compliance controls are associated with this Policy definition 'Kubernetes cluster containers should not share host process ID or host IPC namespace' (47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v2.0 |
PV-2 |
Azure_Security_Benchmark_v2.0_PV-2 |
Azure Security Benchmark PV-2 |
Posture and Vulnerability Management |
Sustain secure configurations for Azure services |
Customer |
Use Azure Security Center to monitor your configuration baseline and use Azure Policy [deny] and [deploy if not exist] rule to enforce secure configuration across Azure compute resources, including VMs, containers, and others.
Understand Azure Policy effects: https://docs.microsoft.com/azure/governance/policy/concepts/effects
Create and manage policies to enforce compliance: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage |
n/a |
link |
19 |
| Azure_Security_Benchmark_v3.0 |
PV-2 |
Azure_Security_Benchmark_v3.0_PV-2 |
Microsoft cloud security benchmark PV-2 |
Posture and Vulnerability Management |
Audit and enforce secure configurations |
Shared |
**Security Principle:**
Continuously monitor and alert when there is a deviation from the defined configuration baseline. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploy a configuration.
**Azure Guidance:**
Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources.
Use Azure Policy [deny] and [deploy if not exist] rule to enforce secure configuration across Azure resources.
For resource configuration audit and enforcement not supported by Azure Policy, you may need to write your own scripts or use third-party tooling to implement the configuration audit and enforcement.
**Implementation and additional context:**
Understand Azure Policy effects:
https://docs.microsoft.com/azure/governance/policy/concepts/effects
Create and manage policies to enforce compliance:
https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
Get compliance data of Azure resources:
https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data |
n/a |
link |
27 |
|
C.04.7 - Evaluated |
C.04.7 - Evaluated |
404 not found |
|
|
|
n/a |
n/a |
|
55 |
| Canada_Federal_PBMM_3-1-2020 |
AC_4(21) |
Canada_Federal_PBMM_3-1-2020_AC_4(21) |
Canada Federal PBMM 3-1-2020 AC 4(21) |
Information Flow Enforcement |
Information Flow Enforcement | Physical / Logical Separation of Information Flows |
Shared |
The information system separates information flows logically or physically using session encryption to accomplish separation of all sessions. |
To enhance security measures and safeguard sensitive data from unauthorized access or interception. |
|
27 |
| Canada_Federal_PBMM_3-1-2020 |
CA_3 |
Canada_Federal_PBMM_3-1-2020_CA_3 |
Canada Federal PBMM 3-1-2020 CA 3 |
Information System Connections |
System Interconnections |
Shared |
1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements.
2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated.
3. The organization reviews and updates Interconnection Security Agreements annually. |
To establish and maintain secure connections between information systems. |
|
76 |
| Canada_Federal_PBMM_3-1-2020 |
CA_3(3) |
Canada_Federal_PBMM_3-1-2020_CA_3(3) |
Canada Federal PBMM 3-1-2020 CA 3(3) |
Information System Connections |
System Interconnections | Classified Non-National Security System Connections |
Shared |
The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner. |
To ensure the integrity and security of internal systems against external threats. |
|
76 |
| Canada_Federal_PBMM_3-1-2020 |
CA_3(5) |
Canada_Federal_PBMM_3-1-2020_CA_3(5) |
Canada Federal PBMM 3-1-2020 CA 3(5) |
Information System Connections |
System Interconnections | Restrictions on External Network Connections |
Shared |
The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems. |
To enhance security posture against unauthorized access. |
|
76 |
| Canada_Federal_PBMM_3-1-2020 |
CA_7 |
Canada_Federal_PBMM_3-1-2020_CA_7 |
Canada Federal PBMM 3-1-2020 CA 7 |
Continuous Monitoring |
Continuous Monitoring |
Shared |
1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored.
2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan.
3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy.
4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy.
5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring.
6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information.
7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency. |
To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements. |
|
124 |
| Canada_Federal_PBMM_3-1-2020 |
SC_12 |
Canada_Federal_PBMM_3-1-2020_SC_12 |
Canada Federal PBMM 3-1-2020 SC 12 |
Cryptographic Key Establishment and Management |
Cryptographic Key Establishment and Management |
Shared |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with CSE-approved cryptography. |
To enhance overall security posture and compliance with industry best practices.
|
|
29 |
| Canada_Federal_PBMM_3-1-2020 |
SC_12(1) |
Canada_Federal_PBMM_3-1-2020_SC_12(1) |
Canada Federal PBMM 3-1-2020 SC 12(1) |
Cryptographic Key Establishment and Management |
Cryptographic Key Establishment and Management | Availability |
Shared |
The organization maintains availability of information in the event of the loss of cryptographic keys by users. |
To implement backup and recovery mechanisms. |
|
29 |
| Canada_Federal_PBMM_3-1-2020 |
SC_2 |
Canada_Federal_PBMM_3-1-2020_SC_2 |
Canada Federal PBMM 3-1-2020 SC 2 |
Application Partitioning |
Application Partitioning |
Shared |
The information system separates user functionality (including user interface services) from information system management functionality. |
To strengthen security posture and mitigate potential security vulnerabilities. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
SC_5 |
Canada_Federal_PBMM_3-1-2020_SC_5 |
Canada Federal PBMM 3-1-2020 SC 5 |
Denial of Service Protection |
Denial of Service Protection |
Shared |
The information system protects against or limits the effects of the following denial of service attempts that attack bandwidth, transactional capacity and storage by employing geo-replication, IP address blocking, and network-based DDoS protections. |
To strengthen security posture and mitigate potential security vulnerabilities. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
SC_6 |
Canada_Federal_PBMM_3-1-2020_SC_6 |
Canada Federal PBMM 3-1-2020 SC 6 |
Resource Availability |
Resource Availability |
Shared |
The information system protects the availability of resources by allocating organization-defined resources by priority; quota, or organization-defined security safeguards. |
To strengthen security posture and mitigate potential security vulnerabilities. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
SC_7 |
Canada_Federal_PBMM_3-1-2020_SC_7 |
Canada Federal PBMM 3-1-2020 SC 7 |
Boundary Protection |
Boundary Protection |
Shared |
1. The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
2. The information system implements sub-networks for publicly accessible system components that are physically or logically separated from internal organizational networks.
