Az Policy Advertizer

Canada_Federal_PBMM_3-1-2020_AC_17

AC_17

Canada Federal PBMM 3-1-2020 AC 17

Remote Access

Shared

1. The organization establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed. 2. The organization authorizes remote access to the information system prior to allowing such connections. (AA). The organization ensures that all employees working off site safeguard information as per the organization's minimum security requirements (NOTE: Item (AA) is not applicable to CSPs).

To ensure the security of the organization's information system, especially when accessed remotely.

Canada_Federal_PBMM_3-1-2020_AC_17(1)

AC_17(1)

Canada Federal PBMM 3-1-2020 AC 17(1)

Remote Access

Remote Access | Automated Monitoring / Control

Shared

The information system monitors and controls remote access methods.

To ensure that remote access methods to the information system are monitored and controlled effectively

Canada_Federal_PBMM_3-1-2020_AC_17(2)

AC_17(2)

Canada Federal PBMM 3-1-2020 AC 17(2)

Remote Access

Remote Access | Protection of Confidentiality / Integrity using Encryption

Shared

1. The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. 2. The cryptography must be compliant with the requirements of SC-13.

To enhance security by encrypting data transmitted during remote access sessions.

Canada_Federal_PBMM_3-1-2020_AC_17(3)

AC_17(3)

Canada Federal PBMM 3-1-2020 AC 17(3)

Remote Access

Remote Access | Managed Access Control Points

Shared

The information system routes all remote accesses through approved managed network access control points.

To mitigate the risk of unauthorized access or malicious activities.

Canada_Federal_PBMM_3-1-2020_AC_17(4)

AC_17(4)

Canada Federal PBMM 3-1-2020 AC 17(4)

Remote Access

Remote Access | Privileged Commands / Access

Shared

1. The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for approved operational requirements; and 2. The organization documents the rationale for such access in the security plan for the information system.

To ensure transparency and accountability in the management of remote access privileges and security-related activities.

Canada_Federal_PBMM_3-1-2020_AC_17(9)

AC_17(9)

Canada Federal PBMM 3-1-2020 AC 17(9)

Remote Access

Remote Access | Disconnect / Disable Access

Shared

The organization provides the capability to expeditiously disconnect or disable remote access to the information system within a period no greater than 15 minutes.

To mitigate the risk of security breaches.

Canada_Federal_PBMM_3-1-2020_AC_2(10)

AC_2(10)

Canada Federal PBMM 3-1-2020 AC 2(10)

Account Management

Account Management | Shared / Group Account Credential Termination

Shared

The information system terminates shared/group account credentials when members leave the group.

To uphold security measures within the information system.

Canada_Federal_PBMM_3-1-2020_AC_2(2)

AC_2(2)

Canada Federal PBMM 3-1-2020 AC 2(2)

Account Management

Account Management | Removal of Temporary / Emergency Accounts

Shared

The information system automatically disables temporary and emergency accounts after no more than 30 days for both temporary and emergency accounts.

To ensure timely security measures for both types of accounts.

Canada_Federal_PBMM_3-1-2020_AC_2(3)

AC_2(3)

Canada Federal PBMM 3-1-2020 AC 2(3)

Account Management

Account Management | Disable Inactive Accounts

Shared

The information system automatically disables inactive accounts after 90 days.

To bolster security measures and ensure efficient account management.

Canada_Federal_PBMM_3-1-2020_AC_20

AC_20

Canada Federal PBMM 3-1-2020 AC 20

Use of External Information Systems

Shared

1. The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to access the information system from external information systems. 2. The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external information systems.

To ensure secure and compliant interactions between internal and external information systems while maintaining trust and security standards.

Canada_Federal_PBMM_3-1-2020_AC_20(1)

AC_20(1)

Canada Federal PBMM 3-1-2020 AC 20(1)

Use of External Information Systems

Use of External Information Systems | Limits of Authorized Use

Shared

The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: 1. Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or 2. Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

To ensure appropriate security measures are in place to safeguard organization-controlled information when accessed or processed externally.

Canada_Federal_PBMM_3-1-2020_AC_5

AC_5

Canada Federal PBMM 3-1-2020 AC 5

Separation of Duties

Shared

The organization: 1. Separate organization-defined duties of individuals including at least separation of operational, development, security monitoring, and management functions; 2. Documents separation of duties of individuals; and 3. Defines information system access authorizations to support separation of duties.

To facilitate proper separation of duties within the organization.

Canada_Federal_PBMM_3-1-2020_CA_7

CA_7

Canada Federal PBMM 3-1-2020 CA 7

Continuous Monitoring

Shared

1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency.

To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements.

124

Canada_Federal_PBMM_3-1-2020_IA_5(3)

IA_5(3)

Canada Federal PBMM 3-1-2020 IA 5(3)

Authenticator Management

Authenticator Management | In-Person or Trusted Third-Party Registration

Shared

The organization requires that the registration process to receive be conducted in person before an organization-defined registration authority with authorization by organization-defined personnel or roles.

To enhance security and accountability within the organization's registration procedures.

Canada_Federal_PBMM_3-1-2020_SI_4

SI_4

Canada Federal PBMM 3-1-2020 SI 4

Information System Monitoring

Shared

1. The organization monitors the information system to detect: a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and b. Unauthorized local, network, and remote connections; 2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods. 3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. 4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. 5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. 6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards. 7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_4(1)

SI_4(1)

Canada Federal PBMM 3-1-2020 SI 4(1)

Information System Monitoring

Information System Monitoring | System-Wide Intrusion Detection System

Shared

The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

To enhance overall security posture.

CIS_Azure_2.0.0

4.5.3

CIS_Azure_2.0.0_4.5.3

CIS Microsoft Azure Foundations Benchmark recommendation 4.5.3

4.5

Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible.

Shared

n/a

Cosmos DB can use tokens or AAD for client authentication which in turn will use Azure RBAC for authorization. Using AAD is significantly more secure because AAD handles the credentials and allows for MFA and centralized management, and the Azure RBAC better integrated with the rest of Azure. AAD client authentication is considerably more secure than token-based authentication because the tokens must be persistent at the client. AAD does not require this.

link

10.7

CIS_Controls_v8.1_10.7

CIS Controls v8.1 10.7

Malware Defenses

Use behaviour based anti-malware software

Shared

Use behaviour based anti-malware software

To ensure that a generic anti-malware software is not used.

12.5

CIS_Controls_v8.1_12.5

CIS Controls v8.1 12.5

Network Infrastructure Management

Centralize network authentication, authorization and auditing (AAA)

Shared

Centralize network AAA.

To ensure that all network AAA is centralized to maintain standardisation and integrity of AAA.

12.8

CIS_Controls_v8.1_12.8

CIS Controls v8.1 12.8

Network Infrastructure Management

Establish and maintain dedicated computing resources for all administrative work

Shared

1. Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. 2. The computing resources should be segmented from the enterprise’s primary network and not be allowed internet access.

To ensure administrative work is on a different system on which access to data and internet is restricted.

13.1

CIS_Controls_v8.1_13.1

CIS Controls v8.1 13.1

Network Monitoring and Defense

Centralize security event alerting

Shared

1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard.

To ensure that any security event is immediately alerted enterprise-wide.

101

13.11

CIS_Controls_v8.1_13.11

CIS Controls v8.1 13.11

Network Monitoring and Defense

Tune security event alerting thresholds

Shared

Tune security event alerting thresholds monthly, or more frequently.

To regularly adjust and optimize security event alerting thresholds, aiming to enhance effectiveness.

