compliance controls are associated with this Policy definition 'Block untrusted and unsigned processes that run from USB' (3d399cf3-8fc6-0efc-6ab0-1412f1198517)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| CIS_Azure_1.1.0 |
2.1 |
CIS_Azure_1.1.0_2.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1 |
2 Security Center |
Ensure that standard pricing tier is selected |
Shared |
The customer is responsible for implementing this recommendation. |
The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
15 |
| CIS_Azure_1.1.0 |
2.5 |
CIS_Azure_1.1.0_2.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.5 |
2 Security Center |
Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" |
Shared |
The customer is responsible for implementing this recommendation. |
Enable Endpoint protection recommendations for virtual machines. |
link |
8 |
| CIS_Azure_1.1.0 |
7.6 |
CIS_Azure_1.1.0_7.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.6 |
7 Virtual Machines |
Ensure that the endpoint protection for all Virtual Machines is installed |
Shared |
The customer is responsible for implementing this recommendation. |
Install endpoint protection for all virtual machines. |
link |
11 |
| CIS_Azure_1.3.0 |
2.1 |
CIS_Azure_1.3.0_2.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1 |
2 Security Center |
Ensure that Azure Defender is set to On for Servers |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Azure Defender enables threat detection for Server, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
9 |
| CIS_Azure_1.3.0 |
2.10 |
CIS_Azure_1.3.0_2.10 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.10 |
2 Security Center |
Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected |
Shared |
The customer is responsible for implementing this recommendation. |
This setting enables Microsoft Cloud App Security (MCAS) integration with Security Center. |
link |
8 |
| CIS_Azure_1.3.0 |
2.2 |
CIS_Azure_1.3.0_2.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.2 |
2 Security Center |
Ensure that Azure Defender is set to On for App Service |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Azure Defender enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
9 |
| CIS_Azure_1.3.0 |
2.3 |
CIS_Azure_1.3.0_2.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.3 |
2 Security Center |
Ensure that Azure Defender is set to On for Azure SQL database servers |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Azure Defender enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
9 |
| CIS_Azure_1.3.0 |
2.4 |
CIS_Azure_1.3.0_2.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.4 |
2 Security Center |
Ensure that Azure Defender is set to On for SQL servers on machines |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Azure Defender enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
9 |
| CIS_Azure_1.3.0 |
2.5 |
CIS_Azure_1.3.0_2.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.5 |
2 Security Center |
Ensure that Azure Defender is set to On for Storage |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Azure Defender enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
9 |
| CIS_Azure_1.3.0 |
2.6 |
CIS_Azure_1.3.0_2.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.6 |
2 Security Center |
Ensure that Azure Defender is set to On for Kubernetes |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Azure Defender enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
9 |
| CIS_Azure_1.3.0 |
2.7 |
CIS_Azure_1.3.0_2.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.7 |
2 Security Center |
Ensure that Azure Defender is set to On for Container Registries |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Azure Defender enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
9 |
| CIS_Azure_1.3.0 |
2.8 |
CIS_Azure_1.3.0_2.8 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.8 |
2 Security Center |
Ensure that Azure Defender is set to On for Key Vault |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Azure Defender enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. |
link |
9 |
| CIS_Azure_1.3.0 |
2.9 |
CIS_Azure_1.3.0_2.9 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.9 |
2 Security Center |
Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected |
Shared |
The customer is responsible for implementing this recommendation. |
This setting enables Windows Defender ATP (WDATP) integration with Security Center. |
link |
8 |
| CIS_Azure_1.3.0 |
7.6 |
CIS_Azure_1.3.0_7.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.6 |
7 Virtual Machines |
Ensure that the endpoint protection for all Virtual Machines is installed |
Shared |
The customer is responsible for implementing this recommendation. |
Install endpoint protection for all virtual machines. |
link |
11 |
| CIS_Azure_1.4.0 |
2.1 |
CIS_Azure_1.4.0_2.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for Servers is set to 'On' |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
link |
9 |
| CIS_Azure_1.4.0 |
2.10 |
CIS_Azure_1.4.0_2.10 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.10 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected |
Shared |
The customer is responsible for implementing this recommendation. |
This setting enables Microsoft Defender for Cloud Apps (MCAS) integration with Microsoft Defender for Cloud. |