3. The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. |
To strengthen security posture and mitigate potential security vulnerabilities. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
SC_7(12) |
Canada_Federal_PBMM_3-1-2020_SC_7(12) |
Canada Federal PBMM 3-1-2020 SC 7(12) |
Boundary Protection |
Boundary Protection | Host-Based Protection |
Shared |
The organization implements organization-defined host-based boundary protection mechanisms at organization-defined information system components. |
To strengthen security posture and mitigate potential security vulnerabilities. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
SC_7(3) |
Canada_Federal_PBMM_3-1-2020_SC_7(3) |
Canada Federal PBMM 3-1-2020 SC 7(3) |
Boundary Protection |
Boundary Protection | Access Points |
Shared |
The organization limits the number of external network connections to the information system. |
To strengthen security posture and mitigate potential security vulnerabilities. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
SC_7(5) |
Canada_Federal_PBMM_3-1-2020_SC_7(5) |
Canada Federal PBMM 3-1-2020 SC 7(5) |
Boundary Protection |
Boundary Protection | Deny by Default / Allow by Exception |
Shared |
The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception). |
To strengthen security posture and mitigate potential security vulnerabilities. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
SC_7(7) |
Canada_Federal_PBMM_3-1-2020_SC_7(7) |
Canada Federal PBMM 3-1-2020 SC 7(7) |
Boundary Protection |
Boundary Protection | Prevent Split Tunneling for Remote Devices |
Shared |
The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. |
To strengthen security posture and mitigate potential security vulnerabilities. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
SC_7(8) |
Canada_Federal_PBMM_3-1-2020_SC_7(8) |
Canada Federal PBMM 3-1-2020 SC 7(8) |
Boundary Protection |
Boundary Protection | Route Traffic to Authenticated Proxy Servers |
Shared |
The information system routes organization-defined internal communications traffic to all untrusted networks outside the control of the organization
through authenticated proxy servers at managed interfaces. |
To strengthen security posture and mitigate potential security vulnerabilities. |
|
4 |
| CIS_Controls_v8.1 |
4.1 |
CIS_Controls_v8.1_4.1 |
CIS Controls v8.1 4.1 |
Secure Configuration of Enterprise Assets and Software |
Establish and maintain a secure configuration process. |
Shared |
1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications).
2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. |
To ensure data integrity and safety of enterprise assets. |
|
44 |
| CMMC_2.0_L2 |
CM.L2-3.4.1 |
CMMC_2.0_L2_CM.L2-3.4.1 |
404 not found |
|
|
|
n/a |
n/a |
|
25 |
| CMMC_2.0_L2 |
CM.L2-3.4.2 |
CMMC_2.0_L2_CM.L2-3.4.2 |
404 not found |
|
|
|
n/a |
n/a |
|
27 |
| CMMC_L2_v1.9.0 |
AC.L1_3.1.20 |
CMMC_L2_v1.9.0_AC.L1_3.1.20 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L1 3.1.20 |
Access Control |
External Connections |
Shared |
Verify and control/limit connections to and use of external information systems. |
To enhance security and minimise potential risks associated with external access. |
|
27 |
| CMMC_L2_v1.9.0 |
AC.L2_3.1.3 |
CMMC_L2_v1.9.0_AC.L2_3.1.3 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.3 |
Access Control |
Control CUI Flow |
Shared |
Control the flow of CUI in accordance with approved authorizations. |
To regulate the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations |
|
46 |
| CSA_v4.0.12 |
CCC_04 |
CSA_v4.0.12_CCC_04 |
CSA Cloud Controls Matrix v4.0.12 CCC 04 |
Change Control and Configuration Management |
Unauthorized Change Protection |
Shared |
n/a |
Restrict the unauthorized addition, removal, update, and management
of organization assets. |
|
25 |
| CSA_v4.0.12 |
GRC_04 |
CSA_v4.0.12_GRC_04 |
CSA Cloud Controls Matrix v4.0.12 GRC 04 |
Governance, Risk and Compliance |
Policy Exception Process |
Shared |
n/a |
Establish and follow an approved exception process as mandated by
the governance program whenever a deviation from an established policy occurs. |
|
1 |
| CSA_v4.0.12 |
TVM_01 |
CSA_v4.0.12_TVM_01 |
CSA Cloud Controls Matrix v4.0.12 TVM 01 |
Threat & Vulnerability Management |
Threat and Vulnerability Management Policy and Procedures |
Shared |
n/a |
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures to identify, report and prioritize the remediation of
vulnerabilities, in order to protect systems against vulnerability exploitation.
