-7.
References: NIST Special Publication 800-83. |
link |
11 |
| FedRAMP_Moderate_R4 |
SI-3(1) |
FedRAMP_Moderate_R4_SI-3(1) |
FedRAMP Moderate SI-3 (1) |
System And Information Integrity |
Central Management |
Shared |
n/a |
The organization centrally manages malicious code protection mechanisms.
Supplemental Guidance: Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls. Related controls: AU-2, SI-8. |
link |
10 |
| FedRAMP_Moderate_R4 |
SI-3(2) |
FedRAMP_Moderate_R4_SI-3(2) |
FedRAMP Moderate SI-3 (2) |
System And Information Integrity |
Automatic Updates |
Shared |
n/a |
The information system automatically updates malicious code protection mechanisms.
Supplemental Guidance: Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Related control: SI-8. |
link |
6 |
| FedRAMP_Moderate_R4 |
SI-3(7) |
FedRAMP_Moderate_R4_SI-3(7) |
FedRAMP Moderate SI-3 (7) |
System And Information Integrity |
Nonsignature-Based Detection |
Shared |
n/a |
The information system implements nonsignature-based malicious code detection mechanisms.
Supplemental Guidance: Nonsignature-based detection mechanisms include, for example, the use of heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide safeguards against malicious code for which signatures do not yet exist or for which existing signatures may not be effective. This includes polymorphic malicious code (i.e., code that changes signatures when it replicates). This control enhancement does not preclude the use of signature-based detection mechanisms. |
link |
6 |
| hipaa |
0201.09j1Organizational.124-09.j |
hipaa-0201.09j1Organizational.124-09.j |
0201.09j1Organizational.124-09.j |
02 Endpoint Protection |
0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software are addressed via a network-based malware detection (NBMD) solution. |
|
18 |
| hipaa |
0204.09j2Organizational.1-09.j |
hipaa-0204.09j2Organizational.1-09.j |
0204.09j2Organizational.1-09.j |
02 Endpoint Protection |
0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Scans for malicious software are performed on boot and every 12 hours. |
|
11 |
| hipaa |
0205.09j2Organizational.2-09.j |
hipaa-0205.09j2Organizational.2-09.j |
0205.09j2Organizational.2-09.j |
02 Endpoint Protection |
0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Malicious code that is identified is blocked, quarantined, and an alert is sent to the administrators. |
|
10 |
| hipaa |
0206.09j2Organizational.34-09.j |
hipaa-0206.09j2Organizational.34-09.j |
0206.09j2Organizational.34-09.j |
02 Endpoint Protection |
0206.09j2Organizational.34-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Anti-malware is centrally managed and cannot be disabled by the users. |
|
6 |
| hipaa |
0207.09j2Organizational.56-09.j |
hipaa-0207.09j2Organizational.56-09.j |
0207.09j2Organizational.56-09.j |
02 Endpoint Protection |
0207.09j2Organizational.56-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Centrally-managed, up-to-date anti-spam and anti-malware protection is implemented at information system entry/exit points for the network and on all devices. |
|
7 |
| hipaa |
0214.09j1Organizational.6-09.j |
hipaa-0214.09j1Organizational.6-09.j |
0214.09j1Organizational.6-09.j |
02 Endpoint Protection |
0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Protection against malicious code is based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls. |
|
13 |
| hipaa |
0215.09j2Organizational.8-09.j |
hipaa-0215.09j2Organizational.8-09.j |
0215.09j2Organizational.8-09.j |
02 Endpoint Protection |
0215.09j2Organizational.8-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
The organization addresses the receipt of false positives during malicious code detection and eradication, and the resulting potential impact on the availability of the information system. |
|
7 |
| hipaa |
0216.09j2Organizational.9-09.j |
hipaa-0216.09j2Organizational.9-09.j |
0216.09j2Organizational.9-09.j |
02 Endpoint Protection |
0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
For systems considered not commonly affected by malicious software, the organization performs periodic assessments to identify and evaluate evolving malware threats to confirm whether such systems continue to not require anti-virus software. |
