last sync: 2025-Feb-18 18:37:08 UTC

Secure transfer to storage accounts should be enabled

Azure BuiltIn Policy definition

Source Azure Portal
Display name Secure transfer to storage accounts should be enabled
Id 404c3081-a854-4457-ae30-26a93ef643f9
Version 2.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
2.0.0
Built-in Versioning [Preview]
Category Storage
Microsoft Learn
Description Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '2.*.*'
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly Microsoft.Storage storageAccounts properties.supportsHttpsTrafficOnly True True
Rule resource types IF (1)
Microsoft.Storage/storageAccounts
Compliance
The following 161 compliance controls are associated with this Policy definition 'Secure transfer to storage accounts should be enabled' (404c3081-a854-4457-ae30-26a93ef643f9)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
AU_ISM 1277 AU_ISM_1277 AU ISM 1277 Guidelines for Database Systems - Database servers Communications between database servers and web servers - 1277 n/a Data communicated between database servers and web applications is encrypted. link 6
Azure_Security_Benchmark_v1.0 4.4 Azure_Security_Benchmark_v1.0_4.4 Azure Security Benchmark 4.4 Data Protection Encrypt all sensitive information in transit Shared Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure resources are able to negotiate TLS 1.2 or greater. Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable. Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit n/a link 10
Azure_Security_Benchmark_v2.0 DP-4 Azure_Security_Benchmark_v2.0_DP-4 Azure Security Benchmark DP-4 Data Protection Encrypt sensitive information in transit Shared To complement access controls, data in transit should be protected against ‘out of band’ attacks (e.g. traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. While this is optional for traffic on private networks, this is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsoleted SSL, TLS, and SSH versions and protocols, and weak ciphers should be disabled. By default, Azure provides encryption for data in transit between Azure data centers. Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit n/a link 12
Azure_Security_Benchmark_v3.0 DP-3 Azure_Security_Benchmark_v3.0_DP-3 Microsoft cloud security benchmark DP-3 Data Protection Encrypt sensitive data in transit Shared **Security Principle:** Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on external and public networks. **Azure Guidance:** Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in. Enforce HTTPS for workload web application and services by ensuring that any clients connecting to your Azure resources use transportation layer security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure PaaS services by default. **Implementation and additional context:** Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem Enforce secure transfer in Azure storage: https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account n/a link 15
B.09.1 - Security aspects and stages B.09.1 - Security aspects and stages 404 not found n/a n/a 2
Canada_Federal_PBMM_3-1-2020 CA_3 Canada_Federal_PBMM_3-1-2020_CA_3 Canada Federal PBMM 3-1-2020 CA 3 Information System Connections System Interconnections Shared 1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements. 2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated. 3. The organization reviews and updates Interconnection Security Agreements annually. To establish and maintain secure connections between information systems. 77
Canada_Federal_PBMM_3-1-2020 CA_3(3) Canada_Federal_PBMM_3-1-2020_CA_3(3) Canada Federal PBMM 3-1-2020 CA 3(3) Information System Connections System Interconnections | Classified Non-National Security System Connections Shared The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner. To ensure the integrity and security of internal systems against external threats. 77
Canada_Federal_PBMM_3-1-2020 CA_3(5) Canada_Federal_PBMM_3-1-2020_CA_3(5) Canada Federal PBMM 3-1-2020 CA 3(5) Information System Connections System Interconnections | Restrictions on External Network Connections Shared The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems. To enhance security posture against unauthorized access. 77
Canada_Federal_PBMM_3-1-2020 CA_7 Canada_Federal_PBMM_3-1-2020_CA_7 Canada Federal PBMM 3-1-2020 CA 7 Continuous Monitoring Continuous Monitoring Shared 1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency. To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements. 125
Canada_Federal_PBMM_3-1-2020 CM_3(6) Canada_Federal_PBMM_3-1-2020_CM_3(6) Canada Federal PBMM 3-1-2020 CM 3(6) Configuration Change Control Configuration Change Control | Cryptography Management Shared The organization ensures that cryptographic mechanisms used to provide any cryptographic-based safeguards are under configuration management. To uphold security and integrity measures. 20
Canada_Federal_PBMM_3-1-2020 SC_12 Canada_Federal_PBMM_3-1-2020_SC_12 Canada Federal PBMM 3-1-2020 SC 12 Cryptographic Key Establishment and Management Cryptographic Key Establishment and Management Shared The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with CSE-approved cryptography. To enhance overall security posture and compliance with industry best practices. 29
Canada_Federal_PBMM_3-1-2020 SC_12(1) Canada_Federal_PBMM_3-1-2020_SC_12(1) Canada Federal PBMM 3-1-2020 SC 12(1) Cryptographic Key Establishment and Management Cryptographic Key Establishment and Management | Availability Shared The organization maintains availability of information in the event of the loss of cryptographic keys by users. To implement backup and recovery mechanisms. 29
Canada_Federal_PBMM_3-1-2020 SI_3 Canada_Federal_PBMM_3-1-2020_SI_3 Canada Federal PBMM 3-1-2020 SI 3 Malicious Code Protection Malicious Code Protection Shared 1. The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code. 2. The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. 3. The organization configures malicious code protection mechanisms to: a. Perform periodic scans of the information system at least weekly and real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and b. Block and quarantine malicious code; send alert to the key role as defined in the system and information integrity policy in response to malicious code detection. 4. The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. To mitigate potential impacts on system availability. 52
Canada_Federal_PBMM_3-1-2020 SI_3(1) Canada_Federal_PBMM_3-1-2020_SI_3(1) Canada Federal PBMM 3-1-2020 SI 3(1) Malicious Code Protection Malicious Code Protection | Central Management Shared The organization centrally manages malicious code protection mechanisms. To centrally manage malicious code protection mechanisms. 51
Canada_Federal_PBMM_3-1-2020 SI_3(2) Canada_Federal_PBMM_3-1-2020_SI_3(2) Canada Federal PBMM 3-1-2020 SI 3(2) Malicious Code Protection Malicious Code Protection | Automatic Updates Shared The information system automatically updates malicious code protection mechanisms. To ensure automatic updates in malicious code protection mechanisms. 51
Canada_Federal_PBMM_3-1-2020 SI_3(7) Canada_Federal_PBMM_3-1-2020_SI_3(7) Canada Federal PBMM 3-1-2020 SI 3(7) Malicious Code Protection Malicious Code Protection | Non Signature-Based Detection Shared The information system implements non-signature-based malicious code detection mechanisms. To enhance overall security posture. 51
Canada_Federal_PBMM_3-1-2020 SI_4 Canada_Federal_PBMM_3-1-2020_SI_4 Canada Federal PBMM 3-1-2020 SI 4 Information System Monitoring Information System Monitoring Shared 1. The organization monitors the information system to detect: a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and b. Unauthorized local, network, and remote connections; 2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods. 3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. 4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. 5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. 6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards. 7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency. To enhance overall security posture. 95
