| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| CIS_Azure_1.1.0 |
3.2 |
CIS_Azure_1.1.0_3.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.2 |
3 Storage Accounts |
Ensure that storage account access keys are periodically regenerated |
Shared |
The customer is responsible for implementing this recommendation. |
Regenerate storage account access keys periodically. |
link |
7 |
| CIS_Azure_1.1.0 |
8.1 |
CIS_Azure_1.1.0_8.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.1 |
8 Other Security Considerations |
Ensure that the expiration date is set on all keys |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that all keys in Azure Key Vault have an expiration time set. |
link |
8 |
| CIS_Azure_1.1.0 |
8.2 |
CIS_Azure_1.1.0_8.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.2 |
8 Other Security Considerations |
Ensure that the expiration date is set on all Secrets |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that all Secrets in the Azure Key Vault have an expiration time set. |
link |
8 |
| CIS_Azure_1.3.0 |
3.2 |
CIS_Azure_1.3.0_3.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.2 |
3 Storage Accounts |
Ensure that storage account access keys are periodically regenerated |
Shared |
The customer is responsible for implementing this recommendation. |
Regenerate storage account access keys periodically. |
link |
7 |
| CIS_Azure_1.3.0 |
8.1 |
CIS_Azure_1.3.0_8.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.1 |
8 Other Security Considerations |
Ensure that the expiration date is set on all keys |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that all keys in Azure Key Vault have an expiration time set. |
link |
8 |
| CIS_Azure_1.3.0 |
8.2 |
CIS_Azure_1.3.0_8.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.2 |
8 Other Security Considerations |
Ensure that the expiration date is set on all Secrets |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that all Secrets in the Azure Key Vault have an expiration time set. |
link |
8 |
| CIS_Azure_1.3.0 |
9.11 |
CIS_Azure_1.3.0_9.11 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.11 |
9 AppService |
Ensure Azure Keyvaults are used to store secrets |
Shared |
The customer is responsible for implementing this recommendation. |
Encryption keys ,Certificate thumbprints and Managed Identity Credentials can be coded into the APP service, this renders them visible as part of the configuration, to maintain security of these keys it is better to store in an Azure Keyvault and reference them from the Keyvault. |
link |
9 |
| CIS_Azure_1.4.0 |
3.2 |
CIS_Azure_1.4.0_3.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.2 |
3 Storage Accounts |
Ensure That Storage Account Access Keys are Periodically Regenerated |
Shared |
The customer is responsible for implementing this recommendation. |
Regenerate storage account access keys periodically. |
link |
7 |
| CIS_Azure_1.4.0 |
8.1 |
CIS_Azure_1.4.0_8.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.1 |
8 Other Security Considerations |
Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. |
link |
8 |
| CIS_Azure_1.4.0 |
8.2 |
CIS_Azure_1.4.0_8.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.2 |
8 Other Security Considerations |
Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. |
link |
8 |
| CIS_Azure_1.4.0 |
8.3 |
CIS_Azure_1.4.0_8.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.3 |
8 Other Security Considerations |
Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. |
link |
8 |
| CIS_Azure_1.4.0 |
8.4 |
CIS_Azure_1.4.0_8.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.4 |
8 Other Security Considerations |
Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. |
link |
8 |
| CIS_Azure_1.4.0 |
9.11 |
CIS_Azure_1.4.0_9.11 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.11 |
9 AppService |
Ensure Azure Keyvaults are Used to Store Secrets |
Shared |
The customer is responsible for implementing this recommendation. |
Encryption keys ,Certificate thumbprints and Managed Identity Credentials can be coded into the APP service, this renders them visible as part of the configuration, to maintain security of these keys it is better to store in an Azure Keyvault and reference them from the Keyvault. |
link |
9 |
| FedRAMP_High_R4 |
PE-3 |
FedRAMP_High_R4_PE-3 |
FedRAMP High PE-3 |
Physical And Environmental Protection |
Physical Access Control |
Shared |
n/a |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3.
Supplemental Guidance: Related controls: CA-2, CA-7. |
link |
4 |
| FedRAMP_High_R4 |
SC-12 |
FedRAMP_High_R4_SC-12 |
FedRAMP High SC-12 |
System And Communications Protection |
Cryptographic Key Establishment And Management |
Shared |
n/a |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17.
