compliance controls are associated with this Policy definition 'Storage Accounts should use a virtual network service endpoint' (60d21c4f-21a3-4d94-85f4-b924e6aeeda4)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
Azure_Security_Benchmark_v1.0 |
1.1 |
Azure_Security_Benchmark_v1.0_1.1 |
Azure Security Benchmark 1.1 |
Network Security |
Protect resources using Network Security Groups or Azure Firewall on your Virtual Network |
Customer |
Ensure that all Virtual Network subnet deployments have a Network Security Group applied with network access controls specific to your application's trusted ports and sources. Use Azure Services with Private Link enabled, deploy the service inside your Vnet, or connect privately using Private Endpoints. For service specific requirements, please refer to the security recommendation for that specific service.
Alternatively, if you have a specific use case, requirements can be met by implementing Azure Firewall.
General Information on Private Link:
https://docs.microsoft.com/azure/private-link/private-link-overview
How to create a Virtual Network:
https://docs.microsoft.com/azure/virtual-network/quick-create-portal
How to create an NSG with a security configuration:
https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic
How to deploy and configure Azure Firewall:
https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal |
n/a |
link |
20 |
Canada_Federal_PBMM_3-1-2020 |
RA_5(1) |
Canada_Federal_PBMM_3-1-2020_RA_5(1) |
Canada Federal PBMM 3-1-2020 RA 5(1) |
Vulnerability Scanning |
Vulnerability Scanning | Update Tool Capability |
Shared |
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned. |
To employ vulnerability scanning tools. |
|
21 |
Canada_Federal_PBMM_3-1-2020 |
SI_8(1) |
Canada_Federal_PBMM_3-1-2020_SI_8(1) |
Canada Federal PBMM 3-1-2020 SI 8(1) |
Spam Protection |
Spam Protection | Central Management of Protection Mechanisms |
Shared |
The organization centrally manages spam protection mechanisms. |
To enhance overall security posture. |
|
88 |
CIS_Controls_v8.1 |
12.7 |
CIS_Controls_v8.1_12.7 |
CIS Controls v8.1 12.7 |
Network Infrastructure Management |
Ensure remote devices utilize a VPN and are connecting to an enterprise's AAA infrastructure. |
Shared |
Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices.
|
To create a layer of security to ensure protection of data. |
|
7 |
CIS_Controls_v8.1 |
6.3 |
CIS_Controls_v8.1_6.3 |
CIS Controls v8.1 6.3 |
Access Control Management |
Require MFA for externally-exposed applications |
Shared |
1. Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported.
2. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this safeguard. |
To ensure unauthorised persons are unable to access approved applications. |
|
7 |
CIS_Controls_v8.1 |
6.4 |
CIS_Controls_v8.1_6.4 |
CIS Controls v8.1 6.4 |
Access Control Management |
Require MFA for remote network access |
Shared |
Require MFA for remote network access. |
To authenticate users accessing network remotely and ensure safety of enterprise data. |
|
7 |
CMMC_L2_v1.9.0 |
AC.L1_3.1.20 |
CMMC_L2_v1.9.0_AC.L1_3.1.20 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L1 3.1.20 |
Access Control |
External Connections |
Shared |
Verify and control/limit connections to and use of external information systems. |
To enhance security and minimise potential risks associated with external access. |
|
27 |
CMMC_L2_v1.9.0 |
AC.L2_3.1.13 |
CMMC_L2_v1.9.0_AC.L2_3.1.13 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.13 |
Access Control |
Remote Access Confidentiality |
Shared |
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. |
To enhance security by encrypting data transmitted over the network. |
|
4 |
CMMC_L2_v1.9.0 |
CM.L2_3.4.1 |
CMMC_L2_v1.9.0_CM.L2_3.4.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.1 |
Configuration Management |
System Baselining |
Shared |
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. |
To ensure consistency, security, and compliance with organizational standards and requirements. |
|
17 |
CMMC_L2_v1.9.0 |
CM.L2_3.4.2 |
CMMC_L2_v1.9.0_CM.L2_3.4.2 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.2 |
Configuration Management |
Security Configuration Enforcement |
Shared |
Establish and enforce security configuration settings for information technology products employed in organizational systems. |
To mitigate vulnerabilities and enhance overall security posture. |
|
11 |
CMMC_L2_v1.9.0 |
CM.L2_3.4.6 |
CMMC_L2_v1.9.0_CM.L2_3.4.6 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.6 |
