compliance controls are associated with this Policy definition 'Secure transfer to storage accounts should be enabled' (404c3081-a854-4457-ae30-26a93ef643f9)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
AU_ISM |
1277 |
AU_ISM_1277 |
AU ISM 1277 |
Guidelines for Database Systems - Database servers |
Communications between database servers and web servers - 1277 |
|
n/a |
Data communicated between database servers and web applications is encrypted. |
link |
6 |
Azure_Security_Benchmark_v1.0 |
4.4 |
Azure_Security_Benchmark_v1.0_4.4 |
Azure Security Benchmark 4.4 |
Data Protection |
Encrypt all sensitive information in transit |
Shared |
Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure resources are able to negotiate TLS 1.2 or greater.
Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable.
Understand encryption in transit with Azure:
https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit |
n/a |
link |
10 |
Azure_Security_Benchmark_v2.0 |
DP-4 |
Azure_Security_Benchmark_v2.0_DP-4 |
Azure Security Benchmark DP-4 |
Data Protection |
Encrypt sensitive information in transit |
Shared |
To complement access controls, data in transit should be protected against ‘out of band’ attacks (e.g. traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.
While this is optional for traffic on private networks, this is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsoleted SSL, TLS, and SSH versions and protocols, and weak ciphers should be disabled.
By default, Azure provides encryption for data in transit between Azure data centers.
Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit
Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem
Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit |
n/a |
link |
12 |
Azure_Security_Benchmark_v3.0 |
DP-3 |
Azure_Security_Benchmark_v3.0_DP-3 |
Microsoft cloud security benchmark DP-3 |
Data Protection |
Encrypt sensitive data in transit |
Shared |
**Security Principle:**
Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.
Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on external and public networks.
**Azure Guidance:**
Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in.
Enforce HTTPS for workload web application and services by ensuring that any clients connecting to your Azure resources use transportation layer security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol.
Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure PaaS services by default.
**Implementation and additional context:**
Double encryption for Azure data in transit:
https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit
Understand encryption in transit with Azure:
https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit
Information on TLS Security:
https://docs.microsoft.com/security/engineering/solving-tls1-problem
Enforce secure transfer in Azure storage:
https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account |
n/a |
link |
15 |
|
B.09.1 - Security aspects and stages |
B.09.1 - Security aspects and stages |
404 not found |
|
|
|
n/a |
n/a |
|
2 |
Canada_Federal_PBMM_3-1-2020 |
CA_3 |
Canada_Federal_PBMM_3-1-2020_CA_3 |
Canada Federal PBMM 3-1-2020 CA 3 |
Information System Connections |
System Interconnections |
Shared |
1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements.
2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated.
3. The organization reviews and updates Interconnection Security Agreements annually. |
To establish and maintain secure connections between information systems. |
|
77 |
Canada_Federal_PBMM_3-1-2020 |
CA_3(3) |
Canada_Federal_PBMM_3-1-2020_CA_3(3) |
Canada Federal PBMM 3-1-2020 CA 3(3) |
Information System Connections |
System Interconnections | Classified Non-National Security System Connections |
Shared |
The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner. |
To ensure the integrity and security of internal systems against external threats. |
|
77 |
Canada_Federal_PBMM_3-1-2020 |
CA_3(5) |
Canada_Federal_PBMM_3-1-2020_CA_3(5) |
Canada Federal PBMM 3-1-2020 CA 3(5) |
Information System Connections |
System Interconnections | Restrictions on External Network Connections |
Shared |
The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems. |
To enhance security posture against unauthorized access. |
|
77 |
Canada_Federal_PBMM_3-1-2020 |
CA_7 |
Canada_Federal_PBMM_3-1-2020_CA_7 |
Canada Federal PBMM 3-1-2020 CA 7 |
Continuous Monitoring |
Continuous Monitoring |
Shared |
1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored.
2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan.
3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy.
4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy.
5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring.
6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information.
7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency. |
To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements. |
|
125 |
Canada_Federal_PBMM_3-1-2020 |
CM_3(6) |
Canada_Federal_PBMM_3-1-2020_CM_3(6) |
Canada Federal PBMM 3-1-2020 CM 3(6) |
Configuration Change Control |
Configuration Change Control | Cryptography Management |
Shared |
The organization ensures that cryptographic mechanisms used to provide any cryptographic-based safeguards are under configuration management. |
To uphold security and integrity measures. |
|
20 |
Canada_Federal_PBMM_3-1-2020 |
SC_12 |
Canada_Federal_PBMM_3-1-2020_SC_12 |
Canada Federal PBMM 3-1-2020 SC 12 |
Cryptographic Key Establishment and Management |
Cryptographic Key Establishment and Management |
Shared |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with CSE-approved cryptography. |
To enhance overall security posture and compliance with industry best practices.
|
|
29 |
Canada_Federal_PBMM_3-1-2020 |
SC_12(1) |
Canada_Federal_PBMM_3-1-2020_SC_12(1) |
Canada Federal PBMM 3-1-2020 SC 12(1) |
Cryptographic Key Establishment and Management |
Cryptographic Key Establishment and Management | Availability |
Shared |
The organization maintains availability of information in the event of the loss of cryptographic keys by users. |
To implement backup and recovery mechanisms. |
|
29 |
Canada_Federal_PBMM_3-1-2020 |
SI_3 |
Canada_Federal_PBMM_3-1-2020_SI_3 |
Canada Federal PBMM 3-1-2020 SI 3 |
Malicious Code Protection |
Malicious Code Protection |
Shared |
1. The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code.
2. The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
3. The organization configures malicious code protection mechanisms to:
a. Perform periodic scans of the information system at least weekly and real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and
b. Block and quarantine malicious code; send alert to the key role as defined in the system and information integrity policy in response to malicious code detection.
4. The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. |
To mitigate potential impacts on system availability. |
|
52 |
Canada_Federal_PBMM_3-1-2020 |
SI_3(1) |
Canada_Federal_PBMM_3-1-2020_SI_3(1) |
Canada Federal PBMM 3-1-2020 SI 3(1) |
Malicious Code Protection |
Malicious Code Protection | Central Management |
Shared |
The organization centrally manages malicious code protection mechanisms. |
To centrally manage malicious code protection mechanisms. |
|
51 |
Canada_Federal_PBMM_3-1-2020 |
SI_3(2) |
Canada_Federal_PBMM_3-1-2020_SI_3(2) |
Canada Federal PBMM 3-1-2020 SI 3(2) |
Malicious Code Protection |
Malicious Code Protection | Automatic Updates |
Shared |
The information system automatically updates malicious code protection mechanisms. |
To ensure automatic updates in malicious code protection mechanisms. |
|
51 |
Canada_Federal_PBMM_3-1-2020 |
SI_3(7) |
Canada_Federal_PBMM_3-1-2020_SI_3(7) |
Canada Federal PBMM 3-1-2020 SI 3(7) |
Malicious Code Protection |
Malicious Code Protection | Non Signature-Based Detection |
Shared |
The information system implements non-signature-based malicious code detection mechanisms. |
To enhance overall security posture.
|
|
51 |
Canada_Federal_PBMM_3-1-2020 |
SI_4 |
Canada_Federal_PBMM_3-1-2020_SI_4 |
Canada Federal PBMM 3-1-2020 SI 4 |
Information System Monitoring |
Information System Monitoring |
Shared |
1. The organization monitors the information system to detect:
a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and
b. Unauthorized local, network, and remote connections;
2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods.
3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization.
4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.
5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information.
6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards.
