last sync: 2025-Mar-14 18:30:15 UTC

Email notification for high severity alerts should be enabled

Azure BuiltIn Policy definition

Source Azure Portal
Display name Email notification for high severity alerts should be enabled
Id 6e2593d9-add6-4083-9c9b-4b7d2188c899
Version 1.2.0
Details on versioning
Versioning Versions supported for Versioning: 3
1.0.1
1.1.0
1.2.0
Built-in Versioning [Preview]
Category Security Center
Microsoft Learn
Description To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.0.1'
Repository: Azure-Policy 6e2593d9-add6-4083-9c9b-4b7d2188c899
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (4)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Security/securityContacts/alertNotifications Microsoft.Security
Microsoft.Security
securityContacts
securityContacts
properties.alertNotifications
properties.alertNotifications.state
False
True
properties.alertNotifications.state
False
False
Microsoft.Security/securityContacts/isEnabled Microsoft.Security securityContacts properties.isEnabled True False
Microsoft.Security/securityContacts/notificationsSources[*] Microsoft.Security securityContacts properties.notificationsSources[*] True False
Microsoft.Security/securityContacts/notificationsSources[*].sourceType Microsoft.Security securityContacts properties.notificationsSources[*].sourceType True False
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 147 compliance controls are associated with this Policy definition 'Email notification for high severity alerts should be enabled' (6e2593d9-add6-4083-9c9b-4b7d2188c899)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v2.0 IR-2 Azure_Security_Benchmark_v2.0_IR-2 Azure Security Benchmark IR-2 Incident Response Preparation - setup incident notification Customer Set up security incident contact information in Azure Security Center. This contact information is used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alert and notification in different Azure services based on your incident response needs. How to set the Azure Security Center security contact: https://docs.microsoft.com/azure/security-center/security-center-provide-security-contact-details n/a link 3
Azure_Security_Benchmark_v3.0 IR-2 Azure_Security_Benchmark_v3.0_IR-2 Microsoft cloud security benchmark IR-2 Incident Response Preparation - setup incident notification Shared **Security Principle:** Ensure the security alerts and incident notification from the cloud service provider's platform and your environments can be received by correct contact in your incident response organization. **Azure Guidance:** Set up security incident contact information in Microsoft Defender for Cloud. This contact information is used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alert and notification in different Azure services based on your incident response needs. **Implementation and additional context:** How to set the Microsoft Defender for Cloud security contact: https://docs.microsoft.com/azure/security-center/security-center-provide-security-contact-details n/a link 3
C.05.5 - Monitored and reported C.05.5 - Monitored and reported 404 not found n/a n/a 3
Canada_Federal_PBMM_3-1-2020 AC_1 Canada_Federal_PBMM_3-1-2020_AC_1 Canada Federal PBMM 3-1-2020 AC 1 Access Control Policy and Procedures Access Control Policy and Procedures Shared 1. The organization develops, documents, and disseminates to personnel or roles with access control responsibilities: a. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the access control policy and associated access controls. 2. The organization reviews and updates the current: a. Access control policy at least every 3 years; and b. Access control procedures at least annually. To establish and maintain effective access control measures. 16
Canada_Federal_PBMM_3-1-2020 AC_17(100) Canada_Federal_PBMM_3-1-2020_AC_17(100) Canada Federal PBMM 3-1-2020 AC 17(100) Remote Access Remote Access | Remote Access to Privileged Accounts using Dedicated Management Console Shared Remote access to privileged accounts is performed on dedicated management consoles governed entirely by the system’s security policies and used exclusively for this purpose (e.g. Internet access not allowed). To reduce the risk of unauthorized access or compromise of privileged accounts. 16
Canada_Federal_PBMM_3-1-2020 AC_2(4) Canada_Federal_PBMM_3-1-2020_AC_2(4) Canada Federal PBMM 3-1-2020 AC 2(4) Account Management Account Management | Automated Audit Actions Shared 1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers. 2. Related controls: AU-2, AU-12. To ensure accountability and transparency within the information system. 53
Canada_Federal_PBMM_3-1-2020 AC_2(7) Canada_Federal_PBMM_3-1-2020_AC_2(7) Canada Federal PBMM 3-1-2020 AC 2(7) Account Management Account Management | Role-Based Schemes Shared 1. The organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; 2. The organization monitors privileged role assignments; and 3. The organization disables (or revokes) privileged user assignments within 24 hours or sooner when privileged role assignments are no longer appropriate. To strengthen the security posture and safeguard sensitive data and critical resources. 19
Canada_Federal_PBMM_3-1-2020 AC_2(9) Canada_Federal_PBMM_3-1-2020_AC_2(9) Canada Federal PBMM 3-1-2020 AC 2(9) Account Management Account Management | Restrictions on Use of Shared Groups / Accounts Shared The organization only permits the use of shared/group accounts that meet organization-defined conditions for establishing shared/group accounts. To maintain security and accountability. 14
Canada_Federal_PBMM_3-1-2020 AC_3 Canada_Federal_PBMM_3-1-2020_AC_3 Canada Federal PBMM 3-1-2020 AC 3 Access Enforcement Access Enforcement Shared The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. To mitigate the risk of unauthorized access. 33
Canada_Federal_PBMM_3-1-2020 AC_6 Canada_Federal_PBMM_3-1-2020_AC_6 Canada Federal PBMM 3-1-2020 AC 6 Least Privilege Least Privilege Shared The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. To mitigate the risk of unauthorized access, data breaches, and system compromises. 17
Canada_Federal_PBMM_3-1-2020 AC_6(2) Canada_Federal_PBMM_3-1-2020_AC_6(2) Canada Federal PBMM 3-1-2020 AC 6(2) Least Privilege Least Privilege | Non-Privileged Access for Non-Security Functions Shared The organization requires that users of information system accounts, or roles, with access to any security function, use non-privileged accounts or roles, when accessing non-security functions. To enhance security measures and minimise the risk of unauthorized access or misuse of privileges. 17
Canada_Federal_PBMM_3-1-2020 AU_9(4) Canada_Federal_PBMM_3-1-2020_AU_9(4) Canada Federal PBMM 3-1-2020 AU 9(4) Protection of Audit Information Protection of Audit Information | Access by Subset of Privileged Users Shared The organization authorizes access to management of audit functionality to only an organization-defined subset of privileged users. To enhance security and maintain the integrity of audit processes. 8
Canada_Federal_PBMM_3-1-2020 CA_2(2) Canada_Federal_PBMM_3-1-2020_CA_2(2) Canada Federal PBMM 3-1-2020 CA 2(2) Security Assessments Security Assessments | Specialized Assessments Shared The organization includes as part of security control assessments that they will be announced and done at least annually and include at least vulnerability scanning and penetration testing. To comprehensively evaluate security controls and identify potential weaknesses or vulnerabilities in the information system. 6
Canada_Federal_PBMM_3-1-2020 CA_7 Canada_Federal_PBMM_3-1-2020_CA_7 Canada Federal PBMM 3-1-2020 CA 7 Continuous Monitoring Continuous Monitoring Shared 1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency. To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements. 125