Review and update the policies and procedures at least annually. |
|
2 |
| CSA_v4.0.12 |
TVM_09 |
CSA_v4.0.12_TVM_09 |
CSA Cloud Controls Matrix v4.0.12 TVM 09 |
Threat & Vulnerability Management |
Vulnerability Management Reporting |
Shared |
n/a |
Define and implement a process for tracking and reporting vulnerability
identification and remediation activities that includes stakeholder notification. |
|
2 |
| CSA_v4.0.12 |
UEM_05 |
CSA_v4.0.12_UEM_05 |
CSA Cloud Controls Matrix v4.0.12 UEM 05 |
Universal Endpoint Management |
Endpoint Management |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to enforce policies and controls for all endpoints permitted to access
systems and/or store, transmit, or process organizational data. |
|
10 |
| Cyber_Essentials_v3.1 |
1 |
Cyber_Essentials_v3.1_1 |
Cyber Essentials v3.1 1 |
Cyber Essentials |
Firewalls |
Shared |
n/a |
Aim: to make sure that only secure and necessary network services can be accessed from the internet. |
|
37 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_11 |
EU_2555_(NIS2)_2022_11 |
EU 2022/2555 (NIS2) 2022 11 |
|
Requirements, technical capabilities and tasks of CSIRTs |
Shared |
n/a |
Outlines the requirements, technical capabilities, and tasks of CSIRTs. |
|
68 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_12 |
EU_2555_(NIS2)_2022_12 |
EU 2022/2555 (NIS2) 2022 12 |
|
Coordinated vulnerability disclosure and a European vulnerability database |
Shared |
n/a |
Establishes a coordinated vulnerability disclosure process and a European vulnerability database. |
|
66 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
193 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_29 |
EU_2555_(NIS2)_2022_29 |
EU 2022/2555 (NIS2) 2022 29 |
|
Cybersecurity information-sharing arrangements |
Shared |
n/a |
Allows entities to exchange relevant cybersecurity information on a voluntary basis. |
|
66 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_7 |
EU_2555_(NIS2)_2022_7 |
EU 2022/2555 (NIS2) 2022 7 |
|
National cybersecurity strategy |
Shared |
n/a |
Requires Member States to adopt a national cybersecurity strategy. |
|
16 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.1 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 |
Policy and Implementation - Systems And Communications Protection |
Systems And Communications Protection |
Shared |
In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. |
Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. |
|
110 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.11 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 |
Policy and Implementation - Formal Audits |
Policy Area 11: Formal Audits |
Shared |
Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. |
Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. |
|
64 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.7 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 |
404 not found |
|
|
|
n/a |
n/a |
|
95 |
| FedRAMP_High_R4 |
CM-6 |
FedRAMP_High_R4_CM-6 |
FedRAMP High CM-6 |
Configuration Management |
Configuration Settings |
Shared |
n/a |
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
Supplemental Guidance: Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security- related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown
and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4.
References: OMB Memoranda 07-11, 07-18, 08-22; NIST Special Publications 800-70, 800-128; Web: http://nvd.nist.gov, http://checklists.nist.gov, http://www.nsa.gov. |
link |
23 |
| FedRAMP_Moderate_R4 |
CM-6 |
FedRAMP_Moderate_R4_CM-6 |
FedRAMP Moderate CM-6 |
Configuration Management |
Configuration Settings |
Shared |
n/a |
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
Supplemental Guidance: Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security- related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown
and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4.
References: OMB Memoranda 07-11, 07-18, 08-22; NIST Special Publications 800-70, 800-128; Web: http://nvd.nist.gov, http://checklists.nist.gov, http://www.nsa.gov. |
link |
23 |
| FFIEC_CAT_2017 |
3.2.3 |
FFIEC_CAT_2017_3.2.3 |
FFIEC CAT 2017 3.2.3 |
Cybersecurity Controls |
Event Detection |
Shared |
n/a |
- A normal network activity baseline is established.
- Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks.
- Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software.
- Responsibilities for monitoring and reporting suspicious systems activity have been assigned.