References: NIST Special Publications 800-56, 800-57. |
link |
40 |
| FedRAMP_Moderate_R4 |
PE-3 |
FedRAMP_Moderate_R4_PE-3 |
FedRAMP Moderate PE-3 |
Physical And Environmental Protection |
Physical Access Control |
Shared |
n/a |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3.
Supplemental Guidance: Related controls: CA-2, CA-7. |
link |
4 |
| FedRAMP_Moderate_R4 |
SC-12 |
FedRAMP_Moderate_R4_SC-12 |
FedRAMP Moderate SC-12 |
System And Communications Protection |
Cryptographic Key Establishment And Management |
Shared |
n/a |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17.
References: NIST Special Publications 800-56, 800-57. |
link |
40 |
| hipaa |
0314.09q3Organizational.2-09.q |
hipaa-0314.09q3Organizational.2-09.q |
0314.09q3Organizational.2-09.q |
03 Portable Media Security |
0314.09q3Organizational.2-09.q 09.07 Media Handling |
Shared |
n/a |
The organization implements cryptographic mechanisms to protect the confidentiality and integrity of sensitive (non-public) information stored on digital media during transport outside of controlled areas. |
|
9 |
| hipaa |
0904.10f2Organizational.1-10.f |
hipaa-0904.10f2Organizational.1-10.f |
0904.10f2Organizational.1-10.f |
09 Transmission Protection |
0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls |
Shared |
n/a |
Key management is implemented based on specific roles and responsibilities, and in consideration of national and international regulations, restrictions, and issues. |
|
10 |
| hipaa |
1192.01l1Organizational.1-01.l |
hipaa-1192.01l1Organizational.1-01.l |
1192.01l1Organizational.1-01.l |
11 Access Control |
1192.01l1Organizational.1-01.l 01.04 Network Access Control |
Shared |
n/a |
Access to network equipment is physically protected. |
|
5 |
| hipaa |
1193.01l2Organizational.13-01.l |
hipaa-1193.01l2Organizational.13-01.l |
1193.01l2Organizational.13-01.l |
11 Access Control |
1193.01l2Organizational.13-01.l 01.04 Network Access Control |
Shared |
n/a |
Controls for the access to diagnostic and configuration ports include the use of a key lock and the implementation of supporting procedures to control physical access to the port. |
|
5 |
| hipaa |
1808.08b2Organizational.7-08.b |
hipaa-1808.08b2Organizational.7-08.b |
1808.08b2Organizational.7-08.b |
18 Physical & Environmental Security |
1808.08b2Organizational.7-08.b 08.01 Secure Areas |
Shared |
n/a |
Physical access rights are reviewed every 90 days and updated accordingly. |
|
7 |
| hipaa |
1811.08b3Organizational.3-08.b |
hipaa-1811.08b3Organizational.3-08.b |
1811.08b3Organizational.3-08.b |
18 Physical & Environmental Security |
1811.08b3Organizational.3-08.b 08.01 Secure Areas |
Shared |
n/a |
Combinations and keys for organization-defined high-risk entry/exit points are changed when lost or stolen or combinations are compromised. |
|
4 |
| hipaa |
1845.08b1Organizational.7-08.b |
hipaa-1845.08b1Organizational.7-08.b |
1845.08b1Organizational.7-08.b |
18 Physical & Environmental Security |
1845.08b1Organizational.7-08.b 08.01 Secure Areas |
Shared |
n/a |
For facilities where the information system resides, the organization enforces physical access authorizations at defined entry/exit points to the facility where the information system resides, maintains physical access audit logs, and provides security safeguards that the organization determines necessary for areas officially designated as publicly accessible. |
|
4 |
| hipaa |
1847.08b2Organizational.910-08.b |
hipaa-1847.08b2Organizational.910-08.b |
1847.08b2Organizational.910-08.b |
18 Physical & Environmental Security |
1847.08b2Organizational.910-08.b 08.01 Secure Areas |
Shared |
n/a |
The organization ensures onsite personnel and visitor identification (e.g., badges) are revoked, updated when access requirements change, or terminated when expired or when access is no longer authorized, and all physical access mechanisms, such as keys, access cards and combinations, are returned, disabled or changed. |
|
2 |
| hipaa |
1848.08b2Organizational.11-08.b |
hipaa-1848.08b2Organizational.11-08.b |
1848.08b2Organizational.11-08.b |
18 Physical & Environmental Security |
1848.08b2Organizational.11-08.b 08.01 Secure Areas |
Shared |
n/a |
A restricted area, security room, or locked room is used to control access to areas containing covered information, and is controlled accordingly. |