Canada_Federal_PBMM_3-1-2020 SI_4(1) Canada_Federal_PBMM_3-1-2020_SI_4(1) Canada Federal PBMM 3-1-2020 SI 4(1) Information System Monitoring Information System Monitoring | System-Wide Intrusion Detection System Shared The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. To enhance overall security posture. 95
Canada_Federal_PBMM_3-1-2020 SI_4(2) Canada_Federal_PBMM_3-1-2020_SI_4(2) Canada Federal PBMM 3-1-2020 SI 4(2) Information System Monitoring Information System Monitoring | Automated Tools for Real-Time Analysis Shared The organization employs automated tools to support near real-time analysis of events. To enhance overall security posture. 94
Canada_Federal_PBMM_3-1-2020 SI_8(1) Canada_Federal_PBMM_3-1-2020_SI_8(1) Canada Federal PBMM 3-1-2020 SI 8(1) Spam Protection Spam Protection | Central Management of Protection Mechanisms Shared The organization centrally manages spam protection mechanisms. To enhance overall security posture. 88
CCCS SC-8(1) CCCS_SC-8(1) CCCS SC-8(1) System and Communications Protection Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection n/a The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission unless otherwise protected by physical security safeguards applied in applied in accordance with, or uses an adequate risk-based approach aligned with the practices specified in TBS and RCMP physical security standards and any related provisions of the Industrial Security Program. The cryptography must be compliant with the requirements of control SC-13. link 5
CIS_Azure_1.1.0 3.1 CIS_Azure_1.1.0_3.1 CIS Microsoft Azure Foundations Benchmark recommendation 3.1 3 Storage Accounts Ensure that 'Secure transfer required' is set to 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable data encryption in transit. link 4
CIS_Azure_1.3.0 3.1 CIS_Azure_1.3.0_3.1 CIS Microsoft Azure Foundations Benchmark recommendation 3.1 3 Storage Accounts Ensure that 'Secure transfer required' is set to 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable data encryption in transit. link 4
CIS_Azure_1.4.0 3.1 CIS_Azure_1.4.0_3.1 CIS Microsoft Azure Foundations Benchmark recommendation 3.1 3 Storage Accounts Ensure that 'Secure transfer required' is set to 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable data encryption in transit. link 4
CIS_Azure_2.0.0 3.1 CIS_Azure_2.0.0_3.1 CIS Microsoft Azure Foundations Benchmark recommendation 3.1 3 Ensure that 'Secure transfer required' is set to 'Enabled' Shared n/a Enable data encryption in transit. The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn’t support HTTPS for custom domain names, this option is not applied when using a custom domain name. link 4
CIS_Azure_Foundations_v2.1.0 3.1 CIS_Azure_Foundations_v2.1.0_3.1 CIS Azure Foundations v2.1.0 3.1 Storage Accounts Ensure Private Endpoints are used to access Storage Accounts Shared n/a Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it. 1
CIS_Controls_v8.1 3.10 CIS_Controls_v8.1_3.10 404 not found n/a n/a 8
CIS_Controls_v8.1 4.1 CIS_Controls_v8.1_4.1 CIS Controls v8.1 4.1 Secure Configuration of Enterprise Assets and Software Establish and maintain a secure configuration process. Shared 1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). 2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. To ensure data integrity and safety of enterprise assets. 44
CMMC_2.0_L2 SC.L2-3.13.8 CMMC_2.0_L2_SC.L2-3.13.8 404 not found n/a n/a 16
CMMC_L2_v1.9.0 SC.L1_3.13.1 CMMC_L2_v1.9.0_SC.L1_3.13.1 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.1 System and Communications Protection Boundary Protection Shared Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. To protect information assets from external attacks and insider threats. 43
CMMC_L2_v1.9.0 SC.L1_3.13.5 CMMC_L2_v1.9.0_SC.L1_3.13.5 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.5 System and Communications Protection Public Access System Separation Shared Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. To control access, monitor traffic, and mitigate the risk of unauthorized access or exploitation of internal resources. 43
CMMC_L2_v1.9.0 SC.L2_3.13.10 CMMC_L2_v1.9.0_SC.L2_3.13.10 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.10 System and Communications Protection Key Management Shared Establish and manage cryptographic keys for cryptography employed in organizational systems. To protect information assets from unauthorized access, manipulation, or disclosure. 14
CMMC_L2_v1.9.0 SC.L2_3.13.11 CMMC_L2_v1.9.0_SC.L2_3.13.11 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.11 System and Communications Protection CUI Encryption Shared Employ FIPS validated cryptography when used to protect the confidentiality of CUI. To ensure the integrity and effectiveness of cryptographic protections applied to sensitive data. 19
CMMC_L3 AC.1.002 CMMC_L3_AC.1.002 CMMC L3 AC.1.002 Access Control Limit information system access to the types of transactions and functions that authorized users are permitted to execute. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). link 27
CMMC_L3 SC.1.175 CMMC_L3_SC.1.175 CMMC L3 SC.1.175 System and Communications Protection Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. link 30
CMMC_L3 SC.3.185 CMMC_L3_SC.3.185 CMMC L3 SC.3.185 System and Communications Protection Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. link 10
CSA_v4.0.12 CEK_01 CSA_v4.0.12_CEK_01 CSA Cloud Controls Matrix v4.0.12 CEK 01 Cryptography, Encryption & Key Management Encryption and Key Management Policy and Procedures Shared n/a Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management. Review and update the policies and procedures at least annually. 14
CSA_v4.0.12 CEK_02 CSA_v4.0.12_CEK_02 CSA Cloud Controls Matrix v4.0.12 CEK 02 Cryptography, Encryption & Key Management CEK Roles and Responsibilities Shared n/a Define and implement cryptographic, encryption and key management roles and responsibilities. 25
CSA_v4.0.12 CEK_03 CSA_v4.0.12_CEK_03 CSA Cloud Controls Matrix v4.0.12 CEK 03 Cryptography, Encryption & Key Management Data Encryption Shared n/a Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards. 58
CSA_v4.0.12 CEK_04 CSA_v4.0.12_CEK_04 CSA Cloud Controls Matrix v4.0.12 CEK 04 Cryptography, Encryption & Key Management Encryption Algorithm Shared n/a Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology. 12
CSA_v4.0.12 CEK_10 CSA_v4.0.12_CEK_10 CSA Cloud Controls Matrix v4.0.12 CEK 10 Cryptography, Encryption & Key Management Key Generation Shared n/a Generate Cryptographic keys using industry accepted cryptographic libraries specifying the algorithm strength and the random number generator used. 24
CSA_v4.0.12 CEK_11 CSA_v4.0.12_CEK_11 CSA Cloud Controls Matrix v4.0.12 CEK 11 Cryptography, Encryption & Key Management Key Purpose Shared n/a Manage cryptographic secret and private keys that are provisioned for a unique purpose. 24
CSA_v4.0.12 CEK_12 CSA_v4.0.12_CEK_12 CSA Cloud Controls Matrix v4.0.12 CEK 12 Cryptography, Encryption & Key Management Key Rotation Shared n/a Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements. 22
CSA_v4.0.12 CEK_13 CSA_v4.0.12_CEK_13 CSA Cloud Controls Matrix v4.0.12 CEK 13 Cryptography, Encryption & Key Management Key Revocation Shared n/a Define, implement and evaluate processes, procedures and technical measures to revoke and remove cryptographic keys prior to the end of its established cryptoperiod, when a key is compromised, or an entity is no longer part of the organization, which include provisions for legal and regulatory requirements. 12