7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency. |
To enhance overall security posture.
|
|
95 |
Canada_Federal_PBMM_3-1-2020 |
SI_4(1) |
Canada_Federal_PBMM_3-1-2020_SI_4(1) |
Canada Federal PBMM 3-1-2020 SI 4(1) |
Information System Monitoring |
Information System Monitoring | System-Wide Intrusion Detection System |
Shared |
The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. |
To enhance overall security posture.
|
|
95 |
Canada_Federal_PBMM_3-1-2020 |
SI_4(2) |
Canada_Federal_PBMM_3-1-2020_SI_4(2) |
Canada Federal PBMM 3-1-2020 SI 4(2) |
Information System Monitoring |
Information System Monitoring | Automated Tools for Real-Time Analysis |
Shared |
The organization employs automated tools to support near real-time analysis of events. |
To enhance overall security posture.
|
|
94 |
Canada_Federal_PBMM_3-1-2020 |
SI_8(1) |
Canada_Federal_PBMM_3-1-2020_SI_8(1) |
Canada Federal PBMM 3-1-2020 SI 8(1) |
Spam Protection |
Spam Protection | Central Management of Protection Mechanisms |
Shared |
The organization centrally manages spam protection mechanisms. |
To enhance overall security posture. |
|
88 |
CCCS |
SC-8(1) |
CCCS_SC-8(1) |
CCCS SC-8(1) |
System and Communications Protection |
Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection |
|
n/a |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission unless otherwise protected by physical security safeguards applied in applied in accordance with, or uses an adequate risk-based approach aligned with the practices specified in TBS and RCMP physical security standards and any related provisions of the Industrial Security Program. The cryptography must be compliant with the requirements of control SC-13. |
link |
5 |
CIS_Azure_1.1.0 |
3.1 |
CIS_Azure_1.1.0_3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.1 |
3 Storage Accounts |
Ensure that 'Secure transfer required' is set to 'Enabled' |
Shared |
The customer is responsible for implementing this recommendation. |
Enable data encryption in transit. |
link |
4 |
CIS_Azure_1.3.0 |
3.1 |
CIS_Azure_1.3.0_3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.1 |
3 Storage Accounts |
Ensure that 'Secure transfer required' is set to 'Enabled' |
Shared |
The customer is responsible for implementing this recommendation. |
Enable data encryption in transit. |
link |
4 |
CIS_Azure_1.4.0 |
3.1 |
CIS_Azure_1.4.0_3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.1 |
3 Storage Accounts |
Ensure that 'Secure transfer required' is set to 'Enabled' |
Shared |
The customer is responsible for implementing this recommendation. |
Enable data encryption in transit. |
link |
4 |
CIS_Azure_2.0.0 |
3.1 |
CIS_Azure_2.0.0_3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.1 |
3 |
Ensure that 'Secure transfer required' is set to 'Enabled' |
Shared |
n/a |
Enable data encryption in transit.
The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn’t support HTTPS for custom domain names, this option is not applied when using a custom domain name. |
link |
4 |
CIS_Azure_Foundations_v2.1.0 |
3.1 |
CIS_Azure_Foundations_v2.1.0_3.1 |
CIS Azure Foundations v2.1.0 3.1 |
Storage Accounts |
Ensure Private Endpoints are used to access Storage Accounts |
Shared |
n/a |
Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it. |
|
1 |
CIS_Controls_v8.1 |
3.10 |
CIS_Controls_v8.1_3.10 |
404 not found |
|
|
|
n/a |
n/a |
|
8 |
CIS_Controls_v8.1 |
4.1 |
CIS_Controls_v8.1_4.1 |
CIS Controls v8.1 4.1 |
Secure Configuration of Enterprise Assets and Software |
Establish and maintain a secure configuration process. |
Shared |
1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications).
2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. |
To ensure data integrity and safety of enterprise assets. |
|
44 |
CMMC_2.0_L2 |
SC.L2-3.13.8 |
CMMC_2.0_L2_SC.L2-3.13.8 |
404 not found |
|
|
|
n/a |
n/a |
|
16 |
CMMC_L2_v1.9.0 |
SC.L1_3.13.1 |
CMMC_L2_v1.9.0_SC.L1_3.13.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.1 |
System and Communications Protection |
Boundary Protection |
Shared |
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. |
To protect information assets from external attacks and insider threats. |
|
43 |
CMMC_L2_v1.9.0 |
SC.L1_3.13.5 |
CMMC_L2_v1.9.0_SC.L1_3.13.5 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.5 |
System and Communications Protection |
Public Access System Separation |
Shared |
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. |
To control access, monitor traffic, and mitigate the risk of unauthorized access or exploitation of internal resources. |
|
43 |
CMMC_L2_v1.9.0 |
SC.L2_3.13.10 |
CMMC_L2_v1.9.0_SC.L2_3.13.10 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.10 |
System and Communications Protection |
Key Management |
Shared |
Establish and manage cryptographic keys for cryptography employed in organizational systems. |
To protect information assets from unauthorized access, manipulation, or disclosure. |
|
14 |
CMMC_L2_v1.9.0 |
SC.L2_3.13.11 |
CMMC_L2_v1.9.0_SC.L2_3.13.11 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.11 |
System and Communications Protection |
CUI Encryption |
Shared |
Employ FIPS validated cryptography when used to protect the confidentiality of CUI. |
To ensure the integrity and effectiveness of cryptographic protections applied to sensitive data. |
|
19 |
CMMC_L3 |
AC.1.002 |
CMMC_L3_AC.1.002 |
CMMC L3 AC.1.002 |
Access Control |
Limit information system access to the types of transactions and functions that authorized users are permitted to execute. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). |
link |
27 |
CMMC_L3 |
SC.1.175 |
CMMC_L3_SC.1.175 |
CMMC L3 SC.1.175 |
System and Communications Protection |
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses.
Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. |
link |
30 |
CMMC_L3 |
SC.3.185 |
CMMC_L3_SC.3.185 |
CMMC L3 SC.3.185 |
System and Communications Protection |
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. |
link |
10 |
CSA_v4.0.12 |
CEK_01 |
CSA_v4.0.12_CEK_01 |
CSA Cloud Controls Matrix v4.0.12 CEK 01 |
Cryptography, Encryption & Key Management |
Encryption and Key Management Policy and Procedures |
Shared |
n/a |
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for Cryptography, Encryption and Key Management. Review
and update the policies and procedures at least annually. |
|
14 |
CSA_v4.0.12 |
CEK_02 |
CSA_v4.0.12_CEK_02 |
CSA Cloud Controls Matrix v4.0.12 CEK 02 |
Cryptography, Encryption & Key Management |
CEK Roles and Responsibilities |
Shared |
n/a |
Define and implement cryptographic, encryption and key management
roles and responsibilities. |
|
25 |
CSA_v4.0.12 |
CEK_03 |
CSA_v4.0.12_CEK_03 |
CSA Cloud Controls Matrix v4.0.12 CEK 03 |
Cryptography, Encryption & Key Management |
Data Encryption |
Shared |
n/a |
Provide cryptographic protection to data at-rest and in-transit,
using cryptographic libraries certified to approved standards. |
|
58 |
CSA_v4.0.12 |
CEK_04 |
CSA_v4.0.12_CEK_04 |
CSA Cloud Controls Matrix v4.0.12 CEK 04 |
Cryptography, Encryption & Key Management |
Encryption Algorithm |
Shared |
n/a |
Use encryption algorithms that are appropriate for data protection,