link |
8 |
| CIS_Azure_1.4.0 |
2.2 |
CIS_Azure_1.4.0_2.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.2 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for App Service is set to 'On' |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
link |
9 |
| CIS_Azure_1.4.0 |
2.3 |
CIS_Azure_1.4.0_2.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.3 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
link |
9 |
| CIS_Azure_1.4.0 |
2.4 |
CIS_Azure_1.4.0_2.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.4 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for SQL servers on machines is set to 'On' |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
link |
9 |
| CIS_Azure_1.4.0 |
2.5 |
CIS_Azure_1.4.0_2.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.5 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for Storage is set to 'On' |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
link |
9 |
| CIS_Azure_1.4.0 |
2.6 |
CIS_Azure_1.4.0_2.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.6 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for Kubernetes is set to 'On' |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Microsoft Defender for Kubernetes enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
link |
9 |
| CIS_Azure_1.4.0 |
2.7 |
CIS_Azure_1.4.0_2.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.7 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for Container Registries is set to 'On' |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Microsoft Defender for Container Registries enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
link |
9 |
| CIS_Azure_1.4.0 |
2.8 |
CIS_Azure_1.4.0_2.8 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.8 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for Key Vault is set to 'On' |
Shared |
The customer is responsible for implementing this recommendation. |
Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. |
link |
9 |
| CIS_Azure_1.4.0 |
2.9 |
CIS_Azure_1.4.0_2.9 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.9 |
2 Microsoft Defender for Cloud |
Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected |
Shared |
The customer is responsible for implementing this recommendation. |
This setting enables Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud. |
link |
8 |
| CIS_Azure_1.4.0 |
7.6 |
CIS_Azure_1.4.0_7.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.6 |
7 Virtual Machines |
Ensure that the endpoint protection for all Virtual Machines is installed |
Shared |
The customer is responsible for implementing this recommendation. |
Install endpoint protection for all virtual machines. |
link |
11 |
| CIS_Azure_2.0.0 |
2.1.1 |
CIS_Azure_2.0.0_2.1.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.1 |
2.1 |
Ensure That Microsoft Defender for Servers Is Set to 'On' |
Shared |
Turning on Microsoft Defender for Servers in Microsoft Defender for Cloud incurs an additional cost per resource. |
Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
Enabling Microsoft Defender for Servers allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC). |
link |
9 |
| CIS_Azure_2.0.0 |
2.1.10 |
CIS_Azure_2.0.0_2.1.10 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.10 |
2.1 |
Ensure That Microsoft Defender for Key Vault Is Set To 'On' |
Shared |
Turning on Microsoft Defender for Key Vault incurs an additional cost per resource. |
Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
Enabling Microsoft Defender for Key Vault allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC). |
link |
9 |
| CIS_Azure_2.0.0 |
2.1.17 |
CIS_Azure_2.0.0_2.1.17 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.17 |
2.1 |
Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' |
Shared |
Microsoft Defender for Containers will require additional licensing. |
Enable automatic provisioning of the Microsoft Defender for Containers components.
As with any compute resource, Container environments require hardening and run-time protection to ensure safe operations and detection of threats and vulnerabilities. |
link |
9 |
| CIS_Azure_2.0.0 |
2.1.2 |
CIS_Azure_2.0.0_2.1.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.2 |
2.1 |
Ensure That Microsoft Defender for App Services Is Set To 'On' |
Shared |
Turning on Microsoft Defender for App Service incurs an additional cost per resource. |
Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
Enabling Microsoft Defender for App Service allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC). |
link |
9 |
| CIS_Azure_2.0.0 |
2.1.21 |
CIS_Azure_2.0.0_2.1.21 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.21 |
2.1 |
Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected |
Shared |
Microsoft Defender for Cloud Apps works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource. |
This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.
Microsoft Defender for Cloud offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Microsoft Defender for Cloud detects unusual or potentially harmful operations in the Azure subscription environment.
Several of the preceding analytics are powered by Microsoft Defender for Cloud Apps. To benefit from these analytics, subscription must have a Cloud App Security license.