|
13 |
| hipaa |
0217.09j2Organizational.10-09.j |
hipaa-0217.09j2Organizational.10-09.j |
0217.09j2Organizational.10-09.j |
02 Endpoint Protection |
0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
The organization configures malicious code and spam protection mechanisms to (i) perform periodic scans of the information system according to organization guidelines; (ii) perform real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and, (iii) block malicious code, quarantine malicious code, or send an alert to the administrator in response to malicious code detection. |
|
25 |
| hipaa |
0219.09j2Organizational.12-09.j |
hipaa-0219.09j2Organizational.12-09.j |
0219.09j2Organizational.12-09.j |
02 Endpoint Protection |
0219.09j2Organizational.12-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
The organization has implemented safeguards to protect its information system's memory from unauthorized code execution. |
|
7 |
| hipaa |
0225.09k1Organizational.1-09.k |
hipaa-0225.09k1Organizational.1-09.k |
0225.09k1Organizational.1-09.k |
02 Endpoint Protection |
0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Automated controls (e.g., browser settings) are in place to authorize and restrict the use of mobile code (e.g., Java, JavaScript, ActiveX, PDF, postscript, Shockwave movies, and Flash animations). |
|
10 |
| hipaa |
0226.09k1Organizational.2-09.k |
hipaa-0226.09k1Organizational.2-09.k |
0226.09k1Organizational.2-09.k |
02 Endpoint Protection |
0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
The organization has implemented and regularly updates mobile code protection, including anti-virus and anti-spyware. |
|
9 |
| hipaa |
0227.09k2Organizational.12-09.k |
hipaa-0227.09k2Organizational.12-09.k |
0227.09k2Organizational.12-09.k |
02 Endpoint Protection |
0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
The organization takes specific actions to protect against mobile code performing unauthorized actions. |
|
18 |
| hipaa |
0228.09k2Organizational.3-09.k |
hipaa-0228.09k2Organizational.3-09.k |
0228.09k2Organizational.3-09.k |
02 Endpoint Protection |
0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Rules for the migration of software from development to operational status are defined and documented by the organization hosting the affected application(s), including that development, test, and operational systems are separated (physically or virtually) to reduce the risks of unauthorized access or changes to the operational system. |
|
11 |
| hipaa |
0603.06g2Organizational.1-06.g |
hipaa-0603.06g2Organizational.1-06.g |
0603.06g2Organizational.1-06.g |
06 Configuration Management |
0603.06g2Organizational.1-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance |
Shared |
n/a |
Automated compliance tools are used when possible. |
|
6 |
| hipaa |
0613.06h1Organizational.12-06.h |
hipaa-0613.06h1Organizational.12-06.h |
0613.06h1Organizational.12-06.h |
06 Configuration Management |
0613.06h1Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance |
Shared |
n/a |
The organization performs annual checks on the technical security configuration of systems, either manually by an individual with experience with the systems and/or with the assistance of automated software tools, and takes appropriate action if non-compliance is found. |
|
2 |
| ISO27001-2013 |
A.12.1.2 |
ISO27001-2013_A.12.1.2 |
ISO 27001:2013 A.12.1.2 |
Operations Security |
Change management |
Shared |
n/a |
Changes to organization, business processes, information processing facilities and systems that affect information security shall be controlled. |
link |
27 |
| ISO27001-2013 |
A.12.1.4 |
ISO27001-2013_A.12.1.4 |
ISO 27001:2013 A.12.1.4 |
Operations Security |
Separation of development, testing and operational environments |
Shared |
n/a |
Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. |
link |
10 |
| ISO27001-2013 |
A.12.2.1 |
ISO27001-2013_A.12.2.1 |
ISO 27001:2013 A.12.2.1 |
Operations Security |
Controls against malware |
Shared |
n/a |
Detection, prevention, and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. |
link |
12 |
| ISO27001-2013 |
A.12.6.1 |
ISO27001-2013_A.12.6.1 |
ISO 27001:2013 A.12.6.1 |
Operations Security |