- The physical environment is monitored to detect potential unauthorized access. |
|
34 |
| ISO_IEC_27002_2022 |
5.14 |
ISO_IEC_27002_2022_5.14 |
ISO IEC 27002 2022 5.14 |
Protection,
Preventive Control |
Information transfer |
Shared |
To maintain the security of information transferred within an organization and with any external interested party. |
Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. |
|
46 |
| New_Zealand_ISM |
14.1.9.C.01 |
New_Zealand_ISM_14.1.9.C.01 |
New_Zealand_ISM_14.1.9.C.01 |
14. Software security |
14.1.9.C.01 Maintaining hardened SOEs |
|
n/a |
Agencies MUST ensure that for all servers and workstations: a technical specification is agreed for each platform with specified controls; a standard configuration created and updated for each operating system type and version; system users do not have the ability to install or disable software without approval; and installed software and operating system patching is up to date. |
|
16 |
| NIST_CSF_v2.0 |
ID.AM_01 |
NIST_CSF_v2.0_ID.AM_01 |
NIST CSF v2.0 ID.AM 01 |
IDENTIFY - Asset Management |
Inventories of hardware managed by the organization are maintained. |
Shared |
n/a |
To ensure that cybersecurity risks are known to the organization. |
|
1 |
| NIST_CSF_v2.0 |
ID.RA_07 |
NIST_CSF_v2.0_ID.RA_07 |
NIST CSF v2.0 ID.RA 07 |
IDENTIFY -Risk Assessment |
Changes and exceptions are managed, assessed for risk impact, recorded, and tracked. |
Shared |
n/a |
To ensure that cybersecurity risks are known to the organization. |
|
4 |
| NIST_SP_800-171_R2_3 |
.4.1 |
NIST_SP_800-171_R2_3.4.1 |
NIST SP 800-171 R2 3.4.1 |
Configuration Management |
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration. Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. [SP 800-128] provides guidance on security-focused configuration management. |
link |
31 |
| NIST_SP_800-171_R2_3 |
.4.2 |
NIST_SP_800-171_R2_3.4.2 |
NIST SP 800-171 R2 3.4.2 |
Configuration Management |
Establish and enforce security configuration settings for information technology products employed in organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. [SP 800-70] and [SP 800-128] provide guidance on security configuration settings. |
link |
25 |
| NIST_SP_800-171_R3_3 |
.1.12 |
NIST_SP_800-171_R3_3.1.12 |
NIST 800-171 R3 3.1.12 |
Access Control |
Remote Access |
Shared |
Remote access to the system represents a significant potential vulnerability that can be exploited by adversaries. Monitoring and controlling remote access methods allows organizations to detect attacks and ensure compliance with remote access policies. This occurs by auditing the connection activities of remote users on the systems. Routing remote access through manaccess control points enhances explicit control over such connections and reduces susceptibility to unauthorized access to the system, which could result in the unauthorized disclosure of CUI. Restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and its susceptibility to threats by adversaries. A privileged command is a human-initiated command executed on a system that involves the control, monitoring, or administration of the system, including security functions and security-relevant information. Security-relevant information is information that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling access from remote locations helps to ensure that unauthorized individuals are unable to execute such commands with the potential to do serious or catastrophic damage to the system. |
a. Establish usage restrictions, configuration requirements, and connection requirements for each type of allowable remote system access.
b. Authorize each type of remote system access prior to establishing such connections.
c. Route remote access to the system through authorized and managed access control points.
d. Authorize remote execution of privileged commands and remote access to security-relevant information. |
|
15 |
| NIST_SP_800-171_R3_3 |
.1.18 |
NIST_SP_800-171_R3_3.1.18 |
NIST 800-171 R3 3.1.18 |
Access Control |
Access Control for Mobile Devices |
Shared |
A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable, or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, smart watches, and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of mobile devices may be comparable to or a subset of notebook or desktop systems, depending on the nature and intended purpose of the device. The protection and control of mobile devices is behavior- or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which the organization provides physical or procedural controls to meet the requirements established for protecting CUI.
Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions, configuration requirements, and connection requirements for mobile devices include configuration management, device identification and authentication, implementing mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices. Container-based encryption provides a fine-grained approach to the encryption of data and information, including encrypting selected data structures (e.g., files, records, or fields). |
a. Establish usage restrictions, configuration requirements, and connection requirements for mobile devices.
b. Authorize the connection of mobile devices to the system.
c. Implement full-device or container-based encryption to protect the confidentiality of CUI on mobile devices. |
|
28 |
| NIST_SP_800-171_R3_3 |
.1.3 |
NIST_SP_800-171_R3_3.1.3 |
NIST 800-171 R3 3.1.3 |
Access Control |
Information Flow Enforcement |
Shared |
Information flow control regulates where CUI can transit within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include keeping CUI from being transmitted in the clear to the internet, blocking outside traffic that claims to be from within the organization, restricting requests to the internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content.
Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of CUI between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., encrypted tunnels, routers, gateways, and firewalls) that use rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also
consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and
software components) that are critical to information flow enforcement.
Transferring information between systems that represent different security domains with different security policies introduces the risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes prohibiting information transfers between interconnected systems (i.e., allowing information access only), employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. |
Enforce approved authorizations for controlling the flow of CUI within the system and between connected systems. |
|
46 |
| NIST_SP_800-171_R3_3 |
.13.9 |
NIST_SP_800-171_R3_3.13.9 |
NIST 800-171 R3 3.13.9 |
System and Communications Protection Control |
Network Disconnect |
Shared |
This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes deallocating TCP/IP addresses or port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single network connection. Time periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses. |
Terminate network connections associated with communications sessions at the end of the sessions or after periods of inactivity. |
|
27 |
| NIST_SP_800-171_R3_3 |
.4.6 |
NIST_SP_800-171_R3_3.4.6 |
404 not found |
|
|
|
n/a |
n/a |
|
24 |
| NIST_SP_800-53_R4 |
CM-6 |
NIST_SP_800-53_R4_CM-6 |
NIST SP 800-53 Rev. 4 CM-6 |
Configuration Management |
Configuration Settings |
Shared |
n/a |
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
Supplemental Guidance: Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security- related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown
and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4.