Microsoft Defender for Cloud Apps works only with Standard Tier subscriptions. |
link |
8 |
| CIS_Azure_2.0.0 |
2.1.22 |
CIS_Azure_2.0.0_2.1.22 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.22 |
2.1 |
Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected |
Shared |
Microsoft Defender for Endpoint works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource. |
This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud.
**IMPORTANT:** When enabling integration between DfE & DfC it needs to be taken into account that this will have some side effects that may be undesirable.
1. For server 2019 & above if defender is installed (default for these server SKU's) this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal.
1. If the new unified agent is required for server SKU's of Win 2016 or Linux and lower there is additional integration that needs to be switched on and agents need to be aligned.
Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud.
MDE works only with Standard Tier subscriptions. |
link |
8 |
| CIS_Azure_2.0.0 |
2.1.4 |
CIS_Azure_2.0.0_2.1.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.4 |
2.1 |
Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' |
Shared |
Turning on Microsoft Defender for Azure SQL Databases incurs an additional cost per resource. |
Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
Enabling Microsoft Defender for Azure SQL Databases allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC). |
link |
9 |
| CIS_Azure_2.0.0 |
2.1.5 |
CIS_Azure_2.0.0_2.1.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.5 |
2.1 |
Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' |
Shared |
Turning on Microsoft Defender for SQL servers on machines incurs an additional cost per resource. |
Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
Enabling Microsoft Defender for SQL servers on machines allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC). |
link |
9 |
| CIS_Azure_2.0.0 |
2.1.7 |
CIS_Azure_2.0.0_2.1.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.7 |
2.1 |
Ensure That Microsoft Defender for Storage Is Set To 'On' |
Shared |
Turning on Microsoft Defender for Storage incurs an additional cost per resource. |
Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
Enabling Microsoft Defender for Storage allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC). |
link |
9 |
| CIS_Azure_2.0.0 |
2.1.8 |
CIS_Azure_2.0.0_2.1.8 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.8 |
2.1 |
Ensure That Microsoft Defender for Containers Is Set To 'On' |
Shared |
Turning on Microsoft Defender for Containers incurs an additional cost per resource. |
Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
Enabling Microsoft Defender for Container Registries allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC). |
link |
9 |
| CIS_Azure_2.0.0 |
7.6 |
CIS_Azure_2.0.0_7.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.6 |
7 |
Ensure that Endpoint Protection for all Virtual Machines is installed |
Shared |
Endpoint protection will incur an additional cost to you. |
Install endpoint protection for all virtual machines.
Installing endpoint protection systems (like anti-malware for Azure) provides for real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. These also offer configurable alerts when known-malicious or unwanted software attempts to install itself or run on Azure systems. |
link |
11 |
| FedRAMP_High_R4 |
AC-20(2) |
FedRAMP_High_R4_AC-20(2) |
FedRAMP High AC-20 (2) |
Access Control |
Portable Storage Devices |
Shared |
n/a |
The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.
Supplemental Guidance: Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. |
link |
3 |
| FedRAMP_High_R4 |
MP-7 |
FedRAMP_High_R4_MP-7 |
FedRAMP High MP-7 |
Media Protection |
Media Use |
Shared |
n/a |
The organization [Selection: restricts; prohibits] the use of [Assignment: organization- defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards].
Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL-4.
References: None. |
link |
4 |
| FedRAMP_High_R4 |
MP-7(1) |
FedRAMP_High_R4_MP-7(1) |
FedRAMP High MP-7 (1) |
Media Protection |
Prohibit Use Without Owner |
Shared |
n/a |
The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
Supplemental Guidance: Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion). Related control: PL-4. |
link |
4 |
| FedRAMP_High_R4 |
SI-3 |
FedRAMP_High_R4_SI-3 |
FedRAMP High SI-3 |
System And Information Integrity |
Malicious Code Protection |
Shared |
n/a |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13,
SC-7, SC-26, SC-44, SI-2, SI-4, SI-7.
References: NIST Special Publication 800-83. |
link |
11 |
| FedRAMP_High_R4 |
SI-3(1) |
FedRAMP_High_R4_SI-3(1) |
FedRAMP High SI-3 (1) |
System And Information Integrity |
Central Management |
Shared |
n/a |
The organization centrally manages malicious code protection mechanisms.