Management of technical vulnerabilities |
Shared |
n/a |
Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. |
link |
13 |
| ISO27001-2013 |
A.14.2.2 |
ISO27001-2013_A.14.2.2 |
ISO 27001:2013 A.14.2.2 |
System Acquisition, Development And Maintenance |
System change control procedures |
Shared |
n/a |
Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. |
link |
25 |
| ISO27001-2013 |
A.14.2.3 |
ISO27001-2013_A.14.2.3 |
ISO 27001:2013 A.14.2.3 |
System Acquisition, Development And Maintenance |
Technical review of applications after operating platform changes |
Shared |
n/a |
When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. |
link |
18 |
| ISO27001-2013 |
A.14.2.4 |
ISO27001-2013_A.14.2.4 |
ISO 27001:2013 A.14.2.4 |
System Acquisition, Development And Maintenance |
Restrictions on changes to software packages |
Shared |
n/a |
Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. |
link |
24 |
| ISO27001-2013 |
A.14.2.6 |
ISO27001-2013_A.14.2.6 |
ISO 27001:2013 A.14.2.6 |
System Acquisition, Development And Maintenance |
Secure development environment |
Shared |
n/a |
Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. |
link |
10 |
| ISO27001-2013 |
A.14.2.7 |
ISO27001-2013_A.14.2.7 |
ISO 27001:2013 A.14.2.7 |
System Acquisition, Development And Maintenance |
Outsourced development |
Shared |
n/a |
The organization shall supervise and monitor the activity of outsourced system development. |
link |
28 |
| ISO27001-2013 |
A.14.2.8 |
ISO27001-2013_A.14.2.8 |
ISO 27001:2013 A.14.2.8 |
System Acquisition, Development And Maintenance |
System security testing |
Shared |
n/a |
Testing of security functionality shall be carried out during development. |
link |
8 |
| ISO27001-2013 |
A.14.3.1 |
ISO27001-2013_A.14.3.1 |
ISO 27001:2013 A.14.3.1 |
System Acquisition, Development And Maintenance |
Protection of test data |
Shared |
n/a |
Test data shall be selected carefully, protected and controlled. |
link |
11 |
|
mp.eq.2 User session lockout |
mp.eq.2 User session lockout |
404 not found |
|
|
|
n/a |
n/a |
|
29 |
|
mp.sw.1 IT Aplications development |
mp.sw.1 IT Aplications development |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
mp.sw.2 Acceptance and commissioning |
mp.sw.2 Acceptance and commissioning |
404 not found |
|
|
|
n/a |
n/a |
|
60 |
| NIST_SP_800-171_R2_3 |
.11.2 |
NIST_SP_800-171_R2_3.11.2 |
NIST SP 800-171 R2 3.11.2 |
Risk Assessment |
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning. [SP 800-40] provides guidance on vulnerability management. |
link |
22 |
| NIST_SP_800-171_R2_3 |
.11.3 |
NIST_SP_800-171_R2_3.11.3 |
NIST SP 800-171 R2 3.11.3 |
Risk Assessment |
Remediate vulnerabilities in accordance with risk assessments. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities. |
link |
21 |
| NIST_SP_800-171_R2_3 |
.14.1 |
NIST_SP_800-171_R2_3.14.1 |
NIST SP 800-171 R2 3.14.1 |
System and Information Integrity |
Identify, report, and correct system flaws in a timely manner. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation. [SP 800-40] provides guidance on patch management technologies. |
link |
23 |
| NIST_SP_800-171_R2_3 |
.14.2 |
NIST_SP_800-171_R2_3.14.2 |
NIST SP 800-171 R2 3.14.2 |
System and Information Integrity |
Provide protection from malicious code at designated locations within organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Designated locations include system entry and exit points which may include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. [SP 800-83] provides guidance on malware incident prevention. |
link |
20 |
| NIST_SP_800-171_R2_3 |
.14.4 |
NIST_SP_800-171_R2_3.14.4 |
NIST SP 800-171 R2 3.14.4 |
System and Information Integrity |
Update malicious code protection mechanisms when new releases are available. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. |
link |
11 |
| NIST_SP_800-53_R4 |
RA-5 |
NIST_SP_800-53_R4_RA-5 |
NIST SP 800-53 Rev. 4 RA-5 |
Risk Assessment |
Vulnerability Scanning |
Shared |
n/a |
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times], in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
Supplemental Guidance: Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the
Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2.