Configuration Management |
Least Functionality |
Shared |
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. |
To reduce the risk of unauthorized access or exploitation of system vulnerabilities. |
|
11 |
CMMC_L2_v1.9.0 |
PE.L2_3.10.6 |
CMMC_L2_v1.9.0_PE.L2_3.10.6 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 PE.L2 3.10.6 |
Physical Protection |
Alternative Work Sites |
Shared |
Enforce safeguarding measures for CUI at alternate work sites. |
To ensure that sensitive information is protected even when employees are working remotely or at off-site locations. |
|
11 |
CMMC_L2_v1.9.0 |
SC.L2_3.13.7 |
CMMC_L2_v1.9.0_SC.L2_3.13.7 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.7 |
System and Communications Protection |
Split Tunneling |
Shared |
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). |
To mitigate security risks. |
|
23 |
CSA_v4.0.12 |
AIS_02 |
CSA_v4.0.12_AIS_02 |
CSA Cloud Controls Matrix v4.0.12 AIS 02 |
Application & Interface Security |
Application Security Baseline Requirements |
Shared |
n/a |
Establish, document and maintain baseline requirements for securing
different applications. |
|
11 |
CSA_v4.0.12 |
CCC_02 |
CSA_v4.0.12_CCC_02 |
CSA Cloud Controls Matrix v4.0.12 CCC 02 |
Change Control and Configuration Management |
Quality Testing |
Shared |
n/a |
Follow a defined quality change control, approval and testing process
with established baselines, testing, and release standards. |
|
12 |
CSA_v4.0.12 |
CCC_03 |
CSA_v4.0.12_CCC_03 |
CSA Cloud Controls Matrix v4.0.12 CCC 03 |
Change Control and Configuration Management |
Change Management Technology |
Shared |
n/a |
Manage the risks associated with applying changes to organization
assets, including application, systems, infrastructure, configuration, etc.,
regardless of whether the assets are managed internally or externally (i.e.,
outsourced). |
|
31 |
CSA_v4.0.12 |
CCC_09 |
CSA_v4.0.12_CCC_09 |
CSA Cloud Controls Matrix v4.0.12 CCC 09 |
Change Control and Configuration Management |
Change Restoration |
Shared |
n/a |
Define and implement a process to proactively roll back changes to
a previous known good state in case of errors or security concerns. |
|
11 |
CSA_v4.0.12 |
HRS_04 |
CSA_v4.0.12_HRS_04 |
CSA Cloud Controls Matrix v4.0.12 HRS 04 |
Human Resources |
Remote and Home Working Policy and Procedures |
Shared |
n/a |
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures to protect information accessed, processed or stored
at remote sites and locations. Review and update the policies and procedures
at least annually. |
|
7 |
CSA_v4.0.12 |
UEM_03 |
CSA_v4.0.12_UEM_03 |
CSA Cloud Controls Matrix v4.0.12 UEM 03 |
Universal Endpoint Management |
Compatibility |
Shared |
n/a |
Define and implement a process for the validation of the endpoint
device's compatibility with operating systems and applications. |
|
11 |
CSA_v4.0.12 |
UEM_05 |
CSA_v4.0.12_UEM_05 |
CSA Cloud Controls Matrix v4.0.12 UEM 05 |
Universal Endpoint Management |
Endpoint Management |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to enforce policies and controls for all endpoints permitted to access
systems and/or store, transmit, or process organizational data. |
|
11 |
Cyber_Essentials_v3.1 |
1 |
Cyber_Essentials_v3.1_1 |
Cyber Essentials v3.1 1 |
Cyber Essentials |
Firewalls |
Shared |
n/a |
Aim: to make sure that only secure and necessary network services can be accessed from the internet. |
|
37 |
Cyber_Essentials_v3.1 |
4 |
Cyber_Essentials_v3.1_4 |
Cyber Essentials v3.1 4 |
Cyber Essentials |
User Access Control |
Shared |
n/a |
Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role. |
|
74 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
194 |
EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
311 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.1 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 |
Policy and Implementation - Systems And Communications Protection |
Systems And Communications Protection |
Shared |
In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. |
Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. |
|
111 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.5 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 |
Policy and Implementation - Access Control |
Access Control |
Shared |
Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. |
Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. |
|
97 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.7 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 |
|
|
|
|