Canada_Federal_PBMM_3-1-2020 CP_4 Canada_Federal_PBMM_3-1-2020_CP_4 Canada Federal PBMM 3-1-2020 CP 4 Contingency Plan Testing and Exercises Contingency Plan Testing Shared 1. The organization tests the contingency plan for the information system at least annually for moderate impact systems; at least every three years for low impact systems using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan. 2. The organization reviews the contingency plan test results. 3. The organization initiates corrective actions, if needed. To enhance preparedness and resilience. 6
Canada_Federal_PBMM_3-1-2020 IR_9(1) Canada_Federal_PBMM_3-1-2020_IR_9(1) Canada Federal PBMM 3-1-2020 IR 9(1) Information Spillage Response Information Spillage Response | Responsible Personnel Shared The organization assigns incident response personnel as documented within the Incident Management Plan with responsibility for responding to information spills. To assign a personnel for information spillage response. 6
Canada_Federal_PBMM_3-1-2020 IR_9(3) Canada_Federal_PBMM_3-1-2020_IR_9(3) Canada Federal PBMM 3-1-2020 IR 9(3) Information Spillage Response Information Spillage Response | Post-Spill Operations Shared The organization implements organization-defined procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. To ensure plan is in place for post-spill operations. 6
Canada_Federal_PBMM_3-1-2020 IR_9(4) Canada_Federal_PBMM_3-1-2020_IR_9(4) Canada Federal PBMM 3-1-2020 IR 9(4) Information Spillage Response Information Spillage Response | Exposure to Unauthorized Personnel Shared The organization employs organization-defined security safeguards for personnel exposed to information not within assigned access authorizations. To mitigate the risk of information spillage. 4
Canada_Federal_PBMM_3-1-2020 MP_2 Canada_Federal_PBMM_3-1-2020_MP_2 404 not found n/a n/a 5
CIS_Azure_1.1.0 2.18 CIS_Azure_1.1.0_2.18 CIS Microsoft Azure Foundations Benchmark recommendation 2.18 2 Security Center Ensure that 'Send email notification for high severity alerts' is set to 'On' Shared The customer is responsible for implementing this recommendation. Enable emailing security alerts to the security contact. link 1
CIS_Azure_1.3.0 2.14 CIS_Azure_1.3.0_2.14 CIS Microsoft Azure Foundations Benchmark recommendation 2.14 2 Security Center Ensure that 'Notify about alerts with the following severity' is set to 'High' Shared The customer is responsible for implementing this recommendation. Enables emailing security alerts to the subscription owner or other designated security contact. link 1
CIS_Azure_1.4.0 2.14 CIS_Azure_1.4.0_2.14 CIS Microsoft Azure Foundations Benchmark recommendation 2.14 2 Microsoft Defender for Cloud Ensure That 'Notify about alerts with the following severity' is Set to 'High' Shared The customer is responsible for implementing this recommendation. Enables emailing security alerts to the subscription owner or other designated security contact. link 1
CIS_Azure_2.0.0 2.1.20 CIS_Azure_2.0.0_2.1.20 CIS Microsoft Azure Foundations Benchmark recommendation 2.1.20 2.1 Ensure That 'Notify about alerts with the following severity' is Set to 'High' Shared n/a Enables emailing security alerts to the subscription owner or other designated security contact. Enabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk. link 1
CIS_Azure_Foundations_v2.1.0 2.1.19 CIS_Azure_Foundations_v2.1.0_2.1.19 CIS Azure Foundations v2.1.0 2.1.19 Security Monitoring Ensure That 'Notify about alerts with the following severity' is Set to 'High' Shared n/a Configure alert notifications to be sent for high-severity issues only. 3
CIS_Controls_v8.1 CIS_Controls_v8.1_ 404 not found n/a n/a 1
CIS_Controls_v8.1 13.11 CIS_Controls_v8.1_13.11 CIS Controls v8.1 13.11 Network Monitoring and Defense Tune security event alerting thresholds Shared Tune security event alerting thresholds monthly, or more frequently. To regularly adjust and optimize security event alerting thresholds, aiming to enhance effectiveness. 50
CIS_Controls_v8.1 4.1 CIS_Controls_v8.1_4.1 CIS Controls v8.1 4.1 Secure Configuration of Enterprise Assets and Software Establish and maintain a secure configuration process. Shared 1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). 2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. To ensure data integrity and safety of enterprise assets. 44
CMMC_2.0_L2 IR.L2-3.6.2 CMMC_2.0_L2_IR.L2-3.6.2 404 not found n/a n/a 3
CMMC_2.0_L2 SI.L2-3.14.3 CMMC_2.0_L2_SI.L2-3.14.3 404 not found n/a n/a 11
CMMC_2.0_L2 SI.L2-3.14.6 CMMC_2.0_L2_SI.L2-3.14.6 404 not found n/a n/a 25
CMMC_L2_v1.9.0 AT.L2_3.2.3 CMMC_L2_v1.9.0_AT.L2_3.2.3 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AT.L2 3.2.3 Awareness and Training Insider Threat Awareness Shared Provide security awareness training on recognizing and reporting potential indicators of insider threat. To enhance the organization's ability to detect and mitigate internal security risks. 2
CMMC_L2_v1.9.0 AU.L2_3.3.8 CMMC_L2_v1.9.0_AU.L2_3.3.8 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.8 Audit and Accountability Audit Protection Shared Protect audit information and audit logging tools from unauthorized access, modification, and deletion. To ensure the integrity and confidentiality of the data collected for monitoring and analysis purposes. 4
CMMC_L2_v1.9.0 SI.L2_3.14.3 CMMC_L2_v1.9.0_SI.L2_3.14.3 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.3 System and Information Integrity Security Alerts & Advisories Shared Monitor system security alerts and advisories and take action in response. To proactively defend against emerging threats and minimize the risk of security incidents or breaches. 20
CMMC_L2_v1.9.0 SI.L2_3.14.6 CMMC_L2_v1.9.0_SI.L2_3.14.6 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.6 System and Information Integrity Monitor Communications for Attacks Shared Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. To protect systems and data from unauthorized access or compromise. 20
CMMC_L2_v1.9.0 SI.L2_3.14.7 CMMC_L2_v1.9.0_SI.L2_3.14.7 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.7 System and Information Integrity Identify Unauthorized Use Shared Identify unauthorized use of organizational systems. To enable the organization to take appropriate action, such as revoking access privileges, investigating security incidents, and implementing additional security controls to prevent future unauthorized access. 19
CMMC_L3 IR.2.092 CMMC_L3_IR.2.092 CMMC L3 IR.2.092 Incident Response Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive. As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. User response activities also includes incident response assistance which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required. link 3
CMMC_L3 IR.2.093 CMMC_L3_IR.2.093 CMMC L3 IR.2.093 Incident Response Detect and report events. Shared Microsoft and the customer share responsibilities for implementing this requirement. The monitoring, identification, and reporting of events are the foundation for incident identification and commence the incident life cycle. Events potentially affect the productivity of organizational assets and, in turn, associated services. These events must be captured and analyzed so that the organization can determine whether an event will become (or has become) an incident that requires organizational action. The extent to which an organization can identify events improves its ability to manage and control incidents and their potential effects. link 17
CSA_v4.0.12 CEK_03 CSA_v4.0.12_CEK_03 CSA Cloud Controls Matrix v4.0.12 CEK 03 Cryptography, Encryption & Key Management Data Encryption Shared n/a Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards. 58