Supplemental Guidance: Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls. Related controls: AU-2, SI-8. |
link |
10 |
| FedRAMP_High_R4 |
SI-3(2) |
FedRAMP_High_R4_SI-3(2) |
FedRAMP High SI-3 (2) |
System And Information Integrity |
Automatic Updates |
Shared |
n/a |
The information system automatically updates malicious code protection mechanisms.
Supplemental Guidance: Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Related control: SI-8. |
link |
6 |
| FedRAMP_High_R4 |
SI-3(7) |
FedRAMP_High_R4_SI-3(7) |
FedRAMP High SI-3 (7) |
System And Information Integrity |
Nonsignature-Based Detection |
Shared |
n/a |
The information system implements nonsignature-based malicious code detection mechanisms.
Supplemental Guidance: Nonsignature-based detection mechanisms include, for example, the use of heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide safeguards against malicious code for which signatures do not yet exist or for which existing signatures may not be effective. This includes polymorphic malicious code (i.e., code that changes signatures when it replicates). This control enhancement does not preclude the use of signature-based detection mechanisms. |
link |
6 |
| FedRAMP_Moderate_R4 |
AC-20(2) |
FedRAMP_Moderate_R4_AC-20(2) |
FedRAMP Moderate AC-20 (2) |
Access Control |
Portable Storage Devices |
Shared |
n/a |
The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.
Supplemental Guidance: Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. |
link |
3 |
| FedRAMP_Moderate_R4 |
MP-7 |
FedRAMP_Moderate_R4_MP-7 |
FedRAMP Moderate MP-7 |
Media Protection |
Media Use |
Shared |
n/a |
The organization [Selection: restricts; prohibits] the use of [Assignment: organization- defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards].
Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL-4.
References: None. |
link |
4 |
| FedRAMP_Moderate_R4 |
MP-7(1) |
FedRAMP_Moderate_R4_MP-7(1) |
FedRAMP Moderate MP-7 (1) |
Media Protection |
Prohibit Use Without Owner |
Shared |
n/a |
The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
Supplemental Guidance: Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion). Related control: PL-4. |
link |
4 |
| FedRAMP_Moderate_R4 |
SI-3 |
FedRAMP_Moderate_R4_SI-3 |
FedRAMP Moderate SI-3 |
System And Information Integrity |
Malicious Code Protection |
Shared |
n/a |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13,
SC-7, SC-26, SC-44, SI-2, SI-4, SI-7.
References: NIST Special Publication 800-83. |
link |
11 |
| FedRAMP_Moderate_R4 |
SI-3(1) |
FedRAMP_Moderate_R4_SI-3(1) |
FedRAMP Moderate SI-3 (1) |
System And Information Integrity |
Central Management |
Shared |
n/a |
The organization centrally manages malicious code protection mechanisms.
Supplemental Guidance: Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls. Related controls: AU-2, SI-8. |
link |
10 |
| FedRAMP_Moderate_R4 |
SI-3(2) |
FedRAMP_Moderate_R4_SI-3(2) |
FedRAMP Moderate SI-3 (2) |
System And Information Integrity |
Automatic Updates |
Shared |
n/a |
The information system automatically updates malicious code protection mechanisms.
Supplemental Guidance: Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Related control: SI-8. |
link |
6 |
| FedRAMP_Moderate_R4 |
SI-3(7) |
FedRAMP_Moderate_R4_SI-3(7) |
FedRAMP Moderate SI-3 (7) |
System And Information Integrity |
Nonsignature-Based Detection |
Shared |
n/a |
The information system implements nonsignature-based malicious code detection mechanisms.