considering the classification of data, associated risks, and usability of the
encryption technology. |
|
12 |
CSA_v4.0.12 |
CEK_10 |
CSA_v4.0.12_CEK_10 |
CSA Cloud Controls Matrix v4.0.12 CEK 10 |
Cryptography, Encryption & Key Management |
Key Generation |
Shared |
n/a |
Generate Cryptographic keys using industry accepted cryptographic
libraries specifying the algorithm strength and the random number generator
used. |
|
24 |
CSA_v4.0.12 |
CEK_11 |
CSA_v4.0.12_CEK_11 |
CSA Cloud Controls Matrix v4.0.12 CEK 11 |
Cryptography, Encryption & Key Management |
Key Purpose |
Shared |
n/a |
Manage cryptographic secret and private keys that are provisioned
for a unique purpose. |
|
24 |
CSA_v4.0.12 |
CEK_12 |
CSA_v4.0.12_CEK_12 |
CSA Cloud Controls Matrix v4.0.12 CEK 12 |
Cryptography, Encryption & Key Management |
Key Rotation |
Shared |
n/a |
Rotate cryptographic keys in accordance with the calculated cryptoperiod,
which includes provisions for considering the risk of information disclosure
and legal and regulatory requirements. |
|
22 |
CSA_v4.0.12 |
CEK_13 |
CSA_v4.0.12_CEK_13 |
CSA Cloud Controls Matrix v4.0.12 CEK 13 |
Cryptography, Encryption & Key Management |
Key Revocation |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to revoke and remove cryptographic keys prior to the end of its established
cryptoperiod, when a key is compromised, or an entity is no longer part of the
organization, which include provisions for legal and regulatory requirements. |
|
12 |
CSA_v4.0.12 |
CEK_14 |
CSA_v4.0.12_CEK_14 |
CSA Cloud Controls Matrix v4.0.12 CEK 14 |
Cryptography, Encryption & Key Management |
Key Destruction |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to destroy keys stored outside a secure environment and revoke keys
stored in Hardware Security Modules (HSMs) when they are no longer needed, which
include provisions for legal and regulatory requirements. |
|
12 |
CSA_v4.0.12 |
CEK_15 |
CSA_v4.0.12_CEK_15 |
CSA Cloud Controls Matrix v4.0.12 CEK 15 |
Cryptography, Encryption & Key Management |
Key Activation |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to create keys in a pre-activated state when they have been generated
but not authorized for use, which include provisions for legal and regulatory
requirements. |
|
21 |
CSA_v4.0.12 |
CEK_16 |
CSA_v4.0.12_CEK_16 |
CSA Cloud Controls Matrix v4.0.12 CEK 16 |
Cryptography, Encryption & Key Management |
Key Suspension |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to monitor, review and approve key transitions from any state to/from
suspension, which include provisions for legal and regulatory requirements. |
|
23 |
CSA_v4.0.12 |
CEK_17 |
CSA_v4.0.12_CEK_17 |
CSA Cloud Controls Matrix v4.0.12 CEK 17 |
Cryptography, Encryption & Key Management |
Key Deactivation |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to deactivate keys at the time of their expiration date, which include
provisions for legal and regulatory requirements. |
|
11 |
CSA_v4.0.12 |
CEK_18 |
CSA_v4.0.12_CEK_18 |
CSA Cloud Controls Matrix v4.0.12 CEK 18 |
Cryptography, Encryption & Key Management |
Key Archival |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to manage archived keys in a secure repository requiring least privilege
access, which include provisions for legal and regulatory requirements. |
|
11 |
CSA_v4.0.12 |
CEK_19 |
CSA_v4.0.12_CEK_19 |
CSA Cloud Controls Matrix v4.0.12 CEK 19 |
Cryptography, Encryption & Key Management |
Key Compromise |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to use compromised keys to encrypt information only in controlled circumstance,
and thereafter exclusively for decrypting data and never for encrypting data,
which include provisions for legal and regulatory requirements. |
|
11 |
CSA_v4.0.12 |
CEK_20 |
CSA_v4.0.12_CEK_20 |
CSA Cloud Controls Matrix v4.0.12 CEK 20 |
Cryptography, Encryption & Key Management |
Key Recovery |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to assess the risk to operational continuity versus the risk of the
keying material and the information it protects being exposed if control of
the keying material is lost, which include provisions for legal and regulatory
requirements. |
|
25 |
CSA_v4.0.12 |
CEK_21 |
CSA_v4.0.12_CEK_21 |
CSA Cloud Controls Matrix v4.0.12 CEK 21 |
Cryptography, Encryption & Key Management |
Key Inventory Management |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures in order for the key management system to track and report all cryptographic
materials and changes in status, which include provisions for legal and regulatory
requirements. |
|
12 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
194 |
EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
311 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.1 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 |
Policy and Implementation - Systems And Communications Protection |
Systems And Communications Protection |
Shared |
In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. |
Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. |
|
111 |
FedRAMP_High_R4 |
SC-8 |
FedRAMP_High_R4_SC-8 |
FedRAMP High SC-8 |
System And Communications Protection |
Transmission Confidentiality And Integrity |
Shared |
n/a |
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. |
link |
15 |
FedRAMP_High_R4 |
SC-8(1) |
FedRAMP_High_R4_SC-8(1) |
FedRAMP High SC-8 (1) |
System And Communications Protection |
Cryptographic Or Alternate Physical Protection |
Shared |
n/a |
The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. |
link |
14 |
FedRAMP_Moderate_R4 |
SC-8 |
FedRAMP_Moderate_R4_SC-8 |
FedRAMP Moderate SC-8 |
System And Communications Protection |
Transmission Confidentiality And Integrity |
Shared |
n/a |
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. |
link |
15 |
FedRAMP_Moderate_R4 |
SC-8(1) |
FedRAMP_Moderate_R4_SC-8(1) |
FedRAMP Moderate SC-8 (1) |
System And Communications Protection |
Cryptographic Or Alternate Physical Protection |
Shared |
n/a |
The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. |
link |
14 |
FFIEC_CAT_2017 |
3.1.1 |
FFIEC_CAT_2017_3.1.1 |
FFIEC CAT 2017 3.1.1 |
Cybersecurity Controls |
Infrastructure Management |
Shared |
n/a |
- Network perimeter defense tools (e.g., border router and firewall) are used.
- Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices.
- All ports are monitored.
- Up to date antivirus and anti-malware tools are used.
- Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced.
- Ports, functions, protocols and services are prohibited if no longer needed for business purposes.
- Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.
- Programs that can override system, object, network, virtual machine, and application controls are restricted.
- System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met.
- Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.) |
|
72 |
FFIEC_CAT_2017 |
4.1.1 |
FFIEC_CAT_2017_4.1.1 |
FFIEC CAT 2017 4.1.1 |
External Dependency Management |
Connections |
Shared |
n/a |
- The critical business processes that are dependent on external connectivity have been identified.
- The institution ensures that third-party connections are authorized.
- A network diagram is in place and identifies all external connections.
