Az Policy Advertizer

Canada_Federal_PBMM_3-1-2020_AC_1

AC_1

Canada Federal PBMM 3-1-2020 AC 1

Access Control Policy and Procedures

Shared

1. The organization develops, documents, and disseminates to personnel or roles with access control responsibilities: a. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the access control policy and associated access controls. 2. The organization reviews and updates the current: a. Access control policy at least every 3 years; and b. Access control procedures at least annually.

To establish and maintain effective access control measures.

Canada_Federal_PBMM_3-1-2020_AC_17(100)

AC_17(100)

Canada Federal PBMM 3-1-2020 AC 17(100)

Remote Access

Remote Access | Remote Access to Privileged Accounts using Dedicated Management Console

Shared

Remote access to privileged accounts is performed on dedicated management consoles governed entirely by the system’s security policies and used exclusively for this purpose (e.g. Internet access not allowed).

To reduce the risk of unauthorized access or compromise of privileged accounts.

Canada_Federal_PBMM_3-1-2020_AC_2(7)

AC_2(7)

Canada Federal PBMM 3-1-2020 AC 2(7)

Account Management

Account Management | Role-Based Schemes

Shared

1. The organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; 2. The organization monitors privileged role assignments; and 3. The organization disables (or revokes) privileged user assignments within 24 hours or sooner when privileged role assignments are no longer appropriate.

To strengthen the security posture and safeguard sensitive data and critical resources.

Canada_Federal_PBMM_3-1-2020_AC_2(9)

AC_2(9)

Canada Federal PBMM 3-1-2020 AC 2(9)

Account Management

Account Management | Restrictions on Use of Shared Groups / Accounts

Shared

The organization only permits the use of shared/group accounts that meet organization-defined conditions for establishing shared/group accounts.

To maintain security and accountability.

Canada_Federal_PBMM_3-1-2020_AC_3

AC_3

Canada Federal PBMM 3-1-2020 AC 3

Access Enforcement

Shared

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

To mitigate the risk of unauthorized access.

Canada_Federal_PBMM_3-1-2020_AC_6

AC_6

Canada Federal PBMM 3-1-2020 AC 6

Least Privilege

Shared

The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

To mitigate the risk of unauthorized access, data breaches, and system compromises.

Canada_Federal_PBMM_3-1-2020_AC_6(2)

AC_6(2)

Canada Federal PBMM 3-1-2020 AC 6(2)

Least Privilege

Least Privilege | Non-Privileged Access for Non-Security Functions

Shared

The organization requires that users of information system accounts, or roles, with access to any security function, use non-privileged accounts or roles, when accessing non-security functions.

To enhance security measures and minimise the risk of unauthorized access or misuse of privileges.

Canada_Federal_PBMM_3-1-2020_AU_9(4)

AU_9(4)

Canada Federal PBMM 3-1-2020 AU 9(4)

Protection of Audit Information

Protection of Audit Information | Access by Subset of Privileged Users

Shared

The organization authorizes access to management of audit functionality to only an organization-defined subset of privileged users.

To enhance security and maintain the integrity of audit processes.

Canada_Federal_PBMM_3-1-2020_CA_2(2)

CA_2(2)

Canada Federal PBMM 3-1-2020 CA 2(2)

Security Assessments

Security Assessments | Specialized Assessments

Shared

The organization includes as part of security control assessments that they will be announced and done at least annually and include at least vulnerability scanning and penetration testing.

To comprehensively evaluate security controls and identify potential weaknesses or vulnerabilities in the information system.

Canada_Federal_PBMM_3-1-2020_CA_7

CA_7

Canada Federal PBMM 3-1-2020 CA 7

Continuous Monitoring

Shared

1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency.

To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements.

124

Canada_Federal_PBMM_3-1-2020_CP_4

CP_4

Canada Federal PBMM 3-1-2020 CP 4

Contingency Plan Testing and Exercises

Contingency Plan Testing

Shared

1. The organization tests the contingency plan for the information system at least annually for moderate impact systems; at least every three years for low impact systems using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan. 2. The organization reviews the contingency plan test results. 3. The organization initiates corrective actions, if needed.

To enhance preparedness and resilience.

Canada_Federal_PBMM_3-1-2020_IR_9(1)

IR_9(1)

Canada Federal PBMM 3-1-2020 IR 9(1)

Information Spillage Response

Information Spillage Response | Responsible Personnel

Shared

The organization assigns incident response personnel as documented within the Incident Management Plan with responsibility for responding to information spills.