Supplemental Guidance: Nonsignature-based detection mechanisms include, for example, the use of heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide safeguards against malicious code for which signatures do not yet exist or for which existing signatures may not be effective. This includes polymorphic malicious code (i.e., code that changes signatures when it replicates). This control enhancement does not preclude the use of signature-based detection mechanisms. |
link |
6 |
| hipaa |
0201.09j1Organizational.124-09.j |
hipaa-0201.09j1Organizational.124-09.j |
0201.09j1Organizational.124-09.j |
02 Endpoint Protection |
0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software are addressed via a network-based malware detection (NBMD) solution. |
|
18 |
| hipaa |
0204.09j2Organizational.1-09.j |
hipaa-0204.09j2Organizational.1-09.j |
0204.09j2Organizational.1-09.j |
02 Endpoint Protection |
0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Scans for malicious software are performed on boot and every 12 hours. |
|
11 |
| hipaa |
0205.09j2Organizational.2-09.j |
hipaa-0205.09j2Organizational.2-09.j |
0205.09j2Organizational.2-09.j |
02 Endpoint Protection |
0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Malicious code that is identified is blocked, quarantined, and an alert is sent to the administrators. |
|
10 |
| hipaa |
0206.09j2Organizational.34-09.j |
hipaa-0206.09j2Organizational.34-09.j |
0206.09j2Organizational.34-09.j |
02 Endpoint Protection |
0206.09j2Organizational.34-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Anti-malware is centrally managed and cannot be disabled by the users. |
|
6 |
| hipaa |
0207.09j2Organizational.56-09.j |
hipaa-0207.09j2Organizational.56-09.j |
0207.09j2Organizational.56-09.j |
02 Endpoint Protection |
0207.09j2Organizational.56-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Centrally-managed, up-to-date anti-spam and anti-malware protection is implemented at information system entry/exit points for the network and on all devices. |
|
7 |
| hipaa |
0214.09j1Organizational.6-09.j |
hipaa-0214.09j1Organizational.6-09.j |
0214.09j1Organizational.6-09.j |
02 Endpoint Protection |
0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Protection against malicious code is based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls. |
|
13 |
| hipaa |
0215.09j2Organizational.8-09.j |
hipaa-0215.09j2Organizational.8-09.j |
0215.09j2Organizational.8-09.j |
02 Endpoint Protection |
0215.09j2Organizational.8-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
The organization addresses the receipt of false positives during malicious code detection and eradication, and the resulting potential impact on the availability of the information system. |
|
7 |
| hipaa |
0217.09j2Organizational.10-09.j |
hipaa-0217.09j2Organizational.10-09.j |
0217.09j2Organizational.10-09.j |
02 Endpoint Protection |
0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
The organization configures malicious code and spam protection mechanisms to (i) perform periodic scans of the information system according to organization guidelines; (ii) perform real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and, (iii) block malicious code, quarantine malicious code, or send an alert to the administrator in response to malicious code detection. |
|
25 |
| hipaa |
0219.09j2Organizational.12-09.j |
hipaa-0219.09j2Organizational.12-09.j |
0219.09j2Organizational.12-09.j |
02 Endpoint Protection |
0219.09j2Organizational.12-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
The organization has implemented safeguards to protect its information system's memory from unauthorized code execution. |
|
7 |
| hipaa |
0225.09k1Organizational.1-09.k |
hipaa-0225.09k1Organizational.1-09.k |
0225.09k1Organizational.1-09.k |
02 Endpoint Protection |
0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Automated controls (e.g., browser settings) are in place to authorize and restrict the use of mobile code (e.g., Java, JavaScript, ActiveX, PDF, postscript, Shockwave movies, and Flash animations). |
|
10 |
| hipaa |
0226.09k1Organizational.2-09.k |
hipaa-0226.09k1Organizational.2-09.k |
0226.09k1Organizational.2-09.k |
02 Endpoint Protection |
0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
The organization has implemented and regularly updates mobile code protection, including anti-virus and anti-spyware. |
|
9 |
| hipaa |
0227.09k2Organizational.12-09.k |
hipaa-0227.09k2Organizational.12-09.k |
0227.09k2Organizational.12-09.k |
02 Endpoint Protection |
0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
The organization takes specific actions to protect against mobile code performing unauthorized actions. |
|
18 |
| hipaa |
0301.09o1Organizational.123-09.o |
hipaa-0301.09o1Organizational.123-09.o |
0301.09o1Organizational.123-09.o |
03 Portable Media Security |
0301.09o1Organizational.123-09.o 09.07 Media Handling |
Shared |
n/a |