|
1 |
| hipaa |
1892.01l1Organizational.1 |
hipaa-1892.01l1Organizational.1 |
1892.01l1Organizational.1 |
18 Physical & Environmental Security |
1892.01l1Organizational.1 01.04 Network Access Control |
Shared |
n/a |
Access to network equipment is physically protected. |
|
2 |
| ISO27001-2013 |
A.10.1.2 |
ISO27001-2013_A.10.1.2 |
ISO 27001:2013 A.10.1.2 |
Cryptography |
Key Management |
Shared |
n/a |
A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. |
link |
15 |
| ISO27001-2013 |
A.11.1.1 |
ISO27001-2013_A.11.1.1 |
ISO 27001:2013 A.11.1.1 |
Physical And Environmental Security |
Physical security perimeter |
Shared |
n/a |
Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. |
link |
8 |
| ISO27001-2013 |
A.11.1.2 |
ISO27001-2013_A.11.1.2 |
ISO 27001:2013 A.11.1.2 |
Physical And Environmental Security |
Physical entry controls |
Shared |
n/a |
Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. |
link |
9 |
| ISO27001-2013 |
A.11.1.3 |
ISO27001-2013_A.11.1.3 |
ISO 27001:2013 A.11.1.3 |
Physical And Environmental Security |
Securing offices, rooms and facilities |
Shared |
n/a |
Physical security for offices, rooms and facilities shall be designed and applied. |
link |
5 |
| NIST_SP_800-171_R2_3 |
.10.5 |
NIST_SP_800-171_R2_3.10.5 |
NIST SP 800-171 R2 3.10.5 |
Physical Protection |
Control and manage physical access devices. |
Shared |
Microsoft is responsible for implementing this requirement. |
Physical access devices include keys, locks, combinations, and card readers. |
link |
4 |
| NIST_SP_800-171_R2_3 |
.13.10 |
NIST_SP_800-171_R2_3.13.10 |
NIST SP 800-171 R2 3.13.10 |
System and Communications Protection |
Establish and manage cryptographic keys for cryptography employed in organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. [SP 800-56A] and [SP 800-57-1] provide guidance on cryptographic key management and key establishment. |
link |
40 |
| NIST_SP_800-53_R4 |
PE-3 |
NIST_SP_800-53_R4_PE-3 |
NIST SP 800-53 Rev. 4 PE-3 |
Physical And Environmental Protection |
Physical Access Control |
Shared |
n/a |
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3.
Supplemental Guidance: Related controls: CA-2, CA-7. |
link |
4 |
| NIST_SP_800-53_R4 |
SC-12 |
NIST_SP_800-53_R4_SC-12 |
NIST SP 800-53 Rev. 4 SC-12 |
System And Communications Protection |
Cryptographic Key Establishment And Management |
Shared |
n/a |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17.
References: NIST Special Publications 800-56, 800-57. |
link |
40 |
| NIST_SP_800-53_R5 |
PE-3 |
NIST_SP_800-53_R5_PE-3 |
NIST SP 800-53 Rev. 5 PE-3 |
Physical and Environmental Protection |
Physical Access Control |
Shared |
n/a |
a. Enforce physical access authorizations at [Assignment: organization-defined entry and exit points to the facility where the system resides] by:
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress and egress to the facility using [Selection (OneOrMore): [Assignment: organization-defined physical access control systems or devices] ;guards] ;
b. Maintain physical access audit logs for [Assignment: organization-defined entry or exit points];
c. Control access to areas within the facility designated as publicly accessible by implementing the following controls: [Assignment: organization-defined physical access controls];
d. Escort visitors and control visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and control of visitor activity];
e. Secure keys, combinations, and other physical access devices;
f. Inventory [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Change combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated. |
link |
4 |
| NIST_SP_800-53_R5 |
SC-12 |
NIST_SP_800-53_R5_SC-12 |
NIST SP 800-53 Rev. 5 SC-12 |
System and Communications Protection |
Cryptographic Key Establishment and Management |
Shared |
n/a |
Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
link |
40 |
| PCI_DSS_v4.0 |
3.6.1 |
PCI_DSS_v4.0_3.6.1 |
PCI DSS v4.0 3.6.1 |
Requirement 03: Protect Stored Account Data |
Cryptographic keys used to protect stored account data are secured |
Shared |
n/a |
Procedures are defined and implemented to protect cryptographic keys used to Protect Stored Account Data against disclosure and misuse that include:
• Access to keys is restricted to the fewest number of custodians necessary.