- Data flow diagrams are in place and document information flow to external parties. |
|
43 |
hipaa |
0809.01n2Organizational.1234-01.n |
hipaa-0809.01n2Organizational.1234-01.n |
0809.01n2Organizational.1234-01.n |
08 Network Protection |
0809.01n2Organizational.1234-01.n 01.04 Network Access Control |
Shared |
n/a |
Network traffic is controlled in accordance with the organization’s access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. |
|
17 |
hipaa |
0810.01n2Organizational.5-01.n |
hipaa-0810.01n2Organizational.5-01.n |
0810.01n2Organizational.5-01.n |
08 Network Protection |
0810.01n2Organizational.5-01.n 01.04 Network Access Control |
Shared |
n/a |
Transmitted information is secured and, at a minimum, encrypted over open, public networks. |
|
16 |
hipaa |
0811.01n2Organizational.6-01.n |
hipaa-0811.01n2Organizational.6-01.n |
0811.01n2Organizational.6-01.n |
08 Network Protection |
0811.01n2Organizational.6-01.n 01.04 Network Access Control |
Shared |
n/a |
Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. |
|
23 |
hipaa |
0812.01n2Organizational.8-01.n |
hipaa-0812.01n2Organizational.8-01.n |
0812.01n2Organizational.8-01.n |
08 Network Protection |
0812.01n2Organizational.8-01.n 01.04 Network Access Control |
Shared |
n/a |
Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. |
|
12 |
hipaa |
0814.01n1Organizational.12-01.n |
hipaa-0814.01n1Organizational.12-01.n |
0814.01n1Organizational.12-01.n |
08 Network Protection |
0814.01n1Organizational.12-01.n 01.04 Network Access Control |
Shared |
n/a |
The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of its business applications. |
|
11 |
hipaa |
0943.09y1Organizational.1-09.y |
hipaa-0943.09y1Organizational.1-09.y |
0943.09y1Organizational.1-09.y |
09 Transmission Protection |
0943.09y1Organizational.1-09.y 09.09 Electronic Commerce Services |
Shared |
n/a |
Data involved in electronic commerce and online transactions is checked to determine if it contains covered information. |
|
4 |
hipaa |
1401.05i1Organizational.1239-05.i |
hipaa-1401.05i1Organizational.1239-05.i |
1401.05i1Organizational.1239 - 05.i |
Identification of Risks Related to External Parties |
Access to the organizations information and systems by external parties is not permitted until due diligence has been conducted, the appropriate controls have been implemented, and a contract/agreement reflecting the security requirements is signed acknowledging they understand and accept their obligations. |
Customer |
n/a |
Master Supplier Service Agreement (MSSA)) Supplier Data Protection Requirements (DPR) Supplier Code of Conduct (SCoC)
Sample of Datacenter TVRAs |
|
1 |
HITRUST_CSF_v11.3 |
01.m |
HITRUST_CSF_v11.3_01.m |
HITRUST CSF v11.3 01.m |
Network Access Control |
To ensure segregation in networks. |
Shared |
Security gateways, internal network perimeters, wireless network segregation, firewalls, and logical network domains with controlled data flows to be implemented to enhance network security. |
Groups of information services, users, and information systems should be segregated on networks. |
|
48 |
HITRUST_CSF_v11.3 |
01.n |
HITRUST_CSF_v11.3_01.n |
HITRUST CSF v11.3 01.n |
Network Access Control |
To prevent unauthorised access to shared networks. |
Shared |
Default deny policy at managed interfaces, restricted user connections through network gateways, comprehensive access controls, time-based restrictions, and encryption of sensitive information transmitted over public networks for is to be implemented for enhanced security. |
For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications. |
|
55 |
IRS_1075_9.3 |
.16.6 |
IRS_1075_9.3.16.6 |
IRS 1075 9.3.16.6 |
System and Communications Protection |
Transmission Confidentiality and Integrity (SC-8) |
|
n/a |
Information systems that receive, process, store, or transmit FTI, must:
a. Protect the confidentiality and integrity of transmitted information
b. Implement FIPS 140-2 cryptographic mechanisms to prevent unauthorized disclosure of FTI and detect changes to information during transmission across the wide area network (WAN) and within the local area network (LAN) (CE1)
The agency must ensure that all network infrastructure, access points, wiring, conduits, and cabling are within the control of authorized agency personnel. Network monitoring capabilities must be implemented to detect and monitor for suspicious network traffic. For physical security protections of transmission medium, see Section 9.3.11.4, Access Control for Transmission Medium (PE-4).
This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, fax machines). |
link |
8 |
ISO_IEC_27002_2022 |
8.24 |
ISO_IEC_27002_2022_8.24 |
ISO IEC 27002 2022 8.24 |
Protection,
Preventive Control |
Use of cryptography |
Shared |
Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented.
|
To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography. |
|
14 |
ISO_IEC_27017_2015 |
10.1.1 |
ISO_IEC_27017_2015_10.1.1 |
ISO IEC 27017 2015 10.1.1 |
Cryptography |
Policy on the use of cryptographic controls |
Shared |
For Cloud Service Customer:
The cloud service customer should implement cryptographic controls for its use of cloud services if justified by the risk analysis. The controls should be of sufficient strength to mitigate the identified risks, whether those controls are supplied by the cloud service customer or by the cloud service provider.
When the cloud service provider offers cryptography, the cloud service customer should review any information supplied by the cloud service provider to confirm whether the cryptographic capabilities:
(i) meet the cloud service customer's policy requirements;
(ii) are compatible with any other cryptographic protection used by the cloud service customer;
(iii) apply to data at rest and in transit to, from and within the
cloud service.
For Cloud Service Provider:
The cloud service provider should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the information it processes. The cloud service provider should also provide information to the cloud service customer about any capabilities it provides that can assist the cloud service customer in applying its own cryptographic protection. |
To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography. |
|
19 |
ISO_IEC_27017_2015 |
10.1.2 |
ISO_IEC_27017_2015_10.1.2 |
ISO IEC 27017 2015 10.1.2 |
Cryptography |
Key Management |
Shared |
For Cloud Service Customer:
The cloud service customer should identify the cryptographic keys for each cloud service, and implement procedures for key management.
Where the cloud service provides key management functionality for use by the cloud service customer, the cloud service customer should request the following information on the procedures used to manage keys related to the cloud service:
(i) type of keys;
(ii) specifications of the key management system, including procedures for each stage of the key life-cycle, i.e., generating, changing or updating, storing, retiring, retrieving, retaining and destroying;
(iii) recommended key management procedures for use by the cloud service customer.
The cloud service customer should not permit the cloud service provider to store and manage the encryption keys for cryptographic operations when the cloud service customer employs its own key management or a separate and distinct key management service. |
To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography. |
|
14 |
ISO_IEC_27017_2015 |
18.1.5 |
ISO_IEC_27017_2015_18.1.5 |
ISO IEC 27017 2015 18.1.5 |
Compliance |
Regulation of Cryptographic Controls |
Shared |
For Cloud Service Customer:
The cloud service customer should verify that the set of cryptographic controls that apply to the use of a cloud service comply with relevant agreements, legislation and regulations.
For Cloud Service Provider:
The cloud service provider should provide descriptions of the cryptographic controls implemented by the cloud service provider to the cloud service customer for reviewing compliance with applicable agreements, legislation and
regulations. |
To ensure compliance with legal, statutory, regulatory and contractual requirements related to information security. |
|
19 |
ISO27001-2013 |
A.10.1.1 |
ISO27001-2013_A.10.1.1 |
ISO 27001:2013 A.10.1.1 |
Cryptography |
Policy on the use of cryptographic controls |
Shared |
n/a |
A policy on the use of cryptographic controls for protection of information shall be developed and implemented. |
link |
17 |
ISO27001-2013 |
A.13.2.1 |
ISO27001-2013_A.13.2.1 |
ISO 27001:2013 A.13.2.1 |
Communications Security |
Information transfer policies and procedures |
Shared |
n/a |
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. |
link |
32 |
|
mp.com.3 Protection of integrity and authenticity |
mp.com.3 Protection of integrity and authenticity |
404 not found |
|
|
|
n/a |
n/a |
|
62 |
|
mp.info.3 Electronic signature |
mp.info.3 Electronic signature |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
New_Zealand_ISM |
18.1.13.C.02 |
New_Zealand_ISM_18.1.13.C.02 |
New_Zealand_ISM_18.1.13.C.02 |
18. Network security |
18.1.13.C.02 Limiting network access |
|
n/a |
Agencies SHOULD implement network access controls on all networks. |
|
19 |
NIS2 |
DP._Data_Protection_8 |
NIS2_DP._Data_Protection_8 |
NIS2_DP._Data_Protection_8 |
DP. Data Protection |
Policies and procedures regarding the use of cryptography and, where appropriate, encryption |
|
n/a |
In order to safeguard the security of public electronic communications networks and publicly available electronic communications services, the use of encryption technologies, in particular end-to-end encryption as well as data-centric security concepts, such as cartography, segmentation, tagging, access policy and access management, and automated access decisions, should be promoted. Where necessary, the use of encryption, in particular end-to-end encryption should be mandatory for providers of public electronic communications networks or of publicly available electronic communications services in accordance with the principles of security and privacy by default and by design for the purposes of this Directive. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to allow for the prevention, investigation, detection and prosecution of criminal offences in accordance with Union law. However, this should not weaken end-to-end encryption, which is a critical technology for the effective protection of data and privacy and the security of communications. |
|
32 |
NIST_SP_800-171_R2_3 |
.13.8 |
NIST_SP_800-171_R2_3.13.8 |
NIST SP 800-171 R2 3.13.8 |
System and Communications Protection |
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. See [NIST CRYPTO]. |
link |
16 |
NIST_SP_800-171_R3_3 |
.13.1 |
NIST_SP_800-171_R3_3.13.1 |
NIST 800-171 R3 3.13.1 |
System and Communications Protection Control |
Boundary Protection |
Shared |
Managed interfaces include gateways, routers, firewalls, network-based malicious code analysis, virtualization systems, and encrypted tunnels implemented within a security architecture. Subnetworks that are either physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. |
a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system.
b. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
c. Connect to external systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. |
|
43 |
NIST_SP_800-171_R3_3 |
.13.10 |
NIST_SP_800-171_R3_3.13.10 |
NIST 800-171 R3 3.13.10 |
System and Communications Protection Control |
Cryptographic Key Establishment and Management |
Shared |
Cryptographic key establishment and management include key generation, distribution, storage, access, rotation, and destruction. Cryptographic keys can be established and managed using either manual procedures or automated mechanisms supported by manual procedures. Organizations satisfy key establishment and management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards that specify appropriate options, levels, and parameters. This requirement is related to 03.13.11. |
Establish and manage cryptographic keys in the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key establishment and management]. |
|
14 |
NIST_SP_800-171_R3_3 |
.13.11 |
NIST_SP_800-171_R3_3.13.11 |
NIST 800-171 R3 3.13.11 |
System and Communications Protection Control |
Cryptographic Protection |
Shared |
Cryptography is implemented in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. |
Implement the following types of cryptography when used to protect the confidentiality of CUI: [Assignment: organization-defined types of cryptography]. |
|
19 |
NIST_SP_800-53_R4 |
SC-8 |
NIST_SP_800-53_R4_SC-8 |
NIST SP 800-53 Rev. 4 SC-8 |
System And Communications Protection |
Transmission Confidentiality And Integrity |
Shared |
n/a |
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. |
link |
15 |
NIST_SP_800-53_R4 |
SC-8(1) |
NIST_SP_800-53_R4_SC-8(1) |
NIST SP 800-53 Rev. 4 SC-8 (1) |
System And Communications Protection |
Cryptographic Or Alternate Physical Protection |
Shared |
n/a |
The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. |
link |
14 |
NIST_SP_800-53_R5.1.1 |
SC.12 |
NIST_SP_800-53_R5.1.1_SC.12 |
NIST SP 800-53 R5.1.1 SC.12 |
System and Communications Protection |
Cryptographic Key Establishment and Management |
Shared |
Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment. |
|
13 |
NIST_SP_800-53_R5.1.1 |
SC.13 |
NIST_SP_800-53_R5.1.1_SC.13 |
NIST SP 800-53 R5.1.1 SC.13 |
System and Communications Protection |
Cryptographic Protection |
Shared |
a. Determine the [Assignment: organization-defined cryptographic uses]; and
b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]. |
Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. |
|
19 |
NIST_SP_800-53_R5.1.1 |
SC.7 |
NIST_SP_800-53_R5.1.1_SC.7 |
NIST SP 800-53 R5.1.1 SC.7 |
System and Communications Protection |
Boundary Protection |
Shared |
a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. |
Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary). |
|
43 |
NIST_SP_800-53_R5 |
SC-8 |
NIST_SP_800-53_R5_SC-8 |
NIST SP 800-53 Rev. 5 SC-8 |
System and Communications Protection |
Transmission Confidentiality and Integrity |
Shared |
n/a |
Protect the [Selection (OneOrMore): confidentiality;integrity] of transmitted information. |
link |
15 |
NIST_SP_800-53_R5 |
SC-8(1) |
NIST_SP_800-53_R5_SC-8(1) |
NIST SP 800-53 Rev. 5 SC-8 (1) |
System and Communications Protection |
Cryptographic Protection |
Shared |
n/a |
Implement cryptographic mechanisms to [Selection (OneOrMore): prevent unauthorized disclosure of information;detect changes to information] during transmission. |
link |
14 |
NL_BIO_Cloud_Theme |
B.09.1(2) |
NL_BIO_Cloud_Theme_B.09.1(2) |
NL_BIO_Cloud_Theme_B.09.1(2) |
B.09 Privacy and protection of personal data |
Security aspects and stages |
|
n/a |
Availability, integrity and confidentiality measures have been taken for the storage, processing and transport of data |
|
2 |
NL_BIO_Cloud_Theme |
U.05.1(2) |
NL_BIO_Cloud_Theme_U.05.1(2) |
NL_BIO_Cloud_Theme_U.05.1(2) |
U.05 Data protection |
Cryptographic measures |
|
n/a |
Data transport is secured with cryptography to the latest state of the art (in accordance with the Forum for Standardization), whereby the key management is carried out by the CSC itself if possible. |
|
17 |
NL_BIO_Cloud_Theme |
U.11.1(2) |
NL_BIO_Cloud_Theme_U.11.1(2) |
NL_BIO_Cloud_Theme_U.11.1(2) |
U.11 Cryptoservices |
Policy |
|
n/a |
The cryptography policy includes at least the following topics: when cryptography is used; who is responsible for the implementation of cryptology; who is responsible for key management; which standards serve as a basis for cryptography and the way in which the standards of the Standardisation Forum are applied; the way in which the level of protection is determined; in the case of communication between organizations, the policy is determined among themselves. |
|
17 |
NL_BIO_Cloud_Theme |
U.11.2(2) |
NL_BIO_Cloud_Theme_U.11.2(2) |
NL_BIO_Cloud_Theme_U.11.2(2) |
U.11 Cryptoservices |
Cryptographic measures |
|
n/a |
In the case of PKIoverheid certificates: apply the PKIoverheid requirements with regard to key management. In other situations: use the ISO 11770 standard for managing cryptographic keys. |
|
17 |
NZ_ISM_v3.5 |
PS-4 |
NZ_ISM_v3.5_PS-4 |
NZISM Security Benchmark PS-4 |
Physical Security |
8.3.5 Network infrastructure in unsecure areas |
Customer |
n/a |
As agencies lose control over classified information when it is communicated over unsecure public network infrastructure or over infrastructure in unsecure areas they MUST ensure that it is encrypted to a sufficient level that if it was captured that it would be sufficiently difficult to determine the original information from the encrypted information. |
link |
2 |
NZISM_Security_Benchmark_v1.1 |
PS-4 |
NZISM_Security_Benchmark_v1.1_PS-4 |
NZISM Security Benchmark PS-4 |
Physical Security |
8.3.5 Network infrastructure in unsecure areas |
Customer |
Agencies communicating classified information over public network infrastructure or over infrastructure in unsecure areas MUST use encryption to lower the handling instructions to be equivalent to those for unclassified networks. |
As agencies lose control over classified information when it is communicated over unsecure public network infrastructure or over infrastructure in unsecure areas they MUST ensure that it is encrypted to a sufficient level that if it was captured that it would be sufficiently difficult to determine the original information from the encrypted information. |
link |
2 |
NZISM_v3.7 |
17.1.51.C.01. |
NZISM_v3.7_17.1.51.C.01. |
NZISM v3.7 17.1.51.C.01. |
Cryptographic Fundamentals |
17.1.51.C.01. - To enhace overall security posture. |
Shared |
n/a |
Agencies using cryptographic functionality within a product to protect the confidentiality, authentication, non-repudiation or integrity of information, MUST ensure that the product has completed a cryptographic evaluation recognised by the GCSB. |
|
20 |
NZISM_v3.7 |
17.1.52.C.01. |
NZISM_v3.7_17.1.52.C.01. |
NZISM v3.7 17.1.52.C.01. |
Cryptographic Fundamentals |
17.1.52.C.01. - To enhace overall security posture. |
Shared |
n/a |
Cryptographic products MUST provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure. |
|
20 |
NZISM_v3.7 |
17.1.52.C.02. |
NZISM_v3.7_17.1.52.C.02. |
NZISM v3.7 17.1.52.C.02. |
Cryptographic Fundamentals |
17.1.52.C.02. - To enhance data accessibility and integrity. |
Shared |
n/a |
Cryptographic products SHOULD provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure. |
|
20 |
NZISM_v3.7 |
17.1.53.C.03. |
NZISM_v3.7_17.1.53.C.03. |
NZISM v3.7 17.1.53.C.03. |
Cryptographic Fundamentals |
17.1.53.C.03. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