The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media are used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized. |
|
14 |
| hipaa |
0302.09o2Organizational.1-09.o |
hipaa-0302.09o2Organizational.1-09.o |
0302.09o2Organizational.1-09.o |
03 Portable Media Security |
0302.09o2Organizational.1-09.o 09.07 Media Handling |
Shared |
n/a |
The organization protects and controls media containing sensitive information during transport outside of controlled areas. |
|
6 |
| hipaa |
0303.09o2Organizational.2-09.o |
hipaa-0303.09o2Organizational.2-09.o |
0303.09o2Organizational.2-09.o |
03 Portable Media Security |
0303.09o2Organizational.2-09.o 09.07 Media Handling |
Shared |
n/a |
Digital and non-digital media requiring restricted use, and the specific safeguards used to restrict their use are identified. |
|
6 |
| hipaa |
0304.09o3Organizational.1-09.o |
hipaa-0304.09o3Organizational.1-09.o |
0304.09o3Organizational.1-09.o |
03 Portable Media Security |
0304.09o3Organizational.1-09.o 09.07 Media Handling |
Shared |
n/a |
The organization restricts the use of writable removable media and personally-owned removable media in organizational systems. |
|
8 |
| ISO27001-2013 |
A.12.2.1 |
ISO27001-2013_A.12.2.1 |
ISO 27001:2013 A.12.2.1 |
Operations Security |
Controls against malware |
Shared |
n/a |
Detection, prevention, and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. |
link |
12 |
| ISO27001-2013 |
A.8.1.2 |
ISO27001-2013_A.8.1.2 |
ISO 27001:2013 A.8.1.2 |
Asset Management |
Ownership of assets |
Shared |
n/a |
Assets maintained in the inventory shall be owned. |
link |
7 |
| ISO27001-2013 |
A.8.2.3 |
ISO27001-2013_A.8.2.3 |
ISO 27001:2013 A.8.2.3 |
Asset Management |
Handling of assets |
Shared |
n/a |
Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. |
link |
26 |
| ISO27001-2013 |
A.8.3.1 |
ISO27001-2013_A.8.3.1 |
ISO 27001:2013 A.8.3.1 |
Asset Management |
Management of removable media |
Shared |
n/a |
Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. |
link |
6 |
|
mp.info.6 Backups |
mp.info.6 Backups |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
mp.si.3 Custody |
mp.si.3 Custody |
404 not found |
|
|
|
n/a |
n/a |
|
27 |
|
mp.si.4 Transport |
mp.si.4 Transport |
404 not found |
|
|
|
n/a |
n/a |
|
24 |
|
mp.si.5 Erasure and destruction |
mp.si.5 Erasure and destruction |
404 not found |
|
|
|
n/a |
n/a |
|
9 |
| NIST_SP_800-171_R2_3 |
.1.21 |
NIST_SP_800-171_R2_3.1.21 |
NIST SP 800-171 R2 3.1.21 |
Access Control |
Limit use of portable storage devices on external systems. |
Shared |
Microsoft is responsible for implementing this requirement. |
Limits on the use of organization-controlled portable storage devices in external systems include complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. Among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external" to that system. |
link |
3 |
| NIST_SP_800-171_R2_3 |
.14.2 |
NIST_SP_800-171_R2_3.14.2 |
NIST SP 800-171 R2 3.14.2 |
System and Information Integrity |
Provide protection from malicious code at designated locations within organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Designated locations include system entry and exit points which may include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. [SP 800-83] provides guidance on malware incident prevention. |
link |
20 |
| NIST_SP_800-171_R2_3 |
.14.4 |
NIST_SP_800-171_R2_3.14.4 |
NIST SP 800-171 R2 3.14.4 |
System and Information Integrity |
Update malicious code protection mechanisms when new releases are available. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. |
link |
11 |
| NIST_SP_800-171_R2_3 |
.8.7 |
NIST_SP_800-171_R2_3.8.7 |
NIST SP 800-171 R2 3.8.7 |
Media Protection |
Control the use of removable media on system components. |
Shared |
Microsoft is responsible for implementing this requirement. |
In contrast to requirement 3.8.1, which restricts user access to media, this requirement restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical controls (e.g., policies, procedures, and rules of behavior) to control the use of system media. Organizations may control the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may control the use of portable storage devices based on the type of device, prohibiting the use of writeable, portable devices, and implementing this restriction by disabling or removing the capability to write to such devices. |
link |
4 |
| NIST_SP_800-171_R2_3 |
.8.8 |
NIST_SP_800-171_R2_3.8.8 |
NIST SP 800-171 R2 3.8.8 |
Media Protection |
Prohibit the use of portable storage devices when such devices have no identifiable owner. |
Shared |
Microsoft is responsible for implementing this requirement. |
Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the overall risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., insertion of malicious code). |
link |
4 |
| NIST_SP_800-53_R4 |
AC-20(2) |
NIST_SP_800-53_R4_AC-20(2) |
NIST SP 800-53 Rev. 4 AC-20 (2) |
Access Control |
Portable Storage Devices |
Shared |
n/a |
The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.
