compliance controls are associated with this Policy definition 'Kubernetes clusters should disable automounting API credentials' (423dd1ba-798e-40e4-9c4d-b6902674b423)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v3.0 |
PV-2 |
Azure_Security_Benchmark_v3.0_PV-2 |
Microsoft cloud security benchmark PV-2 |
Posture and Vulnerability Management |
Audit and enforce secure configurations |
Shared |
**Security Principle:**
Continuously monitor and alert when there is a deviation from the defined configuration baseline. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploy a configuration.
**Azure Guidance:**
Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources.
Use Azure Policy [deny] and [deploy if not exist] rule to enforce secure configuration across Azure resources.
For resource configuration audit and enforcement not supported by Azure Policy, you may need to write your own scripts or use third-party tooling to implement the configuration audit and enforcement.
**Implementation and additional context:**
Understand Azure Policy effects:
https://docs.microsoft.com/azure/governance/policy/concepts/effects
Create and manage policies to enforce compliance:
https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
Get compliance data of Azure resources:
https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data |
n/a |
link |
27 |
|
C.04.7 - Evaluated |
C.04.7 - Evaluated |
404 not found |
|
|
|
n/a |
n/a |
|
55 |
| CIS_Controls_v8.1 |
4.1 |
CIS_Controls_v8.1_4.1 |
CIS Controls v8.1 4.1 |
Secure Configuration of Enterprise Assets and Software |
Establish and maintain a secure configuration process. |
Shared |
1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications).
2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. |
To ensure data integrity and safety of enterprise assets. |
|
44 |
| CIS_Controls_v8.1 |
4.8 |
CIS_Controls_v8.1_4.8 |
CIS Controls v8.1 4.8 |
Secure Configuration of Enterprise Assets and Software |
Uninstall or disable unnecessary services on enterprise assets and software |
Shared |
Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function. |
To prevent unauthorized access from third-party unapproved software or services. |
|
1 |
| CMMC_L2_v1.9.0 |
AC.L1_3.1.1 |
CMMC_L2_v1.9.0_AC.L1_3.1.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L1 3.1.1 |
Access Control |
Authorized Access Control |
Shared |
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). |
To ensure security and integrity. |
|
27 |
| CMMC_L2_v1.9.0 |
AC.L2_3.1.5 |
CMMC_L2_v1.9.0_AC.L2_3.1.5 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.5 |
Access Control |
Least Privilege |
Shared |
Employ the principle of least privilege, including for specific security functions and privileged accounts. |
To restrict information system access. |
|
27 |
| CSA_v4.0.12 |
IAM_05 |
CSA_v4.0.12_IAM_05 |
CSA Cloud Controls Matrix v4.0.12 IAM 05 |
Identity & Access Management |
Least Privilege |
Shared |
n/a |
Employ the least privilege principle when implementing information
system access. |
|
27 |
| CSA_v4.0.12 |
IAM_10 |
CSA_v4.0.12_IAM_10 |
CSA Cloud Controls Matrix v4.0.12 IAM 10 |
Identity & Access Management |
Management of Privileged Access Roles |
Shared |
n/a |
Define and implement an access process to ensure privileged access
roles and rights are granted for a time limited period, and implement procedures
to prevent the culmination of segregated privileged access. |
|
56 |
| Cyber_Essentials_v3.1 |
2 |
Cyber_Essentials_v3.1_2 |
Cyber Essentials v3.1 2 |
Cyber Essentials |
Secure Configuration |
Shared |
n/a |
Aim: ensure that computers and network devices are properly configured to reduce vulnerabilities and provide only the services required to fulfill their role. |
|
61 |
| Cyber_Essentials_v3.1 |
4 |
Cyber_Essentials_v3.1_4 |
Cyber Essentials v3.1 4 |
Cyber Essentials |
User Access Control |
Shared |
n/a |
Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role. |
|
74 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.5 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 |
Policy and Implementation - Access Control |
Access Control |
Shared |
Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. |
Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. |
|
97 |
| FFIEC_CAT_2017 |
3.1.2 |
FFIEC_CAT_2017_3.1.2 |
FFIEC CAT 2017 3.1.2 |
Cybersecurity Controls |
Access and Data Management |
Shared |
n/a |
Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.'FFIEC_Cybersecurity Control'!F8
- Employee access to systems and confidential data provides for separation of duties.
- Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger 'FFIEC_Cybersecurity Control'!F7password controls).
- User access reviews are performed periodically for all systems and applications based on the risk to the application or system.
- Changes to physical and logical user access, including those that result from voluntary and involuntary terminations, are submitted to and approved by appropriate personnel.