To assign a personnel for information spillage response.

Canada_Federal_PBMM_3-1-2020_IR_9(3)

IR_9(3)

Canada Federal PBMM 3-1-2020 IR 9(3)

Information Spillage Response

Information Spillage Response | Post-Spill Operations

Shared

The organization implements organization-defined procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

To ensure plan is in place for post-spill operations.

Canada_Federal_PBMM_3-1-2020_IR_9(4)

IR_9(4)

Canada Federal PBMM 3-1-2020 IR 9(4)

Information Spillage Response

Information Spillage Response | Exposure to Unauthorized Personnel

Shared

The organization employs organization-defined security safeguards for personnel exposed to information not within assigned access authorizations.

To mitigate the risk of information spillage.

Canada_Federal_PBMM_3-1-2020_MP_2

MP_2

404 not found

n/a

Canada_Federal_PBMM_3-1-2020_PS_6

PS_6

Canada Federal PBMM 3-1-2020 PS 6

Access Agreements

Shared

1. The organization develops and documents access agreements for organizational information systems. 2. The organization reviews and updates the access agreements at least annually. 3. The organization ensures that individuals requiring access to organizational information and information systems: a. Sign appropriate access agreements prior to being granted access; and b. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or at least annually.

To develop and document access agreements for organizational information systems.

CCCS

AU-12

CCCS_AU-12

CCCS AU-12

Audit and Accountability

Audit Generation

n/a

(A) The information system provides audit record generation capability for the auditable events defined in AU-2 a. of all information system and network components where audit capability is deployed/available. (B) The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system. (C) The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

CCCS

AU-3

CCCS_AU-3

CCCS AU-3

Audit and Accountability

Content of Audit Records

n/a

(A) The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

CCCS

SI-4

CCCS_SI-4

CCCS SI-4

System and Information Integrity

Information System Monitoring

n/a

(A) The organization monitors the information system to detect: (a) Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and (b) Unauthorized local, network, and remote connections; (B) The organization identifies unauthorized use of the information system through organization-defined techniques and methods. (C) The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. (D) The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. (E) The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. (F) The organization obtains legal opinion with regard to information system monitoring activities in accordance with orgnanizational policies, directives and standards. (G) The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency.

10.7

CIS_Controls_v8.1_10.7

CIS Controls v8.1 10.7

Malware Defenses

Use behaviour based anti-malware software

Shared

Use behaviour based anti-malware software

To ensure that a generic anti-malware software is not used.

13.1

CIS_Controls_v8.1_13.1

CIS Controls v8.1 13.1

Network Monitoring and Defense

Centralize security event alerting

Shared

1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard.

To ensure that any security event is immediately alerted enterprise-wide.

101

13.3

CIS_Controls_v8.1_13.3

CIS Controls v8.1 13.3

Network Monitoring and Defense

Deploy a network intrusion detection solution

Shared

1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

To enhance the organization's cybersecurity.

18.4

CIS_Controls_v8.1_18.4

CIS Controls v8.1 18.4

Penetration Testing

Validate security measures

Shared

Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.

To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise.

4.7

CIS_Controls_v8.1_4.7

CIS Controls v8.1 4.7

Secure Configuration of Enterprise Assets and Software

Manage default accounts on enterprise assets and software

Shared

1. Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. 2. Example implementations can include: disabling default accounts or making them unusable.

To ensure access to default accounts is restricted.

5.3

CIS_Controls_v8.1_5.3

CIS Controls v8.1 5.3

Account Management

Disable dormant accounts

Shared

Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.

To implement time based expiry of access to systems.

6.1

CIS_Controls_v8.1_6.1

CIS Controls v8.1 6.1

Access Control Management

Establish an access granting process

Shared

Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.

To implement role based access controls.

6.2

CIS_Controls_v8.1_6.2

CIS Controls v8.1 6.2

Access Control Management

Establish an access revoking process

Shared

1. Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. 2. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.

To restrict access to enterprise assets.

8.11

CIS_Controls_v8.1_8.11

CIS Controls v8.1 8.11

Audit Log Management

Conduct audit log reviews

Shared

1. Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. 2. Conduct reviews on a weekly, or more frequent, basis.

To ensure the integrity of the data in audit logs.

CMMC_L2_v1.9.0_SI.L2_3.14.3

9.3

CIS_Controls_v8.1_9.3

CIS Controls v8.1 9.3

Email and Web Browser Protections

Maintain and enforce network-based URL filters

Shared

1. Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. 2. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. 3. Enforce filters for all enterprise assets.