Supplemental Guidance: Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. |
link |
3 |
| NIST_SP_800-53_R4 |
MP-7 |
NIST_SP_800-53_R4_MP-7 |
NIST SP 800-53 Rev. 4 MP-7 |
Media Protection |
Media Use |
Shared |
n/a |
The organization [Selection: restricts; prohibits] the use of [Assignment: organization- defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards].
Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL-4.
References: None. |
link |
4 |
| NIST_SP_800-53_R4 |
MP-7(1) |
NIST_SP_800-53_R4_MP-7(1) |
NIST SP 800-53 Rev. 4 MP-7 (1) |
Media Protection |
Prohibit Use Without Owner |
Shared |
n/a |
The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
Supplemental Guidance: Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion). Related control: PL-4. |
link |
4 |
| NIST_SP_800-53_R4 |
SI-3 |
NIST_SP_800-53_R4_SI-3 |
NIST SP 800-53 Rev. 4 SI-3 |
System And Information Integrity |
Malicious Code Protection |
Shared |
n/a |
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13,
SC-7, SC-26, SC-44, SI-2, SI-4, SI-7.
References: NIST Special Publication 800-83. |
link |
11 |
| NIST_SP_800-53_R4 |
SI-3(1) |
NIST_SP_800-53_R4_SI-3(1) |
NIST SP 800-53 Rev. 4 SI-3 (1) |
System And Information Integrity |
Central Management |
Shared |
n/a |
The organization centrally manages malicious code protection mechanisms.
Supplemental Guidance: Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls. Related controls: AU-2, SI-8. |
link |
10 |
| NIST_SP_800-53_R4 |
SI-3(2) |
NIST_SP_800-53_R4_SI-3(2) |
NIST SP 800-53 Rev. 4 SI-3 (2) |
System And Information Integrity |
Automatic Updates |
Shared |
n/a |
The information system automatically updates malicious code protection mechanisms.
Supplemental Guidance: Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Related control: SI-8. |
link |
6 |
| NIST_SP_800-53_R4 |
SI-3(7) |
NIST_SP_800-53_R4_SI-3(7) |
NIST SP 800-53 Rev. 4 SI-3 (7) |
System And Information Integrity |
Nonsignature-Based Detection |
Shared |
n/a |
The information system implements nonsignature-based malicious code detection mechanisms.
Supplemental Guidance: Nonsignature-based detection mechanisms include, for example, the use of heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide safeguards against malicious code for which signatures do not yet exist or for which existing signatures may not be effective. This includes polymorphic malicious code (i.e., code that changes signatures when it replicates). This control enhancement does not preclude the use of signature-based detection mechanisms. |
link |
6 |
| NIST_SP_800-53_R5 |
AC-20(2) |
NIST_SP_800-53_R5_AC-20(2) |
NIST SP 800-53 Rev. 5 AC-20 (2) |
Access Control |
Portable Storage Devices ??? Restricted Use |
Shared |
n/a |
Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions]. |
link |
3 |
| NIST_SP_800-53_R5 |
MP-7 |
NIST_SP_800-53_R5_MP-7 |
NIST SP 800-53 Rev. 5 MP-7 |
Media Protection |
Media Use |
Shared |
n/a |
a. [Selection: Restrict;Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and
b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner. |
link |
4 |
| NIST_SP_800-53_R5 |
SI-3 |
NIST_SP_800-53_R5_SI-3 |
NIST SP 800-53 Rev. 5 SI-3 |
System and Information Integrity |
Malicious Code Protection |
Shared |
n/a |
a. Implement [Selection (OneOrMore): signature based;non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
c. Configure malicious code protection mechanisms to:
1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (OneOrMore): endpoint;network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and
2. [Selection (OneOrMore): block malicious code;quarantine malicious code;take [Assignment: organization-defined action] ] ; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and
d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. |
link |
11 |
|
op.exp.1 Asset inventory |
op.exp.1 Asset inventory |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
op.exp.6 Protection against harmful code |
op.exp.6 Protection against harmful code |
404 not found |
|
|
|
n/a |
n/a |
|
68 |
|
op.pl.2 Security Architecture |
op.pl.2 Security Architecture |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
127 |
| PCI_DSS_v4.0 |
5.2.1 |
PCI_DSS_v4.0_5.2.1 |
PCI DSS v4.0 5.2.1 |
Requirement 05: Protect All Systems and Networks from Malicious Software |
Malicious software (malware) is prevented, or detected and addressed |
Shared |
n/a |
An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware. |
link |
12 |
| PCI_DSS_v4.0 |
5.2.2 |
PCI_DSS_v4.0_5.2.2 |
PCI DSS v4.0 5.2.2 |
Requirement 05: Protect All Systems and Networks from Malicious Software |
Malicious software (malware) is prevented, or detected and addressed |
Shared |
n/a |
The deployed anti-malware solution(s):
• Detects all known types of malware.