CSA_v4.0.12 HRS_06 CSA_v4.0.12_HRS_06 CSA Cloud Controls Matrix v4.0.12 HRS 06 Human Resources Employment Termination Shared n/a Establish, document, and communicate to all personnel the procedures outlining the roles and responsibilities concerning changes in employment. 17
CSA_v4.0.12 IAM_12 CSA_v4.0.12_IAM_12 CSA Cloud Controls Matrix v4.0.12 IAM 12 Identity & Access Management Safeguard Logs Integrity Shared n/a Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures. 42
CSA_v4.0.12 LOG_09 CSA_v4.0.12_LOG_09 CSA Cloud Controls Matrix v4.0.12 LOG 09 Logging and Monitoring Log Protection Shared n/a The information system protects audit records from unauthorized access, modification, and deletion. 4
CSA_v4.0.12 TVM_04 CSA_v4.0.12_TVM_04 CSA Cloud Controls Matrix v4.0.12 TVM 04 Threat & Vulnerability Management Detection Updates Shared n/a Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis. 50
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_10 EU_2555_(NIS2)_2022_10 EU 2022/2555 (NIS2) 2022 10 Computer security incident response teams (CSIRTs) Shared n/a Requires Member States to designate or establish CSIRTs. 3
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_11 EU_2555_(NIS2)_2022_11 EU 2022/2555 (NIS2) 2022 11 Requirements, technical capabilities and tasks of CSIRTs Shared n/a Outlines the requirements, technical capabilities, and tasks of CSIRTs. 69
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_12 EU_2555_(NIS2)_2022_12 EU 2022/2555 (NIS2) 2022 12 Coordinated vulnerability disclosure and a European vulnerability database Shared n/a Establishes a coordinated vulnerability disclosure process and a European vulnerability database. 67
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_13 EU_2555_(NIS2)_2022_13 EU 2022/2555 (NIS2) 2022 13 Cooperation at national level Shared n/a Requires cooperation between competent authorities, single points of contact, and CSIRTs at the national level. 3
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 194
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_23 EU_2555_(NIS2)_2022_23 EU 2022/2555 (NIS2) 2022 23 Reporting obligations Shared n/a Requires essential and important entities to notify significant incidents to their CSIRT or competent authority. 3
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_29 EU_2555_(NIS2)_2022_29 EU 2022/2555 (NIS2) 2022 29 Cybersecurity information-sharing arrangements Shared n/a Allows entities to exchange relevant cybersecurity information on a voluntary basis. 67
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_9 EU_2555_(NIS2)_2022_9 EU 2022/2555 (NIS2) 2022 9 National cyber crisis management frameworks Shared n/a Requires Member States to establish frameworks for managing large-scale cybersecurity incidents and crises. 14
EU_GDPR_2016_679_Art. 33 EU_GDPR_2016_679_Art._33 EU General Data Protection Regulation (GDPR) 2016/679 Art. 33 Chapter 4 - Controller and processor Notification of a personal data breach to the supervisory authority Shared n/a n/a 2
EU_GDPR_2016_679_Art. 34 EU_GDPR_2016_679_Art._34 EU General Data Protection Regulation (GDPR) 2016/679 Art. 34 Chapter 4 - Controller and processor Communication of a personal data breach to the data subject Shared n/a n/a 2
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .11 FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 Policy and Implementation - Formal Audits Policy Area 11: Formal Audits Shared Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. 65
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .3 FBI_Criminal_Justice_Information_Services_v5.9.5_5.3 404 not found n/a n/a 3
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .4 FBI_Criminal_Justice_Information_Services_v5.9.5_5.4 404 not found n/a n/a 42
FedRAMP_High_R4 IR-4 FedRAMP_High_R4_IR-4 FedRAMP High IR-4 Incident Response Incident Handling Shared n/a The organization: a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinates incident handling activities with contingency planning activities; and c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly. Supplemental Guidance: Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. References: Executive Order 13587; NIST Special Publication 800-61. link 24
FedRAMP_High_R4 IR-5 FedRAMP_High_R4_IR-5 FedRAMP High IR-5 Incident Response Incident Monitoring Shared n/a The organization tracks and documents information system security incidents. Supplemental Guidance: Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Related controls: AU-6, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. References: NIST Special Publication 800-61. link 13
FedRAMP_Moderate_R4 IR-4 FedRAMP_Moderate_R4_IR-4 FedRAMP Moderate IR-4 Incident Response Incident Handling Shared n/a The organization: a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinates incident handling activities with contingency planning activities; and c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly. Supplemental Guidance: Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. References: Executive Order 13587; NIST Special Publication 800-61. link 24
FedRAMP_Moderate_R4 IR-5 FedRAMP_Moderate_R4_IR-5 FedRAMP Moderate IR-5 Incident Response Incident Monitoring Shared n/a The organization tracks and documents information system security incidents. Supplemental Guidance: Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Related controls: AU-6, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. References: NIST Special Publication 800-61. link 13
FFIEC_CAT_2017 3.2.3 FFIEC_CAT_2017_3.2.3 FFIEC CAT 2017 3.2.3 Cybersecurity Controls Event Detection Shared n/a - A normal network activity baseline is established. - Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks. - Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. - Responsibilities for monitoring and reporting suspicious systems activity have been assigned. - The physical environment is monitored to detect potential unauthorized access. 35
FFIEC_CAT_2017 5.3.1 FFIEC_CAT_2017_5.3.1 FFIEC CAT 2017 5.3.1 Cyber Incident Management and Resilience Escalation and Reporting Shared n/a - A process exists to contact personnel who are responsible for analyzing and responding to an incident. - Procedures exist to notify customers, regulators, and law enforcement as required or necessary when the institution becomes aware of an incident involving the unauthorized access to or use of sensitive customer information. - The institution prepares an annual report of security incidents or violations for the board or an appropriate board committee. - Incidents are classified, logged, and tracked. 2
HITRUST_CSF_v11.3 09.ab HITRUST_CSF_v11.3_09.ab HITRUST CSF v11.3 09.ab Monitoring To establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. Shared 1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with. Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. 114
HITRUST_CSF_v11.3 09.ac HITRUST_CSF_v11.3_09.ac HITRUST CSF v11.3 09.ac Monitoring To protect logging systems and log information against tampering and unauthorized access. Shared 1. To prevent unauthorized access and tampering, access to logging systems and log information is to be restricted and protected. 2. Authorized and unauthorized access attempts to audit system is to be logged and modification of audit trails of access to the audit system is to be disallowed. 3. File-integrity monitoring or change-detection software on logs is to implemented and alerts to be generated to change any existing log data. 4. External-facing technology logs on are to be stored on an internal network server. Logging systems and log information shall be protected against tampering and unauthorized access. 4