To prevent users from connecting to unsafe websites.

CMMC_2.0_L2

AU.L2-3.3.1

CMMC_2.0_L2_AU.L2-3.3.1

404 not found

n/a

CMMC_L2_v1.9.0

SI.L2_3.14.3

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.3

System and Information Integrity

Security Alerts & Advisories

Shared

Monitor system security alerts and advisories and take action in response.

To proactively defend against emerging threats and minimize the risk of security incidents or breaches.

CMMC_L2_v1.9.0

SI.L2_3.14.6

CMMC_L2_v1.9.0_SI.L2_3.14.6

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.6

System and Information Integrity

Monitor Communications for Attacks

Shared

Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

To protect systems and data from unauthorized access or compromise.

CMMC_L2_v1.9.0

SI.L2_3.14.7

CMMC_L2_v1.9.0_SI.L2_3.14.7

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.7

System and Information Integrity

Identify Unauthorized Use

Shared

Identify unauthorized use of organizational systems.

To enable the organization to take appropriate action, such as revoking access privileges, investigating security incidents, and implementing additional security controls to prevent future unauthorized access.

AU.2.041

CMMC_L3_AU.2.041

CMMC L3 AU.2.041

Audit and Accountability

Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP).

AU.2.042

CMMC_L3_AU.2.042

CMMC L3 AU.2.042

Audit and Accountability

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making.

AU.3.046

CMMC_L3_AU.3.046

CMMC L3 AU.3.046

Audit and Accountability

Alert in the event of an audit logging process failure.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both.

AU.3.048

CMMC_L3_AU.3.048

CMMC L3 AU.3.048

Audit and Accountability

Collect audit information (e.g., logs) into one or more central repositories.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Organizations must aggregate and store audit logs in a central location to enable analysis activities and protect audit information. The repository should have the necessary infrastructure, capacity, and protection mechanisms to meet the organization’s audit requirements.

CEK_03

CSA_v4.0.12_CEK_03

CSA Cloud Controls Matrix v4.0.12 CEK 03

Cryptography, Encryption & Key Management

Data Encryption

Shared

n/a

Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.

HRS_06

CSA_v4.0.12_HRS_06

CSA Cloud Controls Matrix v4.0.12 HRS 06

Human Resources

Employment Termination

Shared

n/a

Establish, document, and communicate to all personnel the procedures outlining the roles and responsibilities concerning changes in employment.

IAM_12

CSA_v4.0.12_IAM_12

CSA Cloud Controls Matrix v4.0.12 IAM 12

Identity & Access Management

Safeguard Logs Integrity

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures.

TVM_04

CSA_v4.0.12_TVM_04

CSA Cloud Controls Matrix v4.0.12 TVM 04

Threat & Vulnerability Management

Detection Updates

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis.

EU_2555_(NIS2)_2022_11

EU 2022/2555 (NIS2) 2022 11

Requirements, technical capabilities and tasks of CSIRTs

Shared

n/a

Outlines the requirements, technical capabilities, and tasks of CSIRTs.

EU_2555_(NIS2)_2022_12

EU 2022/2555 (NIS2) 2022 12

Coordinated vulnerability disclosure and a European vulnerability database

Shared

n/a

Establishes a coordinated vulnerability disclosure process and a European vulnerability database.

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

193

EU_2555_(NIS2)_2022_29

EU 2022/2555 (NIS2) 2022 29

Cybersecurity information-sharing arrangements

Shared

n/a

Allows entities to exchange relevant cybersecurity information on a voluntary basis.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

310

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

310

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

310

.11

FBI_Criminal_Justice_Information_Services_v5.9.5_5.11

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11

Policy and Implementation - Formal Audits

Policy Area 11: Formal Audits

Shared

Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit.

Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies.

FFIEC_CAT_2017

3.2.3

FFIEC_CAT_2017_3.2.3

FFIEC CAT 2017 3.2.3

Cybersecurity Controls

Event Detection

Shared

n/a

- A normal network activity baseline is established. - Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks. - Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. - Responsibilities for monitoring and reporting suspicious systems activity have been assigned. - The physical environment is monitored to detect potential unauthorized access.

HITRUST_CSF_v11.3

09.ab

HITRUST_CSF_v11.3_09.ab

HITRUST CSF v11.3 09.ab

Monitoring

Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls.