n/a |
n/a |
|
96 |
hipaa |
0805.01m1Organizational.12-01.m |
hipaa-0805.01m1Organizational.12-01.m |
0805.01m1Organizational.12-01.m |
08 Network Protection |
0805.01m1Organizational.12-01.m 01.04 Network Access Control |
Shared |
n/a |
The organization's security gateways (e.g., firewalls) (i) enforce security policies; (ii) are configured to filter traffic between domains; (iii) block unauthorized access; (iv) are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet), including DMZs; and, (vi) enforce access control policies for each of the domains. |
|
12 |
hipaa |
0806.01m2Organizational.12356-01.m |
hipaa-0806.01m2Organizational.12356-01.m |
0806.01m2Organizational.12356-01.m |
08 Network Protection |
0806.01m2Organizational.12356-01.m 01.04 Network Access Control |
Shared |
n/a |
The organization’s network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. |
|
13 |
hipaa |
0867.09m3Organizational.17-09.m |
hipaa-0867.09m3Organizational.17-09.m |
0867.09m3Organizational.17 - 09.m |
Network Controls |
Wireless access points are placed in secure areas and shut down when not in use (e.g. nights, weekends). |
Customer |
n/a |
Wireless access is not implemented for Azure datacenter or service provision environments. Therefore, this requirement is not applicable. |
|
1 |
hipaa |
0894.01m2Organizational.7-01.m |
hipaa-0894.01m2Organizational.7-01.m |
0894.01m2Organizational.7-01.m |
08 Network Protection |
0894.01m2Organizational.7-01.m 01.04 Network Access Control |
Shared |
n/a |
Networks are segregated from production-level networks when migrating physical servers, applications, or data to virtualized servers. |
|
19 |
HITRUST_CSF_v11.3 |
01.i |
HITRUST_CSF_v11.3_01.i |
HITRUST CSF v11.3 01.i |
Network Access Control |
To implement role based access to internal and external network services. |
Shared |
1. It is to be determined who is allowed access to which network and what networked services.
2. The networks and network services to which users have authorized access is to be specified. |
Users shall only be provided with access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied for users and equipment. |
|
11 |
HITRUST_CSF_v11.3 |
01.j |
HITRUST_CSF_v11.3_01.j |
HITRUST CSF v11.3 01.j |
Network Access Control |
To prevent unauthorized access to networked services. |
Shared |
1. External access to systems to be strictly regulated and tightly controlled.
2. External access to sensitive systems to be automatically deactivated immediately after use.
3. Authentication of remote users to be done by using cryptography, biometrics, hardware tokens, software tokens, a challenge/response protocol, or certificate agents.
4. Dial-up connections to be encrypted. |
Appropriate authentication methods shall be used to control access by remote users. |
|
16 |
HITRUST_CSF_v11.3 |
01.n |
HITRUST_CSF_v11.3_01.n |
HITRUST CSF v11.3 01.n |
Network Access Control |
To prevent unauthorised access to shared networks. |
Shared |
A default deny policy at managed interfaces, restricted user connections through network gateways, comprehensive access controls, time-based restrictions, and encryption of sensitive information transmitted over public networks are to be implemented for enhanced security. |
For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications. |
|
55 |
HITRUST_CSF_v11.3 |
10.k |
HITRUST_CSF_v11.3_10.k |
HITRUST CSF v11.3 10.k |
Security In Development and Support Processes |
To ensure the security of application system software and information through the development process, project and support environments shall be strictly controlled. |
Shared |
1. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management is to be formally addressed.
2. Changes to mobile device operating systems, patch levels, and/or applications is to be managed through a formal change management process.
3. A baseline configuration of the information system is to be developed, documented, and maintained under configuration control. |
The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures. |
|
34 |
ISO_IEC_27002_2022 |
6.7 |
ISO_IEC_27002_2022_6.7 |
ISO IEC 27002 2022 6.7 |
Protection,
Preventive, Control |
Remote working |
Shared |
Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.
|
To ensure the security of information when personnel are working remotely. |
|
11 |
ISO_IEC_27002_2022 |
8.9 |
ISO_IEC_27002_2022_8.9 |
ISO IEC 27002 2022 8.9 |
Protection,
Preventive Control |
Configuration management |
Shared |
Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.