HITRUST_CSF_v11.3 11.a HITRUST_CSF_v11.3_11.a HITRUST CSF v11.3 11.a Reporting Information Security Incidents and Weaknesses To ensure information security events and weaknesses associated with information systems are handled in a manner allowing timely corrective action to be taken. Shared A designated and widely known point of contact is to be established within the organization to promptly report information security events, ensuring availability and timely responses; additionally, a maintained list of third-party contacts, such as information security officers' email addresses, facilitates for the reporting of security incidents. Information security events shall be reported through appropriate communications channels as quickly as possible. All employees, contractors and third-party users shall be made aware of their responsibility to report any information security events as quickly as possible. 11
ISO_IEC_27002_2022 8.15 ISO_IEC_27002_2022_8.15 ISO IEC 27002 2022 8.15 Detection Control Logging Shared Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations. 30
ISO_IEC_27002_2022 8.16 ISO_IEC_27002_2022_8.16 ISO IEC 27002 2022 8.16 Response, Detection, Corrective Control Monitoring activities Shared Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. To detect anomalous behaviour and potential information security incidents. 20
New_Zealand_ISM 07.2.22.C.01 New_Zealand_ISM_07.2.22.C.01 New_Zealand_ISM_07.2.22.C.01 07. Information Security Incidents 07.2.22.C.01 Outsourcing and information security incidents n/a Agencies that outsource their information technology services and functions MUST ensure that the service provider advises and consults with the agency when an information security incident occurs. 3
NIS2 IR._Incident_Response_2 NIS2_IR._Incident_Response_2 NIS2_IR._Incident_Response_2 IR. Incident Response Incident handling n/a Where essential or important entities become aware of a significant incident, they should be required to submit an early warning without undue delay and in any event within 24 hours. That early warning should be followed by an incident notification. The entities concerned should submit an incident notification without undue delay and in any event within 72 hours of becoming aware of the significant incident, with the aim, in particular, of updating information submitted through the early warning and indicating an initial assessment of the significant incident, including its severity and impact, as well as indicators of compromise, where available. A final report should be submitted not later than one month after the incident notification. The early warning should only include the information necessary to make the CSIRT, or where applicable the competent authority, aware of the significant incident and allow the entity concerned to seek assistance, if required. Such early warning, where applicable, should indicate whether the significant incident is suspected of being caused by unlawful or malicious acts, and whether it is likely to have a cross-border impact. Member States should ensure that the obligation to submit that early warning, or the subsequent incident notification, does not divert the notifying entity’s resources from activities related to incident handling that should be prioritised, in order to prevent incident reporting obligations from either diverting resources from significant incident response handling or otherwise compromising the entity’s efforts in that respect. 27.12.2022 EN Official Journal of the European Union L 333/99 In the event of an ongoing incident at the time of the submission of the final report, Member States should ensure that entities concerned provide a progress report at that time, and a final report within one month of their handling of the significant incident 34
NIST_CSF_v2.0 DE.CM NIST_CSF_v2.0_DE.CM 404 not found n/a n/a 20
NIST_SP_800-171_R2_3 .14.3 NIST_SP_800-171_R2_3.14.3 NIST SP 800-171 R2 3.14.3 System and Information Integrity Monitor system security alerts and advisories and take action in response. Shared Microsoft and the customer share responsibilities for implementing this requirement. There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations. [SP 800-161] provides guidance on supply chain risk management. link 14
NIST_SP_800-171_R2_3 .14.6 NIST_SP_800-171_R2_3.14.6 NIST SP 800-171 R2 3.14.6 System and Information Integrity Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Shared Microsoft and the customer share responsibilities for implementing this requirement. System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. [SP 800-94] provides guidance on intrusion detection and prevention systems. link 27
NIST_SP_800-171_R2_3 .6.2 NIST_SP_800-171_R2_3.6.2 NIST SP 800-171 R2 3.6.2 Incident response Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. Shared Microsoft and the customer share responsibilities for implementing this requirement. Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies. [SP 800-61] provides guidance on incident handling. link 3
NIST_SP_800-171_R3_3 .14.6 NIST_SP_800-171_R3_3.14.6 NIST 800-171 R3 3.14.6 System and Information Integrity Control System Monitoring Shared System monitoring involves external and internal monitoring. External monitoring includes the observation of events that occur at the system boundary. Internal monitoring includes the observation of events that occur within the system. Organizations can monitor the system, for example, by observing audit record activities in real time or by observing other system aspects, such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. A system monitoring capability is achieved through a variety of tools and techniques (e.g., audit record monitoring software, intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms that support critical applications with such devices being employed at managed system interfaces. The granularity of monitoring the information collected is based on organizational monitoring objectives and the capability of the system to support such objectives. Systems connections can be network, remote, or local. A network connection is any connection with a device that communicates through a network (e.g., local area network, the internet). A remote connection is any connection with a device that communicates through an external network (e.g., the internet). Network, remote, and local connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in the system or propagating among system components, the unauthorized export of information, or signaling to external systems. Evidence of malicious code is used to identify a potentially compromised system. System monitoring requirements, including the need for types of system monitoring, may be referenced in other requirements. a. Monitor the system to detect: 1. Attacks and indicators of potential attacks; and 2. Unauthorized connections. b. Identify unauthorized use of the system. c. Monitor inbound and outbound communications traffic to detect unusual or unauthorized activities or conditions. 18
NIST_SP_800-171_R3_3 .2.1 NIST_SP_800-171_R3_3.2.1 404 not found n/a n/a 2
NIST_SP_800-171_R3_3 .3.8 NIST_SP_800-171_R3_3.3.8 404 not found n/a n/a 4
NIST_SP_800-171_R3_3 .6.2 NIST_SP_800-171_R3_3.6.2 404 not found n/a n/a 3
NIST_SP_800-53_R4 IR-4 NIST_SP_800-53_R4_IR-4 NIST SP 800-53 Rev. 4 IR-4 Incident Response Incident Handling Shared n/a The organization: a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinates incident handling activities with contingency planning activities; and c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly. Supplemental Guidance: Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. References: Executive Order 13587; NIST Special Publication 800-61. link 24