Shared

1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with.

Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly.

113

.17.4

IRS_1075_9.3.17.4

IRS 1075 9.3.17.4

System and Information Integrity

Information System Monitoring (SI-4)

n/a

The agency must: a. Monitor the information system to detect: 1. Attacks and indicators of potential attacks 2. Unauthorized local, network, and remote connections b. Identify unauthorized use of the information system c. Deploy monitoring devices: (i) strategically within the information system to collect agency-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the agency d. Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion e. Heighten the level of information system monitoring activity whenever there is an indication of increased risk to agency operations and assets, individuals, other organizations, or the nation, based on law enforcement information, intelligence information, or other credible sources of information f. Provide information system monitoring information to designated agency officials as needed g. Analyze outbound communications traffic at the external boundary of the information system and selected interior points within the network (e.g., subnetworks, subsystems) to discover anomalies--anomalies within agency information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses h. Employ automated mechanisms to alert security personnel of inappropriate or unusual activities with security implications (CE11) i. Implement host-based monitoring mechanisms (e.g., Host intrusion prevention system (HIPS)) on information systems that receive, process, store, or transmit FTI (CE23) The information system must: a. Monitor inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions (CE4) b. Alert designated agency officials when indications of compromise or potential compromise occur--alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms; intrusion detection or prevention mechanisms; or boundary protection devices, such as firewalls, gateways, and routers and alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging; agency personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers (CE5) c. Notify designated agency officials of detected suspicious events and take necessary actions to address suspicious events (CE7) Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and nearby server farms supporting critical applications, with such devices typically being employed at the managed interfaces.

.3.11

IRS_1075_9.3.3.11

IRS 1075 9.3.3.11

Awareness and Training

Audit Generation (AU-12)

n/a

The information system must: a. Provide audit record generation capability for the auditable events defined in Section 9.3.3.2, Audit Events (AU-2) b. Allow designated agency officials to select which auditable events are to be audited by specific components of the information system c. Generate audit records for the events with the content defined in Section 9.3.3.4, Content of Audit Records (AU-3).

.3.3

IRS_1075_9.3.3.3

IRS 1075 9.3.3.3

Awareness and Training

Content of Audit Records (AU-3)

n/a

The information system must: a. Generate audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event b. Generate audit records containing details to facilitate the reconstruction of events if unauthorized activity or a malfunction occurs or is suspected in the audit records for audit events identified by type, location, or subject (CE1)

.3.6

IRS_1075_9.3.3.6

IRS 1075 9.3.3.6

Awareness and Training

Audit Review, Analysis, and Reporting (AU-6)

n/a

The agency must: a. Review and analyze information system audit records at least weekly or more frequently at the discretion of the information system owner for indications of unusual activity related to potential unauthorized FTI access b. Report findings according to the agency incident response policy. If the finding involves a potential unauthorized disclosure of FTI, the appropriate special agent-in-charge, Treasury Inspector General for Tax Administration (TIGTA), and the IRS Office of Safeguards must be contacted, as described in Section 10.0, Reporting Improper Inspections or Disclosures. The Office of Safeguards recommends agencies identify events that may indicate a potential unauthorized access to FTI. This recommendation is not a requirement at this time, but agencies are encouraged to contact the Office of Safeguards with any questions regarding implementation strategies. Methods of detecting unauthorized access to FTI include matching audit trails to access attempts (successful or unsuccessful) across the following categories: Do Not Access List, Time of Day Access, Name Searches, Previous Accesses, Volume, Zip Code, Restricted TIN It is recommended the agency define a frequency in which the preceding categories are updated for an individual to ensure the information is kept current.

ISO_IEC_27002_2022

8.16

ISO_IEC_27002_2022_8.16

ISO IEC 27002 2022 8.16

Response, Detection, Corrective Control

Monitoring activities

Shared

Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.

To detect anomalous behaviour and potential information security incidents.

ISO27001-2013

A.12.4.1

ISO27001-2013_A.12.4.1

ISO 27001:2013 A.12.4.1

Operations Security

Event Logging

Shared

n/a

Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

ISO27001-2013

A.12.4.3

ISO27001-2013_A.12.4.3

ISO 27001:2013 A.12.4.3

Operations Security

Administrator and operator logs

Shared

n/a

System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

ISO27001-2013

A.12.4.4

ISO27001-2013_A.12.4.4

ISO 27001:2013 A.12.4.4

Operations Security

Clock Synchronization

Shared

n/a

The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.