|
To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes. |
|
21 |
NIST_SP_800-171_R3_3 |
.1.12 |
NIST_SP_800-171_R3_3.1.12 |
NIST 800-171 R3 3.1.12 |
Access Control |
Remote Access |
Shared |
Remote access to the system represents a significant potential vulnerability that can be exploited by adversaries. Monitoring and controlling remote access methods allows organizations to detect attacks and ensure compliance with remote access policies. This occurs by auditing the connection activities of remote users on the systems. Routing remote access through managed access control points enhances explicit control over such connections and reduces susceptibility to unauthorized access to the system, which could result in the unauthorized disclosure of CUI. Restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and its susceptibility to threats by adversaries. A privileged command is a human-initiated command executed on a system that involves the control, monitoring, or administration of the system, including security functions and security-relevant information. Security-relevant information is information that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling access from remote locations helps to ensure that unauthorized individuals are unable to execute such commands with the potential to do serious or catastrophic damage to the system. |
a. Establish usage restrictions, configuration requirements, and connection requirements for each type of allowable remote system access.
b. Authorize each type of remote system access prior to establishing such connections.
c. Route remote access to the system through authorized and managed access control points.
d. Authorize remote execution of privileged commands and remote access to security-relevant information. |
|
15 |
NIST_SP_800-171_R3_3 |
.1.18 |
NIST_SP_800-171_R3_3.1.18 |
NIST 800-171 R3 3.1.18 |
Access Control |
Access Control for Mobile Devices |
Shared |
A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable, or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, smart watches, and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of mobile devices may be comparable to or a subset of notebook or desktop systems, depending on the nature and intended purpose of the device. The protection and control of mobile devices is behavior- or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which the organization provides physical or procedural controls to meet the requirements established for protecting CUI.
Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions, configuration requirements, and connection requirements for mobile devices include configuration management, device identification and authentication, implementing mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices. Container-based encryption provides a fine-grained approach to the encryption of data and information, including encrypting selected data structures (e.g., files, records, or fields). |
a. Establish usage restrictions, configuration requirements, and connection requirements for mobile devices.
b. Authorize the connection of mobile devices to the system.
c. Implement full-device or container-based encryption to protect the confidentiality of CUI on mobile devices. |
|
28 |
NIST_SP_800-171_R3_3 |
.13.9 |
NIST_SP_800-171_R3_3.13.9 |
NIST 800-171 R3 3.13.9 |
System and Communications Protection Control |
Network Disconnect |
Shared |
This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes deallocating TCP/IP addresses or port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single network connection. Time periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses. |
Terminate network connections associated with communications sessions at the end of the sessions or after periods of inactivity. |
|
27 |
NIST_SP_800-171_R3_3 |
.4.1 |
NIST_SP_800-171_R3_3.4.1 |
|
|
|
|
n/a |
n/a |
|
9 |
NIST_SP_800-53_R5.1.1 |
AC.17 |
NIST_SP_800-53_R5.1.1_AC.17 |
NIST SP 800-53 R5.1.1 AC.17 |
Access Control |
Remote Access |
Shared |
a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorize each type of remote access to the system prior to allowing such connections. |
Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3. Enforcing access restrictions for remote access is addressed via AC-3. |
|
11 |
NIST_SP_800-53_R5.1.1 |
AC.17.2 |
NIST_SP_800-53_R5.1.1_AC.17.2 |
NIST SP 800-53 R5.1.1 AC.17.2 |
Access Control |
Remote Access | Protection of Confidentiality and Integrity Using Encryption |
Shared |
Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. |
Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions. |
|
4 |
NIST_SP_800-53_R5.1.1 |
CM.2 |
NIST_SP_800-53_R5.1.1_CM.2 |
NIST SP 800-53 R5.1.1 CM.2 |
Configuration Management Control |
Baseline Configuration |
Shared |
a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
b. Review and update the baseline configuration of the system:
1. [Assignment: organization-defined frequency];
2. When required due to [Assignment: organization-defined circumstances]; and
3. When system components are installed or upgraded. |
Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture. |
|
9 |
NIST_SP_800-53_R5.1.1 |
SC.7.3 |
NIST_SP_800-53_R5.1.1_SC.7.3 |
NIST SP 800-53 R5.1.1 SC.7.3 |
System and Communications Protection |
Boundary Protection | Access Points |
Shared |
Limit the number of external network connections to the system. |
Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC] initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system. |
|
25 |
NIST_SP_800-53_R5.1.1 |
SC.7.7 |
NIST_SP_800-53_R5.1.1_SC.7.7 |
NIST SP 800-53 R5.1.1 SC.7.7 |
System and Communications Protection |
Boundary Protection | Split Tunneling for Remote Devices |
Shared |
Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards]. |
Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices and simultaneously, access uncontrolled networks. Split tunneling might be desirable by remote users to communicate with local system resources, such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. Split tunneling can be prevented by disabling configuration settings that allow such capability in remote devices and by preventing those configuration settings from being configurable by users. Prevention can also be achieved by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of pre-approved addresses, without user control. |
|
4 |
NIST_SP_800-53_R5.1.1 |
SC.7.8 |
NIST_SP_800-53_R5.1.1_SC.7.8 |
NIST SP 800-53 R5.1.1 SC.7.8 |
System and Communications Protection |
Boundary Protection | Route Traffic to Authenticated Proxy Servers |
Shared |
Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces. |
External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for “man-in-the-middle” attacks (depending on the implementation). |
|
1 |
NZISM_v3.7 |
14.1.13.C.01. |
NZISM_v3.7_14.1.13.C.01. |
NZISM v3.7 14.1.13.C.01. |
Standard Operating Environments |
14.1.13.C.01. - To maintain the confidentiality and integrity of critical system information, thereby enhancing overall cybersecurity posture. |
Shared |
n/a |
Agencies SHOULD review all software applications to determine whether they attempt to establish any unauthorised or unplanned external connections. |
|
9 |
NZISM_v3.7 |
14.1.13.C.02. |
NZISM_v3.7_14.1.13.C.02. |
NZISM v3.7 14.1.13.C.02. |
Standard Operating Environments |
14.1.13.C.02. - To maintain the confidentiality and integrity of critical system information, thereby enhancing overall cybersecurity posture. |
Shared |
n/a |
If automated outbound connection functionality is included, agencies SHOULD make a business decision to determine whether to permit or deny these connections, including an assessment of the security risks involved in doing so. |
|
9 |
NZISM_v3.7 |
14.1.13.C.03. |
NZISM_v3.7_14.1.13.C.03. |
NZISM v3.7 14.1.13.C.03. |
Standard Operating Environments |
14.1.13.C.03. - To maintain the confidentiality and integrity of critical system information, thereby enhancing overall cybersecurity posture. |
Shared |
n/a |
If automated outbound connection functionality is included, agencies SHOULD consider the implementation of Data Loss Prevention (DLP) technologies. |
|
9 |
NZISM_v3.7 |
14.1.14.C.01. |
NZISM_v3.7_14.1.14.C.01. |
NZISM v3.7 14.1.14.C.01. |
Standard Operating Environments |
14.1.14.C.01. - To maintain the confidentiality and integrity of critical system information, thereby enhancing overall cybersecurity posture. |
Shared |
n/a |
Agencies SHOULD limit information that could be disclosed outside the agency about what software, and software versions are installed on their systems. |
|
9 |
NZISM_v3.7 |
14.1.9.C.02. |
NZISM_v3.7_14.1.9.C.02. |
NZISM v3.7 14.1.9.C.02. |
Standard Operating Environments |
14.1.9.C.02. - To maintain the integrity and reliability of servers and workstations within the agency's environment. |
Shared |
n/a |
Agencies SHOULD ensure that for all servers and workstations:
1. malware detection heuristics are set to a high level;
2. malware pattern signatures are checked for updates on at least a daily basis;
3. malware pattern signatures are updated as soon as possible after vendors make them available;
4. all disks and systems are regularly scanned for malicious code; and
5. the use of End Point Agents is considered. |
|
9 |
NZISM_v3.7 |
14.2.4.C.01. |
NZISM_v3.7_14.2.4.C.01. |
NZISM v3.7 14.2.4.C.01. |
Application Allow listing |
14.2.4.C.01. - To mitigate security risks, and ensure compliance with security policies and standards. |
Shared |
n/a |
Agencies SHOULD implement application allow listing as part of the SOE for workstations, servers and any other network device. |
|
25 |
NZISM_v3.7 |
14.2.7.C.04. |
NZISM_v3.7_14.2.7.C.04. |
NZISM v3.7 14.2.7.C.04. |
Application Allow listing |
14.2.7.C.04. - To minimise the risk of unauthorized or malicious executables running on their systems. |
Shared |
n/a |
Agencies SHOULD restrict the decision whether to run an executable based on the following, in the order of preference shown:
1. validated cryptographic hash;
2. executable absolute path;
3. digital signature; and
4. parent folder. |
|
9 |
NZISM_v3.7 |
14.2.7.C.05. |
NZISM_v3.7_14.2.7.C.05. |