CSA_v4.0.12 CEK_14 CSA_v4.0.12_CEK_14 CSA Cloud Controls Matrix v4.0.12 CEK 14 Cryptography, Encryption & Key Management Key Destruction Shared n/a Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, which include provisions for legal and regulatory requirements. 12
CSA_v4.0.12 CEK_15 CSA_v4.0.12_CEK_15 CSA Cloud Controls Matrix v4.0.12 CEK 15 Cryptography, Encryption & Key Management Key Activation Shared n/a Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements. 21
CSA_v4.0.12 CEK_16 CSA_v4.0.12_CEK_16 CSA Cloud Controls Matrix v4.0.12 CEK 16 Cryptography, Encryption & Key Management Key Suspension Shared n/a Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements. 23
CSA_v4.0.12 CEK_17 CSA_v4.0.12_CEK_17 CSA Cloud Controls Matrix v4.0.12 CEK 17 Cryptography, Encryption & Key Management Key Deactivation Shared n/a Define, implement and evaluate processes, procedures and technical measures to deactivate keys at the time of their expiration date, which include provisions for legal and regulatory requirements. 11
CSA_v4.0.12 CEK_18 CSA_v4.0.12_CEK_18 CSA Cloud Controls Matrix v4.0.12 CEK 18 Cryptography, Encryption & Key Management Key Archival Shared n/a Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository requiring least privilege access, which include provisions for legal and regulatory requirements. 11
CSA_v4.0.12 CEK_19 CSA_v4.0.12_CEK_19 CSA Cloud Controls Matrix v4.0.12 CEK 19 Cryptography, Encryption & Key Management Key Compromise Shared n/a Define, implement and evaluate processes, procedures and technical measures to use compromised keys to encrypt information only in controlled circumstance, and thereafter exclusively for decrypting data and never for encrypting data, which include provisions for legal and regulatory requirements. 11
CSA_v4.0.12 CEK_20 CSA_v4.0.12_CEK_20 CSA Cloud Controls Matrix v4.0.12 CEK 20 Cryptography, Encryption & Key Management Key Recovery Shared n/a Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements. 25
CSA_v4.0.12 CEK_21 CSA_v4.0.12_CEK_21 CSA Cloud Controls Matrix v4.0.12 CEK 21 Cryptography, Encryption & Key Management Key Inventory Management Shared n/a Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements. 12
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 194
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 311
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 311
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 311
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 311
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .1 FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 Policy and Implementation - Systems And Communications Protection Systems And Communications Protection Shared In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. 111
FedRAMP_High_R4 SC-8 FedRAMP_High_R4_SC-8 FedRAMP High SC-8 System And Communications Protection Transmission Confidentiality And Integrity Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4. References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. link 15
FedRAMP_High_R4 SC-8(1) FedRAMP_High_R4_SC-8(1) FedRAMP High SC-8 (1) System And Communications Protection Cryptographic Or Alternate Physical Protection Shared n/a The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. link 14
FedRAMP_Moderate_R4 SC-8 FedRAMP_Moderate_R4_SC-8 FedRAMP Moderate SC-8 System And Communications Protection Transmission Confidentiality And Integrity Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4. References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. link 15
FedRAMP_Moderate_R4 SC-8(1) FedRAMP_Moderate_R4_SC-8(1) FedRAMP Moderate SC-8 (1) System And Communications Protection Cryptographic Or Alternate Physical Protection Shared n/a The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. link 14
FFIEC_CAT_2017 3.1.1 FFIEC_CAT_2017_3.1.1 FFIEC CAT 2017 3.1.1 Cybersecurity Controls Infrastructure Management Shared n/a - Network perimeter defense tools (e.g., border router and firewall) are used. - Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. - All ports are monitored. - Up to date antivirus and anti-malware tools are used. - Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. - Ports, functions, protocols and services are prohibited if no longer needed for business purposes. - Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored. - Programs that can override system, object, network, virtual machine, and application controls are restricted. - System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met. - Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.) 72
FFIEC_CAT_2017 4.1.1 FFIEC_CAT_2017_4.1.1 FFIEC CAT 2017 4.1.1 External Dependency Management Connections Shared n/a - The critical business processes that are dependent on external connectivity have been identified. - The institution ensures that third-party connections are authorized. - A network diagram is in place and identifies all external connections. - Data flow diagrams are in place and document information flow to external parties. 43
hipaa 0809.01n2Organizational.1234-01.n hipaa-0809.01n2Organizational.1234-01.n 0809.01n2Organizational.1234-01.n 08 Network Protection 0809.01n2Organizational.1234-01.n 01.04 Network Access Control Shared n/a Network traffic is controlled in accordance with the organization’s access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. 17
hipaa 0810.01n2Organizational.5-01.n hipaa-0810.01n2Organizational.5-01.n 0810.01n2Organizational.5-01.n 08 Network Protection 0810.01n2Organizational.5-01.n 01.04 Network Access Control Shared n/a Transmitted information is secured and, at a minimum, encrypted over open, public networks. 16
hipaa 0811.01n2Organizational.6-01.n hipaa-0811.01n2Organizational.6-01.n 0811.01n2Organizational.6-01.n 08 Network Protection 0811.01n2Organizational.6-01.n 01.04 Network Access Control Shared n/a Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. 23
hipaa 0812.01n2Organizational.8-01.n hipaa-0812.01n2Organizational.8-01.n 0812.01n2Organizational.8-01.n 08 Network Protection 0812.01n2Organizational.8-01.n 01.04 Network Access Control Shared n/a Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. 12
hipaa 0814.01n1Organizational.12-01.n hipaa-0814.01n1Organizational.12-01.n 0814.01n1Organizational.12-01.n 08 Network Protection 0814.01n1Organizational.12-01.n 01.04 Network Access Control Shared n/a The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of its business applications. 11
hipaa 0943.09y1Organizational.1-09.y hipaa-0943.09y1Organizational.1-09.y 0943.09y1Organizational.1-09.y 09 Transmission Protection 0943.09y1Organizational.1-09.y 09.09 Electronic Commerce Services Shared n/a Data involved in electronic commerce and online transactions is checked to determine if it contains covered information. 4
hipaa 1401.05i1Organizational.1239-05.i hipaa-1401.05i1Organizational.1239-05.i 1401.05i1Organizational.1239 - 05.i Identification of Risks Related to External Parties Access to the organizations information and systems by external parties is not permitted until due diligence has been conducted, the appropriate controls have been implemented, and a contract/agreement reflecting the security requirements is signed acknowledging they understand and accept their obligations. Customer n/a Master Supplier Service Agreement (MSSA))
Supplier Data Protection Requirements (DPR)
Supplier Code of Conduct (SCoC)

Sample of  Datacenter TVRAs
1
HITRUST_CSF_v11.3 01.m HITRUST_CSF_v11.3_01.m HITRUST CSF v11.3 01.m Network Access Control To ensure segregation in networks. Shared Security gateways, internal network perimeters, wireless network segregation, firewalls, and logical network domains with controlled data flows to be implemented to enhance network security. Groups of information services, users, and information systems should be segregated on networks. 48