If an agency wishes to use encryption to reduce the storage, handling or physical transfer requirements for IT equipment or media that contains classified information, they MUST use:
1. full disk encryption; or
2. partial disk encryption where the access control will allow writing ONLY to the encrypted partition holding the classified information. |
|
20 |
NZISM_v3.7 |
17.1.53.C.04. |
NZISM_v3.7_17.1.53.C.04. |
NZISM v3.7 17.1.53.C.04. |
Cryptographic Fundamentals |
17.1.53.C.04. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
If an agency wishes to use encryption to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they SHOULD use:
1. full disk encryption; or
2. partial disk encryption where the access control will allow writing ONLY to the encrypted partition holding the classified information. |
|
20 |
NZISM_v3.7 |
17.1.54.C.01. |
NZISM_v3.7_17.1.54.C.01. |
NZISM v3.7 17.1.54.C.01. |
Cryptographic Fundamentals |
17.1.54.C.01. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
Agencies MUST use an Approved Cryptographic Algorithm to protect NZEO information when at rest on a system. |
|
20 |
NZISM_v3.7 |
17.1.55.C.01. |
NZISM_v3.7_17.1.55.C.01. |
NZISM v3.7 17.1.55.C.01. |
Cryptographic Fundamentals |
17.1.55.C.01. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
Agencies MUST use HACE if they wish to communicate or pass information over UNCLASSIFIED, insecure or unprotected networks. |
|
20 |
NZISM_v3.7 |
17.1.55.C.02. |
NZISM_v3.7_17.1.55.C.02. |
NZISM v3.7 17.1.55.C.02. |
Cryptographic Fundamentals |
17.1.55.C.02. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
Information or systems classified RESTRICTED or SENSITIVE MUST be encrypted with an Approved Cryptographic Algorithm and Protocol if information is transmitted or systems are communicating over insecure or unprotected networks, such as the Internet, public networks or non-agency controlled networks. |
|
20 |
NZISM_v3.7 |
17.1.55.C.03. |
NZISM_v3.7_17.1.55.C.03. |
NZISM v3.7 17.1.55.C.03. |
Cryptographic Fundamentals |
17.1.55.C.03. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
Agencies MUST encrypt aggregated agency data using an approved algorithm and protocol over insecure or unprotected networks such as the Internet, public infrastructure or non-agency controlled networks when the compromise of the aggregated data would present a significant impact to the agency. |
|
20 |
NZISM_v3.7 |
17.1.55.C.04. |
NZISM_v3.7_17.1.55.C.04. |
NZISM v3.7 17.1.55.C.04. |
Cryptographic Fundamentals |
17.1.55.C.04. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
Agencies SHOULD encrypt agency data using an approved algorithm and protocol if they wish to communicate over insecure or unprotected networks such as the Internet, public networks or non-agency controlled networks. |
|
20 |
NZISM_v3.7 |
17.1.56.C.02. |
NZISM_v3.7_17.1.56.C.02. |
NZISM v3.7 17.1.56.C.02. |
Cryptographic Fundamentals |
17.1.56.C.02. - To ensure compliance with security protocols and best practices. |
Shared |
n/a |
Agencies MUST consult the GCSB for further advice on the powered off status and treatment of specific software, systems and IT equipment. |
|
20 |
NZISM_v3.7 |
17.1.57.C.01. |
NZISM_v3.7_17.1.57.C.01. |
NZISM v3.7 17.1.57.C.01. |
Cryptographic Fundamentals |
17.1.57.C.01. - To ensure compliance with security protocols and best practices. |
Shared |
n/a |
In addition to any encryption already in place for communication mediums, agencies MUST use an Approved Cryptographic Protocol and Algorithm to protect NZEO information when in transit. |
|
19 |
NZISM_v3.7 |
17.1.58.C.01. |
NZISM_v3.7_17.1.58.C.01. |
NZISM v3.7 17.1.58.C.01. |
Cryptographic Fundamentals |
17.1.58.C.01. - To ensure compliance with security protocols and best practices. |
Shared |
n/a |
Agencies SHOULD establish cryptoperiods for all keys and cryptographic implementations in their systems and operations. |
|
19 |
NZISM_v3.7 |
17.1.58.C.02. |
NZISM_v3.7_17.1.58.C.02. |
NZISM v3.7 17.1.58.C.02. |
Cryptographic Fundamentals |
17.1.58.C.02. - To enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies SHOULD use risk assessment techniques and guidance to establish cryptoperiods. |
|
25 |
NZISM_v3.7 |
17.1.58.C.03. |
NZISM_v3.7_17.1.58.C.03. |
NZISM v3.7 17.1.58.C.03. |
Cryptographic Fundamentals |
17.1.58.C.03. - To enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies using HACE MUST consult the GCSB for key management requirements. |
|
17 |
NZISM_v3.7 |
17.10.12.C.01. |
NZISM_v3.7_17.10.12.C.01. |
NZISM v3.7 17.10.12.C.01. |
Hardware Security Modules |
17.10.12.C.01. - To enhance the overall security posture of the systems and the sensitive information they protect. |
Shared |
n/a |
Agencies MUST consider the use of HSMs when undertaking a security risk assessment or designing network and security architectures. |
|
15 |
|
op.acc.6 Authentication mechanism (organization users) |
op.acc.6 Authentication mechanism (organization users) |
404 not found |
|
|
|
n/a |
n/a |
|
75 |
|
op.mon.1 Intrusion detection |
op.mon.1 Intrusion detection |
404 not found |
|
|
|
n/a |
n/a |
|
50 |
PCI_DSS_V3.2.1 |
3.4 |
PCI_DSS_v3.2.1_3.4 |
PCI DSS v3.2.1 3.4 |
Requirement 3 |
PCI DSS requirement 3.4 |
customer |
n/a |
n/a |
link |
7 |
PCI_DSS_V3.2.1 |
4.1 |
PCI_DSS_v3.2.1_4.1 |
PCI DSS v3.2.1 4.1 |
Requirement 4 |
PCI DSS requirement 4.1 |
customer |
n/a |
n/a |
link |
7 |
PCI_DSS_V3.2.1 |
6.5.3 |
PCI_DSS_v3.2.1_6.5.3 |
PCI DSS v3.2.1 6.5.3 |
Requirement 6 |
PCI DSS requirement 6.5.3 |
shared |
n/a |
n/a |
link |
7 |
PCI_DSS_v4.0.1 |
1.4.4 |
PCI_DSS_v4.0.1_1.4.4 |
PCI DSS v4.0.1 1.4.4 |
Install and Maintain Network Security Controls |
System components that store cardholder data are not directly accessible from untrusted networks |
Shared |
n/a |
Examine the data-flow diagram and network diagram to verify that it is documented that system components storing cardholder data are not directly accessible from the untrusted networks. Examine configurations of NSCs to verify that controls are implemented such that system components storing cardholder data are not directly accessible from untrusted networks |
|
43 |
PCI_DSS_v4.0.1 |
3.5.1.1 |
PCI_DSS_v4.0.1_3.5.1.1 |
PCI DSS v4.0.1 3.5.1.1 |
Protect Stored Account Data |
Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7 |
Shared |
n/a |
Examine documentation about the hashing method used to render PAN unreadable, including the vendor, type of system/process, and the encryption algorithms (as applicable) to verify that the hashing method results in keyed cryptographic hashes of the entire PAN, with associated key management processes and procedures. Examine documentation about the key management procedures and processes associated with the keyed cryptographic hashes to verify keys are managed in accordance with Requirements 3.6 and 3.7. Examine data repositories to verify the PAN is rendered unreadable. Examine audit logs, including payment application logs, to verify the PAN is rendered unreadable |
|
19 |
PCI_DSS_v4.0.1 |
3.6.1 |
PCI_DSS_v4.0.1_3.6.1 |
PCI DSS v4.0.1 3.6.1 |
Protect Stored Account Data |
Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse that include: access to keys is restricted to the fewest number of custodians necessary. Key-encrypting keys are at least as strong as the data-encrypting keys they protect. Key-encrypting keys are stored separately from data-encrypting keys. Keys are stored securely in the fewest possible locations and forms |
Shared |
n/a |