References: NIST Special Publications 800-40, 800-70, 800-115; Web: http://cwe.mitre.org, http://nvd.nist.gov. |
link |
21 |
| NIST_SP_800-53_R4 |
RA-5(1) |
NIST_SP_800-53_R4_RA-5(1) |
NIST SP 800-53 Rev. 4 RA-5 (1) |
Risk Assessment |
Update Tool Capability |
Shared |
n/a |
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.
Supplemental Guidance: The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible. Related controls: SI-3, SI-7. |
link |
2 |
| NIST_SP_800-53_R4 |
RA-5(2) |
NIST_SP_800-53_R4_RA-5(2) |
NIST SP 800-53 Rev. 4 RA-5 (2) |
Risk Assessment |
Update By Frequency / Prior To New Scan / When Identified |
Shared |
n/a |
The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].
Supplemental Guidance: Related controls: SI-3, SI-5. |
link |
2 |
| NIST_SP_800-53_R4 |
RA-5(3) |
NIST_SP_800-53_R4_RA-5(3) |
NIST SP 800-53 Rev. 4 RA-5 (3) |
Risk Assessment |
Breadth / Depth Of Coverage |
Shared |
n/a |
The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked). |
link |
2 |
| NIST_SP_800-53_R4 |
RA-5(6) |
NIST_SP_800-53_R4_RA-5(6) |
NIST SP 800-53 Rev. 4 RA-5 (6) |
Risk Assessment |
Automated Trend Analyses |
Shared |
n/a |
The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
Supplemental Guidance: Related controls: IR-4, IR-5, SI-4. |
link |
5 |
| NIST_SP_800-53_R4 |
SA-10 |
NIST_SP_800-53_R4_SA-10 |
NIST SP 800-53 Rev. 4 SA-10 |
System And Services Acquisition |
Developer Configuration Management |
Shared |
n/a |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
Supplemental Guidance: This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2.
References: NIST Special Publication 800-128. |
link |
9 |
| NIST_SP_800-53_R4 |
SA-11 |
NIST_SP_800-53_R4_SA-11 |
NIST SP 800-53 Rev. 4 SA-11 |
System And Services Acquisition |
Developer Security Testing And Evaluation |
Shared |
n/a |
The organization requires the developer of the information system, system component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation.
Supplemental Guidance: Developmental security testing/evaluation occurs at all post‐design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans/processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: CA-2, CM-4, SA-3, SA-4, SA-5, SI-2.
References: ISO/IEC 15408; NIST Special Publication 800-53A; Web: http://nvd.nist.gov, http://cwe.mitre.org, http://cve.mitre.org, http://capec.mitre.org. |
link |
3 |
| NIST_SP_800-53_R4 |
SI-3 |
NIST_SP_800-53_R4_SI-3 |
NIST SP 800-53 Rev. 4 SI-3 |
System And Information Integrity |
Malicious Code Protection |
Shared |
n/a |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13,
SC-7, SC-26, SC-44, SI-2, SI-4, SI-7.
References: NIST Special Publication 800-83. |
link |
11 |
| NIST_SP_800-53_R4 |
SI-3(1) |
NIST_SP_800-53_R4_SI-3(1) |
NIST SP 800-53 Rev. 4 SI-3 (1) |
System And Information Integrity |
Central Management |
Shared |
n/a |
The organization centrally manages malicious code protection mechanisms.
Supplemental Guidance: Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls. Related controls: AU-2, SI-8. |
link |
10 |
| NIST_SP_800-53_R4 |
SI-3(2) |
NIST_SP_800-53_R4_SI-3(2) |
NIST SP 800-53 Rev. 4 SI-3 (2) |
System And Information Integrity |
Automatic Updates |
Shared |
n/a |
The information system automatically updates malicious code protection mechanisms.