HITRUST_CSF_v11.3 01.n HITRUST_CSF_v11.3_01.n HITRUST CSF v11.3 01.n Network Access Control To prevent unauthorised access to shared networks. Shared Default deny policy at managed interfaces, restricted user connections through network gateways, comprehensive access controls, time-based restrictions, and encryption of sensitive information transmitted over public networks for is to be implemented for enhanced security. For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications. 55
IRS_1075_9.3 .16.6 IRS_1075_9.3.16.6 IRS 1075 9.3.16.6 System and Communications Protection Transmission Confidentiality and Integrity (SC-8) n/a Information systems that receive, process, store, or transmit FTI, must: a. Protect the confidentiality and integrity of transmitted information b. Implement FIPS 140-2 cryptographic mechanisms to prevent unauthorized disclosure of FTI and detect changes to information during transmission across the wide area network (WAN) and within the local area network (LAN) (CE1) The agency must ensure that all network infrastructure, access points, wiring, conduits, and cabling are within the control of authorized agency personnel. Network monitoring capabilities must be implemented to detect and monitor for suspicious network traffic. For physical security protections of transmission medium, see Section 9.3.11.4, Access Control for Transmission Medium (PE-4). This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, fax machines). link 8
ISO_IEC_27002_2022 8.24 ISO_IEC_27002_2022_8.24 ISO IEC 27002 2022 8.24 Protection, Preventive Control Use of cryptography Shared Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented. To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography. 14
ISO_IEC_27017_2015 10.1.1 ISO_IEC_27017_2015_10.1.1 ISO IEC 27017 2015 10.1.1 Cryptography Policy on the use of cryptographic controls Shared For Cloud Service Customer: The cloud service customer should implement cryptographic controls for its use of cloud services if justified by the risk analysis. The controls should be of sufficient strength to mitigate the identified risks, whether those controls are supplied by the cloud service customer or by the cloud service provider. When the cloud service provider offers cryptography, the cloud service customer should review any information supplied by the cloud service provider to confirm whether the cryptographic capabilities: (i) meet the cloud service customer's policy requirements; (ii) are compatible with any other cryptographic protection used by the cloud service customer; (iii) apply to data at rest and in transit to, from and within the cloud service. For Cloud Service Provider: The cloud service provider should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the information it processes. The cloud service provider should also provide information to the cloud service customer about any capabilities it provides that can assist the cloud service customer in applying its own cryptographic protection. To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography. 19
ISO_IEC_27017_2015 10.1.2 ISO_IEC_27017_2015_10.1.2 ISO IEC 27017 2015 10.1.2 Cryptography Key Management Shared For Cloud Service Customer: The cloud service customer should identify the cryptographic keys for each cloud service, and implement procedures for key management. Where the cloud service provides key management functionality for use by the cloud service customer, the cloud service customer should request the following information on the procedures used to manage keys related to the cloud service: (i) type of keys; (ii) specifications of the key management system, including procedures for each stage of the key life-cycle, i.e., generating, changing or updating, storing, retiring, retrieving, retaining and destroying; (iii) recommended key management procedures for use by the cloud service customer. The cloud service customer should not permit the cloud service provider to store and manage the encryption keys for cryptographic operations when the cloud service customer employs its own key management or a separate and distinct key management service. To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography. 14
ISO_IEC_27017_2015 18.1.5 ISO_IEC_27017_2015_18.1.5 ISO IEC 27017 2015 18.1.5 Compliance Regulation of Cryptographic Controls Shared For Cloud Service Customer: The cloud service customer should verify that the set of cryptographic controls that apply to the use of a cloud service comply with relevant agreements, legislation and regulations. For Cloud Service Provider: The cloud service provider should provide descriptions of the cryptographic controls implemented by the cloud service provider to the cloud service customer for reviewing compliance with applicable agreements, legislation and regulations. To ensure compliance with legal, statutory, regulatory and contractual requirements related to information security. 19
ISO27001-2013 A.10.1.1 ISO27001-2013_A.10.1.1 ISO 27001:2013 A.10.1.1 Cryptography Policy on the use of cryptographic controls Shared n/a A policy on the use of cryptographic controls for protection of information shall be developed and implemented. link 17
ISO27001-2013 A.13.2.1 ISO27001-2013_A.13.2.1 ISO 27001:2013 A.13.2.1 Communications Security Information transfer policies and procedures Shared n/a Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. link 32
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity 404 not found n/a n/a 62
mp.info.3 Electronic signature mp.info.3 Electronic signature 404 not found n/a n/a 40
New_Zealand_ISM 18.1.13.C.02 New_Zealand_ISM_18.1.13.C.02 New_Zealand_ISM_18.1.13.C.02 18. Network security 18.1.13.C.02 Limiting network access n/a Agencies SHOULD implement network access controls on all networks. 19
NIS2 DP._Data_Protection_8 NIS2_DP._Data_Protection_8 NIS2_DP._Data_Protection_8 DP. Data Protection Policies and procedures regarding the use of cryptography and, where appropriate, encryption n/a In order to safeguard the security of public electronic communications networks and publicly available electronic communications services, the use of encryption technologies, in particular end-to-end encryption as well as data-centric security concepts, such as cartography, segmentation, tagging, access policy and access management, and automated access decisions, should be promoted. Where necessary, the use of encryption, in particular end-to-end encryption should be mandatory for providers of public electronic communications networks or of publicly available electronic communications services in accordance with the principles of security and privacy by default and by design for the purposes of this Directive. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to allow for the prevention, investigation, detection and prosecution of criminal offences in accordance with Union law. However, this should not weaken end-to-end encryption, which is a critical technology for the effective protection of data and privacy and the security of communications. 32
NIST_SP_800-171_R2_3 .13.8 NIST_SP_800-171_R2_3.13.8 NIST SP 800-171 R2 3.13.8 System and Communications Protection Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. See [NIST CRYPTO]. link 16
NIST_SP_800-171_R3_3 .13.1 NIST_SP_800-171_R3_3.13.1 NIST 800-171 R3 3.13.1 System and Communications Protection Control Boundary Protection Shared Managed interfaces include gateways, routers, firewalls, network-based malicious code analysis, virtualization systems, and encrypted tunnels implemented within a security architecture. Subnetworks that are either physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system. b. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. c. Connect to external systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. 43