References: OMB Memoranda 07-11, 07-18, 08-22; NIST Special Publications 800-70, 800-128; Web: http://nvd.nist.gov, http://checklists.nist.gov, http://www.nsa.gov. |
link |
23 |
| NIST_SP_800-53_R5.1.1 |
CM.3.8 |
NIST_SP_800-53_R5.1.1_CM.3.8 |
NIST SP 800-53 R5.1.1 CM.3.8 |
Configuration Management Control |
Configuration Change Control | Prevent or Restrict Configuration Changes |
Shared |
Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances]. |
System configuration changes can adversely affect critical system security and privacy functionality. Change restrictions can be enforced through automated mechanisms. |
|
1 |
| NIST_SP_800-53_R5.1.1 |
CM.7.9 |
NIST_SP_800-53_R5.1.1_CM.7.9 |
NIST SP 800-53 R5.1.1 CM.7.9 |
Configuration Management Control |
Least Functionality | Prohibiting The Use of Unauthorized Hardware |
Shared |
(a) Identify [Assignment: organization-defined hardware components authorized for system use];
(b) Prohibit the use or connection of unauthorized hardware components;
(c) Review and update the list of authorized hardware components [Assignment: organization-defined frequency]. |
Hardware components provide the foundation for organizational systems and the platform for the execution of authorized software programs. Managing the inventory of hardware components and controlling which hardware components are permitted to be installed or connected to organizational systems is essential in order to provide adequate security. |
|
1 |
| NIST_SP_800-53_R5.1.1 |
RA.5.3 |
NIST_SP_800-53_R5.1.1_RA.5.3 |
NIST SP 800-53 R5.1.1 RA.5.3 |
Risk Assessment Control |
Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage |
Shared |
Define the breadth and depth of vulnerability scanning coverage. |
The breadth of vulnerability scanning coverage can be expressed as a percentage of components within the system, by the particular types of systems, by the criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the depth of vulnerability scanning coverage can be expressed as the level of the system design that the organization intends to monitor (e.g., component, module, subsystem, element). Organizations can determine the sufficiency of vulnerability scanning coverage with regard to its risk tolerance and other factors. Scanning tools and how the tools are configured may affect the depth and coverage. Multiple scanning tools may be needed to achieve the desired depth and coverage. [SP 800-53A] provides additional information on the breadth and depth of coverage. |
|
2 |
| NIST_SP_800-53_R5.1.1 |
SA.10.1 |
NIST_SP_800-53_R5.1.1_SA.10.1 |
NIST SP 800-53 R5.1.1 SA.10.1 |
System and Services Acquisition Control |
Developer Configuration Management | Software and Firmware Integrity Verification |
Shared |
Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components. |
Software and firmware integrity verification allows organizations to detect unauthorized changes to software and firmware components using developer-provided tools, techniques, and mechanisms. The integrity checking mechanisms can also address counterfeiting of software and firmware components. Organizations verify the integrity of software and firmware components, for example, through secure one-way hashes provided by developers. Delivered software and firmware components also include any updates to such components. |
|
1 |
| NIST_SP_800-53_R5.1.1 |
SC.7.4 |
NIST_SP_800-53_R5.1.1_SC.7.4 |
NIST SP 800-53 R5.1.1 SC.7.4 |
System and Communications Protection |
Boundary Protection | External Telecommunications Services |
Shared |
(a) Implement a managed interface for each external telecommunication service;
(b) Establish a traffic flow policy for each managed interface;
(c) Protect the confidentiality and integrity of the information being transmitted across each interface;
(d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;
(e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need;
(f) Prevent unauthorized exchange of control plane traffic with external networks;
(g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and
(h) Filter unauthorized control plane traffic from external networks. |
External telecommunications services can provide data and/or voice communications services. Examples of control plane traffic include routing, Domain Name System (DNS), and management. Unauthorized control plane traffic can occur through a technique known as “spoofing.” |
|
1 |
| NIST_SP_800-53_R5 |
CM-6 |
NIST_SP_800-53_R5_CM-6 |
NIST SP 800-53 Rev. 5 CM-6 |
Configuration Management |
Configuration Settings |
Shared |
n/a |
a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];
b. Implement the configuration settings;
c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. |
link |
23 |
| NZ_ISM_v3.5 |
SS-3 |
NZ_ISM_v3.5_SS-3 |
NZISM Security Benchmark SS-3 |
Software security |
14.1.9 Maintaining hardened SOEs |
Customer |
n/a |
Whilst a SOE can be sufficiently hardened when it is deployed, its security will progressively degrade over time. Agencies can address the degradation of the security of a SOE by ensuring that patches are continually applied, system users are not able to disable or bypass security functionality and antivirus and other security software is appropriately maintained with the latest signatures and updates.
End Point Agents monitor traffic and apply security policies on applications, storage interfaces and data in real-time. Administrators actively block or monitor and log policy breaches. The End Point Agent can also create forensic monitoring to facilitate incident investigation.