NIST_SP_800-53_R4 IR-5 NIST_SP_800-53_R4_IR-5 NIST SP 800-53 Rev. 4 IR-5 Incident Response Incident Monitoring Shared n/a The organization tracks and documents information system security incidents. Supplemental Guidance: Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Related controls: AU-6, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. References: NIST Special Publication 800-61. link 13
NIST_SP_800-53_R4 IR-6(2) NIST_SP_800-53_R4_IR-6(2) NIST SP 800-53 Rev. 4 IR-6 (2) Incident Response Vulnerabilities Related to Incidents Customer n/a The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel or roles]. link 3
NIST_SP_800-53_R4 SI-4(12) NIST_SP_800-53_R4_SI-4(12) NIST SP 800-53 Rev. 4 SI-4 (12) System and Information Integrity Automated Alerts Customer n/a The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts]. link 3
NIST_SP_800-53_R5.1.1 AU.9 NIST_SP_800-53_R5.1.1_AU.9 NIST SP 800-53 R5.1.1 AU.9 Audit and Accountability Control Protection of Audit Information Shared a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls. 4
NIST_SP_800-53_R5.1.1 IR.6 NIST_SP_800-53_R5.1.1_IR.6 NIST SP 800-53 R5.1.1 IR.6 Incident Response Control Incident Reporting Shared a. Require personnel to report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and b. Report incident information to [Assignment: organization-defined authorities]. The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products. 2
NIST_SP_800-53_R5.1.1 SI.4 NIST_SP_800-53_R5.1.1_SI.4 NIST SP 800-53 R5.1.1 SI.4 System and Information Integrity Control System Monitoring Shared a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency] ]. System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 17
NIST_SP_800-53_R5 IR-4 NIST_SP_800-53_R5_IR-4 NIST SP 800-53 Rev. 5 IR-4 Incident Response Incident Handling Shared n/a a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinate incident handling activities with contingency planning activities; c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. link 24
NIST_SP_800-53_R5 IR-5 NIST_SP_800-53_R5_IR-5 NIST SP 800-53 Rev. 5 IR-5 Incident Response Incident Monitoring Shared n/a Track and document incidents. link 13
NIST_SP_800-53_R5 IR-6(2) NIST_SP_800-53_R5_IR-6(2) NIST SP 800-53 Rev. 5 IR-6 (2) Incident Response Vulnerabilities Related to Incidents Customer n/a Report system vulnerabilities associated with reported incidents to [Assignment: organization-defined personnel or roles]. link 3
NIST_SP_800-53_R5 SI-4(12) NIST_SP_800-53_R5_SI-4(12) NIST SP 800-53 Rev. 5 SI-4 (12) System and Information Integrity Automated Organization-generated Alerts Customer n/a Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts]. link 3
NL_BIO_Cloud_Theme C.05.5(2) NL_BIO_Cloud_Theme_C.05.5(2) NL_BIO_Cloud_Theme_C.05.5(2) C.05 Security Monitoring Reporting Monitored and reported n/a Demonstrably, follow-up is given to improvement proposals from analysis reports. 3
NZ_ISM_v3.5 ISM-4 NZ_ISM_v3.5_ISM-4 NZISM Security Benchmark ISM-4 Information security monitoring 6.2.6 Resolving vulnerabilities Customer n/a Vulnerabilities may occur as a result of poorly designed or implemented information security practices, accidental activities or malicious activities, and not just as the result of a technical issue. link 7
NZISM_v3.7 14.3.12.C.01. NZISM_v3.7_14.3.12.C.01. NZISM v3.7 14.3.12.C.01. Web Applications 14.3.12.C.01. - To strengthening the overall security posture of the agency's network environment. Shared n/a Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations. 81
NZISM_v3.7 16.1.31.C.01. NZISM_v3.7_16.1.31.C.01. NZISM v3.7 16.1.31.C.01. Identification, Authentication and Passwords 16.1.31.C.01. - To promote security and accountability within the agency's systems. Shared n/a Agencies MUST: 1. develop, implement and maintain a set of policies and procedures covering all system users: a. identification; b. authentication; c. authorisation; d. privileged access identification and management; and 2. make their system users aware of the agency's policies and procedures. 26
NZISM_v3.7 16.6.10.C.01. NZISM_v3.7_16.6.10.C.01. NZISM v3.7 16.6.10.C.01. Event Logging and Auditing 16.6.10.C.01. - To enhance system security and accountability. Shared n/a Agencies SHOULD log the events listed in the table below for specific software components. 1. Database - a. System user access to the database. b. Attempted access that is denied c. Changes to system user roles or database rights. d. Addition of new system users, especially privileged users e. Modifications to the data. f. Modifications to the format or structure of the database 2. Network/operating system a. Successful and failed attempts to logon and logoff. b. Changes to system administrator and system user accounts. c. Failed attempts to access data and system resources. d. Attempts to use special privileges. e. Use of special privileges. f. System user or group management. g. Changes to the security policy. h. Service failures and restarts. i.System startup and shutdown. j. Changes to system configuration data. k. Access to sensitive data and processes. l. Data import/export operations. 3. Web application a. System user access to the Web application. b. Attempted access that is denied. c. System user access to the Web documents. d. Search engine queries initiated by system users. 33
NZISM_v3.7 16.6.10.C.02. NZISM_v3.7_16.6.10.C.02. NZISM v3.7 16.6.10.C.02. Event Logging and Auditing 16.6.10.C.02. - To enhance system security and accountability. Shared n/a Agencies SHOULD log, at minimum, the following events for all software components: 1. user login; 2. all privileged operations; 3. failed attempts to elevate privileges; 4. security related system alerts and failures; 5. system user and group additions, deletions and modification to permissions; and 6. unauthorised or failed access attempts to systems and files identified as critical to the agency. 50
NZISM_v3.7 16.6.11.C.01. NZISM_v3.7_16.6.11.C.01. NZISM v3.7 16.6.11.C.01. Event Logging and Auditing 16.6.11.C.01. - To enhance system security and accountability. Shared n/a For each event identified as needing to be logged, agencies MUST ensure that the log facility records at least the following details, where applicable: 1. date and time of the event; 2. relevant system user(s) or processes; 3. event description; 4. success or failure of the event; 5. event source (e.g. application name); and 6. IT equipment location/identification. 50
NZISM_v3.7 16.6.12.C.01. NZISM_v3.7_16.6.12.C.01. NZISM v3.7 16.6.12.C.01. Event Logging and Auditing 16.6.12.C.01. - To maintain integrity of the data. Shared n/a Event logs MUST be protected from: 1. modification and unauthorised access; and 2. whole or partial loss within the defined retention period. 50
NZISM_v3.7 16.6.12.C.02. NZISM_v3.7_16.6.12.C.02. NZISM v3.7 16.6.12.C.02. Event Logging and Auditing 16.6.12.C.02. - To enhance system security and accountability. Shared n/a Agencies MUST configure systems to save event logs to separate secure servers as soon as possible after each event occurs. 2
NZISM_v3.7 16.6.12.C.03. NZISM_v3.7_16.6.12.C.03. NZISM v3.7 16.6.12.C.03. Event Logging and Auditing 16.6.12.C.03. - To maintain integrity of the data. Shared n/a Agencies SHOULD ensure that: 1. systems are configured to save event logs to a separate secure log server; and 2. event log data is archived in a manner that maintains its integrity. 2
NZISM_v3.7 16.6.13.C.01. NZISM_v3.7_16.6.13.C.01. NZISM v3.7 16.6.13.C.01. Event Logging and Auditing 16.6.13.C.01. - To maintain integrity of the data. Shared n/a Event logs MUST be archived and retained for an appropriate period as determined by the agency. 2