NIST_SP_800-171_R3_3 .13.10 NIST_SP_800-171_R3_3.13.10 NIST 800-171 R3 3.13.10 System and Communications Protection Control Cryptographic Key Establishment and Management Shared Cryptographic key establishment and management include key generation, distribution, storage, access, rotation, and destruction. Cryptographic keys can be established and managed using either manual procedures or automated mechanisms supported by manual procedures. Organizations satisfy key establishment and management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards that specify appropriate options, levels, and parameters. This requirement is related to 03.13.11. Establish and manage cryptographic keys in the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key establishment and management]. 14
NIST_SP_800-171_R3_3 .13.11 NIST_SP_800-171_R3_3.13.11 NIST 800-171 R3 3.13.11 System and Communications Protection Control Cryptographic Protection Shared Cryptography is implemented in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. Implement the following types of cryptography when used to protect the confidentiality of CUI: [Assignment: organization-defined types of cryptography]. 19
NIST_SP_800-53_R4 SC-8 NIST_SP_800-53_R4_SC-8 NIST SP 800-53 Rev. 4 SC-8 System And Communications Protection Transmission Confidentiality And Integrity Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4. References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. link 15
NIST_SP_800-53_R4 SC-8(1) NIST_SP_800-53_R4_SC-8(1) NIST SP 800-53 Rev. 4 SC-8 (1) System And Communications Protection Cryptographic Or Alternate Physical Protection Shared n/a The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. link 14
NIST_SP_800-53_R5.1.1 SC.12 NIST_SP_800-53_R5.1.1_SC.12 NIST SP 800-53 R5.1.1 SC.12 System and Communications Protection Cryptographic Key Establishment and Management Shared Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment. 13
NIST_SP_800-53_R5.1.1 SC.13 NIST_SP_800-53_R5.1.1_SC.13 NIST SP 800-53 R5.1.1 SC.13 System and Communications Protection Cryptographic Protection Shared a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]. Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 19
NIST_SP_800-53_R5.1.1 SC.7 NIST_SP_800-53_R5.1.1_SC.7 NIST SP 800-53 R5.1.1 SC.7 System and Communications Protection Boundary Protection Shared a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary). 43
NIST_SP_800-53_R5 SC-8 NIST_SP_800-53_R5_SC-8 NIST SP 800-53 Rev. 5 SC-8 System and Communications Protection Transmission Confidentiality and Integrity Shared n/a Protect the [Selection (OneOrMore): confidentiality;integrity] of transmitted information. link 15
NIST_SP_800-53_R5 SC-8(1) NIST_SP_800-53_R5_SC-8(1) NIST SP 800-53 Rev. 5 SC-8 (1) System and Communications Protection Cryptographic Protection Shared n/a Implement cryptographic mechanisms to [Selection (OneOrMore): prevent unauthorized disclosure of information;detect changes to information] during transmission. link 14
NL_BIO_Cloud_Theme B.09.1(2) NL_BIO_Cloud_Theme_B.09.1(2) NL_BIO_Cloud_Theme_B.09.1(2) B.09 Privacy and protection of personal data Security aspects and stages n/a Availability, integrity and confidentiality measures have been taken for the storage, processing and transport of data 2
NL_BIO_Cloud_Theme U.05.1(2) NL_BIO_Cloud_Theme_U.05.1(2) NL_BIO_Cloud_Theme_U.05.1(2) U.05 Data protection Cryptographic measures n/a Data transport is secured with cryptography to the latest state of the art (in accordance with the Forum for Standardization), whereby the key management is carried out by the CSC itself if possible. 17
NL_BIO_Cloud_Theme U.11.1(2) NL_BIO_Cloud_Theme_U.11.1(2) NL_BIO_Cloud_Theme_U.11.1(2) U.11 Cryptoservices Policy n/a The cryptography policy includes at least the following topics: when cryptography is used; who is responsible for the implementation of cryptology; who is responsible for key management; which standards serve as a basis for cryptography and the way in which the standards of the Standardisation Forum are applied; the way in which the level of protection is determined; in the case of communication between organizations, the policy is determined among themselves. 17
NL_BIO_Cloud_Theme U.11.2(2) NL_BIO_Cloud_Theme_U.11.2(2) NL_BIO_Cloud_Theme_U.11.2(2) U.11 Cryptoservices Cryptographic measures n/a In the case of PKIoverheid certificates: apply the PKIoverheid requirements with regard to key management. In other situations: use the ISO 11770 standard for managing cryptographic keys. 17
NZ_ISM_v3.5 PS-4 NZ_ISM_v3.5_PS-4 NZISM Security Benchmark PS-4 Physical Security 8.3.5 Network infrastructure in unsecure areas Customer n/a As agencies lose control over classified information when it is communicated over unsecure public network infrastructure or over infrastructure in unsecure areas they MUST ensure that it is encrypted to a sufficient level that if it was captured that it would be sufficiently difficult to determine the original information from the encrypted information. link 2
NZISM_Security_Benchmark_v1.1 PS-4 NZISM_Security_Benchmark_v1.1_PS-4 NZISM Security Benchmark PS-4 Physical Security 8.3.5 Network infrastructure in unsecure areas Customer Agencies communicating classified information over public network infrastructure or over infrastructure in unsecure areas MUST use encryption to lower the handling instructions to be equivalent to those for unclassified networks. As agencies lose control over classified information when it is communicated over unsecure public network infrastructure or over infrastructure in unsecure areas they MUST ensure that it is encrypted to a sufficient level that if it was captured that it would be sufficiently difficult to determine the original information from the encrypted information. link 2
NZISM_v3.7 17.1.51.C.01. NZISM_v3.7_17.1.51.C.01. NZISM v3.7 17.1.51.C.01. Cryptographic Fundamentals 17.1.51.C.01. - To enhace overall security posture. Shared n/a Agencies using cryptographic functionality within a product to protect the confidentiality, authentication, non-repudiation or integrity of information, MUST ensure that the product has completed a cryptographic evaluation recognised by the GCSB. 20
NZISM_v3.7 17.1.52.C.01. NZISM_v3.7_17.1.52.C.01. NZISM v3.7 17.1.52.C.01. Cryptographic Fundamentals 17.1.52.C.01. - To enhace overall security posture. Shared n/a Cryptographic products MUST provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure. 20
NZISM_v3.7 17.1.52.C.02. NZISM_v3.7_17.1.52.C.02. NZISM v3.7 17.1.52.C.02. Cryptographic Fundamentals 17.1.52.C.02. - To enhance data accessibility and integrity. Shared n/a Cryptographic products SHOULD provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure. 20
NZISM_v3.7 17.1.53.C.03. NZISM_v3.7_17.1.53.C.03. NZISM v3.7 17.1.53.C.03. Cryptographic Fundamentals 17.1.53.C.03. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a If an agency wishes to use encryption to reduce the storage, handling or physical transfer requirements for IT equipment or media that contains classified information, they MUST use: 1. full disk encryption; or 2. partial disk encryption where the access control will allow writing ONLY to the encrypted partition holding the classified information. 20
NZISM_v3.7 17.1.53.C.04. NZISM_v3.7_17.1.53.C.04. NZISM v3.7 17.1.53.C.04. Cryptographic Fundamentals 17.1.53.C.04. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a If an agency wishes to use encryption to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they SHOULD use: 1. full disk encryption; or 2. partial disk encryption where the access control will allow writing ONLY to the encrypted partition holding the classified information. 20