• Key-encrypting keys are at least as strong as the data-encrypting keys they protect.
• Key-encrypting keys are stored separately from data-encrypting keys.
• Keys are stored securely in the fewest possible locations and forms. |
link |
7 |
| PCI_DSS_v4.0 |
3.6.1.1 |
PCI_DSS_v4.0_3.6.1.1 |
PCI DSS v4.0 3.6.1.1 |
Requirement 03: Protect Stored Account Data |
Cryptographic keys used to protect stored account data are secured |
Shared |
n/a |
A documented description of the cryptographic architecture is maintained that includes:
• Details of all algorithms, protocols, and keys used for the protection of stored account data, including key strength and expiry date.
• Preventing the use of the same cryptographic keys in production and test environments. This bullet is a best practice until its effective date; refer to Applicability Notes below for details.
• Description of the key usage for each key.
• Inventory of any hardware security modules (HSMs), key management systems (KMS), and other secure cryptographic devices (SCDs) used for key management, including type and location of devices, as outlined in Requirement 12.3.4. |
link |
7 |
| PCI_DSS_v4.0 |
3.6.1.2 |
PCI_DSS_v4.0_3.6.1.2 |
PCI DSS v4.0 3.6.1.2 |
Requirement 03: Protect Stored Account Data |
Cryptographic keys used to protect stored account data are secured |
Shared |
n/a |
Secret and private keys used to encrypt/decrypt stored account data are stored in one (or more) of the following forms at all times:
• Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the dataencrypting key.
• Within a secure cryptographic device (SCD), such as a hardware security module (HSM) or PTS-approved point-of-interaction device.
• As at least two full-length key components or key shares, in accordance with an industry-accepted method. |
link |
8 |
| PCI_DSS_v4.0 |
3.6.1.3 |
PCI_DSS_v4.0_3.6.1.3 |
PCI DSS v4.0 3.6.1.3 |
Requirement 03: Protect Stored Account Data |
Cryptographic keys used to protect stored account data are secured |
Shared |
n/a |
Access to cleartext cryptographic key components is restricted to the fewest number of custodians necessary. |
link |
7 |
| PCI_DSS_v4.0 |
3.6.1.4 |
PCI_DSS_v4.0_3.6.1.4 |
PCI DSS v4.0 3.6.1.4 |
Requirement 03: Protect Stored Account Data |
Cryptographic keys used to protect stored account data are secured |
Shared |
n/a |
Cryptographic keys are stored in the fewest possible locations. |
link |
7 |
| PCI_DSS_v4.0 |
3.7.1 |
PCI_DSS_v4.0_3.7.1 |
PCI DSS v4.0 3.7.1 |
Requirement 03: Protect Stored Account Data |
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented |
Shared |
n/a |
Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to Protect Stored Account Data. |
link |
7 |
| PCI_DSS_v4.0 |
3.7.2 |
PCI_DSS_v4.0_3.7.2 |
PCI DSS v4.0 3.7.2 |
Requirement 03: Protect Stored Account Data |
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented |
Shared |
n/a |
Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to Protect Stored Account Data. |
link |
8 |
| PCI_DSS_v4.0 |
3.7.3 |
PCI_DSS_v4.0_3.7.3 |
PCI DSS v4.0 3.7.3 |
Requirement 03: Protect Stored Account Data |
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented |
Shared |
n/a |
Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to Protect Stored Account Data. |
link |
9 |
| PCI_DSS_v4.0 |
3.7.4 |
PCI_DSS_v4.0_3.7.4 |
PCI DSS v4.0 3.7.4 |
Requirement 03: Protect Stored Account Data |
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented |
Shared |
n/a |
Key management policies and procedures are implemented for cryptographic key changes for keys that have reached the end of their cryptoperiod, as defined by the associated application vendor or key owner, and based on industry best practices and guidelines, including the following:
• A defined cryptoperiod for each key type in use.