13.3

CIS_Controls_v8.1_13.3

CIS Controls v8.1 13.3

Network Monitoring and Defense

Deploy a network intrusion detection solution

Shared

1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

To enhance the organization's cybersecurity.

18.4

CIS_Controls_v8.1_18.4

CIS Controls v8.1 18.4

Penetration Testing

Validate security measures

Shared

Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.

To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise.

3.14

CIS_Controls_v8.1_3.14

CIS Controls v8.1 3.14

Data Protection

Log sensitive data access

Shared

Log sensitive data access, including modification and disposal.

To enhance accountability, traceability, and security measures within the enterprise.

4.7

CIS_Controls_v8.1_4.7

CIS Controls v8.1 4.7

Secure Configuration of Enterprise Assets and Software

Manage default accounts on enterprise assets and software

Shared

1. Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. 2. Example implementations can include: disabling default accounts or making them unusable.

To ensure access to default accounts is restricted.

5.1

CIS_Controls_v8.1_5.1

CIS Controls v8.1 5.1

Account Management

Establish and maintain an inventory of accounts

Shared

1. Establish and maintain an inventory of all accounts managed in the enterprise. 2. The inventory must include both user and administrator accounts. 3. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. 4. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

To ensure accurate tracking and management of accounts.

5.3

CIS_Controls_v8.1_5.3

CIS Controls v8.1 5.3

Account Management

Disable dormant accounts

Shared

Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.

To implement time based expiry of access to systems.

5.4

CIS_Controls_v8.1_5.4

CIS Controls v8.1 5.4

Account Management

Restrict administrator privileges to dedicated administrator accounts.

Shared

1. Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 2. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

To restrict access to privileged accounts.

5.5

CIS_Controls_v8.1_5.5

CIS Controls v8.1 5.5

Account Management

Establish and maintain an inventory of service accounts.

Shared

1. Establish and maintain an inventory of service accounts. 2. The inventory, at a minimum, must contain department owner, review date, and purpose. 3. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

To ensure accurate tracking and management of service accounts.

5.6

CIS_Controls_v8.1_5.6

CIS Controls v8.1 5.6

Account Management

Centralize account management

Shared

Centralize account management through a directory or identity service.

To optimize and simply the process of account management.

6.1

CIS_Controls_v8.1_6.1

CIS Controls v8.1 6.1

Access Control Management

Establish an access granting process

Shared

Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.

To implement role based access controls.

6.2

CIS_Controls_v8.1_6.2

CIS Controls v8.1 6.2

Access Control Management

Establish an access revoking process

Shared

1. Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. 2. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.

To restrict access to enterprise assets.

CMMC_L2_v1.9.0_AU.L2_3.3.1

AU.L2_3.3.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.1

Audit and Accountability

System Auditing

Shared

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

To enhance security and accountability measures.

CMMC_L2_v1.9.0_AU.L2_3.3.3

AU.L2_3.3.3

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.3

Audit and Accountability

Event Review

Shared

Review and update logged events.

To enhance the effectiveness of security measures.

CMMC_L2_v1.9.0_CM.L2_3.4.5

CM.L2_3.4.5

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.5

Configuration Management

Access Restrictions for Change

Shared

Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

To ensure only authorized individuals have access to make changes and that proper controls are in place to safeguard system integrity and security.

CMMC_L2_v1.9.0_IA.L1_3.5.1

IA.L1_3.5.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 IA.L1 3.5.1

Identification and Authentication

Identification

Shared

Identify information system users, processes acting on behalf of users, or devices.

To enable effective monitoring, authentication, and access control measures to be implemented within the system.

CMMC_L2_v1.9.0_IA.L2_3.5.7

IA.L2_3.5.7

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 IA.L2 3.5.7

Identification and Authentication

Password Complexity

Shared

Enforce a minimum password complexity and change of characters when new passwords are created.

To reduce the risk of unauthorized access through password guessing or brute force attacks.

CMMC_L2_v1.9.0_IR.L2_3.6.1

IR.L2_3.6.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 IR.L2 3.6.1

Incident Response

Incident Handling

Shared

Establish an operational incident handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

To effectively respond to and mitigate the impact of security incidents or breaches.

CMMC_L2_v1.9.0_PE.L2_3.10.6

PE.L2_3.10.6

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 PE.L2 3.10.6

Physical Protection

Alternative Work Sites

Shared

Enforce safeguarding measures for CUI at alternate work sites.

To ensure that sensitive information is protected even when employees are working remotely or at off site locations.

CMMC_L2_v1.9.0_PS.L2_3.9.2

PS.L2_3.9.2

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 PS.L2 3.9.2

Personnel Security

Personnel Actions

Shared

Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

To ensure that organizational systems containing CUI are protected during and after personnel actions, such as terminations and transfers.

IAM_01

CSA_v4.0.12_IAM_01

CSA Cloud Controls Matrix v4.0.12 IAM 01

Identity & Access Management

Identity and Access Management Policy and Procedures

Shared

n/a

Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management. Review and update the policies and procedures at least annually.

IAM_02

CSA_v4.0.12_IAM_02

CSA Cloud Controls Matrix v4.0.12 IAM 02

Identity & Access Management

Strong Password Policy and Procedures

Shared

n/a

Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.

IAM_03

CSA_v4.0.12_IAM_03

CSA Cloud Controls Matrix v4.0.12 IAM 03

Identity & Access Management

Identity Inventory

Shared

n/a

Manage, store, and review the information of system identities, and level of access.

IAM_04

CSA_v4.0.12_IAM_04

CSA Cloud Controls Matrix v4.0.12 IAM 04

Identity & Access Management

Separation of Duties

Shared

n/a

Employ the separation of duties principle when implementing information system access.

IAM_07

CSA_v4.0.12_IAM_07

CSA Cloud Controls Matrix v4.0.12 IAM 07

Identity & Access Management

User Access Changes and Revocation

Shared

n/a

De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies.

IAM_10

CSA_v4.0.12_IAM_10

CSA Cloud Controls Matrix v4.0.12 IAM 10

Identity & Access Management

Management of Privileged Access Roles

Shared

n/a

Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access.

IAM_11

CSA_v4.0.12_IAM_11

CSA Cloud Controls Matrix v4.0.12 IAM 11

Identity & Access Management

CSCs Approval for Agreed Privileged Access Roles

Shared

n/a

Define, implement and evaluate processes and procedures for customers to participate, where applicable, in the granting of access for agreed, high risk (as defined by the organizational risk assessment) privileged access roles.

IAM_12

CSA_v4.0.12_IAM_12

CSA Cloud Controls Matrix v4.0.12 IAM 12

Identity & Access Management

Safeguard Logs Integrity

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures.

IAM_13

CSA_v4.0.12_IAM_13

CSA Cloud Controls Matrix v4.0.12 IAM 13

Identity & Access Management

Uniquely Identifiable Users

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs.

IAM_14

CSA_v4.0.12_IAM_14

CSA Cloud Controls Matrix v4.0.12 IAM 14

Identity & Access Management

Strong Authentication

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities.

IAM_15

CSA_v4.0.12_IAM_15

CSA Cloud Controls Matrix v4.0.12 IAM 15

Identity & Access Management

Passwords Management

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords.

IAM_16

CSA_v4.0.12_IAM_16

CSA Cloud Controls Matrix v4.0.12 IAM 16

Identity & Access Management

Authorization Mechanisms

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized.

LOG_07

CSA_v4.0.12_LOG_07

CSA Cloud Controls Matrix v4.0.12 LOG 07

Logging and Monitoring

Logging Scope

Shared

n/a

Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment.