NZISM_v3.7 17.1.54.C.01. NZISM_v3.7_17.1.54.C.01. NZISM v3.7 17.1.54.C.01. Cryptographic Fundamentals 17.1.54.C.01. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a Agencies MUST use an Approved Cryptographic Algorithm to protect NZEO information when at rest on a system. 20
NZISM_v3.7 17.1.55.C.01. NZISM_v3.7_17.1.55.C.01. NZISM v3.7 17.1.55.C.01. Cryptographic Fundamentals 17.1.55.C.01. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a Agencies MUST use HACE if they wish to communicate or pass information over UNCLASSIFIED, insecure or unprotected networks. 20
NZISM_v3.7 17.1.55.C.02. NZISM_v3.7_17.1.55.C.02. NZISM v3.7 17.1.55.C.02. Cryptographic Fundamentals 17.1.55.C.02. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a Information or systems classified RESTRICTED or SENSITIVE MUST be encrypted with an Approved Cryptographic Algorithm and Protocol if information is transmitted or systems are communicating over insecure or unprotected networks, such as the Internet, public networks or non-agency controlled networks. 20
NZISM_v3.7 17.1.55.C.03. NZISM_v3.7_17.1.55.C.03. NZISM v3.7 17.1.55.C.03. Cryptographic Fundamentals 17.1.55.C.03. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a Agencies MUST encrypt aggregated agency data using an approved algorithm and protocol over insecure or unprotected networks such as the Internet, public infrastructure or non-agency controlled networks when the compromise of the aggregated data would present a significant impact to the agency. 20
NZISM_v3.7 17.1.55.C.04. NZISM_v3.7_17.1.55.C.04. NZISM v3.7 17.1.55.C.04. Cryptographic Fundamentals 17.1.55.C.04. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a Agencies SHOULD encrypt agency data using an approved algorithm and protocol if they wish to communicate over insecure or unprotected networks such as the Internet, public networks or non-agency controlled networks. 20
NZISM_v3.7 17.1.56.C.02. NZISM_v3.7_17.1.56.C.02. NZISM v3.7 17.1.56.C.02. Cryptographic Fundamentals 17.1.56.C.02. - To ensure compliance with security protocols and best practices. Shared n/a Agencies MUST consult the GCSB for further advice on the powered off status and treatment of specific software, systems and IT equipment. 20
NZISM_v3.7 17.1.57.C.01. NZISM_v3.7_17.1.57.C.01. NZISM v3.7 17.1.57.C.01. Cryptographic Fundamentals 17.1.57.C.01. - To ensure compliance with security protocols and best practices. Shared n/a In addition to any encryption already in place for communication mediums, agencies MUST use an Approved Cryptographic Protocol and Algorithm to protect NZEO information when in transit. 19
NZISM_v3.7 17.1.58.C.01. NZISM_v3.7_17.1.58.C.01. NZISM v3.7 17.1.58.C.01. Cryptographic Fundamentals 17.1.58.C.01. - To ensure compliance with security protocols and best practices. Shared n/a Agencies SHOULD establish cryptoperiods for all keys and cryptographic implementations in their systems and operations. 19
NZISM_v3.7 17.1.58.C.02. NZISM_v3.7_17.1.58.C.02. NZISM v3.7 17.1.58.C.02. Cryptographic Fundamentals 17.1.58.C.02. - To enhance overall cybersecurity posture. Shared n/a Agencies SHOULD use risk assessment techniques and guidance to establish cryptoperiods. 25
NZISM_v3.7 17.1.58.C.03. NZISM_v3.7_17.1.58.C.03. NZISM v3.7 17.1.58.C.03. Cryptographic Fundamentals 17.1.58.C.03. - To enhance overall cybersecurity posture. Shared n/a Agencies using HACE MUST consult the GCSB for key management requirements. 17
NZISM_v3.7 17.10.12.C.01. NZISM_v3.7_17.10.12.C.01. NZISM v3.7 17.10.12.C.01. Hardware Security Modules 17.10.12.C.01. - To enhance the overall security posture of the systems and the sensitive information they protect. Shared n/a Agencies MUST consider the use of HSMs when undertaking a security risk assessment or designing network and security architectures. 15
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 75
op.mon.1 Intrusion detection op.mon.1 Intrusion detection 404 not found n/a n/a 50
PCI_DSS_V3.2.1 3.4 PCI_DSS_v3.2.1_3.4 PCI DSS v3.2.1 3.4 Requirement 3 PCI DSS requirement 3.4 customer n/a n/a link 7
PCI_DSS_V3.2.1 4.1 PCI_DSS_v3.2.1_4.1 PCI DSS v3.2.1 4.1 Requirement 4 PCI DSS requirement 4.1 customer n/a n/a link 7
PCI_DSS_V3.2.1 6.5.3 PCI_DSS_v3.2.1_6.5.3 PCI DSS v3.2.1 6.5.3 Requirement 6 PCI DSS requirement 6.5.3 shared n/a n/a link 7
PCI_DSS_v4.0.1 1.4.4 PCI_DSS_v4.0.1_1.4.4 PCI DSS v4.0.1 1.4.4 Install and Maintain Network Security Controls System components that store cardholder data are not directly accessible from untrusted networks Shared n/a Examine the data-flow diagram and network diagram to verify that it is documented that system components storing cardholder data are not directly accessible from the untrusted networks. Examine configurations of NSCs to verify that controls are implemented such that system components storing cardholder data are not directly accessible from untrusted networks 43
PCI_DSS_v4.0.1 3.5.1.1 PCI_DSS_v4.0.1_3.5.1.1 PCI DSS v4.0.1 3.5.1.1 Protect Stored Account Data Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7 Shared n/a Examine documentation about the hashing method used to render PAN unreadable, including the vendor, type of system/process, and the encryption algorithms (as applicable) to verify that the hashing method results in keyed cryptographic hashes of the entire PAN, with associated key management processes and procedures. Examine documentation about the key management procedures and processes associated with the keyed cryptographic hashes to verify keys are managed in accordance with Requirements 3.6 and 3.7. Examine data repositories to verify the PAN is rendered unreadable. Examine audit logs, including payment application logs, to verify the PAN is rendered unreadable 19
PCI_DSS_v4.0.1 3.6.1 PCI_DSS_v4.0.1_3.6.1 PCI DSS v4.0.1 3.6.1 Protect Stored Account Data Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse that include: access to keys is restricted to the fewest number of custodians necessary. Key-encrypting keys are at least as strong as the data-encrypting keys they protect. Key-encrypting keys are stored separately from data-encrypting keys. Keys are stored securely in the fewest possible locations and forms Shared n/a Examine documented key-management policies and procedures to verify that processes to protect cryptographic keys used to protect stored account data against disclosure and misuse are defined to include all elements specified in this requirement 16
PCI_DSS_v4.0.1 3.6.1.1 PCI_DSS_v4.0.1_3.6.1.1 PCI DSS v4.0.1 3.6.1.1 Protect Stored Account Data Additional requirement for service providers only: A documented description of the cryptographic architecture is maintained that includes: details of all algorithms, protocols, and keys used for the protection of stored account data, including key strength and expiry date. Preventing the use of the same cryptographic keys in production and test environments. Description of the key usage for each key. Inventory of any hardware security modules (HSMs), key management systems (KMS), and other secure cryptographic devices (SCDs) used for key management, including type and location of devices, to support meeting Requirement 12.3.4 Shared n/a Additional testing procedure for service provider assessments only: Interview responsible personnel and examine documentation to verify that a document exists to describe the cryptographic architecture that includes all elements specified in this requirement 14
PCI_DSS_v4.0.1 3.7.1 PCI_DSS_v4.0.1_3.7.1 PCI DSS v4.0.1 3.7.1 Protect Stored Account Data Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to protect stored account data Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define generation of strong cryptographic keys. Observe the method for generating keys to verify that strong keys are generated 16