Examine documented key-management policies and procedures to verify that processes to protect cryptographic keys used to protect stored account data against disclosure and misuse are defined to include all elements specified in this requirement |
|
16 |
PCI_DSS_v4.0.1 |
3.6.1.1 |
PCI_DSS_v4.0.1_3.6.1.1 |
PCI DSS v4.0.1 3.6.1.1 |
Protect Stored Account Data |
Additional requirement for service providers only: A documented description of the cryptographic architecture is maintained that includes: details of all algorithms, protocols, and keys used for the protection of stored account data, including key strength and expiry date. Preventing the use of the same cryptographic keys in production and test environments. Description of the key usage for each key. Inventory of any hardware security modules (HSMs), key management systems (KMS), and other secure cryptographic devices (SCDs) used for key management, including type and location of devices, to support meeting Requirement 12.3.4 |
Shared |
n/a |
Additional testing procedure for service provider assessments only: Interview responsible personnel and examine documentation to verify that a document exists to describe the cryptographic architecture that includes all elements specified in this requirement |
|
14 |
PCI_DSS_v4.0.1 |
3.7.1 |
PCI_DSS_v4.0.1_3.7.1 |
PCI DSS v4.0.1 3.7.1 |
Protect Stored Account Data |
Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to protect stored account data |
Shared |
n/a |
Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define generation of strong cryptographic keys. Observe the method for generating keys to verify that strong keys are generated |
|
16 |
PCI_DSS_v4.0.1 |
3.7.2 |
PCI_DSS_v4.0.1_3.7.2 |
PCI DSS v4.0.1 3.7.2 |
Protect Stored Account Data |
Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to protect stored account data |
Shared |
n/a |
Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define secure distribution of cryptographic keys. Observe the method for distributing keys to verify that keys are distributed securely |
|
16 |
PCI_DSS_v4.0.1 |
3.7.3 |
PCI_DSS_v4.0.1_3.7.3 |
PCI DSS v4.0.1 3.7.3 |
Protect Stored Account Data |
Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to protect stored account data |
Shared |
n/a |
Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define secure storage of cryptographic keys. Observe the method for storing keys to verify that keys are stored securely |
|
14 |
PCI_DSS_v4.0.1 |
3.7.5 |
PCI_DSS_v4.0.1_3.7.5 |
PCI DSS v4.0.1 3.7.5 |
Protect Stored Account Data |
Key management policies procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary when: the key has reached the end of its defined cryptoperiod. The integrity of the key has been weakened, including when personnel with knowledge of a cleartext key component leaves the company, or the role for which the key component was known. The key is suspected of or known to be compromised. Retired or replaced keys are not used for encryption operations |
Shared |
n/a |
Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define retirement, replacement, or destruction of keys in accordance with all elements specified in this requirement. Interview personnel to verify that processes are implemented in accordance with all elements specified in this requirement |
|
14 |
PCI_DSS_v4.0.1 |
3.7.6 |
PCI_DSS_v4.0.1_3.7.6 |
PCI DSS v4.0.1 3.7.6 |
Protect Stored Account Data |
Where manual cleartext cryptographic key-management operations are performed by personnel, key-management policies and procedures are implemented, including managing these operations using split knowledge and dual control |
Shared |
n/a |
Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define using split knowledge and dual control. Interview personnel and/or observe processes to verify that manual cleartext keys are managed with split knowledge and dual control |
|
16 |
PCI_DSS_v4.0.1 |
3.7.7 |
PCI_DSS_v4.0.1_3.7.7 |
PCI DSS v4.0.1 3.7.7 |
Protect Stored Account Data |
Key management policies and procedures are implemented to include the prevention of unauthorized substitution of cryptographic keys |
Shared |
n/a |
Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define prevention of unauthorized substitution of cryptographic keys. Interview personnel and/or observe processes to verify that unauthorized substitution of keys is prevented |
|
14 |
PCI_DSS_v4.0.1 |
3.7.8 |
PCI_DSS_v4.0.1_3.7.8 |
PCI DSS v4.0.1 3.7.8 |
Protect Stored Account Data |
Key management policies and procedures are implemented to include that cryptographic key custodians formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities |
Shared |
n/a |
Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define acknowledgments for key custodians in accordance with all elements specified in this requirement. Examine documentation or other evidence showing that key custodians have provided acknowledgments in accordance with all elements specified in this requirement |
|
14 |
PCI_DSS_v4.0.1 |
4.2.1 |
PCI_DSS_v4.0.1_4.2.1 |
PCI DSS v4.0.1 4.2.1 |
Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks |
Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: Only trusted keys and certificates are accepted. Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations. The encryption strength is appropriate for the encryption methodology in use |
Shared |
n/a |
Examine documented policies and procedures and interview personnel to verify processes are defined to include all elements specified in this requirement. Examine system configurations to verify that strong cryptography and security protocols are implemented in accordance with all elements specified in this requirement. Examine cardholder data transmissions to verify that all PAN is encrypted with strong cryptography when it is transmitted over open, public networks. Examine system configurations to verify that keys and/or certificates that cannot be verified as trusted are rejected |
|
19 |
PCI_DSS_v4.0 |
3.5.1 |
PCI_DSS_v4.0_3.5.1 |
PCI DSS v4.0 3.5.1 |
Requirement 03: Protect Stored Account Data |
Primary account number (PAN) is secured wherever it is stored |
Shared |
n/a |
PAN is rendered unreadable anywhere it is stored by using any of the following approaches:
• One-way hashes based on strong cryptography of the entire PAN.
• Truncation (hashing cannot be used to replace the truncated segment of PAN).
– If hashed and truncated versions of the same PAN, or different truncation formats of the same PAN, are present in an environment, additional controls are in place such that the different versions cannot be correlated to reconstruct the original PAN.
• Index tokens.
• Strong cryptography with associated keymanagement processes and procedures. |
link |
11 |
PCI_DSS_v4.0 |
6.2.4 |
PCI_DSS_v4.0_6.2.4 |
PCI DSS v4.0 6.2.4 |
Requirement 06: Develop and Maintain Secure Systems and Software |
Bespoke and custom software are developed securely |
Shared |
n/a |
Software engineering techniques or other methods are defined and in use for bespoke and custom software by software development personnel to prevent or mitigate common software attacks and related vulnerabilities, including but not limited to the following:
• Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws.
• Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data.
• Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, or modes of operation.
• Attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, clientside functionality, or other system/application functions and resources. This includes cross-site scripting (XSS) and cross-site request forgery (CSRF).
• Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms.