LOG_08

CSA_v4.0.12_LOG_08

CSA Cloud Controls Matrix v4.0.12 LOG 08

Logging and Monitoring

Log Records

Shared

n/a

Generate audit records containing relevant security information.

LOG_10

CSA_v4.0.12_LOG_10

CSA Cloud Controls Matrix v4.0.12 LOG 10

Logging and Monitoring

Encryption Monitoring and Reporting

Shared

n/a

Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls.

LOG_11

CSA_v4.0.12_LOG_11

CSA Cloud Controls Matrix v4.0.12 LOG 11

Logging and Monitoring

Transaction/Activity Logging

Shared

n/a

Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_1

Cyber Essentials v3.1 1

Cyber Essentials

Firewalls

Shared

n/a

Aim: to make sure that only secure and necessary network services can be accessed from the internet.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_2

Cyber Essentials v3.1 2

Cyber Essentials

Secure Configuration

Shared

n/a

Aim: ensure that computers and network devices are properly configured to reduce vulnerabilities and provide only the services required to fulfill their role.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_4

Cyber Essentials v3.1 4

Cyber Essentials

User Access Control

Shared

n/a

Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role.

EU_2555_(NIS2)_2022_10

EU 2022/2555 (NIS2) 2022 10

Computer security incident response teams (CSIRTs)

Shared

n/a

Requires Member States to designate or establish CSIRTs.

EU_2555_(NIS2)_2022_11

EU 2022/2555 (NIS2) 2022 11

Requirements, technical capabilities and tasks of CSIRTs

Shared

n/a

Outlines the requirements, technical capabilities, and tasks of CSIRTs.

EU_2555_(NIS2)_2022_13

EU 2022/2555 (NIS2) 2022 13

Cooperation at national level

Shared

n/a

Requires cooperation between competent authorities, single points of contact, and CSIRTs at the national level.

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

193

EU_2555_(NIS2)_2022_23

EU 2022/2555 (NIS2) 2022 23

Reporting obligations

Shared

n/a

Requires essential and important entities to notify significant incidents to their CSIRT or competent authority.

EU_2555_(NIS2)_2022_7

EU 2022/2555 (NIS2) 2022 7

National cybersecurity strategy

Shared

n/a

Requires Member States to adopt a national cybersecurity strategy.

EU_2555_(NIS2)_2022_9

EU 2022/2555 (NIS2) 2022 9

National cyber crisis management frameworks

Shared

n/a

Requires Member States to establish frameworks for managing large-scale cybersecurity incidents and crises.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

310

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

310

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

310

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5.1

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1

Policy and Implementation - Systems And Communications Protection

Systems And Communications Protection

Shared

In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information.

Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment.

110

FBI_Criminal_Justice_Information_Services_v5.9.5_5.3

404 not found

n/a

FBI_Criminal_Justice_Information_Services_v5.9.5_5.4

404 not found

n/a

FBI_Criminal_Justice_Information_Services_v5.9.5_5.5

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5

Policy and Implementation - Access Control

Access Control

Shared

Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI.

Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information.

FBI_Criminal_Justice_Information_Services_v5.9.5_5.6

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.6

Policy and Implementation - Identification And Authentication

Identification And Authentication

Shared

Ensure and maintain the proper identification and authentications measures with appropriate security safeguards to avoid issues like identity theft.

1. Identification is a unique, auditable representation of an identity within an information system usually in the form of a simple character string for each individual user, machine, software component, or any other entity. 2. Authentication refers to mechanisms or processes to verify the identity of a user, process, or device, as a prerequisite to allowing access to a system's resources.

FBI_Criminal_Justice_Information_Services_v5.9.5_5.7

404 not found

n/a

FFIEC_CAT_2017

3.1.2

FFIEC_CAT_2017_3.1.2

FFIEC CAT 2017 3.1.2

Cybersecurity Controls

Access and Data Management

Shared

n/a

Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.'FFIEC_Cybersecurity Control'!F8 - Employee access to systems and confidential data provides for separation of duties. - Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger 'FFIEC_Cybersecurity Control'!F7password controls). - User access reviews are performed periodically for all systems and applications based on the risk to the application or system. - Changes to physical and logical user access, including those that result from voluntary and involuntary terminations, are submitted to and approved by appropriate personnel. - Identification and authentication are required and managed for access to systems, applications, and hardware. - Access controls include password complexity and limits to password attempts and reuse. - All default passwords and unnecessary default accounts are changed before system implementation. - Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk. - Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.) - Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems. - All passwords are encrypted in storage and in transit. - Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). - Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) - Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. - Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software. - Customer service (e.g., the call center) utilizes formal procedures to authenticate customers commensurate with the risk of the transaction or request. - Data is disposed of or destroyed according to documented requirements and within expected time frames.

01.c

HITRUST_CSF_v11.3_01.c

HITRUST CSF v11.3 01.c

Authorized Access to Information Systems

Control privileged access to information systems and services.

Shared

1. Privileged role assignments to be automatically tracked and monitored. 2. Role-based access controls to be implemented and should be capable of mapping each user to one or more roles, and each role to one or more system functions. 3. Critical security functions to be executable only after granting of explicit authorization.

The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls.

01.i

HITRUST_CSF_v11.3_01.i

HITRUST CSF v11.3 01.i

Network Access Control

Implement role based access to internal and external network services.

Shared

1. It is to be determined who is allowed access to which network and what networked services. 2. The networks and network services to which users have authorized access is to be specified.

Users shall only be provided with access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied for users and equipment.

01.j

HITRUST_CSF_v11.3_01.j

HITRUST CSF v11.3 01.j

Network Access Control

Prevent unauthorized access to networked services.

Shared

1.External access to systems to be strictly regulated and tightly controlled. 2. External access to sensitive systems to be automatically deactivated immediately after use. 3. Authentication of remote users to be done by using cryptography, biometrics, hardware tokens, software token, a challenge/response protocol, or, certificate agents. 4. Dial-up connections to be encrypted.

Appropriate authentication methods shall be used to control access by remote users.

01.q

HITRUST_CSF_v11.3_01.q

HITRUST CSF v11.3 01.q

Operating System Access Control

Prevent unauthorized access to operating systems and implement authentication technique to verify user.

Shared

1. Each user ID in the information system to be assigned to a specific named individual to ensure accountability. 2. Multi-factor authentication to be implemented for network and local access to privileged accounts. 3. Users to be uniquely identified and authenticated for local access and remote access. 4. Biometric-based electronic signatures and multifactor authentication to be implemented to ensure exclusive ownership validation and enhanced security for both remote and local network access to privileged and non-privileged accounts.

All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user.

09.aa

HITRUST_CSF_v11.3_09.aa

HITRUST CSF v11.3 09.aa

Monitoring

Ensure information security events are monitored and recorded to detect unauthorized information processing activities in compliance with all relevant legal requirements.

Shared

1. Retention policies for audit logs are to be specified and the audit logs are to be retained accordingly. 2. A secure audit record is to be created each time a user accesses, creates, updates, or deletes covered and/or confidential information via the system. 3. Audit logs are to be maintained for account management activities, security policy changes, configuration changes, modification to sensitive information, read access to sensitive information, and printing of sensitive information.

Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.

09.ab

HITRUST_CSF_v11.3_09.ab

HITRUST CSF v11.3 09.ab

Monitoring

Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls.

Shared

1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with.

Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly.

113

10.m

HITRUST_CSF_v11.3_10.m

HITRUST CSF v11.3 10.m

Technical Vulnerability Management

Reduce the risks resulting from exploitation of published technical vulnerabilities, technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness.