• Removes, blocks, or contains all known types of malware. |
link |
12 |
| PCI_DSS_v4.0 |
5.2.3 |
PCI_DSS_v4.0_5.2.3 |
PCI DSS v4.0 5.2.3 |
Requirement 05: Protect All Systems and Networks from Malicious Software |
Malicious software (malware) is prevented, or detected and addressed |
Shared |
n/a |
Any system components that are not at risk for malware are evaluated periodically to include the following:
• A documented list of all system components not at risk for malware.
• Identification and evaluation of evolving malware threats for those system components.
• Confirmation whether such system components continue to not require anti-malware protection. |
link |
12 |
| PCI_DSS_v4.0 |
5.3.1 |
PCI_DSS_v4.0_5.3.1 |
PCI DSS v4.0 5.3.1 |
Requirement 05: Protect All Systems and Networks from Malicious Software |
Anti-malware mechanisms and processes are active, maintained, and monitored |
Shared |
n/a |
The anti-malware solution(s) is kept current via automatic updates. |
link |
6 |
| PCI_DSS_v4.0 |
5.3.3 |
PCI_DSS_v4.0_5.3.3 |
PCI DSS v4.0 5.3.3 |
Requirement 05: Protect All Systems and Networks from Malicious Software |
Anti-malware mechanisms and processes are active, maintained, and monitored |
Shared |
n/a |
For removable electronic media, the antimalware solution:
• Performs automatic scans of when the media is inserted, connected, or logically mounted, OR
• Performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted. |
link |
7 |
| PCI_DSS_v4.0 |
5.4.1 |
PCI_DSS_v4.0_5.4.1 |
PCI DSS v4.0 5.4.1 |
Requirement 05: Protect All Systems and Networks from Malicious Software |
Anti-phishing mechanisms protect users against phishing attacks |
Shared |
n/a |
Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks. |
link |
7 |
| SOC_2 |
CC6.8 |
SOC_2_CC6.8 |
SOC 2 Type 2 CC6.8 |
Logical and Physical Access Controls |
Prevent or detect against unauthorized or malicious software |
Shared |
The customer is responsible for implementing this recommendation. |
Restricts Application and Software Installation — The ability to install applications
and software is restricted to authorized individuals.
• Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that
may be indicative of unauthorized or malicious software.
• Uses a Defined Change Control Process — A management-defined change control
process is used for the implementation of software.
• Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software
is implemented and maintained to provide for the interception or detection and remediation of malware.
• Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been
transferred or returned to the entity’s custody for malware and other unauthorized
software and to remove any items detected prior to its implementation on the network. |
|
53 |
| SWIFT_CSCF_v2022 |
6.1 |
SWIFT_CSCF_v2022_6.1 |
SWIFT CSCF v2022 6.1 |
6. Detect Anomalous Activity to Systems or Transaction Records |
Ensure that local SWIFT infrastructure is protected against malware and act upon results. |
Shared |
n/a |
Anti-malware software from a reputable vendor is installed, kept up-to-date on all systems, and results are considered for appropriate resolving actions. |
link |
31 |