Supplemental Guidance: Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Related control: SI-8. |
link |
6 |
| NIST_SP_800-53_R4 |
SI-3(7) |
NIST_SP_800-53_R4_SI-3(7) |
NIST SP 800-53 Rev. 4 SI-3 (7) |
System And Information Integrity |
Nonsignature-Based Detection |
Shared |
n/a |
The information system implements nonsignature-based malicious code detection mechanisms.
Supplemental Guidance: Nonsignature-based detection mechanisms include, for example, the use of heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide safeguards against malicious code for which signatures do not yet exist or for which existing signatures may not be effective. This includes polymorphic malicious code (i.e., code that changes signatures when it replicates). This control enhancement does not preclude the use of signature-based detection mechanisms. |
link |
6 |
| NIST_SP_800-53_R5 |
RA-5 |
NIST_SP_800-53_R5_RA-5 |
NIST SP 800-53 Rev. 5 RA-5 |
Risk Assessment |
Vulnerability Monitoring and Scanning |
Shared |
n/a |
a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;
b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyze vulnerability scan reports and results from vulnerability monitoring;
d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk;
e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and
f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. |
link |
21 |
| NIST_SP_800-53_R5 |
RA-5(2) |
NIST_SP_800-53_R5_RA-5(2) |
NIST SP 800-53 Rev. 5 RA-5 (2) |
Risk Assessment |
Update Vulnerabilities to Be Scanned |
Shared |
n/a |
Update the system vulnerabilities to be scanned [Selection (OneOrMore): [Assignment: organization-defined frequency] ;prior to a new scan;when new vulnerabilities are identified and reported] . |
link |
2 |
| NIST_SP_800-53_R5 |
RA-5(3) |
NIST_SP_800-53_R5_RA-5(3) |
NIST SP 800-53 Rev. 5 RA-5 (3) |
Risk Assessment |
Breadth and Depth of Coverage |
Shared |
n/a |
Define the breadth and depth of vulnerability scanning coverage. |
link |
2 |
| NIST_SP_800-53_R5 |
RA-5(6) |
NIST_SP_800-53_R5_RA-5(6) |
NIST SP 800-53 Rev. 5 RA-5 (6) |
Risk Assessment |
Automated Trend Analyses |
Shared |
n/a |
Compare the results of multiple vulnerability scans using [Assignment: organization-defined automated mechanisms]. |
link |
5 |
| NIST_SP_800-53_R5 |
SA-10 |
NIST_SP_800-53_R5_SA-10 |
NIST SP 800-53 Rev. 5 SA-10 |
System and Services Acquisition |
Developer Configuration Management |
Shared |
n/a |
Require the developer of the system, system component, or system service to:
a. Perform configuration management during system, component, or service [Selection (OneOrMore): design;development;implementation;operation;disposal] ;
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. |
link |
9 |
| NIST_SP_800-53_R5 |
SA-11 |
NIST_SP_800-53_R5_SA-11 |
NIST SP 800-53 Rev. 5 SA-11 |
System and Services Acquisition |
Developer Testing and Evaluation |
Shared |
n/a |
Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:
a. Develop and implement a plan for ongoing security and privacy control assessments;
b. Perform [Selection (OneOrMore): unit;integration;system;regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during testing and evaluation. |
link |
3 |
| NIST_SP_800-53_R5 |
SI-3 |
NIST_SP_800-53_R5_SI-3 |
NIST SP 800-53 Rev. 5 SI-3 |
System and Information Integrity |
Malicious Code Protection |
Shared |
n/a |
a. Implement [Selection (OneOrMore): signature based;non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
c. Configure malicious code protection mechanisms to:
1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (OneOrMore): endpoint;network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and
2. [Selection (OneOrMore): block malicious code;quarantine malicious code;take [Assignment: organization-defined action] ] ; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and
d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. |
link |
11 |
|
op.exp.2 Security configuration |
op.exp.2 Security configuration |
404 not found |
|
|
|
n/a |
n/a |
|
112 |
|
op.exp.3 Security configuration management |
op.exp.3 Security configuration management |
404 not found |
|
|
|
n/a |
n/a |
|
123 |
|
op.exp.4 Security maintenance and updates |
op.exp.4 Security maintenance and updates |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
op.exp.5 Change management |
op.exp.5 Change management |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
op.exp.6 Protection against harmful code |
op.exp.6 Protection against harmful code |
404 not found |
|
|
|
n/a |
n/a |
|
68 |
|
op.mon.3 Monitoring |
op.mon.3 Monitoring |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
127 |
| PCI_DSS_v4.0 |
11.3.1 |
PCI_DSS_v4.0_11.3.1 |
PCI DSS v4.0 11.3.1 |
Requirement 11: Test Security of Systems and Networks Regularly |
External and internal vulnerabilities are regularly identified, prioritized, and addressed |
Shared |
n/a |
Internal vulnerability scans are performed as follows:
• At least once every three months.