Shared

1. The necessary secure services, protocols required for the function of the system are to be enabled. 2. Security features to be implemented for any required services that are considered to be insecure. 3. Laptops, workstations, and servers to be configured so they will not auto-run content from removable media. 4. Configuration standards to be consistent with industry-accepted system hardening standards. 5. An enterprise security posture review within every 365 days is to be conducted. 6. Vulnerability scanning tools to be regularly updated with all relevant information system vulnerabilities.

Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.

ISO_IEC_27001_2022

9.1

ISO_IEC_27001_2022_9.1

ISO IEC 27001 2022 9.1

Performance Evaluation

Monitoring, measurement, analysis and evaluation

Shared

1. The organization shall determine: a. what needs to be monitored and measured, including information security processes and controls; b. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid; c. when the monitoring and measuring shall be performed; d. who shall monitor and measure; e. when the results from monitoring and measurement shall be analysed and evaluated; f. who shall analyse and evaluate these results. 2. Documented information shall be available as evidence of the results.

Specifies that the organisation must evaluate information security performance and the effectiveness of the information security management system.

5.17

ISO_IEC_27002_2022_5.17

ISO IEC 27002 2022 5.17

Protection, Preventive Control

Authentication information

Shared

Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information.

To ensure proper entity authentication and prevent failures of authentication processes.

5.18

ISO_IEC_27002_2022_5.18

ISO IEC 27002 2022 5.18

Protection, Preventive Control

Access rights

Shared

Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.

To ensure access to information and other associated assets is defined and authorized according to the business requirements.

6.7

ISO_IEC_27002_2022_6.7

ISO IEC 27002 2022 6.7

Protection, Preventive, Control

Remote working

Shared

Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.

To ensure the security of information when personnel are working remotely.

8.15

ISO_IEC_27002_2022_8.15

ISO IEC 27002 2022 8.15

Detection Control

Logging

Shared

Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed.

To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations.

ISO_IEC_27017_2015_12.4.1

8.9

ISO_IEC_27002_2022_8.9

ISO IEC 27002 2022 8.9

Protection, Preventive Control

Configuration management

Shared

Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.

To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes.

ISO_IEC_27017_2015

12.4.1

ISO IEC 27017 2015 12.4.1

Operations Security

Event Logging

Shared

For Cloud Service Customer: The cloud service customer should define its requirements for event logging and verify that the cloud service meets those requirements. For Cloud Service Provider: The cloud service provider should provide logging capabilities to the cloud service customer.

ISO_IEC_27017_2015

16.1.2

ISO_IEC_27017_2015_16.1.2

ISO IEC 27017 2015 16.1.2

Information Security Incident Management

Reporting Information Security Events

Shared

For Cloud Service Customer: The cloud service customer should request information from the cloud service provider about the mechanisms for: (i) the cloud service customer to report an information security event it has detected to the cloud service provider; (ii) the cloud service provider to receive reports regarding an information security event detected by the cloud service provider; (iii) the cloud service customer to track the status of a reported information security event. For Cloud Service Provider: The cloud service provider should provide mechanisms for: (i) the cloud service customer to report an information security event to the cloud service provider; (ii) the cloud service provider to report an information security event to a cloud service customer; (iii) the cloud service customer to track the status of a reported information security event.

To support timely, consistent and effective reporting of information security events that can be identified by personnel.

ISO_IEC_27017_2015

9.2.4

ISO_IEC_27017_2015_9.2.4

ISO IEC 27017 2015 9.2.4

Access Control

Management of secret authentication information of users

Shared

For Cloud Service Customer: The cloud service customer should verify that the cloud service provider's management procedure for allocating secret authentication information, such as passwords, meets the cloud service customer's requirements. For Cloud Service Provider: The cloud service provider should provide information on procedures for the management of the secret authentication information of the cloud service customer, including the procedures for allocating such information and for user authentication.

To ensure proper entity authentication and prevent failures of authentication processes.

New_Zealand_ISM

16.1.32.C.01

New_Zealand_ISM_16.1.32.C.01

16. Access Control and Passwords

16.1.32.C.01 System user identification

n/a

Agencies MUST ensure that all system users are: uniquely identifiable; and authenticated on each occasion that access is granted to a system.

NIST_CSF_v2.0

DE.AE

NIST_CSF_v2.0_DE.AE

404 not found

n/a

NIST_CSF_v2.0

DE.AE_03

NIST_CSF_v2.0_DE.AE_03

NIST CSF v2.0 DE.AE 03

DETECT-Adverse Event Analysis

Information is correlated from multiple sources.

Shared

n/a

To identify and analyze the cybersecurity attacks and compromises.

NIST_CSF_v2.0

PR.AA_01

NIST_CSF_v2.0_PR.AA_01

NIST CSF v2.0 PR.AA 01

PROTECT- Identity Management, Authentication, and Access

Identities and credentials for authorized users, services, and hardware are managed by the organization.

Shared

n/a

To implement safeguards for managing organization’s cybersecurity risks.

.1.1

NIST_SP_800-171_R3_3.1.1

NIST 800-171 R3 3.1.1

Access Control

Account Management

Shared

a. Define the types of system accounts allowed and prohibited. b. Create, enable, modify, disable, and remove system accounts in accordance with organizational policy, procedures, prerequisites, and criteria. c. Specify authorized users of the system, group and role membership, and access authorizations (i.e., privileges). d. Authorize access to the system based on a valid access authorization and intended system usage. e. Monitor the use of system accounts. f. Disable system accounts when: 1. The accounts have expired; 2. The accounts have been inactive for [Assignment: organization-defined time period]; 3. The accounts are no longer associated with a user or individual; 4. The accounts are in violation of organizational policy; or 5. Significant risks associated with individuals are discovered. g. Notify organizational personnel or roles when: 1. Accounts are no longer required; 2. Users are terminated or transferred; and 3. System usage or need-to-know changes for an individual.

This requirement focuses on account management for systems and applications. The definition and enforcement of access authorizations other than those determined by account type (e.g.,privileged access, non-privileged access) are addressed in requirement 03.01.02. System account types include individual, group, temporary, system, guest, anonymous, emergency, developer, and service. Users who require administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access. Types of accounts that organizations may prohibit due to increased risk include group, emergency, guest, anonymous, and temporary. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of both. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes,organizations consider system requirements (e.g., system upgrades, scheduled maintenance) and mission and business requirements (e.g., time zone differences, remote access to facilitate travel requirements). Users who pose a significant security risk include individuals for whom reliable evidence indicates either the intention to use authorized access to the system to cause harm or that adversaries will cause harm through them. Close coordination among human resource managers, mission/business owners, system administrators, and legal staff is essential when disabling system accounts for high-risk individuals. Time periods for the notification of organizational personnel or roles may vary.

NIST_SP_800-171_R3_3.1.12

.1.12

NIST 800-171 R3 3.1.12

Access Control

Remote Access

Shared

Remote access to the system represents a significant potential vulnerability that can be exploited by adversaries. Monitoring and controlling remote access methods allows organizations to detect attacks and ensure compliance with remote access policies. This occurs by auditing the connection activities of remote users on the systems. Routing remote access through manaccess control points enhances explicit control over such connections and reduces susceptibility to unauthorized access to the system, which could result in the unauthorized disclosure of CUI. Restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and its susceptibility to threats by adversaries. A privileged command is a human-initiated command executed on a system that involves the control, monitoring, or administration of the system, including security functions and security-relevant information. Security-relevant information is information that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling access from remote locations helps to ensure that unauthorized individuals are unable to execute such commands with the potential to do serious or catastrophic damage to the system.

a. Establish usage restrictions, configuration requirements, and connection requirements for each type of allowable remote system access. b. Authorize each type of remote system access prior to establishing such connections. c. Route remote access to the system through authorized and managed access control points. d. Authorize remote execution of privileged commands and remote access to security-relevant information.