End Point Agents can monitor user activity, such as the cut, copy, paste, print, print screen operations and copying data to external drives and other devices. The Agent can then apply policies to limit such activity. |
link |
15 |
| NZISM_v3.7 |
16.3.5.C.01. |
NZISM_v3.7_16.3.5.C.01. |
NZISM v3.7 16.3.5.C.01. |
Privileged User Access |
16.3.5.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies MUST:
1. ensure strong change management practices are implemented;
2. ensure that the use of privileged accounts is controlled and accountable;
3. ensure that system administrators are assigned and consistently use, an individual account for the performance of their administration tasks;
4. keep privileged accounts to a minimum; and
5. allow the use of privileged accounts for administrative work only. |
|
5 |
| NZISM_v3.7 |
16.3.5.C.02. |
NZISM_v3.7_16.3.5.C.02. |
NZISM v3.7 16.3.5.C.02. |
Privileged User Access |
16.3.5.C.02. - enhance overall security posture. |
Shared |
n/a |
Agencies SHOULD:
1. ensure strong change management practices are implemented;
2. ensure that the use of privileged accounts is controlled and accountable;
3. ensure that system administrators are assigned an individual account for the performance of their administration tasks;
4. keep privileged accounts to a minimum; and
5. allow the use of privileged accounts for administrative work only. |
|
5 |
| NZISM_v3.7 |
17.8.10.C.01. |
NZISM_v3.7_17.8.10.C.01. |
NZISM v3.7 17.8.10.C.01. |
Internet Protocol Security (IPSec) |
17.8.10.C.01. - enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies SHOULD use tunnel mode for IPSec connections. |
|
22 |
| NZISM_v3.7 |
17.8.10.C.02. |
NZISM_v3.7_17.8.10.C.02. |
NZISM v3.7 17.8.10.C.02. |
Internet Protocol Security (IPSec) |
17.8.10.C.02. - enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies choosing to use transport mode SHOULD additionally use an IP tunnel for IPSec connections. |
|
35 |
| NZISM_v3.7 |
19.1.22.C.02. |
NZISM_v3.7_19.1.22.C.02. |
NZISM v3.7 19.1.22.C.02. |
Gateways |
19.1.22.C.02. - ensure transparency, accountability, and adherence to established procedures for maintaining network security and integrity.
|
Shared |
n/a |
Agencies MUST document any changes to gateways in accordance with the agency's Change Management Policy. |
|
5 |
| NZISM_v3.7 |
2.1.49.C.01. |
NZISM_v3.7_2.1.49.C.01. |
NZISM v3.7 2.1.49.C.01. |
Overview of Key Agencies |
2.1.49.C.01. - facilitate collaboration and access to resources for effective security management and response. |
Shared |
n/a |
Security personnel MUST familiarise themselves with the information security roles and services provided by New Zealand Government organisations. |
|
4 |
| NZISM_v3.7 |
3.3.13.C.01. |
NZISM_v3.7_3.3.13.C.01. |
NZISM v3.7 3.3.13.C.01. |
Information Technology Security Managers |
3.3.13.C.01. - foster a culture of security awareness and equipping personnel with the knowledge and skills to effectively mitigate security risks. |
Shared |
n/a |
ITSMs SHOULD provide or arrange for the provision of information security awareness and training for all agency personnel. |
|
4 |
| NZISM_v3.7 |
3.3.6.C.05. |
NZISM_v3.7_3.3.6.C.05. |
NZISM v3.7 3.3.6.C.05. |
Information Technology Security Managers |
3.3.6.C.05. - enhance the integrity and security of agency IT operations. |
Shared |
n/a |
ITSMs SHOULD be included in the agency's change management and change control processes to ensure that risks are properly identified and controls are properly applied to manage those risks. |
|
5 |
| NZISM_v3.7 |
5.1.12.C.02. |
NZISM_v3.7_5.1.12.C.02. |
NZISM v3.7 5.1.12.C.02. |
Documentation Fundamentals |
5.1.12.C.02. - enhance the agency's ability to mitigate risks and minimize disruptions to operations. |
Shared |
n/a |
Agency personnel MUST be trained in and periodically exercise the Incident Response Plan. |
|
4 |
| NZISM_v3.7 |
5.7.4.C.01. |
NZISM_v3.7_5.7.4.C.01. |
NZISM v3.7 5.7.4.C.01. |
Emergency Procedures |
5.7.4.C.01. - ensure the protection of classified information and systems. |
Shared |
n/a |
Agencies MUST include in procedures for personnel evacuating a facility the requirement to secure classified information and systems prior to the evacuation. |
|
4 |
| NZISM_v3.7 |
6.3.6.C.01. |
NZISM_v3.7_6.3.6.C.01. |
NZISM v3.7 6.3.6.C.01. |
Change Management |
6.3.6.C.01. - maintain the integrity and security of systems. |
Shared |
n/a |
Agencies MUST ensure that for routine and urgent changes:
1. the change management process, as defined in the relevant information security documentation, is followed;
2. the proposed change is approved by the relevant authority;
3. any proposed change that could impact the security or accreditation status of a system is submitted to the Accreditation Authority for approval; and
4. all associated information security documentation is updated to reflect the change. |
|
5 |
| NZISM_v3.7 |
6.3.6.C.02. |
NZISM_v3.7_6.3.6.C.02. |
NZISM v3.7 6.3.6.C.02. |
Change Management |
6.3.6.C.02. - maintain operational integrity and security posture. |
Shared |
n/a |
Agencies SHOULD ensure that for routine and urgent changes:
1. the change management process, as defined in the relevant information security documentation, is followed;
2. the proposed change is approved by the relevant authority;
3. any proposed change that could impact the security of a system or accreditation status is submitted to the Accreditation Authority for approval; and
4. all associated information security documentation is updated to reflect the change. |
|