PCI_DSS_v4.0.1 3.7.2 PCI_DSS_v4.0.1_3.7.2 PCI DSS v4.0.1 3.7.2 Protect Stored Account Data Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to protect stored account data Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define secure distribution of cryptographic keys. Observe the method for distributing keys to verify that keys are distributed securely 16
PCI_DSS_v4.0.1 3.7.3 PCI_DSS_v4.0.1_3.7.3 PCI DSS v4.0.1 3.7.3 Protect Stored Account Data Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to protect stored account data Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define secure storage of cryptographic keys. Observe the method for storing keys to verify that keys are stored securely 14
PCI_DSS_v4.0.1 3.7.5 PCI_DSS_v4.0.1_3.7.5 PCI DSS v4.0.1 3.7.5 Protect Stored Account Data Key management policies procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary when: the key has reached the end of its defined cryptoperiod. The integrity of the key has been weakened, including when personnel with knowledge of a cleartext key component leaves the company, or the role for which the key component was known. The key is suspected of or known to be compromised. Retired or replaced keys are not used for encryption operations Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define retirement, replacement, or destruction of keys in accordance with all elements specified in this requirement. Interview personnel to verify that processes are implemented in accordance with all elements specified in this requirement 14
PCI_DSS_v4.0.1 3.7.6 PCI_DSS_v4.0.1_3.7.6 PCI DSS v4.0.1 3.7.6 Protect Stored Account Data Where manual cleartext cryptographic key-management operations are performed by personnel, key-management policies and procedures are implemented, including managing these operations using split knowledge and dual control Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define using split knowledge and dual control. Interview personnel and/or observe processes to verify that manual cleartext keys are managed with split knowledge and dual control 16
PCI_DSS_v4.0.1 3.7.7 PCI_DSS_v4.0.1_3.7.7 PCI DSS v4.0.1 3.7.7 Protect Stored Account Data Key management policies and procedures are implemented to include the prevention of unauthorized substitution of cryptographic keys Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define prevention of unauthorized substitution of cryptographic keys. Interview personnel and/or observe processes to verify that unauthorized substitution of keys is prevented 14
PCI_DSS_v4.0.1 3.7.8 PCI_DSS_v4.0.1_3.7.8 PCI DSS v4.0.1 3.7.8 Protect Stored Account Data Key management policies and procedures are implemented to include that cryptographic key custodians formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define acknowledgments for key custodians in accordance with all elements specified in this requirement. Examine documentation or other evidence showing that key custodians have provided acknowledgments in accordance with all elements specified in this requirement 14
PCI_DSS_v4.0.1 4.2.1 PCI_DSS_v4.0.1_4.2.1 PCI DSS v4.0.1 4.2.1 Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: Only trusted keys and certificates are accepted. Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations. The encryption strength is appropriate for the encryption methodology in use Shared n/a Examine documented policies and procedures and interview personnel to verify processes are defined to include all elements specified in this requirement. Examine system configurations to verify that strong cryptography and security protocols are implemented in accordance with all elements specified in this requirement. Examine cardholder data transmissions to verify that all PAN is encrypted with strong cryptography when it is transmitted over open, public networks. Examine system configurations to verify that keys and/or certificates that cannot be verified as trusted are rejected 19
PCI_DSS_v4.0 3.5.1 PCI_DSS_v4.0_3.5.1 PCI DSS v4.0 3.5.1 Requirement 03: Protect Stored Account Data Primary account number (PAN) is secured wherever it is stored Shared n/a PAN is rendered unreadable anywhere it is stored by using any of the following approaches: • One-way hashes based on strong cryptography of the entire PAN. • Truncation (hashing cannot be used to replace the truncated segment of PAN). – If hashed and truncated versions of the same PAN, or different truncation formats of the same PAN, are present in an environment, additional controls are in place such that the different versions cannot be correlated to reconstruct the original PAN. • Index tokens. • Strong cryptography with associated keymanagement processes and procedures. link 11
PCI_DSS_v4.0 6.2.4 PCI_DSS_v4.0_6.2.4 PCI DSS v4.0 6.2.4 Requirement 06: Develop and Maintain Secure Systems and Software Bespoke and custom software are developed securely Shared n/a Software engineering techniques or other methods are defined and in use for bespoke and custom software by software development personnel to prevent or mitigate common software attacks and related vulnerabilities, including but not limited to the following: • Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws. • Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data. • Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, or modes of operation. • Attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, clientside functionality, or other system/application functions and resources. This includes cross-site scripting (XSS) and cross-site request forgery (CSRF). • Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms. • Attacks via any “high-risk” vulnerabilities identified in the vulnerability identification process, as defined in Requirement 6.3.1. link 7
RBI_CSF_Banks_v2016 10.1 RBI_CSF_Banks_v2016_10.1 Secure Mail And Messaging Systems Secure Mail And Messaging Systems-10.1 n/a Implement secure mail and messaging systems, including those used by bank???s partners & vendors, that include measures to prevent email spoofing, identical mail domains, protection of attachments, malicious links etc 15
RBI_CSF_Banks_v2016 10.2 RBI_CSF_Banks_v2016_10.2 Secure Mail And Messaging Systems Secure Mail And Messaging Systems-10.2 n/a Document and implement emailserver specific controls 15
RBI_CSF_Banks_v2016 13.4 RBI_CSF_Banks_v2016_13.4 Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.4 n/a Consider implementingsecure web gateways with capability to deep scan network packets including secure (HTTPS, etc.) traffic passing through the web/internet gateway 41
RBI_ITF_NBFC_v2017 3.1.h RBI_ITF_NBFC_v2017_3.1.h RBI IT Framework 3.1.h Information and Cyber Security Public Key Infrastructure (PKI)-3.1 n/a The IS Policy must provide for a IS framework with the following basic tenets: Public Key Infrastructure (PKI) - NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation. link 31
RMiT_v1.0 10.16 RMiT_v1.0_10.16 RMiT 10.16 Cryptography Cryptography - 10.16 Shared n/a A financial institution must establish a robust and resilient cryptography policy to promote the adoption of strong cryptographic controls for protection of important data and information. This policy, at a minimum, shall address requirements for: (a) the adoption of industry standards for encryption algorithms, message authentication, hash functions, digital signatures and random number generation; (b) the adoption of robust and secure processes in managing cryptographic key lifecycles which include generation, distribution, renewal, usage, storage, recovery, revocation and destruction; (c) the periodic review, at least every three years, of existing cryptographic standards and algorithms in critical systems, external linked or transactional customer-facing applications to prevent exploitation of weakened algorithms or protocols; and (d) the development and testing of compromise-recovery plans in the event of a cryptographic key compromise. This must set out the escalation process, procedures for keys regeneration, interim measures, changes to business-as-usual protocols and containment strategies or options to minimise the impact of a compromise. link 10