• High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
• Rescans are performed that confirm all high-risk and critical vulnerabilities as noted above) have been resolved.
• Scan tool is kept up to date with latest vulnerability information.
• Scans are performed by qualified personnel and organizational independence of the tester exists. |
link |
7 |
| PCI_DSS_v4.0 |
11.3.1.1 |
PCI_DSS_v4.0_11.3.1.1 |
PCI DSS v4.0 11.3.1.1 |
Requirement 11: Test Security of Systems and Networks Regularly |
External and internal vulnerabilities are regularly identified, prioritized, and addressed |
Shared |
n/a |
All other applicable vulnerabilities (those not ranked as high-risk or critical (per the entity’s vulnerability risk rankings defined at Requirement
6.3.1) are managed as follows:
• Addressed based on the risk defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
• Rescans are conducted as needed. |
link |
2 |
| PCI_DSS_v4.0 |
11.3.1.3 |
PCI_DSS_v4.0_11.3.1.3 |
PCI DSS v4.0 11.3.1.3 |
Requirement 11: Test Security of Systems and Networks Regularly |
External and internal vulnerabilities are regularly identified, prioritized, and addressed |
Shared |
n/a |
Internal scans are performed after any significant change as follows:
• High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
• Rescans are conducted as needed.
• Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a QSA or ASV). |
link |
2 |
| PCI_DSS_v4.0 |
11.3.2 |
PCI_DSS_v4.0_11.3.2 |
PCI DSS v4.0 11.3.2 |
Requirement 11: Test Security of Systems and Networks Regularly |
External and internal vulnerabilities are regularly identified, prioritized, and addressed |
Shared |
n/a |
External vulnerability scans are performed as follows:
• At least once every three months.
• By PCI SSC Approved Scanning Vendor (ASV).
• Vulnerabilities are resolved and ASV Program Guide requirements for a passing scan are met.
• Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan. |
link |
2 |
| PCI_DSS_v4.0 |
11.3.2.1 |
PCI_DSS_v4.0_11.3.2.1 |
PCI DSS v4.0 11.3.2.1 |
Requirement 11: Test Security of Systems and Networks Regularly |
External and internal vulnerabilities are regularly identified, prioritized, and addressed |
Shared |
n/a |
External scans are performed after any significant change as follows:
• Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved.
• Rescans are conducted as needed.
• Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a QSA or ASV). |
link |
2 |
| PCI_DSS_v4.0 |
5.2.1 |
PCI_DSS_v4.0_5.2.1 |
PCI DSS v4.0 5.2.1 |
Requirement 05: Protect All Systems and Networks from Malicious Software |
Malicious software (malware) is prevented, or detected and addressed |
Shared |
n/a |
An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware. |
link |
12 |
| PCI_DSS_v4.0 |
5.2.2 |
PCI_DSS_v4.0_5.2.2 |
PCI DSS v4.0 5.2.2 |
Requirement 05: Protect All Systems and Networks from Malicious Software |
Malicious software (malware) is prevented, or detected and addressed |
Shared |
n/a |
The deployed anti-malware solution(s):
• Detects all known types of malware.
• Removes, blocks, or contains all known types of malware. |
link |
12 |
| PCI_DSS_v4.0 |
5.2.3 |
PCI_DSS_v4.0_5.2.3 |
PCI DSS v4.0 5.2.3 |
Requirement 05: Protect All Systems and Networks from Malicious Software |
Malicious software (malware) is prevented, or detected and addressed |
Shared |
n/a |
Any system components that are not at risk for malware are evaluated periodically to include the following:
• A documented list of all system components not at risk for malware.