- Identification and authentication are required and managed for access to systems, applications, and hardware.
- Access controls include password complexity and limits to password attempts and reuse.
- All default passwords and unnecessary default accounts are changed before system implementation.
- Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk.
- Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.)
- Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems.
- All passwords are encrypted in storage and in transit.
- Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet).
- Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.)
- Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication.
- Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software.
- Customer service (e.g., the call center) utilizes formal procedures to authenticate customers commensurate with the risk of the transaction or request.
- Data is disposed of or destroyed according to documented requirements and within expected time frames. |
|
59 |
| ISO_IEC_27002_2022 |
8.2 |
ISO_IEC_27002_2022_8.2 |
ISO IEC 27002 2022 8.2 |
Protection,
Preventive, Control |
Privileged access rights |
Shared |
The allocation and use of privileged access rights should be restricted and managed.
|
To ensure only authorized users, software components and services are provided with privileged access rights. |
|
29 |
| ISO_IEC_27017_2015 |
12.4.3 |
ISO_IEC_27017_2015_12.4.3 |
ISO IEC 27017 2015 12.4.3 |
Operations Security |
Administrator and Operation Logs |
Shared |
For Cloud Service Customer:
If a privileged operation is delegated to the cloud service customer, the operation and performance of those operations should be logged. The cloud service customer should determine whether logging capabilities provided by the cloud service provider are appropriate or whether the cloud service customer should implement additional logging capabilities. |
To log operation and performance of those operations wherein rivileged operation is delegated to the cloud service customer. |
|
28 |
| K_ISMS_P_2018 |
2.10.1 |
K_ISMS_P_2018_2.10.1 |
K ISMS P 2018 2.10.1 |
2.10 |
Establish Procedures for Managing the Security of System Operations |
Shared |
n/a |
Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions. |
|
455 |
| K_ISMS_P_2018 |
2.10.2 |
K_ISMS_P_2018_2.10.2 |
K ISMS P 2018 2.10.2 |
2.10 |
Establish Protective Measures for Administrator Privileges and Security Configurations |
Shared |
n/a |
Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations. |
|
431 |
| New_Zealand_ISM |
14.1.9.C.01 |
New_Zealand_ISM_14.1.9.C.01 |
New_Zealand_ISM_14.1.9.C.01 |
14. Software security |
14.1.9.C.01 Maintaining hardened SOEs |
|
n/a |
Agencies MUST ensure that for all servers and workstations: a technical specification is agreed for each platform with specified controls; a standard configuration created and updated for each operating system type and version; system users do not have the ability to install or disable software without approval; and installed software and operating system patching is up to date. |
|
16 |
| NIST_CSF_v2.0 |
PR.AA_05 |
NIST_CSF_v2.0_PR.AA_05 |
NIST CSF v2.0 PR.AA 05 |
PROTECT- Identity Management, Authentication, and Access |
Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties. |
Shared |
n/a |
To implement safeguards for managing organization’s cybersecurity risks. |
|
29 |
| NZ_ISM_v3.5 |
SS-3 |
NZ_ISM_v3.5_SS-3 |
NZISM Security Benchmark SS-3 |
Software security |
14.1.9 Maintaining hardened SOEs |
Customer |
n/a |
Whilst a SOE can be sufficiently hardened when it is deployed, its security will progressively degrade over time. Agencies can address the degradation of the security of a SOE by ensuring that patches are continually applied, system users are not able to disable or bypass security functionality and antivirus and other security software is appropriately maintained with the latest signatures and updates.
End Point Agents monitor traffic and apply security policies on applications, storage interfaces and data in real-time. Administrators actively block or monitor and log policy breaches. The End Point Agent can also create forensic monitoring to facilitate incident investigation.