NZISM v3.7 14.2.7.C.05. |
Application Allow listing |
14.2.7.C.05. - To enhance the security posture. |
Shared |
n/a |
Agencies SHOULD restrict the process creation permissions of any executables which are permitted to run by the application allow listing controls. |
|
9 |
NZISM_v3.7 |
14.3.12.C.01. |
NZISM_v3.7_14.3.12.C.01. |
NZISM v3.7 14.3.12.C.01. |
Web Applications |
14.3.12.C.01. - To strengthen the overall security posture of the agency's network environment. |
Shared |
n/a |
Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations. |
|
81 |
NZISM_v3.7 |
16.5.10.C.01. |
NZISM_v3.7_16.5.10.C.01. |
NZISM v3.7 16.5.10.C.01. |
Remote Access |
16.5.10.C.01. - To enhance security and reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies MUST authenticate each remote connection and user prior to permitting access to an agency system. |
|
11 |
NZISM_v3.7 |
16.5.10.C.02. |
NZISM_v3.7_16.5.10.C.02. |
NZISM v3.7 16.5.10.C.02. |
Remote Access |
16.5.10.C.02. - To enhance security and reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies SHOULD authenticate both the remote system user and device during the authentication process. |
|
21 |
NZISM_v3.7 |
16.5.11.C.01. |
NZISM_v3.7_16.5.11.C.01. |
NZISM v3.7 16.5.11.C.01. |
Remote Access |
16.5.11.C.01. - To enhance security and reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies MUST NOT allow the use of remote privileged access from an untrusted domain, including logging in as an unprivileged system user and then escalating privileges. |
|
11 |
NZISM_v3.7 |
16.5.11.C.02. |
NZISM_v3.7_16.5.11.C.02. |
NZISM v3.7 16.5.11.C.02. |
Remote Access |
16.5.11.C.02. - To enhance security and reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies SHOULD NOT allow the use of remote privileged access from an untrusted domain, including logging in as an unprivileged system user and then escalating privileges. |
|
11 |
NZISM_v3.7 |
16.5.12.C.01. |
NZISM_v3.7_16.5.12.C.01. |
NZISM v3.7 16.5.12.C.01. |
Remote Access |
16.5.12.C.01. - To enhance security and reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies SHOULD establish VPN connections for all remote access connections. |
|
11 |
NZISM_v3.7 |
17.8.10.C.01. |
NZISM_v3.7_17.8.10.C.01. |
NZISM v3.7 17.8.10.C.01. |
Internet Protocol Security (IPSec) |
17.8.10.C.01. - To enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies SHOULD use tunnel mode for IPSec connections. |
|
22 |
NZISM_v3.7 |
17.8.10.C.02. |
NZISM_v3.7_17.8.10.C.02. |
NZISM v3.7 17.8.10.C.02. |
Internet Protocol Security (IPSec) |
17.8.10.C.02. - To enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies choosing to use transport mode SHOULD additionally use an IP tunnel for IPSec connections. |
|
35 |
PCI_DSS_v4.0.1 |
1.2.1 |
PCI_DSS_v4.0.1_1.2.1 |
PCI DSS v4.0.1 1.2.1 |
Install and Maintain Network Security Controls |
Configuration standards for NSC rulesets are defined, implemented, and maintained |
Shared |
n/a |
Examine the configuration standards for NSC rulesets to verify the standards are in accordance with all elements specified in this requirement. Examine configuration settings for NSC rulesets to verify that rulesets are implemented according to the configuration standards. |
|
11 |
PCI_DSS_v4.0.1 |
1.2.7 |
PCI_DSS_v4.0.1_1.2.7 |
PCI DSS v4.0.1 1.2.7 |
Install and Maintain Network Security Controls |
Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective |
Shared |
n/a |
Examine documentation to verify procedures are defined for reviewing configurations of NSCs at least once every six months. Examine documentation of reviews of configurations for NSCs and interview responsible personnel to verify that reviews occur at least once every six months. Examine configurations for NSCs to verify that configurations identified as no longer being supported by a business justification are removed or updated. |
|
11 |
RMiT_v1.0 |
10.39 |
RMiT_v1.0_10.39 |
RMiT 10.39 |
Network Resilience |
Network Resilience - 10.39 |
Shared |
n/a |
A financial institution must implement appropriate safeguards to minimise the risk of a system compromise in one entity affecting other entities within the group. Safeguards implemented may include establishing logical network segmentation for the financial institution from other entities within the group. |
link |
3 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes Oxley Act 2022 1 |
PUBLIC LAW |
Sarbanes Oxley Act 2022 (SOX) |
Shared |
n/a |
n/a |
|
92 |
SOC_2023 |
C1.1 |
SOC_2023_C1.1 |
SOC 2023 C1.1 |
Additional Criteria for Confidentiality |
To preserve trust, compliance, and competitive advantage. |
Shared |
n/a |
The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality. |
|
11 |
SOC_2023 |
CC1.3 |
SOC_2023_CC1.3 |
SOC 2023 CC1.3 |
Control Environment |
To enable effective execution of authorities, information flow, and setup of appropriate responsibilities to achieve organizational objectives. |
Shared |
n/a |
1. Ensure that management establishes, with board oversight, structures including operating units, legal entities, geographic distribution and outsourced service providers.