NZISM_v3.7 16.6.13.C.02. NZISM_v3.7_16.6.13.C.02. NZISM v3.7 16.6.13.C.02. Event Logging and Auditing 16.6.13.C.02. - To maintain transparency, integrity, and legality in handling sensitive information and mitigate potential risks associated with data breaches or unauthorized access. Shared n/a Disposal or archiving of DNS, proxy, event, systems and other operational logs MUST be in accordance with the provisions of the relevant legislation. 2
NZISM_v3.7 16.6.6.C.01. NZISM_v3.7_16.6.6.C.01. NZISM v3.7 16.6.6.C.01. Event Logging and Auditing 16.6.6.C.01. - To enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies MUST maintain system management logs for the life of a system. 50
NZISM_v3.7 16.6.7.C.01. NZISM_v3.7_16.6.7.C.01. NZISM v3.7 16.6.7.C.01. Event Logging and Auditing 16.6.7.C.01. - To facilitate effective monitoring, troubleshooting, and auditability of system operations. Shared n/a A system management log SHOULD record the following minimum information: 1. all system start-up and shutdown; 2. service, application, component or system failures; 3. maintenance activities; 4. backup and archival activities; 5. system recovery activities; and 6. special or out of hours activities. 50
NZISM_v3.7 16.6.9.C.01. NZISM_v3.7_16.6.9.C.01. NZISM v3.7 16.6.9.C.01. Event Logging and Auditing 16.6.9.C.01. - To enhance system security and accountability. Shared n/a Agencies MUST log, at minimum, the following events for all software components: 1. logons; 2. failed logon attempts; 3. logoffs; 4 .date and time; 5. all privileged operations; 6. failed attempts to elevate privileges; 7. security related system alerts and failures; 8. system user and group additions, deletions and modification to permissions; and 9. unauthorised or failed access attempts to systems and files identified as critical to the agency. 48
NZISM_v3.7 19.1.20.C.01. NZISM_v3.7_19.1.20.C.01. NZISM v3.7 19.1.20.C.01. Gateways 19.1.20.C.01. - To reduce the risk of unauthorized access or misuse. Shared n/a Agencies MUST authenticate system users to all classified networks accessed through gateways. 24
NZISM_v3.7 19.1.20.C.02. NZISM_v3.7_19.1.20.C.02. NZISM v3.7 19.1.20.C.02. Gateways 19.1.20.C.02. - To reduce the risk of unauthorized access or misuse. Shared n/a Agencies MUST ensure that only authenticated and authorised system users can use the gateway. 15
NZISM_v3.7 19.1.20.C.03. NZISM_v3.7_19.1.20.C.03. NZISM v3.7 19.1.20.C.03. Gateways 19.1.20.C.03. - To reduce the risk of unauthorized access or misuse. Shared n/a Agencies SHOULD use multi-factor authentication for access to networks and gateways. 9
op.exp.7 Incident management op.exp.7 Incident management 404 not found n/a n/a 103
PCI_DSS_v4.0.1 10.3.2 PCI_DSS_v4.0.1_10.3.2 PCI DSS v4.0.1 10.3.2 Log and Monitor All Access to System Components and Cardholder Data Protection of Audit Logs Shared n/a Audit log files are protected to prevent modifications by individuals. 4
PCI_DSS_v4.0.1 10.3.4 PCI_DSS_v4.0.1_10.3.4 PCI DSS v4.0.1 10.3.4 Log and Monitor All Access to System Components and Cardholder Data Log Integrity Monitoring Shared n/a File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts. 28
PCI_DSS_v4.0.1 11.5.1 PCI_DSS_v4.0.1_11.5.1 PCI DSS v4.0.1 11.5.1 Test Security of Systems and Networks Regularly Intrusion Detection/Prevention Shared n/a Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network as follows: • All traffic is monitored at the perimeter of the CDE. • All traffic is monitored at critical points in the CDE. • Personnel are alerted to suspected compromises. • All intrusion-detection and prevention engines, baselines, and signatures are kept up to date 23
PCI_DSS_v4.0.1 11.5.1.1 PCI_DSS_v4.0.1_11.5.1.1 PCI DSS v4.0.1 11.5.1.1 Test Security of Systems and Networks Regularly Covert Malware Detection Shared n/a Additional requirement for service providers only: Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels. 21
PCI_DSS_v4.0.1 11.5.2 PCI_DSS_v4.0.1_11.5.2 PCI DSS v4.0.1 11.5.2 Test Security of Systems and Networks Regularly Change-Detection Mechanism Deployment Shared n/a A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows: • To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files. • To perform critical file comparisons at least once weekly. 31
PCI_DSS_v4.0.1 9.5.1 PCI_DSS_v4.0.1_9.5.1 PCI DSS v4.0.1 9.5.1 Restrict Physical Access to Cardholder Data Protection Measures for POI Devices Against Tampering and Unauthorized Substitution Shared n/a POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following: • Maintaining a list of POI devices. • Periodically inspecting POI devices to look for tampering or unauthorized substitution. • Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices. 9
PCI_DSS_v4.0.1 9.5.1.3 PCI_DSS_v4.0.1_9.5.1.3 PCI DSS v4.0.1 9.5.1.3 Restrict Physical Access to Cardholder Data Training for POI Environment Security Shared n/a Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes: • Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, before granting them access to modify or troubleshoot devices. • Procedures to ensure devices are not installed, replaced, or returned without verification. • Being aware of suspicious behavior around devices. • Reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel 2
RBI_CSF_Banks_v2016 19.2 RBI_CSF_Banks_v2016_19.2 Incident Response & Management Responding To Cyber-Incidents:-19.2 n/a Have written incident response procedures including the roles of staff / outsourced staff handling such incidents; Response strategies shall consider readiness to meet various incident scenarios based on situational awareness and potential/post impact, consistent communication & co-ordination with stakeholders during response; 3
RBI_CSF_Banks_v2016 19.6 RBI_CSF_Banks_v2016_19.6 Incident Response & Management Recovery From Cyber - Incidents-19.6 n/a Such testing shall also include testing of crisis communication to customers and other internal and external stakeholders, reputation management. Adequate capacity shall be planned and maintained, in consideration thereof. The following may be considered: 4
RBI_CSF_Banks_v2016 19.6b RBI_CSF_Banks_v2016_19.6b Incident Response & Management Recovery From Cyber - Incidents-19.6b n/a Establish and implement a Security Operations Centre for centralised and coordinated monitoring and management of security related incidents. 4
RBI_CSF_Banks_v2016 19.6c RBI_CSF_Banks_v2016_19.6c Incident Response & Management Recovery From Cyber - Incidents-19.6c n/a Establish and implement systems to collect and share threat information from local/national/international sources following legally accepted/defined means/process 3
RBI_CSF_Banks_v2016 20.1 RBI_CSF_Banks_v2016_20.1 Risk Based Transaction Monitoring Risk Based Transaction Monitoring-20.1 n/a Risk based transaction monitoring or surveillance process shall be implemented as part of fraud risk management system across all -delivery channels. 6
RBI_CSF_Banks_v2016 4.7 RBI_CSF_Banks_v2016_4.7 Network Management And Security Anomaly Detection-4.7 n/a Put in place mechanism to detect and remedy any unusual activities in systems, servers, network devices and endpoints. 13
RBI_CSF_Banks_v2016 4.9 RBI_CSF_Banks_v2016_4.9 Network Management And Security Security Operation Centre-4.9 n/a Security Operation Centre to monitor the logs of various network activities and should have the capability to escalate any abnormal / undesirable activities. 15