NIST_SP_800-171_R3_3.1.16

.1.16

NIST 800-171 R3 3.1.16

Access Control

Wireless Access

Shared

Establishing usage restrictions, configuration requirements, and connection requirements for wireless access to the system provides criteria to support access authorization decisions. These restrictions and requirements reduce susceptibility to unauthorized system access through wireless technologies. Wireless networks use authentication protocols that provide credential protection and mutual authentication. Organizations authenticate individuals and devices to protect wireless access to the system. Special attention is given to the variety of devices with potential wireless access to the system, including small form factor mobile devices (e.g., smart phones, smart watches). Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential missions or business functions can help reduce susceptibility to threats by adversaries involving wireless technologies.

a. Establish usage restrictions, configuration requirements, and connection requirements for each type of wireless access to the system. b. Authorize each type of wireless access to the system prior to establishing such connections. c. Disable, when not intended for use, wireless networking capabilities prior to issuance and deployment.

.1.2

NIST_SP_800-171_R3_3.1.2

NIST 800-171 R3 3.1.2

Access Control

Access Enforcement

Shared

Access control policies control access between active entities or subjects (i.e., users or system processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. Types of system access include remote access and access to systems that communicate through external networks, such as the internet. Access enforcement mechanisms can also be employed at the application and service levels to provide increased protection for CUI. This recognizes that the system can host many applications and services in support of mission and business functions.

Enforce approved authorizations for logical access to CUI and system resources.

.1.5

NIST_SP_800-171_R3_3.1.5

NIST 800-171 R3 3.1.5

Access Control

Least Privilege

Shared

Organizations employ the principle of least privilege for specific duties and authorized access for users and system processes. Least privilege is applied to the development, implementation, and operation of the system. Organizations consider creating additional processes, roles, and system accounts to achieve least privilege. Security functions include establishing system accounts and assigning privileges, installing software, configuring access authorizations, configuring settings for events to be audited, establishing vulnerability scanning parameters, and establishing intrusion detection parameters. Security-relevant information includes threat and vulnerability information, filtering rules for routers or firewalls, configuration parameters for security services, security architecture, cryptographic key management information, and access control lists.

a. Allow only authorized system access for users (or processes acting on behalf of users) that is necessary to accomplish assigned organizational tasks. b. Authorize access to [Assignment: organization-defined security functions and security-relevant information]. c. Review the privileges assigned to roles or classes of users periodically to validate the need for such privileges. d. Reassign or remove privileges, as necessary.

.1.6

NIST_SP_800-171_R3_3.1.6

NIST 800-171 R3 3.1.6

Access Control

Least Privilege – Privileged Accounts

Shared

Privileged accounts are typically described as system administrator accounts. Restricting privileged accounts to specific personnel or roles prevents nonprivileged users from accessing security functions or security-relevant information. Requiring the use of non-privileged accounts when accessing nonsecurity functions or nonsecurity information limits exposure when operating from within privileged accounts. Including roles addresses situations in which organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

a. Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles]. b. Require that users (or roles) with privileged accounts use non-privileged accounts when accessing nonsecurity functions or nonsecurity information.

.3.1

NIST_SP_800-171_R3_3.3.1

404 not found

n/a

.3.5

NIST_SP_800-171_R3_3.3.5

404 not found

n/a

.4.5

NIST_SP_800-171_R3_3.4.5

404 not found

n/a

.5.1

NIST_SP_800-171_R3_3.5.1

404 not found

n/a

NIST_SP_800-171_R3_3.5.12

.5.12

NIST 800-171 R3 3.5.12

Identification and Authentication Control

Authenticator Management

Shared

Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. The initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, requirements for authenticator content contain specific characteristics. Authenticator management is supported by organization-defined settings and restrictions for various authenticator characteristics (e.g., password complexity and composition rules, validation time window for time synchronous one-time tokens, and the number of allowed rejections during the verification stage of biometric authentication). The requirement to protect individual authenticators may be implemented by 03.15.03 for authenticators in the possession of individuals and by 03.01.01, 03.01.02, 03.01.05, and 03.13.08 for authenticators stored in organizational systems. This includes passwords stored in hashed or encrypted formats or files that contain encrypted or hashed passwords accessible with administrator privileges. Actions can be taken to protect authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well-known, easily discoverable, and present a significant risk. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed. The use of long passwords or passphrases may obviate the need to periodically change authenticators.

a. Verify the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution. b. Establish initial authenticator content for any authenticators issued by the organization. c. Establish and implement administrative procedures for initial authenticator distribution, for lost, compromised, or damaged authenticators, and for revoking authenticators. d. Change default authenticators at first use. e. Change or refresh authenticators periodically or when the following events occur:[Assignment: organization-defined events]. f. Protect authenticator content from unauthorized disclosure and modification.

.5.5

NIST_SP_800-171_R3_3.5.5

404 not found

n/a

.5.7

NIST_SP_800-171_R3_3.5.7

404 not found

n/a

.6.1

NIST_SP_800-171_R3_3.6.1

404 not found

n/a

.6.2

NIST_SP_800-171_R3_3.6.2

404 not found

n/a

NIST_SP_800-53_R5.1.1_AC.17

AC.17

NIST SP 800-53 R5.1.1 AC.17

Access Control

Remote Access

Shared

a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections.

Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3. Enforcing access restrictions for remote access is addressed via AC-3.

NIST_SP_800-53_R5.1.1_AC.18

AC.18

NIST SP 800-53 R5.1.1 AC.18

Access Control

Wireless Access

Shared

a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and b. Authorize each type of wireless access to the system prior to allowing such connections.

Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication.

NIST_SP_800-53_R5.1.1_AC.2

AC.2

NIST SP 800-53 R5.1.1 AC.2

Access Control

Account Management

Shared

a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: organization-defined time period] when accounts are no longer required; 2. [Assignment: organization-defined time period] when users are terminated or transferred; and 3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes.

Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts. Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability. Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.

NIST_SP_800-53_R5.1.1_AU.2

AU.2

NIST SP 800-53 R5.1.1 AU.2

Audit and Accountability Control

Event Logging

Shared

a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency].

An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage. Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-17(1), CM-3f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-7, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.

NIST_SP_800-53_R5.1.1_CM.5

CM.5

NIST SP 800-53 R5.1.1 CM.5

Configuration Management Control

Access Restrictions for Change

Shared

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).

NIST_SP_800-53_R5.1.1_IA.2

IA.2

NIST SP 800-53 R5.1.1 IA.2

Identification and Authentication Control

Identification and Authentication (organizational Users)

Shared

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12]. Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks. The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8.

NIST_SP_800-53_R5.1.1_IA.5

IA.5

NIST SP 800-53 R5.1.1 IA.5

Identification and Authentication Control

Authenticator Management

Shared

Manage system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b. Establishing initial authenticator content for any authenticators issued by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; e. Changing default authenticators prior to first use; f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur; g. Protecting authenticator content from unauthorized disclosure and modification; h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and i. Changing authenticators for group or role accounts when membership to those accounts changes.

Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.

NIST_SP_800-53_R5.1.1_IR.5

IR.5

NIST SP 800-53 R5.1.1 IR.5

Incident Response Control

Incident Monitoring

Shared

Track and document incidents.

Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. IR-4 provides information on the types of incidents that are appropriate for monitoring.