2. Design and evaluate reporting lines for each entity to enable execution of authorities, execution and flow of information, and the setup of appropriate authorities and responsibilities in the pursuit of objectives. |
|
13 |
SOC_2023 |
CC2.2 |
SOC_2023_CC2.2 |
SOC 2023 CC2.2 |
Information and Communication |
To facilitate effective internal communication, including objectives and responsibilities for internal control. |
Shared |
n/a |
The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control by setting up a process to communicate required information to enable personnel to understand and carry out responsibilities, ensuring communication exists between management and the board of directors, providing separate communication channels that serve as a fail-safe mechanism to enable anonymous or confidential communication, and setting up relevant methods of communication by considering the timing, audience and nature of the information. |
|
28 |
SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
To facilitate effective internal communication. |
Shared |
n/a |
The entity communicates with external parties regarding matters affecting the functioning of internal control. |
|
218 |
SOC_2023 |
CC5.2 |
SOC_2023_CC5.2 |
SOC 2023 CC5.2 |
Control Activities |
To mitigate technology-related risks and ensure that technology effectively supports the organization in achieving its objectives, enhancing efficiency, reliability, and security in its operations. |
Shared |
n/a |
The entity also selects and develops general control activities over technology to support the achievement of objectives by determining the dependency between the use of technology in business processes and technology general controls, establishing relevant technology infrastructure control activities, establishing relevant security management process control activities, and establishing relevant technology acquisition, development, and maintenance process control activities. |
|
15 |
SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
To maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
The entity deploys control activities through policies that establish what is expected and through procedures that put policies into action by establishing policies and procedures to support deployment of management's directives, establishing responsibility and accountability for executing policies and procedures, performing tasks in a timely manner, taking corrective actions, performing tasks using competent personnel, and reassessing policies and procedures. |
|
229 |
SOC_2023 |
CC6.1 |
SOC_2023_CC6.1 |
SOC 2023 CC6.1 |
Logical and Physical Access Controls |
To mitigate security events and ensure the confidentiality, integrity, and availability of critical information assets. |
Shared |
n/a |
The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identifying and authenticating users, considering network segmentation, managing points of access, restricting access to information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data, and protecting encryption keys. |
|
128 |
SOC_2023 |
CC7.1 |
SOC_2023_CC7.1 |
SOC 2023 CC7.1 |
Systems Operations |
To maintain a proactive approach to cybersecurity and mitigate risks effectively. |
Shared |
n/a |
To meet its objectives, the entity uses detection and monitoring procedures to identify changes to configurations that result in the introduction of new vulnerabilities, and susceptibilities to newly discovered vulnerabilities. |
|
11 |
SOC_2023 |
CC7.2 |
SOC_2023_CC7.2 |
SOC 2023 CC7.2 |
Systems Operations |
To maintain robust security measures and ensure operational resilience. |
Shared |
n/a |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. |
|
167 |
SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents and ending the threats posed by them;
d. Restoring operations;
e. Developing and implementing communication protocols for security incidents;
f. Obtaining an understanding of the nature of the incident and determining a containment strategy;
g. Remediating identified vulnerabilities;
h. Communicating remediation activities; and
i. Evaluating the effectiveness of incident response and conducting periodic incident evaluations. |
|
213 |
SOC_2023 |
CC7.5 |
SOC_2023_CC7.5 |
SOC 2023 CC7.5 |
Systems Operations |
To ensure prompt restoration of normal operations, mitigation of residual risks, and enhancement of incident response capabilities to minimize the impact of future incidents. |
Shared |
n/a |
The entity identifies, develops, and implements activities to recover from identified security incidents. |
|
12 |
SOC_2023 |
CC8.1 |
SOC_2023_CC8.1 |
SOC 2023 CC8.1 |
Change Management |
To minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. |