RBI_ITF_NBFC_v2017 1 RBI_ITF_NBFC_v2017_1 RBI IT Framework 1 IT Governance IT Governance-1 n/a IT Governance is an integral part of corporate governance. It involves leadership support, organizational structure and processes to ensure that the NBFC???s IT sustains and extends business strategies and objectives. Effective IT Governance is the responsibility of the Board of Directors and Executive Management. Well-defined roles and responsibilities of Board and Senior Management are critical, while implementing IT Governance. Clearly-defined roles enable effective project control. People, when they are aware of others' expectations from them, are able to complete work on time, within budget and to the expected level of quality. IT Governance Stakeholders include: Board of Directors, IT Strategy Committees, CEOs, Business Executives, Chief Information Officers (CIOs), Chief Technology Officers (CTOs), IT Steering Committees (operating at an executive level and focusing on priority setting, resource allocation and project tracking), Chief Risk Officer and Risk Committees. The basic principles of value delivery, IT Risk Management, IT resource management and performance management must form the basis of governance framework. IT Governance has a continuous life-cycle. It's a process in which IT strategy drives the processes, using resources necessary to execute responsibilities. Given the criticality of the IT, NBFCs may follow relevant aspects of such prudential governance standards that have found acceptability in the finance industry. link 9
RBI_ITF_NBFC_v2017 3.1.f RBI_ITF_NBFC_v2017_3.1.f RBI IT Framework 3.1.f Information and Cyber Security Maker-checker-3.1 n/a The IS Policy must provide for a IS framework with the following basic tenets: Maker-checker is one of the important principles of authorization in the information systems of financial entities. For each transaction, there must be at least two individuals necessary for its completion as this will reduce the risk of error and will ensure reliability of information. link 20
RMiT_v1.0 11.18 RMiT_v1.0_11.18 RMiT 11.18 Security Operations Centre (SOC) Security Operations Centre (SOC) - 11.18 Shared n/a The SOC must be able to perform the following functions: (a) log collection and the implementation of an event correlation engine with parameter-driven use cases such as Security Information and Event Management (SIEM); (b) incident coordination and response; (c) vulnerability management; (d) threat hunting; (e) remediation functions including the ability to perform forensic artifact handling, malware and implant analysis; and (f) provision of situational awareness to detect adversaries and threats including threat intelligence analysis and operations, and monitoring indicators of compromise (IOC). This includes advanced behavioural analysis to detect signature-less and file-less malware and to identify anomalies that may pose security threats including at endpoints and network layers. link 11
RMiT_v1.0 Appendix_5.7 RMiT_v1.0_Appendix_5.7 RMiT Appendix 5.7 Control Measures on Cybersecurity Control Measures on Cybersecurity - Appendix 5.7 Customer n/a Ensure overall network security controls are implemented including the following: (a) dedicated firewalls at all segments. All external-facing firewalls must be deployed on High Availability (HA) configuration and “fail-close” mode activated. Deploy different brand name/model for two firewalls located in sequence within the same network path; (b) IPS at all critical network segments with the capability to inspect and monitor encrypted network traffic; (c) web and email filtering systems such as web-proxy, spam filter and anti-spoofing controls; (d) endpoint protection solution to detect and remove security threats including viruses and malicious software; (e) solution to mitigate advanced persistent threats including zero-day and signatureless malware; and (f) capture the full network packets to rebuild relevant network sessions to aid forensics in the event of incidents. link 21
SOC_2 CC2.2 SOC_2_CC2.2 SOC 2 Type 2 CC2.2 Communication and Information COSO Principle 14 Shared The customer is responsible for implementing this recommendation. • Communicates Internal Control Information — A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities. • Communicates With the Board of Directors — Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives. • Provides Separate Communication Lines — Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. • Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of • Communicates Responsibilities — Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities. • Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters — Entity personnel are provided with information on how to report systems failures, incidents, concerns, and other complaints to personnel. • Communicates Objectives and Changes to Objectives — The entity communicates its objectives and changes to those objectives to personnel in a timely manner. • Communicates Information to Improve Security Knowledge and Awareness — The entity communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program 9
SOC_2 CC2.3 SOC_2_CC2.3 SOC 2 Type 2 CC2.3 Communication and Information COSO Principle 15 Shared The customer is responsible for implementing this recommendation. Communicates to External Parties — Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties. • Enables Inbound Communications — Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information. • Communicates With the Board of Directors — Relevant information resulting from assessments conducted by external parties is communicated to the board of directors. • Provides Separate Communication Lines — Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. • Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations. Additional point of focus that applies only to an engagement using the trust services criteria for confidentiality: • Communicates Objectives Related to Confidentiality and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality.Page 20 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS Additional point of focus that applies only to an engagement using the trust services criteria for privacy: • Communicates Objectives Related to Privacy and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives related to privacy and changes to those objectives. Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level: • Communicates Information About System Operation and Boundaries — The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation. • Communicates System Objectives — The entity communicates its system objectives to appropriate external users. • Communicates System Responsibilities — External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities. • Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters — External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel. 14
SOC_2 CC7.4 SOC_2_CC7.4 SOC 2 Type 2 CC7.4 System Operations Security incidents response Shared The customer is responsible for implementing this recommendation. Assigns Roles and Responsibilities — Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary. • Contains Security Incidents — Procedures are in place to contain security incidents that actively threaten entity objectives. • Mitigates Ongoing Security Incidents — Procedures are in place to mitigate the effects of ongoing security incidents. • Ends Threats Posed by Security Incidents — Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions. • Restores Operations — Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives. • Develops and Implements Communication Protocols for Security Incidents — Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet the entity's objectives. • Obtains Understanding of Nature of Incident and Determines Containment Strategy — An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach. • Remediates Identified Vulnerabilities — Identified vulnerabilities are remediated through the development and execution of remediation activities. • Communicates Remediation Activities — Remediation activities are documented and communicated in accordance with the incident-response program. • Evaluates the Effectiveness of Incident Response — The design of incident-response activities is evaluated for effectiveness on a periodic basis. • Periodically Evaluates Incidents — Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes Communicates Unauthorized Use and Disclosure — Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required. • Application of Sanctions — The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements 17