End Point Agents can monitor user activity, such as the cut, copy, paste, print, print screen operations and copying data to external drives and other devices. The Agent can then apply policies to limit such activity. |
link |
15 |
| NZISM_v3.7 |
16.1.33.C.01. |
NZISM_v3.7_16.1.33.C.01. |
NZISM v3.7 16.1.33.C.01. |
Identification, Authentication and Passwords |
16.1.33.C.01. - promote security and accountability within the agency's systems. |
Shared |
n/a |
Agencies MUST NOT use shared credentials to access accounts. |
|
25 |
| NZISM_v3.7 |
16.1.33.C.02. |
NZISM_v3.7_16.1.33.C.02. |
NZISM v3.7 16.1.33.C.02. |
Identification, Authentication and Passwords |
16.1.33.C.02. - promote security and accountability within the agency's systems. |
Shared |
n/a |
Agencies SHOULD NOT use shared credentials to access accounts. |
|
25 |
| NZISM_v3.7 |
16.1.34.C.01. |
NZISM_v3.7_16.1.34.C.01. |
NZISM v3.7 16.1.34.C.01. |
Identification, Authentication and Passwords |
16.1.34.C.01. - promote security and accountability within the agency's systems. |
Shared |
n/a |
If agencies choose to allow shared, non user-specific accounts they MUST ensure that an independent means of determining the identification of the system user is implemented. |
|
25 |
| NZISM_v3.7 |
16.1.35.C.02. |
NZISM_v3.7_16.1.35.C.02. |
NZISM v3.7 16.1.35.C.02. |
Identification, Authentication and Passwords |
16.1.35.C.02. - implement additional authentication factors to enhance security.
|
Shared |
n/a |
Agencies SHOULD ensure that they combine the use of multiple methods when identifying and authenticating system users. |
|
25 |
| NZISM_v3.7 |
16.1.36.C.01. |
NZISM_v3.7_16.1.36.C.01. |
NZISM v3.7 16.1.36.C.01. |
Identification, Authentication and Passwords |
16.1.36.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies MUST NOT allow storage of unprotected authentication information that grants system access, or decrypts an encrypted device, to be located on, or with the system or device, to which the authentication information grants access. |
|
17 |
| NZISM_v3.7 |
16.1.37.C.01. |
NZISM_v3.7_16.1.37.C.01. |
NZISM v3.7 16.1.37.C.01. |
Identification, Authentication and Passwords |
16.1.37.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies MUST ensure that system authentication data is protected when in transit on agency networks or All-of-Government systems. |
|
17 |
| NZISM_v3.7 |
16.1.39.C.01. |
NZISM_v3.7_16.1.39.C.01. |
NZISM v3.7 16.1.39.C.01. |
Identification, Authentication and Passwords |
16.1.39.C.01. - enhance overall security posture. |
Shared |
n/a |
Where systems contain NZEO or other nationalities releasability marked or protectively marked information, agencies MUST provide a mechanism that allows system users and processes to identify users who are foreign nationals, including seconded foreign nationals. |
|
17 |
| NZISM_v3.7 |
16.1.39.C.02. |
NZISM_v3.7_16.1.39.C.02. |
NZISM v3.7 16.1.39.C.02. |
Identification, Authentication and Passwords |
16.1.39.C.02. - enhance overall security posture. |
Shared |
n/a |
Agencies using NZEO systems SHOULD ensure that identification includes specific nationality for all foreign nationals, including seconded foreign nationals. |
|
17 |
| NZISM_v3.7 |
16.1.41.C.02. |
NZISM_v3.7_16.1.41.C.02. |
NZISM v3.7 16.1.41.C.02. |
Identification, Authentication and Passwords |
16.1.41.C.02. - enhance overall security posture. |
Shared |
n/a |
Agencies MUST NOT:
1. allow predictable reset passwords;
2. reuse passwords when resetting multiple accounts;
3. store passwords in the clear on the system;
4. allow passwords to be reused within eight password changes; and
5. allow system users to use sequential passwords. |
|
17 |
| NZISM_v3.7 |
16.1.43.C.01. |
NZISM_v3.7_16.1.43.C.01. |
NZISM v3.7 16.1.43.C.01. |
Identification, Authentication and Passwords |
16.1.43.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies SHOULD disable LAN Manager for password authentication on workstations and servers. |
|
17 |
| NZISM_v3.7 |
16.1.48.C.02. |
NZISM_v3.7_16.1.48.C.02. |
NZISM v3.7 16.1.48.C.02. |
Identification, Authentication and Passwords |
16.1.48.C.02. - enhance overall security posture. |
Shared |
n/a |
Agencies SHOULD seek legal advice on the exact wording of logon banners. |
|
16 |
| NZISM_v3.7 |
16.1.49.C.01. |
NZISM_v3.7_16.1.49.C.01. |
NZISM v3.7 16.1.49.C.01. |
Identification, Authentication and Passwords |
16.1.49.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies SHOULD configure systems to display the date and time of the system user's previous login during the login process. |
|
15 |
| NZISM_v3.7 |
16.1.50.C.01. |
NZISM_v3.7_16.1.50.C.01. |
NZISM v3.7 16.1.50.C.01. |
Identification, Authentication and Passwords |
16.1.50.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies SHOULD NOT permit the display of last logged on username, credentials or other identifying details. |
|
15 |
| NZISM_v3.7 |
16.1.50.C.02. |
NZISM_v3.7_16.1.50.C.02. |
NZISM v3.7 16.1.50.C.02. |
Identification, Authentication and Passwords |
16.1.50.C.02. - enhance overall security posture. |
Shared |
n/a |
Agencies SHOULD NOT permit the caching of credentials unless specifically required. |
|
15 |
| NZISM_v3.7 |
16.2.3.C.01. |