NIST_SP_800-53_R5.1.1_RA.5.8

RA.5.8

NIST SP 800-53 R5.1.1 RA.5.8

Risk Assessment Control

Vulnerability Monitoring and Scanning | Review Historic Audit Logs

Shared

Review historic audit logs to determine if a vulnerability identified in a [Assignment: organization-defined system] has been previously exploited within an [Assignment: organization-defined time period].

Reviewing historic audit logs to determine if a recently detected vulnerability in a system has been previously exploited by an adversary can provide important information for forensic analyses. Such analyses can help identify, for example, the extent of a previous intrusion, the trade craft employed during the attack, organizational information exfiltrated or modified, mission or business capabilities affected, and the duration of the attack.

14.1.10.C.01.

NZISM_v3.7_14.1.10.C.01.

NZISM v3.7 14.1.10.C.01.

Standard Operating Environments

14.1.10.C.01. - reduce potential vulnerabilities.

Shared

n/a

Agencies MUST reduce potential vulnerabilities in their SOEs by: 1. removing unused accounts; 2. renaming or deleting default accounts; and 3. replacing default passwords before or during the installation process.

14.1.10.C.02.

NZISM_v3.7_14.1.10.C.02.

NZISM v3.7 14.1.10.C.02.

Standard Operating Environments

14.1.10.C.02. - reduce potential vulnerabilities.

Shared

n/a

Agencies SHOULD reduce potential vulnerabilities in their SOEs by: 1. removing unused accounts; 2. renaming or deleting default accounts; and 3. replacing default passwords, before or during the installation process.

16.1.31.C.01.

NZISM_v3.7_16.1.31.C.01.

NZISM v3.7 16.1.31.C.01.

Identification, Authentication and Passwords

16.1.31.C.01. - promote security and accountability within the agency's systems.

Shared

n/a

Agencies MUST: 1. develop, implement and maintain a set of policies and procedures covering all system users: a. identification; b. authentication; c. authorisation; d. privileged access identification and management; and 2. make their system users aware of the agency's policies and procedures.

16.1.32.C.01.

NZISM_v3.7_16.1.32.C.01.

NZISM v3.7 16.1.32.C.01.

Identification, Authentication and Passwords

16.1.32.C.01. - promote security and accountability within the agency's systems.

Shared

n/a

Agencies MUST ensure that all system users are: 1. uniquely identifiable; and 2. authenticated on each occasion that access is granted to a system.

16.1.47.C.01.

NZISM_v3.7_16.1.47.C.01.

NZISM v3.7 16.1.47.C.01.

Identification, Authentication and Passwords

16.1.47.C.01. - enhance overall security posture.

Shared

n/a

Agencies SHOULD ensure that repeated account lockouts are investigated before reauthorising access.

16.4.32.C.02.

NZISM_v3.7_16.4.32.C.02.

NZISM v3.7 16.4.32.C.02.

Privileged Access Management

16.4.32.C.02. - enhance security and reduce the risk of unauthorized access or misuse.

Shared

n/a

Privileged Access credentials MUST NOT be issued until approval has been formally granted.

16.5.10.C.01.

NZISM_v3.7_16.5.10.C.01.

NZISM v3.7 16.5.10.C.01.

Remote Access

16.5.10.C.01. - enhance security and reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies MUST authenticate each remote connection and user prior to permitting access to an agency system.

16.5.10.C.02.

NZISM_v3.7_16.5.10.C.02.

NZISM v3.7 16.5.10.C.02.

Remote Access

16.5.10.C.02. - enhance security and reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies SHOULD authenticate both the remote system user and device during the authentication process.

16.5.11.C.01.

NZISM_v3.7_16.5.11.C.01.

NZISM v3.7 16.5.11.C.01.

Remote Access

16.5.11.C.01. - enhance security and reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies MUST NOT allow the use of remote privileged access from an untrusted domain, including logging in as an unprivileged system user and then escalating privileges.

16.5.11.C.02.

NZISM_v3.7_16.5.11.C.02.

NZISM v3.7 16.5.11.C.02.

Remote Access

16.5.11.C.02. - enhance security and reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies SHOULD NOT allow the use of remote privileged access from an untrusted domain, including logging in as an unprivileged system user and then escalating privileges.

16.5.12.C.01.

NZISM_v3.7_16.5.12.C.01.

NZISM v3.7 16.5.12.C.01.

Remote Access

16.5.12.C.01. - enhance security and reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies SHOULD establish VPN connections for all remote access connections.

16.6.10.C.02.

NZISM_v3.7_16.6.10.C.02.

NZISM v3.7 16.6.10.C.02.

Event Logging and Auditing

16.6.10.C.02. - enhance system security and accountability.

Shared

n/a

Agencies SHOULD log, at minimum, the following events for all software components: 1. user login; 2. all privileged operations; 3. failed attempts to elevate privileges; 4. security related system alerts and failures; 5. system user and group additions, deletions and modification to permissions; and 6. unauthorised or failed access attempts to systems and files identified as critical to the agency.

16.6.11.C.01.

NZISM_v3.7_16.6.11.C.01.

NZISM v3.7 16.6.11.C.01.

Event Logging and Auditing

16.6.11.C.01. - enhance system security and accountability.

Shared

n/a

For each event identified as needing to be logged, agencies MUST ensure that the log facility records at least the following details, where applicable: 1. date and time of the event; 2. relevant system user(s) or processes; 3. event description; 4. success or failure of the event; 5. event source (e.g. application name); and 6. IT equipment location/identification.

16.6.12.C.01.

NZISM_v3.7_16.6.12.C.01.

NZISM v3.7 16.6.12.C.01.

Event Logging and Auditing

16.6.12.C.01. - maintain integrity of the data.

Shared

n/a

Event logs MUST be protected from: 1. modification and unauthorised access; and 2. whole or partial loss within the defined retention period.

16.6.6.C.01.

NZISM_v3.7_16.6.6.C.01.

NZISM v3.7 16.6.6.C.01.

Event Logging and Auditing

16.6.6.C.01. - enhance security and reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies MUST maintain system management logs for the life of a system.

16.6.7.C.01.

NZISM_v3.7_16.6.7.C.01.

NZISM v3.7 16.6.7.C.01.

Event Logging and Auditing

16.6.7.C.01. - facilitate effective monitoring, troubleshooting, and auditability of system operations.

Shared

n/a

A system management log SHOULD record the following minimum information: 1. all system start-up and shutdown; 2. service, application, component or system failures; 3. maintenance activities; 4. backup and archival activities; 5. system recovery activities; and 6. special or out of hours activities.

1.2.1

PCI_DSS_v4.0.1_1.2.1

PCI DSS v4.0.1 1.2.1

Install and Maintain Network Security Controls

Configuration standards for NSC rulesets are defined, implemented, and maintained

Shared

n/a

Examine the configuration standards for NSC rulesets to verify the standards are in accordance with all elements specified in this requirement. Examine configuration settings for NSC rulesets to verify that rulesets are implemented according to the configuration standards

1.2.7

PCI_DSS_v4.0.1_1.2.7

PCI DSS v4.0.1 1.2.7

Install and Maintain Network Security Controls

Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective

Shared

n/a

Examine documentation to verify procedures are defined for reviewing configurations of NSCs at least once every six months. Examine documentation of reviews of configurations for NSCs and interview responsible personnel to verify that reviews occur at least once every six months. Examine configurations for NSCs to verify that configurations identified as no longer being supported by a business justification are removed or updated

10.4.1

PCI_DSS_v4.0.1_10.4.1

PCI DSS v4.0.1 10.4.1

Log and Monitor All Access to System Components and Cardholder Data

Daily Audit Log Review

Shared

n/a

The following audit logs are reviewed at least once daily: • All security events. • Logs of all system components that store, process, or transmit CHD and/or SAD. • Logs of all critical system components. • Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers).