• Attacks via any “high-risk” vulnerabilities identified in the vulnerability identification process, as defined in Requirement 6.3.1. |
link |
7 |
RBI_CSF_Banks_v2016 |
10.1 |
RBI_CSF_Banks_v2016_10.1 |
|
Secure Mail And Messaging Systems |
Secure Mail And Messaging Systems-10.1 |
|
n/a |
Implement secure mail and messaging systems, including those used by bank???s partners & vendors, that include measures to prevent email spoofing, identical mail domains, protection of attachments, malicious links etc |
|
15 |
RBI_CSF_Banks_v2016 |
10.2 |
RBI_CSF_Banks_v2016_10.2 |
|
Secure Mail And Messaging Systems |
Secure Mail And Messaging Systems-10.2 |
|
n/a |
Document and implement emailserver specific controls |
|
15 |
RBI_CSF_Banks_v2016 |
13.4 |
RBI_CSF_Banks_v2016_13.4 |
|
Advanced Real-Timethreat Defenceand Management |
Advanced Real-Timethreat Defenceand Management-13.4 |
|
n/a |
Consider implementingsecure web gateways with capability to deep scan network packets including secure (HTTPS, etc.) traffic passing through the web/internet gateway |
|
41 |
RBI_ITF_NBFC_v2017 |
3.1.h |
RBI_ITF_NBFC_v2017_3.1.h |
RBI IT Framework 3.1.h |
Information and Cyber Security |
Public Key Infrastructure (PKI)-3.1 |
|
n/a |
The IS Policy must provide for a IS framework with the following basic tenets:
Public Key Infrastructure (PKI) - NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation. |
link |
31 |
RMiT_v1.0 |
10.16 |
RMiT_v1.0_10.16 |
RMiT 10.16 |
Cryptography |
Cryptography - 10.16 |
Shared |
n/a |
A financial institution must establish a robust and resilient cryptography policy to promote the adoption of strong cryptographic controls for protection of important data and information. This policy, at a minimum, shall address requirements for:
(a) the adoption of industry standards for encryption algorithms, message authentication, hash functions, digital signatures and random number generation;
(b) the adoption of robust and secure processes in managing cryptographic key lifecycles which include generation, distribution, renewal, usage, storage, recovery, revocation and destruction;
(c) the periodic review, at least every three years, of existing cryptographic standards and algorithms in critical systems, external linked or transactional customer-facing applications to prevent exploitation of weakened algorithms or protocols; and
(d) the development and testing of compromise-recovery plans in the event of a cryptographic key compromise. This must set out the escalation process, procedures for keys regeneration, interim measures, changes to business-as-usual protocols and containment strategies or options to minimise the impact of a compromise. |
link |
10 |
SOC_2 |
CC6.1 |
SOC_2_CC6.1 |
SOC 2 Type 2 CC6.1 |
Logical and Physical Access Controls |
Logical access security software, infrastructure, and architectures |
Shared |
The customer is responsible for implementing this recommendation. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion:
• Identifies and Manages the Inventory of Information Assets — The entity identifies,
Page 29
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
inventories, classifies, and manages information assets.
• Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative
authorities, mobile devices, output, and offline system components is restricted
through the use of access control software and rule sets.
• Identifies and Authenticates Users — Persons, infrastructure, and software are
identified and authenticated prior to accessing information assets, whether locally
or remotely.
• Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
• Manages Points of Access — Points of access by outside entities and the types of
data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified,
documented, and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
• Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems
accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external
infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point.
Credentials are removed and access is disabled when access is no longer required
or the infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to supplement other
measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
• Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction |
|
75 |
SOC_2 |
CC6.6 |
SOC_2_CC6.6 |
SOC 2 Type 2 CC6.6 |
Logical and Physical Access Controls |
Security measures against threats outside system boundaries |
Shared |
The customer is responsible for implementing this recommendation. |
• Restricts Access — The types of activities that can occur through a communication
channel (for example, FTP site, router port) are restricted.
• Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries.
• Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its
boundaries.
• Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and
are monitored to detect such attempts |
|
37 |
SOC_2 |
CC6.7 |
SOC_2_CC6.7 |
SOC 2 Type 2 CC6.7 |
Logical and Physical Access Controls |
Restrict the movement of information to authorized users |
Shared |
The customer is responsible for implementing this recommendation. |
• Restricts the Ability to Perform Transmission — Data loss prevention processes and
technologies are used to restrict ability to authorize and execute transmission,
movement, and removal of information.
• Uses Encryption Technologies or Secure Communication Channels to Protect Data
— Encryption technologies or secured communication channels are used to protect
transmission of data and other communications beyond connectivity access points.
• Protects Removal Media — Encryption technologies and physical asset protections
are used for removable media (such as USB drives and backup tapes), as appropriate.
• Protects Mobile Devices — Processes are in place to protect mobile devices (such
as laptops, smart phones, and tablets) that serve as information assets |
|
29 |
SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
To facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
219 |
SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
To maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
230 |
SOC_2023 |
CC6.1 |
SOC_2023_CC6.1 |
SOC 2023 CC6.1 |
Logical and Physical Access Controls |
To mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. |
Shared |
n/a |
Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. |
|
129 |
SOC_2023 |
CC7.2 |
SOC_2023_CC7.2 |
SOC 2023 CC7.2 |
Systems Operations |
To maintain robust security measures and ensure operational resilience. |
Shared |
n/a |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. |
|
168 |
SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
214 |
SOC_2023 |
CC9.1 |
SOC_2023_CC9.1 |
SOC 2023 CC9.1 |
Risk Mitigation |
To enhance resilience and ensure continuity of critical operations in the face of adverse events or threats. |
Shared |
n/a |
Entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. |
|
18 |
SWIFT_CSCF_2024 |
1.1 |
SWIFT_CSCF_2024_1.1 |
SWIFT Customer Security Controls Framework 2024 1.1 |
Physical and Environmental Security |
Swift Environment Protection |
Shared |
1. Segmentation between the user's Swift infrastructure and the larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve a compromise of the general enterprise IT environment.
2. Effective segmentation includes network-level separation, access restrictions, and connectivity restrictions. |
To ensure the protection of the user’s Swift infrastructure from potentially compromised elements of the general IT environment and external environment. |
|
69 |
SWIFT_CSCF_2024 |
1.5 |
SWIFT_CSCF_2024_1.5 |
SWIFT Customer Security Controls Framework 2024 1.5 |
Physical and Environmental Security |
Customer Environment Protection |
Shared |
1. Segmentation between the customer’s connectivity infrastructure and its larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve compromise of the general enterprise IT environment.
2. Effective segmentation will include network-level separation, access restrictions, and connectivity restrictions. |
To ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. |
|
57 |
SWIFT_CSCF_2024 |
2.1 |
SWIFT_CSCF_2024_2.1 |
SWIFT Customer Security Controls Framework 2024 2.1 |
Risk Management |
Internal Data Flow Security |
Shared |
The protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit. |
To ensure the confidentiality, integrity, and authenticity of application data flows between ’user’s Swift-related components. |
|
48 |
SWIFT_CSCF_2024 |
2.4A |
SWIFT_CSCF_2024_2.4A |
SWIFT Customer Security Controls Framework 2024 2.4A |
Risk Management |
Back Office Data Flow Security |
Shared |
Protection of data flows or connections between the back-office first hops as seen from the Swift or customer secure zone and the Swift infrastructure safeguards against person-in-the-middle attack, unintended disclosure, modification, and data access while in transit. |
To ensure the confidentiality, integrity, and mutual authenticity of data flowing between on-premises or remote Swift infrastructure components and the back-office first hops they connect to. |
|
24 |
SWIFT_CSCF_2024 |
9.1 |
SWIFT_CSCF_2024_9.1 |
404 not found |
|
|
|
n/a |
n/a |
|
57 |
SWIFT_CSCF_v2021 |
2.5A |
SWIFT_CSCF_v2021_2.5A |
SWIFT CSCF v2021 2.5A |
Reduce Attack Surface and Vulnerabilities |
External Transmission Data Protection |
|
n/a |
Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. |
link |
11 |
SWIFT_CSCF_v2022 |
2.5A |
SWIFT_CSCF_v2022_2.5A |
SWIFT CSCF v2022 2.5A |
2. Reduce Attack Surface and Vulnerabilities |
External Transmission Data Protection |
Customer |
n/a |
Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. |
link |
6 |
|
U.05.1 - Cryptographic measures |
U.05.1 - Cryptographic measures |
404 not found |
|
|
|
n/a |
n/a |
|
17 |
|
U.11.1 - Policy |
U.11.1 - Policy |
404 not found |
|
|
|
n/a |
n/a |
|
17 |
|
U.11.2 - Cryptographic measures |
U.11.2 - Cryptographic measures |
404 not found |
|
|
|
n/a |
n/a |
|
17 |
UK_NCSC_CSP |
1 |
UK_NCSC_CSP_1 |
UK NCSC CSP 1 |
Data in transit protection |
Data in transit protection |
Shared |
n/a |
User data transiting networks should be adequately protected against tampering and eavesdropping. |
link |
5 |