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 75
SOC_2 CC6.6 SOC_2_CC6.6 SOC 2 Type 2 CC6.6 Logical and Physical Access Controls Security measures against threats outside system boundaries Shared The customer is responsible for implementing this recommendation. • Restricts Access — The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. • Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries. • Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its boundaries. • Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts 37
SOC_2 CC6.7 SOC_2_CC6.7 SOC 2 Type 2 CC6.7 Logical and Physical Access Controls Restrict the movement of information to authorized users Shared The customer is responsible for implementing this recommendation. • Restricts the Ability to Perform Transmission — Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement, and removal of information. • Uses Encryption Technologies or Secure Communication Channels to Protect Data — Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. • Protects Removal Media — Encryption technologies and physical asset protections are used for removable media (such as USB drives and backup tapes), as appropriate. • Protects Mobile Devices — Processes are in place to protect mobile devices (such as laptops, smart phones, and tablets) that serve as information assets 29
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 219
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 230
SOC_2023 CC6.1 SOC_2023_CC6.1 SOC 2023 CC6.1 Logical and Physical Access Controls To mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. Shared n/a Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. 129
SOC_2023 CC7.2 SOC_2023_CC7.2 SOC 2023 CC7.2 Systems Operations To maintain robust security measures and ensure operational resilience. Shared n/a The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. 168
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 214
SOC_2023 CC9.1 SOC_2023_CC9.1 SOC 2023 CC9.1 Risk Mitigation To enhance resilience and ensure continuity of critical operations in the face of adverse events or threats. Shared n/a Entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. 18
SWIFT_CSCF_2024 1.1 SWIFT_CSCF_2024_1.1 SWIFT Customer Security Controls Framework 2024 1.1 Physical and Environmental Security Swift Environment Protection Shared 1. Segmentation between the user's Swift infrastructure and the larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve a compromise of the general enterprise IT environment. 2. Effective segmentation includes network-level separation, access restrictions, and connectivity restrictions. To ensure the protection of the user’s Swift infrastructure from potentially compromised elements of the general IT environment and external environment. 69
SWIFT_CSCF_2024 1.5 SWIFT_CSCF_2024_1.5 SWIFT Customer Security Controls Framework 2024 1.5 Physical and Environmental Security Customer Environment Protection Shared 1. Segmentation between the customer’s connectivity infrastructure and its larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve compromise of the general enterprise IT environment. 2. Effective segmentation will include network-level separation, access restrictions, and connectivity restrictions. To ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. 57
SWIFT_CSCF_2024 2.1 SWIFT_CSCF_2024_2.1 SWIFT Customer Security Controls Framework 2024 2.1 Risk Management Internal Data Flow Security Shared The protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit. To ensure the confidentiality, integrity, and authenticity of application data flows between ’user’s Swift-related components. 48
SWIFT_CSCF_2024 2.4A SWIFT_CSCF_2024_2.4A SWIFT Customer Security Controls Framework 2024 2.4A Risk Management Back Office Data Flow Security Shared Protection of data flows or connections between the back-office first hops as seen from the Swift or customer secure zone and the Swift infrastructure safeguards against person-in-the-middle attack, unintended disclosure, modification, and data access while in transit. To ensure the confidentiality, integrity, and mutual authenticity of data flowing between on-premises or remote Swift infrastructure components and the back-office first hops they connect to. 24
SWIFT_CSCF_2024 9.1 SWIFT_CSCF_2024_9.1 404 not found n/a n/a 57
SWIFT_CSCF_v2021 2.5A SWIFT_CSCF_v2021_2.5A SWIFT CSCF v2021 2.5A Reduce Attack Surface and Vulnerabilities External Transmission Data Protection n/a Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. link 11
SWIFT_CSCF_v2022 2.5A SWIFT_CSCF_v2022_2.5A SWIFT CSCF v2022 2.5A 2. Reduce Attack Surface and Vulnerabilities External Transmission Data Protection Customer n/a Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. link 6
U.05.1 - Cryptographic measures U.05.1 - Cryptographic measures 404 not found n/a n/a 17
U.11.1 - Policy U.11.1 - Policy 404 not found n/a n/a 17
U.11.2 - Cryptographic measures U.11.2 - Cryptographic measures 404 not found n/a n/a 17
UK_NCSC_CSP 1 UK_NCSC_CSP_1 UK NCSC CSP 1 Data in transit protection Data in transit protection Shared n/a User data transiting networks should be adequately protected against tampering and eavesdropping. link 5
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance Deprecated BuiltIn unknown
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn unknown
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077 Regulatory Compliance Preview BuiltIn unknown
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn true
[Preview]: Control the use of Storage Accounts in a Virtual Enclave ca122c06-05f6-4423-9018-ccb523168eb2 VirtualEnclaves Preview BuiltIn true
[Preview]: NIS2 32ff9e30-4725-4ca7-ba3a-904a7721ee87 Regulatory Compliance Preview BuiltIn unknown
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn unknown
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn unknown
[Preview]: SWIFT CSP-CSCF v2020 3e0c67fc-8c7c-406c-89bd-6b6bdc986a22 Regulatory Compliance Preview BuiltIn unknown
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn unknown
Canada Federal PBMM 4c4a5f27-de81-430b-b4e5-9cbd50595a87 Regulatory Compliance GA BuiltIn unknown
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CIS Azure Foundations v2.1.0 fe7782e4-6ff3-4e39-8d8a-64b6f7b82c85 Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn true
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn true
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn true
FFIEC CAT 2017 1d5dbdd5-6f93-43ce-a939-b19df3753cf7 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn unknown
IRS1075 September 2016 105e0327-6175-4eb2-9af4-1fba43bdb39d Regulatory Compliance GA BuiltIn true
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn true
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27017 2015 f48ecfa6-581c-43f9-8141-cd4adc72cf26 Regulatory Compliance GA BuiltIn unknown
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn true
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn true
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn true
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
PCI v3.2.1:2018 496eeda9-8f2f-4d5e-8dfd-204f0a92ed41 Regulatory Compliance GA BuiltIn unknown
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn unknown
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn true
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn unknown
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn unknown
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn unknown
UK OFFICIAL and UK NHS 3937f550-eedd-4639-9c5e-294358be442e Regulatory Compliance GA BuiltIn unknown
History none
JSON compare n/a
JSON
api-version=2021-06-01
EPAC