10.4.1.1

PCI_DSS_v4.0.1_10.4.1.1

PCI DSS v4.0.1 10.4.1.1

Log and Monitor All Access to System Components and Cardholder Data

Automated Log Review Mechanisms

Shared

n/a

Automated mechanisms are used to perform audit log reviews.

10.4.2

PCI_DSS_v4.0.1_10.4.2

PCI DSS v4.0.1 10.4.2

Log and Monitor All Access to System Components and Cardholder Data

Periodic Review of Other Logs

Shared

n/a

Logs of all other system components (those not specified in Requirement 10.4.1) are reviewed periodically.

10.4.2.1

PCI_DSS_v4.0.1_10.4.2.1

PCI DSS v4.0.1 10.4.2.1

Log and Monitor All Access to System Components and Cardholder Data

Frequency of Log Reviews

Shared

n/a

The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1

12.10.5

PCI_DSS_v4.0.1_12.10.5

PCI DSS v4.0.1 12.10.5

Support Information Security with Organizational Policies and Programs

Monitoring and Alert Response

Shared

n/a

The security incident response plan includes monitoring and responding to alerts from security monitoring systems, including but not limited to: • Intrusion-detection and intrusion-prevention systems. • Network security controls. • Change-detection mechanisms for critical files. • The change-and tamper-detection mechanism for payment pages. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. • Detection of unauthorized wireless access points.

2.2.2

PCI_DSS_v4.0.1_2.2.2

PCI DSS v4.0.1 2.2.2

Apply Secure Configurations to All System Components

Vendor default accounts are managed as follows: If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6. If the vendor default account(s) will not be used, the account is removed or disabled

Shared

n/a

Examine system configuration standards to verify they include managing vendor default accounts in accordance with all elements specified in this requirement. Examine vendor documentation and observe a system administrator logging on using vendor default accounts to verify accounts are implemented in accordance with all elements specified in this requirement. Examine configuration files and interview personnel to verify that all vendor default accounts that will not be used are removed or disabled

2.3.1

PCI_DSS_v4.0.1_2.3.1

PCI DSS v4.0.1 2.3.1

Apply Secure Configurations to All System Components

For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to: Default wireless encryption keys. Passwords on wireless access points. SNMP defaults. Any other security-related wireless vendor defaults

Shared

n/a

Examine policies and procedures and interview responsible personnel to verify that processes are defined for wireless vendor defaults to either change them upon installation or to confirm them to be secure in accordance with all elements of this requirement. Examine vendor documentation and observe a system administrator logging into wireless devices to verify: SNMP defaults are not used. Default passwords/passphrases on wireless access points are not used. Examine vendor documentation and wireless configuration settings to verify other security-related wireless vendor defaults were changed, if applicable

3.2.1

PCI_DSS_v4.0.1_3.2.1

PCI DSS v4.0.1 3.2.1

Protect Stored Account Data

Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: coverage for all locations of stored account data, coverage for any sensitive authentication data (SAD) stored prior to completion of authorization, limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements, specific retention requirements for stored account data that defines length of retention period and includes a documented business justification, processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy, a process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable

Shared

n/a

Examine the data retention and disposal policies, procedures, and processes and interview personnel to verify processes are defined to include all elements specified in this requirement. Examine files and system records on system components where account data is stored to verify that the data storage amount and retention time does not exceed the requirements defined in the data retention policy. Observe the mechanisms used to render account data unrecoverable to verify data cannot be recovered

3.3.3

PCI_DSS_v4.0.1_3.3.3

PCI DSS v4.0.1 3.3.3

Protect Stored Account Data

Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is limited to that which is needed for a legitimate issuing business need and is secured. Encrypted using strong cryptography

Shared

n/a

Additional testing procedure for issuers and companies that support issuing services and store sensitive authentication data: Examine documented policies and interview personnel to verify there is a documented business justification for the storage of sensitive authentication data. Examine data stores and system configurations to verify that the sensitive authentication data is stored securely

7.2.1

PCI_DSS_v4.0.1_7.2.1

PCI DSS v4.0.1 7.2.1

Restrict Access to System Components and Cardholder Data by Business Need to Know

An access control model is defined and includes granting access as follows: Appropriate access depending on the entity’s business and access needs. Access to system components and data resources that is based on users’ job classification and functions. The least privileges required (for example, user, administrator) to perform a job function

Shared

n/a

Examine documented policies and procedures and interview personnel to verify the access control model is defined in accordance with all elements specified in this requirement. Examine access control model settings and verify that access needs are appropriately defined in accordance with all elements specified in this requirement

7.2.2

PCI_DSS_v4.0.1_7.2.2

PCI DSS v4.0.1 7.2.2

Restrict Access to System Components and Cardholder Data by Business Need to Know

Access is assigned to users, including privileged users, based on: Job classification and function. Least privileges necessary to perform job responsibilities

Shared

n/a

Examine policies and procedures to verify they cover assigning access to users in accordance with all elements specified in this requirement. Examine user access settings, including for privileged users, and interview responsible management personnel to verify that privileges assigned are in accordance with all elements specified in this requirement. Interview personnel responsible for assigning access to verify that privileged user access is assigned in accordance with all elements specified in this requirement

7.2.3

PCI_DSS_v4.0.1_7.2.3

PCI DSS v4.0.1 7.2.3

Restrict Access to System Components and Cardholder Data by Business Need to Know

Required privileges are approved by authorized personnel

Shared

n/a

Examine policies and procedures to verify they define processes for approval of all privileges by authorized personnel. Examine user IDs and assigned privileges, and compare with documented approvals to verify that: Documented approval exists for the assigned privileges. The approval was by authorized personnel. Specified privileges match the roles assigned to the individual

7.2.4

PCI_DSS_v4.0.1_7.2.4

PCI DSS v4.0.1 7.2.4

Restrict Access to System Components and Cardholder Data by Business Need to Know

All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: At least once every six months. To ensure user accounts and access remain appropriate based on job function. Any inappropriate access is addressed. Management acknowledges that access remains appropriate

Shared

n/a

Examine policies and procedures to verify they define processes to review all user accounts and related access privileges, including third-party/vendor accounts, in accordance with all elements specified in this requirement. Interview responsible personnel and examine documented results of periodic reviews of user accounts to verify that all the results are in accordance with all elements specified in this requirement

Sarbanes_Oxley_Act_(1)_2022_1

7.2.5

PCI_DSS_v4.0.1_7.2.5

PCI DSS v4.0.1 7.2.5

Restrict Access to System Components and Cardholder Data by Business Need to Know

All application and system accounts and related access privileges are assigned and managed as follows: Based on the least privileges necessary for the operability of the system or application. Access is limited to the systems, applications, or processes that specifically require their use

Shared

n/a

Examine policies and procedures to verify they define processes to manage and assign application and system accounts and related access privileges in accordance with all elements specified in this requirement. Examine privileges associated with system and application accounts and interview responsible personnel to verify that application and system accounts and related access privileges are assigned and managed in accordance with all elements specified in this requirement

Sarbanes Oxley Act 2022 1

PUBLIC LAW

Sarbanes Oxley Act 2022 (SOX)

Shared

n/a

A1.1

SOC_2023_A1.1

SOC 2023 A1.1

Additional Criteria for Availability

Effectively manage capacity demand and facilitate the implementation of additional capacity as needed.