• Identification and evaluation of evolving malware threats for those system components.
• Confirmation whether such system components continue to not require anti-malware protection. |
link |
12 |
| PCI_DSS_v4.0 |
5.3.1 |
PCI_DSS_v4.0_5.3.1 |
PCI DSS v4.0 5.3.1 |
Requirement 05: Protect All Systems and Networks from Malicious Software |
Anti-malware mechanisms and processes are active, maintained, and monitored |
Shared |
n/a |
The anti-malware solution(s) is kept current via automatic updates. |
link |
6 |
| PCI_DSS_v4.0 |
5.3.3 |
PCI_DSS_v4.0_5.3.3 |
PCI DSS v4.0 5.3.3 |
Requirement 05: Protect All Systems and Networks from Malicious Software |
Anti-malware mechanisms and processes are active, maintained, and monitored |
Shared |
n/a |
For removable electronic media, the antimalware solution:
• Performs automatic scans of when the media is inserted, connected, or logically mounted, OR
• Performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted. |
link |
7 |
| PCI_DSS_v4.0 |
5.4.1 |
PCI_DSS_v4.0_5.4.1 |
PCI DSS v4.0 5.4.1 |
Requirement 05: Protect All Systems and Networks from Malicious Software |
Anti-phishing mechanisms protect users against phishing attacks |
Shared |
n/a |
Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks. |
link |
7 |
| PCI_DSS_v4.0 |
6.4.1 |
PCI_DSS_v4.0_6.4.1 |
PCI DSS v4.0 6.4.1 |
Requirement 06: Develop and Maintain Secure Systems and Software |
Public-facing web applications are protected against attacks |
Shared |
n/a |
For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows:
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows:
– At least once every 12 months and after significant changes.
– By an entity that specializes in application security.
– Including, at a minimum, all common software attacks in Requirement 6.3.6.
– All vulnerabilities are ranked in accordance with requirement 6.2.1.
– All vulnerabilities are corrected.
– The application is re-evaluated after the corrections
OR
• Installing an automated technical solution(s) that continually detects and prevents web-based
attacks as follows:
– Installed in front of public-facing web applications to detect and prevent webbased attacks.
– Actively running and up to date as applicable.
– Generating audit logs.
– Configured to either block web-based attacks or generate an alert that is immediately investigated. |
link |
7 |
| SOC_2 |
CC3.2 |
SOC_2_CC3.2 |
SOC 2 Type 2 CC3.2 |
Risk Assessment |
COSO Principle 7 |
Shared |
The customer is responsible for implementing this recommendation. |
Points of focus specified in the COSO framework:
• Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels — The
entity identifies and assesses risk at the entity, subsidiary, division, operating unit,
and functional levels relevant to the achievement of objectives.
• Analyzes Internal and External Factors — Risk identification considers both internal
and external factors and their impact on the achievement of objectives.
• Involves Appropriate Levels of Management — The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management.
• Estimates Significance of Risks Identified — Identified risks are analyzed through a
process that includes estimating the potential significance of the risk.
• Determines How to Respond to Risks — Risk assessment includes considering how
the risk should be managed and whether to accept, avoid, reduce, or share the risk.
Additional points of focus specifically related to all engagements using the trust services criteria:
• Identifies and Assesses Criticality of Information Assets and Identifies Threats and
Vulnerabilities — The entity's risk identification and assessment process includes
(1) identifying information assets, including physical devices and systems, virtual
devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying
the threats to the assets from intentional (including malicious) and unintentional
acts and environmental events; and (4) identifying the vulnerabilities of the identified assets.
• Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other
Parties — The entity's risk assessment process includes the analysis of potential
threats and vulnerabilities arising from vendors providing goods and services, as
well as threats and vulnerabilities arising from business partners, customers, and
others with access to the entity's information systems.