NIST_SP_800-171_R3_3.14.6

NIST_CSF_v2.0

DE.CM

NIST_CSF_v2.0_DE.CM

404 not found

n/a

NIST_SP_800-171_R3_3

.14.6

NIST 800-171 R3 3.14.6

System and Information Integrity Control

System Monitoring

Shared

System monitoring involves external and internal monitoring. External monitoring includes the observation of events that occur at the system boundary. Internal monitoring includes the observation of events that occur within the system. Organizations can monitor the system, for example, by observing audit record activities in real time or by observing other system aspects, such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. A system monitoring capability is achieved through a variety of tools and techniques (e.g., audit record monitoring software, intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms that support critical applications with such devices being employed at managed system interfaces. The granularity of monitoring the information collected is based on organizational monitoring objectives and the capability of the system to support such objectives. Systems connections can be network, remote, or local. A network connection is any connection with a device that communicates through a network (e.g., local area network, the internet). A remote connection is any connection with a device that communicates through an external network (e.g., the internet). Network, remote, and local connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in the system or propagating among system components, the unauthorized export of information, or signaling to external systems. Evidence of malicious code is used to identify a potentially compromised system. System monitoring requirements, including the need for types of system monitoring, may be referenced in other requirements.

a. Monitor the system to detect: 1. Attacks and indicators of potential attacks; and 2. Unauthorized connections. b. Identify unauthorized use of the system. c. Monitor inbound and outbound communications traffic to detect unusual or unauthorized activities or conditions.

NIST_SP_800-53_R5.1.1

SI.4

NIST_SP_800-53_R5.1.1_SI.4

NIST SP 800-53 R5.1.1 SI.4

System and Information Integrity Control

System Monitoring

Shared

a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency] ].

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

NIST_SP_800-53_R5.1.1

SI.4.2

NIST_SP_800-53_R5.1.1_SI.4.2

NIST SP 800-53 R5.1.1 SI.4.2

System and Information Integrity Control

System Monitoring | Automated Tools and Mechanisms for Real-time Analysis

Shared

Employ automated tools and mechanisms to support near real-time analysis of events.

Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or security information and event management (SIEM) technologies that provide real-time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.

NIST_SP_800-53_R5.1.1

SI.4.5

NIST_SP_800-53_R5.1.1_SI.4.5

NIST SP 800-53 R5.1.1 SI.4.5

System and Information Integrity Control

System Monitoring | System-generated Alerts

Shared

Alert [Assignment: organization-defined personnel or roles] when the following system-generated indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].

Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in SI-4(12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats.

NZISM_Security_Benchmark_v1.1

AC-17

NZISM_Security_Benchmark_v1.1_AC-17

NZISM Security Benchmark AC-17

Access Control and Passwords

16.6.9 Events to be logged

Customer

Agencies MUST log, at minimum, the following events for all software components: logons; failed logon attempts; logoffs; date and time; all privileged operations; failed attempts to elevate privileges; security related system alerts and failures; system user and group additions, deletions and modification to permissions; and unauthorised or failed access attempts to systems and files identified as critical to the agency.

The events to be logged are key elements in the monitoring of the security posture of systems and contributing to reviews, audits, investigations and incident management.

14.3.12.C.01.

NZISM_v3.7_14.3.12.C.01.

NZISM v3.7 14.3.12.C.01.

Web Applications

14.3.12.C.01. - strengthening the overall security posture of the agency's network environment.

Shared

n/a

Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations.

16.1.31.C.01.

NZISM_v3.7_16.1.31.C.01.

NZISM v3.7 16.1.31.C.01.

Identification, Authentication and Passwords

16.1.31.C.01. - promote security and accountability within the agency's systems.

Shared

n/a

Agencies MUST: 1. develop, implement and maintain a set of policies and procedures covering all system users: a. identification; b. authentication; c. authorisation; d. privileged access identification and management; and 2. make their system users aware of the agency's policies and procedures.

16.1.32.C.01.

NZISM_v3.7_16.1.32.C.01.

NZISM v3.7 16.1.32.C.01.

Identification, Authentication and Passwords

16.1.32.C.01. - promote security and accountability within the agency's systems.

Shared

n/a

Agencies MUST ensure that all system users are: 1. uniquely identifiable; and 2. authenticated on each occasion that access is granted to a system.

19.1.10.C.01.

NZISM_v3.7_19.1.10.C.01.