Shared

n/a

The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

111

C1.1

SOC_2023_C1.1

SOC 2023 C1.1

Additional Criteria for Confidentiality

Preserve trust, compliance, and competitive advantage.

Shared

n/a

The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.

CC1.3

SOC_2023_CC1.3

SOC 2023 CC1.3

Control Environment

Enable effective execution of authorities, information flow, and setup of appropriate responsibilities to achieve organizational objectives.

Shared

n/a

1. Ensure the management establishes, with board oversight, structures including operating units, legal entities, geographic distribution and outsourced service providers. 2. Design and evaluate reporting lines for each entity to enable execution of authorities, execution and flow of information and setup appropriate authorities and responsibilities in the pursuit of objectives.

CC2.2

SOC_2023_CC2.2

SOC 2023 CC2.2

Information and Communication

Facilitate effective internal communication, including objectives and responsibilities for internal control.

Shared

n/a

Entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control by setting up a process to communicate required information to enable personnel to understand and carry out responsibilities, ensure communication exists between management and board of directors, provides for separate communication channels which serve as fail-safe mechanism to enable anonymous or confidential communication and setting up relevant methods of communication by considering the timing, audience and nature information

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

218

CC5.1

SOC_2023_CC5.1

SOC 2023 CC5.1

Control Activities

Enhance the ability to manage uncertainties and accomplish its strategic goals.

Shared

n/a

Entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

CC5.2

SOC_2023_CC5.2

SOC 2023 CC5.2

Control Activities

Mitigate technology-related risks and ensure that technology effectively supports the organization in achieving its objectives, enhancing efficiency, reliability, and security in its operations.

Shared

n/a

Entity also selects and develops general control activities over technology to support the achievement of objectives by determining Dependency Between the Use of Technology in Business Processes and Technology General Controls, establishing Relevant Technology Infrastructure Control Activities, establishing Relevant Security Management Process Controls Activities, establishing Relevant Technology Acquisition and Development, and Maintenance of Process Control Activities.

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

229

CC6.1

SOC_2023_CC6.1

SOC 2023 CC6.1

Logical and Physical Access Controls

Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets.

Shared

n/a

Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys.

128

CC6.2

SOC_2023_CC6.2

SOC 2023 CC6.2

Logical and Physical Access Controls

Ensure effective access control and ensuring the security of the organization's systems and data.

Shared

n/a

1. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. 2. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

CC7.1

SOC_2023_CC7.1

SOC 2023 CC7.1

Systems Operations

Maintain a proactive approach to cybersecurity and mitigate risks effectively.

Shared

n/a

meet its objectives, the entity uses detection and monitoring procedures to identify changes to configurations that result in the introduction of new vulnerabilities, and susceptibilities to newly discovered vulnerabilities.

CC7.2

SOC_2023_CC7.2

SOC 2023 CC7.2

Systems Operations

Maintain robust security measures and ensure operational resilience.

Shared

n/a

The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events.

167

CC7.5

SOC_2023_CC7.5

SOC 2023 CC7.5

Systems Operations

Ensure prompt restoration of normal operations, mitigation of residual risks, and enhancement of incident response capabilities to minimize the impact of future incidents.

Shared

n/a

The entity identifies, develops, and implements activities to recover from identified security incidents.

CC8.1

SOC_2023_CC8.1

SOC 2023 CC8.1

Change Management

Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change.

Shared

n/a

The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations.

147

CC9.2

SOC_2023_CC9.2

SOC 2023 CC9.2

Risk Mitigation

Ensure effective risk management throughout the supply chain and business ecosystem.

Shared

n/a

Entity assesses and manages risks associated with vendors and business partners.

PI1.3

SOC_2023_PI1.3

SOC 2023 PI1.3

Additional Criteria for Processing Integrity (Over the provision of services or the production, manufacturing, or distribution of goods)

Enhance efficiency, accuracy, and compliance with organizational standards and regulatory requirements with regards to system processing to result in products, services, and reporting to meet the entity’s objectives.

Shared

n/a

The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.

1.2

SWIFT_CSCF_2024_1.2

SWIFT Customer Security Controls Framework 2024 1.2

Privileged Account Control

Operating System Privileged Account Control

Shared

Tightly protecting administrator-level accounts within the operating system reduces the opportunity for an attacker to use the privileges of the account as part of an attack (for example, executing commands or deleting evidence).

To restrict and control the allocation and usage of administrator-level operating system accounts.

11.2

SWIFT_CSCF_2024_11.2

404 not found

n/a

2.7

SWIFT_CSCF_2024_2.7

SWIFT Customer Security Controls Framework 2024 2.7

Risk Management

Vulnerability Scanning

Shared

1. The detection of known vulnerabilities allows vulnerabilities to be analysed, treated, and mitigated. The mitigation of vulnerabilities reduces the number of pathways that a malicious actor can use during an attack. 2. A vulnerability scanning process that is comprehensive, repeatable, and performed in a timely manner is necessary to continuously detect known vulnerabilities and to allow for further action.

To identify known vulnerabilities within the user’s Swift environment by implementing a regular vulnerability scanning process and act upon results.

4.1

SWIFT_CSCF_2024_4.1

SWIFT Customer Security Controls Framework 2024 4.1

Password Management

Password Policy

Shared

1. Implementing a password policy that protects against common password attacks (for example, guessing and brute force) is effective for protecting against account compromise. Attackers often use the privileges of a compromised account to move laterally within an environment and progress the attack. 2. Another risk is the compromise of local authentication keys to tamper with the integrity of transactions. However, it is important to recognise that passwords alone are generally not sufficient in the current cyber-threat landscape. Users should consider this control in close relationship with the multi-factor authentication requirement.

To ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.

4.2

SWIFT_CSCF_2024_4.2

SWIFT Customer Security Controls Framework 2024 4.2

Access Control

Multi-Factor Authentication

Shared

1. Multi-factor authentication requires the presentation of two or more of the following common authentication factors: (A). Knowledge factor: something the operator knows (for example, a password) (B). Possession factor: something the operator has (for example, connected USB tokens or smart cards, or disconnected tokens such as a (time based) one-time password- (T)OTP- generator or application storing a cryptographic private key that runs on another device like operator’s mobile phone considered as a software token, RSA token, 3-Skey Digital and its mobile version considered as a software token, or Digipass) (C). Inherence factor: something the operator is (for example, biometrics such as fingerprints, retina scans, or voice recognition) Implementing multi-factor authentication provides an additional layer of protection against common authentication attacks (for example, shoulder surfing, password re-use, or weak passwords) and provides further protection from account compromises for malicious transaction processing. Attackers often use the privileges of a compromised account to move laterally within an environment and to progress an attack.

To prevent that a compromise of a single authentication factor allows access into Swift-related systems or applications by implementing multi-factor authentication.

5.1

SWIFT_CSCF_2024_5.1

SWIFT Customer Security Controls Framework 2024 5.1

Access Control

Logical Access Control

Shared

1. Applying the security principles of (1) need-to-know, (2) least privilege, and (3) separation of duties is essential to restricting access to the user’s Swift infrastructure. 2. Effective management of operator accounts reduces the opportunities for a malicious person to use these accounts as part of an attack.

To enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts.

5.2

SWIFT_CSCF_2024_5.2

SWIFT Customer Security Controls Framework 2024 5.2

Access Control

Token Management

Shared

1. The protection of connected and disconnected hardware authentication, personal tokens or software tokens is essential to safeguard the related operator or system account. 2. It also reinforces good security practice by providing an additional layer of protection from attackers.

To ensure the proper management, tracking, and use of connected and disconnected hardware authentication or personal and software tokens (when tokens are used).