• Considers the Significance of the Risk — The entity’s consideration of the potential
significance of the identified risks includes (1) determining the criticality of identified assets in meeting objectives; (2) assessing the impact of identified threats and
vulnerabilities in meeting objectives; (3) assessing the likelihood of identified
threats; and (4) determining the risk associated with assets based on asset criticality, threat impact, and likelihood. |
|
11 |
| SOC_2 |
CC6.8 |
SOC_2_CC6.8 |
SOC 2 Type 2 CC6.8 |
Logical and Physical Access Controls |
Prevent or detect against unauthorized or malicious software |
Shared |
The customer is responsible for implementing this recommendation. |
Restricts Application and Software Installation — The ability to install applications
and software is restricted to authorized individuals.
• Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that
may be indicative of unauthorized or malicious software.
• Uses a Defined Change Control Process — A management-defined change control
process is used for the implementation of software.
• Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software
is implemented and maintained to provide for the interception or detection and remediation of malware.
• Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been
transferred or returned to the entity’s custody for malware and other unauthorized
software and to remove any items detected prior to its implementation on the network. |
|
53 |
| SOC_2 |
CC7.1 |
SOC_2_CC7.1 |
SOC 2 Type 2 CC7.1 |
System Operations |
Detection and monitoring of new vulnerabilities |
Shared |
The customer is responsible for implementing this recommendation. |
• Uses Defined Configuration Standards — Management has defined configuration
standards.
• Monitors Infrastructure and Software — The entity monitors infrastructure and
software for noncompliance with the standards, which could threaten the achievement of the entity's objectives.
• Implements Change-Detection Mechanisms — The IT system includes a changedetection mechanism (for example, file integrity monitoring tools) to alert personnel
to unauthorized modifications of critical system files, configuration files, or content
files.
• Detects Unknown or Unauthorized Components — Procedures are in place to detect the introduction of unknown or unauthorized components.
• Conducts Vulnerability Scans — The entity conducts vulnerability scans designed to
identify potential vulnerabilities or misconfigurations on a periodic basis and after
any significant change in the environment and takes action to remediate identified
deficiencies on a timely basis |
|
17 |
| SWIFT_CSCF_v2022 |
2.2 |
SWIFT_CSCF_v2022_2.2 |
SWIFT CSCF v2022 2.2 |
2. Reduce Attack Surface and Vulnerabilities |
Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. |
Shared |
n/a |
All hardware and software inside the secure zone and on operator PCs are within the support life cycle of the vendor, have been upgraded with mandatory software updates, and have had security updates promptly applied. |
link |
11 |
| SWIFT_CSCF_v2022 |
2.7 |
SWIFT_CSCF_v2022_2.7 |
SWIFT CSCF v2022 2.7 |
2. Reduce Attack Surface and Vulnerabilities |
Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. |
Shared |
n/a |
Secure zone (including dedicated operator PC) systems are scanned for vulnerabilities using an up-to-date, reputable scanning tool and results are considered for appropriate resolving actions. |
link |
16 |
| SWIFT_CSCF_v2022 |
6.1 |
SWIFT_CSCF_v2022_6.1 |
SWIFT CSCF v2022 6.1 |
6. Detect Anomalous Activity to Systems or Transaction Records |
Ensure that local SWIFT infrastructure is protected against malware and act upon results. |
Shared |
n/a |
Anti-malware software from a reputable vendor is installed, kept up-to-date on all systems, and results are considered for appropriate resolving actions. |
link |
31 |
| SWIFT_CSCF_v2022 |
6.4 |
SWIFT_CSCF_v2022_6.4 |
SWIFT CSCF v2022 6.4 |
6. Detect Anomalous Activity to Systems or Transaction Records |
Record security events and detect anomalous actions and operations within the local SWIFT environment. |
Shared |
n/a |
Capabilities to detect anomalous activity are implemented, and a process or tool is in place to keep and review logs. |
link |
52 |
| SWIFT_CSCF_v2022 |
8.5 |
SWIFT_CSCF_v2022_8.5 |
SWIFT CSCF v2022 8.5 |
8. Set and Monitor Performance |
Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. |
Shared |
n/a |
Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. |
link |
11 |