NZISM v3.7 19.1.10.C.01.

Gateways

19.1.10.C.01. - ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks.

Shared

n/a

When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection.

19.1.11.C.01.

NZISM_v3.7_19.1.11.C.01.

NZISM v3.7 19.1.11.C.01.

Gateways

19.1.11.C.01. - ensure network protection through gateway mechanisms.

Shared

n/a

Agencies MUST ensure that: 1. all agency networks are protected from networks in other security domains by one or more gateways; 2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and 3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room.

19.1.11.C.02.

NZISM_v3.7_19.1.11.C.02.

NZISM v3.7 19.1.11.C.02.

Gateways

19.1.11.C.02. - maintain security and integrity across domains.

Shared

n/a

For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party.

19.1.12.C.01.

NZISM_v3.7_19.1.12.C.01.

NZISM v3.7 19.1.12.C.01.

Gateways

19.1.12.C.01. - minimize security risks and ensure effective control over network communications

Shared

n/a

Agencies MUST ensure that gateways: 1. are the only communications paths into and out of internal networks; 2. by default, deny all connections into and out of the network; 3. allow only explicitly authorised connections; 4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network); 5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and 6. provide real-time alerts.

19.1.14.C.01.

NZISM_v3.7_19.1.14.C.01.

NZISM v3.7 19.1.14.C.01.

Gateways

19.1.14.C.01. - enhance security by segregating resources from the internal network.

Shared

n/a

Agencies MUST use demilitarised zones to house systems and information directly accessed externally.

19.1.14.C.02.

NZISM_v3.7_19.1.14.C.02.

NZISM v3.7 19.1.14.C.02.

Gateways

19.1.14.C.02. - enhance security by segregating resources from the internal network.

Shared

n/a

Agencies SHOULD use demilitarised zones to house systems and information directly accessed externally.

19.1.19.C.01.

NZISM_v3.7_19.1.19.C.01.

NZISM v3.7 19.1.19.C.01.

Gateways

19.1.19.C.01. - enhance security posture.

Shared

n/a

Agencies MUST limit access to gateway administration functions.

19.2.16.C.02.

NZISM_v3.7_19.2.16.C.02.

NZISM v3.7 19.2.16.C.02.

Cross Domain Solutions (CDS)

19.2.16.C.02. - maintain security and prevent unauthorized access or disclosure of sensitive information.

Shared

n/a

Agencies MUST NOT implement a gateway permitting data to flow directly from: 1. a TOP SECRET network to any network below SECRET; 2. a SECRET network to an UNCLASSIFIED network; or 3. a CONFIDENTIAL network to an UNCLASSIFIED network.

19.2.18.C.01.

NZISM_v3.7_19.2.18.C.01.

NZISM v3.7 19.2.18.C.01.

Cross Domain Solutions (CDS)

19.2.18.C.01. - enhance data security and prevent unauthorized access or leakage between classified networks and less classified networks.

Shared

n/a

Agencies MUST ensure that all bi-directional gateways between TOP SECRET and SECRET networks, SECRET and less classified networks, and CONFIDENTIAL and less classified networks, have separate upward and downward paths which use a diode and physically separate infrastructure for each path.

19.2.19.C.01.

NZISM_v3.7_19.2.19.C.01.

NZISM v3.7 19.2.19.C.01.

Cross Domain Solutions (CDS)

19.2.19.C.01. - ensure the integrity and reliability of information accessed or received.

Shared

n/a

Trusted sources MUST be: 1. a strictly limited list derived from business requirements and the result of a security risk assessment; 2. where necessary an appropriate security clearance is held; and 3. approved by the Accreditation Authority.

19.2.19.C.02.

NZISM_v3.7_19.2.19.C.02.

NZISM v3.7 19.2.19.C.02.

Cross Domain Solutions (CDS)

19.2.19.C.02. - reduce the risk of unauthorized data transfers and potential breaches.

Shared

n/a

Trusted sources MUST authorise all data to be exported from a security domain.

19.2.20.C.01.

NZISM_v3.7_19.2.20.C.01.

NZISM v3.7 19.2.20.C.01.

Cross Domain Solutions (CDS)

19.2.20.C.01. - enhance security measures and enable timely detection and response to potential security incidents or breaches.

Shared

n/a

All data exported from a security domain MUST be logged.

19.3.8.C.03.

NZISM_v3.7_19.3.8.C.03.

NZISM v3.7 19.3.8.C.03.