Shared |
n/a |
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by managing changes throughout the system life cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies, and providing for necessary changes in emergency situations. |
|
147 |
SOC_2023 |
CC9.2 |
SOC_2023_CC9.2 |
SOC 2023 CC9.2 |
Risk Mitigation |
To ensure effective risk management throughout the supply chain and business ecosystem. |
Shared |
n/a |
The entity assesses and manages risks associated with vendors and business partners. |
|
43 |
SOC_2023 |
PI1.3 |
SOC_2023_PI1.3 |
SOC 2023 PI1.3 |
Additional Criteria for Processing Integrity (Over the provision of services or the production, manufacturing, or distribution of goods) |
To enhance efficiency, accuracy, and compliance with organizational standards and regulatory requirements with regards to system processing to result in products, services, and reporting to meet the entity’s objectives. |
Shared |
n/a |
The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives. |
|
50 |
SWIFT_CSCF_2024 |
1.1 |
SWIFT_CSCF_2024_1.1 |
SWIFT Customer Security Controls Framework 2024 1.1 |
Physical and Environmental Security |
Swift Environment Protection |
Shared |
1. Segmentation between the user's Swift infrastructure and the larger enterprise network reduces the attack surface and has been shown to be an effective way to defend against cyber-attacks that commonly involve a compromise of the general enterprise IT environment.
2. Effective segmentation includes network-level separation, access restrictions, and connectivity restrictions. |
To ensure the protection of the user’s Swift infrastructure from potentially compromised elements of the general IT environment and external environment. |
|
69 |
SWIFT_CSCF_2024 |
1.5 |
SWIFT_CSCF_2024_1.5 |
SWIFT Customer Security Controls Framework 2024 1.5 |
Physical and Environmental Security |
Customer Environment Protection |
Shared |
1. Segmentation between the customer's connectivity infrastructure and its larger enterprise network reduces the attack surface and has been shown to be an effective way to defend against cyber-attacks that commonly involve compromise of the general enterprise IT environment.
2. Effective segmentation will include network-level separation, access restrictions, and connectivity restrictions. |
To ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. |
|
57 |
SWIFT_CSCF_2024 |
2.1 |
SWIFT_CSCF_2024_2.1 |
SWIFT Customer Security Controls Framework 2024 2.1 |
Risk Management |
Internal Data Flow Security |
Shared |
The protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit. |
To ensure the confidentiality, integrity, and authenticity of application data flows between the user's Swift-related components. |
|
48 |
SWIFT_CSCF_2024 |
2.6 |
SWIFT_CSCF_2024_2.6 |
SWIFT Customer Security Controls Framework 2024 2.6 |
Risk Management |
Operator Session Confidentiality and Integrity |
Shared |
1. Operator sessions, through the jump server when accessing the on-premises or remote (that is hosted or operated by a third party, or both) Swift infrastructure, pose a unique threat because unusual or unexpected activity is more difficult to detect during interactive sessions than it is during application-to-application activity.
2. Therefore, it is important to protect the integrity and confidentiality of these operator sessions to reduce any opportunity for misuse or password theft. When used, access to the virtualisation layer (virtualisation or cloud management console) must be similarly protected. |
To protect the confidentiality and integrity of interactive operator sessions that connect to the on-premises or remote (operated by a service provider or outsourcing agent) Swift infrastructure or to a service provider or outsourcing agent's Swift-related applications. |
|
12 |
SWIFT_CSCF_2024 |
9.1 |
SWIFT_CSCF_2024_9.1 |
404 not found |
|
|
|
n/a |
n/a |
|
57 |
SWIFT_CSCF_v2021 |
1.1 |
SWIFT_CSCF_v2021_1.1 |
SWIFT CSCF v2021 1.1 |
SWIFT Environment Protection |
SWIFT Environment Protection |
|
n/a |
Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. |
link |
28 |
SWIFT_CSCF_v2022 |
1.1 |
SWIFT_CSCF_v2022_1.1 |
SWIFT CSCF v2022 1.1 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. |
Shared |
n/a |
A separated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments. |
link |
19 |
SWIFT_CSCF_v2022 |
1.5A |
SWIFT_CSCF_v2022_1.5A |
SWIFT CSCF v2022 1.5A |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. |
Shared |
n/a |
A separated secure zone safeguards the customer's infrastructure used for external connectivity from external environments and compromises or attacks on the broader enterprise environment. |
link |
24 |