• A process for key changes at the end of the defined cryptoperiod. |
link |
7 |
| PCI_DSS_v4.0 |
3.7.5 |
PCI_DSS_v4.0_3.7.5 |
PCI DSS v4.0 3.7.5 |
Requirement 03: Protect Stored Account Data |
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented |
Shared |
n/a |
Key management policies procedures are implemented to include the retirement, replacement, or destruction of keys used to Protect Stored Account Data, as deemed necessary when:
• The key has reached the end of its defined cryptoperiod.
• The integrity of the key has been weakened, including when personnel with knowledge of a cleartext key component leaves the company, or the role for which the key component was known.
• When keys are suspected of or known to be compromised.
• Retired or replaced keys are not used for encryption operations. |
link |
7 |
| PCI_DSS_v4.0 |
3.7.6 |
PCI_DSS_v4.0_3.7.6 |
PCI DSS v4.0 3.7.6 |
Requirement 03: Protect Stored Account Data |
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented |
Shared |
n/a |
Where manual cleartext cryptographic keymanagement operations are performed by personnel, key-management policies and procedures are implemented include managing these operations using split knowledge and dual control. |
link |
7 |
| PCI_DSS_v4.0 |
3.7.7 |
PCI_DSS_v4.0_3.7.7 |
PCI DSS v4.0 3.7.7 |
Requirement 03: Protect Stored Account Data |
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented |
Shared |
n/a |
Key management policies and procedures are implemented to include the prevention of unauthorized substitution of cryptographic keys. |
link |
7 |
| PCI_DSS_v4.0 |
3.7.8 |
PCI_DSS_v4.0_3.7.8 |
PCI DSS v4.0 3.7.8 |
Requirement 03: Protect Stored Account Data |
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented |
Shared |
n/a |
Key management policies and procedures are implemented to include that cryptographic key custodians formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities. |
link |
7 |
| PCI_DSS_v4.0 |
3.7.9 |
PCI_DSS_v4.0_3.7.9 |
PCI DSS v4.0 3.7.9 |
Requirement 03: Protect Stored Account Data |
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented |
Shared |
n/a |
Where a service provider shares cryptographic keys with its customers for transmission or storage of account data, guidance on secure transmission, storage and updating of such keys is documented and distributed to the service providers' customers. |
link |
7 |
| PCI_DSS_v4.0 |
4.2.1 |
PCI_DSS_v4.0_4.2.1 |
PCI DSS v4.0 4.2.1 |
Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks |
PAN is protected with strong cryptography during transmission |
Shared |
n/a |
Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks:
• Only trusted keys and certificates are accepted.
• Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details.
• The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.
• The encryption strength is appropriate for the encryption methodology in use. |
link |
12 |
| PCI_DSS_v4.0 |
4.2.1.1 |
PCI_DSS_v4.0_4.2.1.1 |
PCI DSS v4.0 4.2.1.1 |
Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks |
PAN is protected with strong cryptography during transmission |
Shared |
n/a |
An inventory of the entity’s trusted keys and certificates used to protect PAN during transmission is maintained. |
link |
8 |
| SOC_2 |
CC6.1 |
SOC_2_CC6.1 |
SOC 2 Type 2 CC6.1 |
Logical and Physical Access Controls |
Logical access security software, infrastructure, and architectures |
Shared |
The customer is responsible for implementing this recommendation. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion:
• Identifies and Manages the Inventory of Information Assets — The entity identifies,
Page 29
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
inventories, classifies, and manages information assets.
• Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative
authorities, mobile devices, output, and offline system components is restricted
through the use of access control software and rule sets.
• Identifies and Authenticates Users — Persons, infrastructure, and software are
identified and authenticated prior to accessing information assets, whether locally
or remotely.
• Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
• Manages Points of Access — Points of access by outside entities and the types of
data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified,
documented, and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
• Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems
accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external
infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point.
Credentials are removed and access is disabled when access is no longer required
or the infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to supplement other
measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
• Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction |
|
80 |
| SWIFT_CSCF_v2022 |
2.1 |
SWIFT_CSCF_v2022_2.1 |
SWIFT CSCF v2022 2.1 |
2. Reduce Attack Surface and Vulnerabilities |
Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. |
Shared |
n/a |
Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. |
link |
36 |
| SWIFT_CSCF_v2022 |
3.1 |
SWIFT_CSCF_v2022_3.1 |
SWIFT CSCF v2022 3.1 |
3. Physically Secure the Environment |
Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. |
Shared |
n/a |
Physical security controls are in place to protect access to sensitive equipment, hosting sites, and storage. |
link |
8 |