Firewalls

19.3.8.C.03. - minimise the risk of unauthorized access or data leakage between networks

Shared

n/a

Agencies MUST use devices as shown in the following table for their gateway when connecting two networks of different classifications or two networks of the same classification but of different security domains. Your network: Restricted and below Their network: Unclassified You require: EAL4 firewall They require: N/A Your network: Restricted and below Their network: Restricted You require: EAL2 or PP firewall They require:EAL2 or PP firewall Your network: Restricted and below Their network: Confidential You require: EAL2 or PP firewall They require:EAL4 firewall Your network: Restricted and below Their network: Secret You require: EAL2 or PP firewall They require:EAL4 firewall Your network: Restricted and below Their network: Top Secret You require: EAL2 or PP firewall They require: Consultation with GCSB Your network: Confidential Their network: Unclassified You require: Consultation with GCSB They require: N/A Your network: Confidential Their network: Restricted You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Confidential Their network: Confidential You require: EAL2 or PP firewal They require: EAL2 or PP firewall Your network: Confidential Their network: Secret You require: EAL2 or PP firewal They require: EAL4 firewall Your network: Confidential Their network: Top Secret You require: EAL2 or PP firewall They require: Consultation with GCSB Your network: Secret Their network: Unclassified You require: Consultation with GCSB They require: N/A Your network: Secret Their network: Restricted You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Secret Their network: Confidential You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Secret Their network: Secret You require: EAL2 or PP firewall They require: EAL2 or PP firewall Your network: Secret Their network: Top Secret You require: EAL2 or PP firewall They require: EAL4 firewall Your network: Top Secret Their network: Unclassified You require: Consultation with GCSB They require: N/A Your network: Top Secret Their network: Restricted You require: Consultation with GCSB They require: EAL2 or PP firewall Your network: Top Secret Their network: Confidential You require: Consultation with GCSB They require: EAL2 or PP firewall Your network: Top Secret Their network: Secret You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Top Secret Their network: Top Secret You require: EAL4 firewall They require: EAL4 firewall

op.exp.8 Recording of the activity

404 not found

n/a

10.3.4

PCI_DSS_v4.0.1_10.3.4

PCI DSS v4.0.1 10.3.4

Log and Monitor All Access to System Components and Cardholder Data

Log Integrity Monitoring

Shared

n/a

File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts.

11.5.1

PCI_DSS_v4.0.1_11.5.1

PCI DSS v4.0.1 11.5.1

Test Security of Systems and Networks Regularly

Intrusion Detection/Prevention

Shared

n/a

Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network as follows: • All traffic is monitored at the perimeter of the CDE. • All traffic is monitored at critical points in the CDE. • Personnel are alerted to suspected compromises. • All intrusion-detection and prevention engines, baselines, and signatures are kept up to date

11.5.1.1

PCI_DSS_v4.0.1_11.5.1.1

PCI DSS v4.0.1 11.5.1.1

Test Security of Systems and Networks Regularly

Covert Malware Detection

Shared

n/a

Additional requirement for service providers only: Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels.

11.5.2

PCI_DSS_v4.0.1_11.5.2

PCI DSS v4.0.1 11.5.2

Test Security of Systems and Networks Regularly

Change-Detection Mechanism Deployment

Shared

n/a

A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows: • To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files. • To perform critical file comparisons at least once weekly.

RBI_ITF_NBFC_v2017

3.1.g

RBI_ITF_NBFC_v2017_3.1.g

RBI IT Framework 3.1.g

Information and Cyber Security

Trails-3.1

n/a

The IS Policy must provide for a IS framework with the following basic tenets: Trails- NBFCs shall ensure that audit trails exist for IT assets satisfying its business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail.

RMiT_v1.0

10.66

RMiT_v1.0_10.66

RMiT 10.66

Security of Digital Services

Security of Digital Services - 10.66

Shared

n/a

A financial institution must implement robust technology security controls in providing digital services which assure the following: (a) confidentiality and integrity of customer and counterparty information and transactions; (b) reliability of services delivered via channels and devices with minimum disruption to services; (c) proper authentication of users or devices and authorisation of transactions; (d) sufficient audit trail and monitoring of anomalous transactions; (e) ability to identify and revert to the recovery point prior to incident or service disruption; and (f) strong physical control and logical control measures

A1.1

SOC_2023_A1.1

SOC 2023 A1.1

Additional Criteria for Availability

Effectively manage capacity demand and facilitate the implementation of additional capacity as needed.