5 |
| NZISM_v3.7 |
6.3.7.C.01. |
NZISM_v3.7_6.3.7.C.01. |
NZISM v3.7 6.3.7.C.01. |
Change Management |
6.3.7.C.01. - foster systematic and responsive management of critical alterations. |
Shared |
n/a |
An agency's change management process MUST define appropriate actions to be followed before and after urgent changes are implemented. |
|
4 |
| NZISM_v3.7 |
6.3.7.C.02. |
NZISM_v3.7_6.3.7.C.02. |
NZISM v3.7 6.3.7.C.02. |
Change Management |
6.3.7.C.02. - facilitate structured management of critical alterations. |
Shared |
n/a |
An agency's change management process SHOULD define appropriate actions to be followed before and after urgent changes are implemented. |
|
4 |
| NZISM_v3.7 |
6.3.7.C.03. |
NZISM_v3.7_6.3.7.C.03. |
NZISM v3.7 6.3.7.C.03. |
Change Management |
6.3.7.C.03. - ensure systematic and effective management of changes. |
Shared |
n/a |
Agencies SHOULD follow this change management process outline:
1. produce a written change request;
2. submit the change request to all stakeholders for approval;
3. document the changes to be implemented;
4. test the approved changes;
5. notification to user of the change schedule and likely effect or outage;
6. implement the approved changes after successful testing;
7. update the relevant information security documentation including the SRMP, SSP and SOPs
8. notify and educate system users of the changes that have been implemented as close as possible to the time the change is applied; and
9. continually educate system users in regards to changes. |
|
4 |
| NZISM_v3.7 |
9.1.4.C.01. |
NZISM_v3.7_9.1.4.C.01. |
NZISM v3.7 9.1.4.C.01. |
Information Security Awareness and Training |
9.1.4.C.01. - enhance the capability to safeguard sensitive information and mitigate security risks effectively. |
Shared |
n/a |
Agency management MUST ensure that all personnel who have access to a system have sufficient training and ongoing information security awareness. |
|
4 |
| PCI_DSS_v4.0.1 |
1.4.1 |
PCI_DSS_v4.0.1_1.4.1 |
PCI DSS v4.0.1 1.4.1 |
Install and Maintain Network Security Controls |
NSCs are implemented between trusted and untrusted networks |
Shared |
n/a |
Examine configuration standards and network diagrams to verify that NSCs are defined between trusted and untrusted networks. Examine network configurations to verify that NSCs are in place between trusted and untrusted networks, in accordance with the documented configuration standards and network diagrams |
|
2 |
| PCI_DSS_v4.0.1 |
10.3.4 |
PCI_DSS_v4.0.1_10.3.4 |
PCI DSS v4.0.1 10.3.4 |
Log and Monitor All Access to System Components and Cardholder Data |
Log Integrity Monitoring |
Shared |
n/a |
File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts. |
|
28 |
| PCI_DSS_v4.0.1 |
11.5.1 |
PCI_DSS_v4.0.1_11.5.1 |
PCI DSS v4.0.1 11.5.1 |
Test Security of Systems and Networks Regularly |
Intrusion Detection/Prevention |
Shared |
n/a |
Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network as follows:
• All traffic is monitored at the perimeter of the CDE.
• All traffic is monitored at critical points in the CDE.
• Personnel are alerted to suspected compromises.
• All intrusion-detection and prevention engines, baselines, and signatures are kept up to date |
|
23 |
| PCI_DSS_v4.0.1 |
11.5.2 |
PCI_DSS_v4.0.1_11.5.2 |
PCI DSS v4.0.1 11.5.2 |
Test Security of Systems and Networks Regularly |
Change-Detection Mechanism Deployment |
Shared |
n/a |
A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows:
• To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files.
• To perform critical file comparisons at least once weekly. |
|
31 |
| PCI_DSS_v4.0.1 |
12.4.2 |
PCI_DSS_v4.0.1_12.4.2 |
PCI DSS v4.0.1 12.4.2 |
Support Information Security with Organizational Policies and Programs |
Quarterly Task Performance Reviews |
Shared |
n/a |
Additional requirement for service providers only: Reviews are performed at least once every three months to confirm that personnel are performing their tasks in accordance with all security policies and operational procedures. Reviews are performed by personnel other than those responsible for performing the given task and include, but are not limited to, the following tasks:
• Daily log reviews.
• Configuration reviews for network security controls.
• Applying configuration standards to new systems.
• Responding to security alerts.
• Change-management processes |
|
2 |
| PCI_DSS_v4.0.1 |
2.2.4 |
PCI_DSS_v4.0.1_2.2.4 |
PCI DSS v4.0.1 2.2.4 |
Apply Secure Configurations to All System Components |
Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled |
Shared |
n/a |
Examine system configuration standards to verify necessary services, protocols, daemons, and functions are identified and documented. Examine system configurations to verify the following: All unnecessary functionality is removed or disabled. Only required functionality, as documented in the configuration standards, is enabled |
|
25 |
| SOC_2 |
CC6.8 |
SOC_2_CC6.8 |
SOC 2 Type 2 CC6.8 |
Logical and Physical Access Controls |
Prevent or detect against unauthorized or malicious software |
Shared |
The customer is responsible for implementing this recommendation. |
Restricts Application and Software Installation — The ability to install applications
and software is restricted to authorized individuals.
• Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that
may be indicative of unauthorized or malicious software.
• Uses a Defined Change Control Process — A management-defined change control
process is used for the implementation of software.
• Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software
is implemented and maintained to provide for the interception or detection and remediation of malware.
• Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been
transferred or returned to the entity’s custody for malware and other unauthorized
software and to remove any items detected prior to its implementation on the network. |
|
47 |
| SOC_2 |
CC8.1 |
SOC_2_CC8.1 |
SOC 2 Type 2 CC8.1 |
Change Management |
Changes to infrastructure, data, and software |
Shared |
The customer is responsible for implementing this recommendation. |
Manages Changes Throughout the System Life Cycle — A process for managing
system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and
processing integrity.
• Authorizes Changes — A process is in place to authorize system changes prior to
development.
• Designs and Develops Changes — A process is in place to design and develop system changes.
• Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing
their responsibilities.
• Tracks System Changes — A process is in place to track system changes prior to
implementation.
• Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software.
• Tests System Changes — A process is in place to test system changes prior to implementation.
• Approves System Changes — A process is in place to approve system changes prior
to implementation.
• Deploys System Changes — A process is in place to implement system changes.
• Identifies and Evaluates System Changes — Objectives affected by system changes
are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle.
• Identifies Changes in Infrastructure, Data, Software, and Procedures Required to
Remediate Incidents — Changes in infrastructure, data, software, and procedures
required to remediate incidents to continue to meet objectives are identified and the
change process is initiated upon identification.
• Creates Baseline Configuration of IT Technology — A baseline configuration of IT
and control systems is created and maintained.
• Provides for Changes Necessary in Emergency Situations — A process is in place
for authorizing, designing, testing, approving, and implementing changes necessary
in emergency situations (that is, changes that need to be implemented in an urgent
time frame).
Additional points of focus that apply only in an engagement using the trust services criteria for
confidentiality:
• Protects Confidential Information — The entity protects confidential information
during system design, development, testing, implementation, and change processes
to meet the entity’s objectives related to confidentiality.
Additional points of focus that apply only in an engagement using the trust services criteria for
privacy:
• Protects Personal Information — The entity protects personal information during
system design, development, testing, implementation, and change processes to meet
the entity’s objectives related to privacy. |
|
52 |
| SOC_2023 |
A1.1 |
SOC_2023_A1.1 |
SOC 2023 A1.1 |
Additional Criteria for Availability |
Effectively manage capacity demand and facilitate the implementation of additional capacity as needed. |
Shared |
n/a |
The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. |
|
111 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
218 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
229 |
| SOC_2023 |
CC6.1 |
SOC_2023_CC6.1 |
SOC 2023 CC6.1 |
Logical and Physical Access Controls |
Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. |
Shared |
n/a |
Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. |
|
128 |
| SOC_2023 |
CC6.7 |
SOC_2023_CC6.7 |
404 not found |
|
|
|
n/a |
n/a |
|
52 |
| SOC_2023 |
CC7.2 |
SOC_2023_CC7.2 |
SOC 2023 CC7.2 |
Systems Operations |
Maintain robust security measures and ensure operational resilience. |
Shared |
n/a |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. |
|
167 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
213 |
| SOC_2023 |
CC8.1 |
SOC_2023_CC8.1 |
SOC 2023 CC8.1 |
Change Management |
Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. |
Shared |
n/a |
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. |
|
147 |
| SWIFT_CSCF_2024 |
1.1 |
SWIFT_CSCF_2024_1.1 |
SWIFT Customer Security Controls Framework 2024 1.1 |
Physical and Environmental Security |
Swift Environment Protection |
Shared |
1. Segmentation between the user's Swift infrastructure and the larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve a compromise of the general enterprise IT environment.
2. Effective segmentation includes network-level separation, access restrictions, and connectivity restrictions. |
To ensure the protection of the user’s Swift infrastructure from potentially compromised elements of the general IT environment and external environment. |
|
69 |
| SWIFT_CSCF_2024 |
1.5 |
SWIFT_CSCF_2024_1.5 |
SWIFT Customer Security Controls Framework 2024 1.5 |
Physical and Environmental Security |
Customer Environment Protection |
Shared |
1. Segmentation between the customer’s connectivity infrastructure and its larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve compromise of the general enterprise IT environment.
2. Effective segmentation will include network-level separation, access restrictions, and connectivity restrictions. |
To ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. |
|
57 |
| SWIFT_CSCF_2024 |
2.7 |
SWIFT_CSCF_2024_2.7 |
SWIFT Customer Security Controls Framework 2024 2.7 |
Risk Management |
Vulnerability Scanning |
Shared |
1. The detection of known vulnerabilities allows vulnerabilities to be analysed, treated, and mitigated. The mitigation of vulnerabilities reduces the number of pathways that a malicious actor can use during an attack.
2. A vulnerability scanning process that is comprehensive, repeatable, and performed in a timely manner is necessary to continuously detect known vulnerabilities and to allow for further action. |
To identify known vulnerabilities within the user’s Swift environment by implementing a regular vulnerability scanning process and act upon results. |
|
16 |
| SWIFT_CSCF_2024 |
9.1 |
SWIFT_CSCF_2024_9.1 |
404 not found |
|
|
|
n/a |
n/a |
|
57 |
| UK_NCSC_CAF_v3.2 |
B4 |
UK_NCSC_CAF_v3.2_B4 |
404 not found |
|
|
|
n/a |
n/a |
|
2 |