NZISM_v3.7_16.2.3.C.01. |
NZISM v3.7 16.2.3.C.01. |
System Access and Passwords |
16.2.3.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies MUST NOT allow access to NZEO information from systems and facilities not under the sole control of the government of New Zealand and New Zealand citizens. |
|
14 |
| NZISM_v3.7 |
16.2.3.C.02. |
NZISM_v3.7_16.2.3.C.02. |
NZISM v3.7 16.2.3.C.02. |
System Access and Passwords |
16.2.3.C.02. - enhance overall security posture. |
Shared |
n/a |
Unless a multilateral or bilateral security agreement is in place, agencies SHOULD NOT allow access to classified information from systems and facilities not under the sole control of the government of New Zealand and New Zealand citizens. |
|
11 |
| PCI_DSS_v4.0.1 |
7.2.1 |
PCI_DSS_v4.0.1_7.2.1 |
PCI DSS v4.0.1 7.2.1 |
Restrict Access to System Components and Cardholder Data by Business Need to Know |
An access control model is defined and includes granting access as follows: Appropriate access depending on the entity’s business and access needs. Access to system components and data resources that is based on users’ job classification and functions. The least privileges required (for example, user, administrator) to perform a job function |
Shared |
n/a |
Examine documented policies and procedures and interview personnel to verify the access control model is defined in accordance with all elements specified in this requirement. Examine access control model settings and verify that access needs are appropriately defined in accordance with all elements specified in this requirement |
|
43 |
| PCI_DSS_v4.0.1 |
7.2.2 |
PCI_DSS_v4.0.1_7.2.2 |
PCI DSS v4.0.1 7.2.2 |
Restrict Access to System Components and Cardholder Data by Business Need to Know |
Access is assigned to users, including privileged users, based on: Job classification and function. Least privileges necessary to perform job responsibilities |
Shared |
n/a |
Examine policies and procedures to verify they cover assigning access to users in accordance with all elements specified in this requirement. Examine user access settings, including for privileged users, and interview responsible management personnel to verify that privileges assigned are in accordance with all elements specified in this requirement. Interview personnel responsible for assigning access to verify that privileged user access is assigned in accordance with all elements specified in this requirement |
|
43 |
| PCI_DSS_v4.0.1 |
7.2.5 |
PCI_DSS_v4.0.1_7.2.5 |
PCI DSS v4.0.1 7.2.5 |
Restrict Access to System Components and Cardholder Data by Business Need to Know |
All application and system accounts and related access privileges are assigned and managed as follows: Based on the least privileges necessary for the operability of the system or application. Access is limited to the systems, applications, or processes that specifically require their use |
Shared |
n/a |
Examine policies and procedures to verify they define processes to manage and assign application and system accounts and related access privileges in accordance with all elements specified in this requirement. Examine privileges associated with system and application accounts and interview responsible personnel to verify that application and system accounts and related access privileges are assigned and managed in accordance with all elements specified in this requirement |
|
44 |
| PCI_DSS_v4.0.1 |
7.2.6 |
PCI_DSS_v4.0.1_7.2.6 |
PCI DSS v4.0.1 7.2.6 |
Restrict Access to System Components and Cardholder Data by Business Need to Know |
All user access to query repositories of stored cardholder data is restricted as follows: Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges. Only the responsible administrator(s) can directly access or query repositories of stored CHD |
Shared |
n/a |
Examine policies and procedures and interview personnel to verify processes are defined for granting user access to query repositories of stored cardholder data, in accordance with all elements specified in this requirement. Examine configuration settings for querying repositories of stored cardholder data to verify they are in accordance with all elements specified in this requirement |
|
41 |
| PCI_DSS_v4.0.1 |
7.3.1 |
PCI_DSS_v4.0.1_7.3.1 |
PCI DSS v4.0.1 7.3.1 |
Restrict Access to System Components and Cardholder Data by Business Need to Know |
An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components |
Shared |
n/a |
Examine vendor documentation and system settings to verify that access is managed for each system component via an access control system(s) that restricts access based on a user’s need to know and covers all system components |
|
27 |
| Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes Oxley Act 2022 1 |
PUBLIC LAW |
Sarbanes Oxley Act 2022 (SOX) |
Shared |
n/a |
n/a |
|
92 |
| SOC_2 |
CC6.8 |
SOC_2_CC6.8 |
SOC 2 Type 2 CC6.8 |
Logical and Physical Access Controls |
Prevent or detect against unauthorized or malicious software |
Shared |
The customer is responsible for implementing this recommendation. |
Restricts Application and Software Installation — The ability to install applications
and software is restricted to authorized individuals.
• Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that
may be indicative of unauthorized or malicious software.
• Uses a Defined Change Control Process — A management-defined change control
process is used for the implementation of software.
• Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software
is implemented and maintained to provide for the interception or detection and remediation of malware.
• Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been
transferred or returned to the entity’s custody for malware and other unauthorized
software and to remove any items detected prior to its implementation on the network. |
|
47 |
| SOC_2 |
CC8.1 |
SOC_2_CC8.1 |
SOC 2 Type 2 CC8.1 |
Change Management |
Changes to infrastructure, data, and software |
Shared |
The customer is responsible for implementing this recommendation. |
Manages Changes Throughout the System Life Cycle — A process for managing
system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and
processing integrity.
• Authorizes Changes — A process is in place to authorize system changes prior to
development.
• Designs and Develops Changes — A process is in place to design and develop system changes.
• Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing
their responsibilities.
• Tracks System Changes — A process is in place to track system changes prior to
implementation.
• Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software.
• Tests System Changes — A process is in place to test system changes prior to implementation.
• Approves System Changes — A process is in place to approve system changes prior
to implementation.
• Deploys System Changes — A process is in place to implement system changes.
• Identifies and Evaluates System Changes — Objectives affected by system changes
are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle.
• Identifies Changes in Infrastructure, Data, Software, and Procedures Required to
Remediate Incidents — Changes in infrastructure, data, software, and procedures
required to remediate incidents to continue to meet objectives are identified and the
change process is initiated upon identification.
• Creates Baseline Configuration of IT Technology — A baseline configuration of IT
and control systems is created and maintained.
• Provides for Changes Necessary in Emergency Situations — A process is in place
for authorizing, designing, testing, approving, and implementing changes necessary
in emergency situations (that is, changes that need to be implemented in an urgent
time frame).
Additional points of focus that apply only in an engagement using the trust services criteria for
confidentiality:
• Protects Confidential Information — The entity protects confidential information
during system design, development, testing, implementation, and change processes
to meet the entity’s objectives related to confidentiality.
Additional points of focus that apply only in an engagement using the trust services criteria for
privacy:
• Protects Personal Information — The entity protects personal information during
system design, development, testing, implementation, and change processes to meet
the entity’s objectives related to privacy. |
|
52 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
225 |
| SOC_2023 |
CC6.1 |
SOC_2023_CC6.1 |
SOC 2023 CC6.1 |
Logical and Physical Access Controls |
Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. |
Shared |
n/a |
Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. |
|
127 |
| SOC_2023 |
CC6.2 |
SOC_2023_CC6.2 |
SOC 2023 CC6.2 |
Logical and Physical Access Controls |
Ensure effective access control and ensuring the security of the organization's systems and data. |
Shared |
n/a |
1. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity.
2. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
|
50 |
| SOC_2023 |
CC6.3 |
SOC_2023_CC6.3 |
404 not found |
|
|
|
n/a |
n/a |
|
56 |
| SOC_2023 |
CC6.7 |
SOC_2023_CC6.7 |
404 not found |
|
|
|
n/a |
n/a |
|
52 |
| SOC_2023 |
CC7.2 |
SOC_2023_CC7.2 |
SOC 2023 CC7.2 |
Systems Operations |
Maintain robust security measures and ensure operational resilience. |
Shared |
n/a |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. |
|
163 |
| SOC_2023 |
CC8.1 |
SOC_2023_CC8.1 |
SOC 2023 CC8.1 |
Change Management |
Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. |
Shared |
n/a |
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. |
|
143 |
| SWIFT_CSCF_2024 |
1.2 |
SWIFT_CSCF_2024_1.2 |
SWIFT Customer Security Controls Framework 2024 1.2 |
Privileged Account Control |
Operating System Privileged Account Control |
Shared |
Tightly protecting administrator-level accounts within the operating system reduces the opportunity for an attacker to use the privileges of the account as part of an attack (for example, executing commands or deleting evidence). |
To restrict and control the allocation and usage of administrator-level operating system accounts. |
|
53 |