Shared

n/a

The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

111

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

218

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

229

CC7.2

SOC_2023_CC7.2

SOC 2023 CC7.2

Systems Operations

Maintain robust security measures and ensure operational resilience.

Shared

n/a

The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events.

167

CC7.4

SOC_2023_CC7.4

SOC 2023 CC7.4

Systems Operations

Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation.

Shared

n/a

The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations.

213

CC8.1

SOC_2023_CC8.1

SOC 2023 CC8.1

Change Management

Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change.

Shared

n/a

The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations.

147

SWIFT_CSCF_2024

2.9

SWIFT_CSCF_2024_2.9

SWIFT Customer Security Controls Framework 2024 2.9

Transaction Controls

Transaction Business Controls

Shared

1. Implementing business controls that restrict Swift transactions to the fullest extent possible reduces the opportunity for the sending (outbound) and, optionally, receiving (inbound) of fraudulent transactions. 2. These restrictions are best determined through an analysis of normal business activity. Parameters can then be set to restrict business to acceptable thresholds based on “normal” activity.

To ensure outbound transaction activity within the expected bounds of normal business.

SWIFT_CSCF_2024

6.4

SWIFT_CSCF_2024_6.4

SWIFT Customer Security Controls Framework 2024 6.4

Access Control

Logging and Monitoring

Shared

1. Developing a logging and monitoring plan is the basis for effectively detecting abnormal behaviour and potential attacks and support further investigations. 2. As the operational environment becomes more complex, so will the logging and monitoring capability needed to perform adequate detection. Simplifying the operational environment will enable simpler logging and monitoring.

To record security events, detect and respond to anomalous actions and operations within the user’s Swift environment.

SWIFT_CSCF_2024

6.5

SWIFT_CSCF_2024_6.5

404 not found

n/a

SWIFT_CSCF_v2021

6.4

SWIFT_CSCF_v2021_6.4

SWIFT CSCF v2021 6.4

Detect Anomalous Activity to Systems or Transaction Records

Logging and Monitoring

n/a

Record security events and detect anomalous actions and operations within the local SWIFT environment.

SWIFT_CSCF_v2022

6.4

SWIFT_CSCF_v2022_6.4

SWIFT CSCF v2022 6.4

6. Detect Anomalous Activity to Systems or Transaction Records

Record security events and detect anomalous actions and operations within the local SWIFT environment.

Shared

n/a

Capabilities to detect anomalous activity are implemented, and a process or tool is in place to keep and review logs.

U.15.1 - Events Logged

404 not found

n/a

U.15.3 - Events Logged

U.15.3 - Events logged

404 not found

n/a

UK_NCSC_CAF_v3.2_C

404 not found

n/a

UK_NCSC_CAF_v3.2_C1

404 not found

n/a

C1.c

UK_NCSC_CAF_v3.2_C1.c

NCSC Cyber Assurance Framework (CAF) v3.2 C1.c

Security Monitoring

Generating Alerts

Shared

1. Logging data is enriched with other network knowledge and data when investigating certain suspicious activity or alerts. 2. A wide range of signatures and indicators of compromise is used for investigations of suspicious activity and alerts. 3. Alerts can be easily resolved to network assets using knowledge of networks and systems. The resolution of these alerts is performed in almost real time. 4. Security alerts relating to all essential functions are prioritised and this information is used to support incident management. 5. Logs are reviewed almost continuously, in real time. 6. Alerts are tested to ensure that they are generated reliably and that it is possible to distinguish genuine security incidents from false alarms.

Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts.

C1.d

UK_NCSC_CAF_v3.2_C1.d

NCSC Cyber Assurance Framework (CAF) v3.2 C1.d

Security Monitoring

Identifying Security Incidents

Shared

1. Select threat intelligence sources or services using risk-based and threat-informed decisions based on the business needs and sector (e.g. vendor reporting and patching, strong anti-virus providers, sector and community-based info share, special interest groups). 2. Apply all new signatures and IoCs within a reasonable (risk-based) time of receiving them. 3. Receive signature updates for all the protective technologies (e.g. AV, IDS). 4. Track the effectiveness of the intelligence feeds and actively share feedback on the usefulness of IoCs and any other indicators with the threat community (e.g. sector partners, threat intelligence providers, government agencies).

Contextualise alerts with knowledge of the threat and the systems, to identify those security incidents that require some form of response.

UK_NCSC_CAF_v3.2_C2

404 not found

n/a