SOC_2 CC7.5 SOC_2_CC7.5 SOC 2 Type 2 CC7.5 System Operations Recovery from identified security incidents Shared The customer is responsible for implementing this recommendation. • Restores the Affected Environment — The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed. • Communicates Information About the Event — Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external). • Determines Root Cause of the Event — The root cause of the event is determined. • Implements Changes to Prevent and Detect Recurrences — Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis. • Improves Response and Recovery Procedures — Lessons learned are analyzed and the incident-response plan and recovery procedures are improved. • Implements Incident-Recovery Plan Testing — Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results 19
SOC_2023 A1.1 SOC_2023_A1.1 SOC 2023 A1.1 Additional Criteria for Availability To effectively manage capacity demand and facilitate the implementation of additional capacity as needed. Shared n/a The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. 111
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 218
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 229
SOC_2023 CC6.1 SOC_2023_CC6.1 SOC 2023 CC6.1 Logical and Physical Access Controls To mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. Shared n/a Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. 128
SOC_2023 CC7.2 SOC_2023_CC7.2 SOC 2023 CC7.2 Systems Operations To maintain robust security measures and ensure operational resilience. Shared n/a The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. 167
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 213
SOC_2023 CC8.1 SOC_2023_CC8.1 SOC 2023 CC8.1 Change Management To minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. Shared n/a The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. 147
SWIFT_CSCF_2024 11.3 SWIFT_CSCF_2024_11.3 404 not found n/a n/a 2
SWIFT_CSCF_2024 2.9 SWIFT_CSCF_2024_2.9 SWIFT Customer Security Controls Framework 2024 2.9 Transaction Controls Transaction Business Controls Shared 1. Implementing business controls that restrict Swift transactions to the fullest extent possible reduces the opportunity for the sending (outbound) and, optionally, receiving (inbound) of fraudulent transactions. 2. These restrictions are best determined through an analysis of normal business activity. Parameters can then be set to restrict business to acceptable thresholds based on “normal” activity. To ensure outbound transaction activity within the expected bounds of normal business. 25
SWIFT_CSCF_2024 6.4 SWIFT_CSCF_2024_6.4 SWIFT Customer Security Controls Framework 2024 6.4 Access Control Logging and Monitoring Shared 1. Developing a logging and monitoring plan is the basis for effectively detecting abnormal behaviour and potential attacks and support further investigations. 2. As the operational environment becomes more complex, so will the logging and monitoring capability needed to perform adequate detection. Simplifying the operational environment will enable simpler logging and monitoring. To record security events, detect and respond to anomalous actions and operations within the user’s Swift environment. 42
SWIFT_CSCF_2024 6.5 SWIFT_CSCF_2024_6.5 404 not found n/a n/a 22
SWIFT_CSCF_v2021 7.1 SWIFT_CSCF_v2021_7.1 SWIFT CSCF v2021 7.1 Plan for Incident Response and Information Sharing Cyber Incident Response Planning n/a Ensure a consistent and effective approach for the management of cyber incidents. link 3
SWIFT_CSCF_v2022 7.1 SWIFT_CSCF_v2022_7.1 SWIFT CSCF v2022 7.1 7. Plan for Incident Response and Information Sharing Ensure a consistent and effective approach for the management of cyber incidents. Shared n/a The user has a defined and tested cyber-incident response plan. link 8
UK_NCSC_CAF_v3.2 C UK_NCSC_CAF_v3.2_C 404 not found n/a n/a 18
UK_NCSC_CAF_v3.2 C1 UK_NCSC_CAF_v3.2_C1 404 not found n/a n/a 19
UK_NCSC_CAF_v3.2 C1.c UK_NCSC_CAF_v3.2_C1.c NCSC Cyber Assurance Framework (CAF) v3.2 C1.c Security Monitoring Generating Alerts Shared 1. Logging data is enriched with other network knowledge and data when investigating certain suspicious activity or alerts. 2. A wide range of signatures and indicators of compromise is used for investigations of suspicious activity and alerts. 3. Alerts can be easily resolved to network assets using knowledge of networks and systems. The resolution of these alerts is performed in almost real time. 4. Security alerts relating to all essential functions are prioritised and this information is used to support incident management. 5. Logs are reviewed almost continuously, in real time. 6. Alerts are tested to ensure that they are generated reliably and that it is possible to distinguish genuine security incidents from false alarms. Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts. 22
UK_NCSC_CAF_v3.2 C1.d UK_NCSC_CAF_v3.2_C1.d NCSC Cyber Assurance Framework (CAF) v3.2 C1.d Security Monitoring Identifying Security Incidents Shared 1. Select threat intelligence sources or services using risk-based and threat-informed decisions based on the business needs and sector (e.g. vendor reporting and patching, strong anti-virus providers, sector and community-based info share, special interest groups). 2. Apply all new signatures and IoCs within a reasonable (risk-based) time of receiving them. 3. Receive signature updates for all the protective technologies (e.g. AV, IDS). 4. Track the effectiveness of the intelligence feeds and actively share feedback on the usefulness of IoCs and any other indicators with the threat community (e.g. sector partners, threat intelligence providers, government agencies). Contextualise alerts with knowledge of the threat and the systems, to identify those security incidents that require some form of response. 21
UK_NCSC_CAF_v3.2 C2 UK_NCSC_CAF_v3.2_C2 404 not found n/a n/a 19
UK_NCSC_CAF_v3.2 C2.b UK_NCSC_CAF_v3.2_C2.b NCSC Cyber Assurance Framework (CAF) v3.2 C2.b Proactive Security Event Discovery Proactive Attack Discovery Shared 1. Routinely search for system abnormalities indicative of malicious activity on the networks and information systems supporting the operation of your essential function, generating alerts based on the results of such searches. 2. Have justified confidence in the effectiveness of the searches for system abnormalities indicative of malicious activity. Use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity. 19
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn unknown
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn true
[Preview]: NIS2 32ff9e30-4725-4ca7-ba3a-904a7721ee87 Regulatory Compliance Preview BuiltIn unknown
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn unknown
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn unknown
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn unknown
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CIS Azure Foundations v2.1.0 fe7782e4-6ff3-4e39-8d8a-64b6f7b82c85 Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn true
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn true
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn true
FFIEC CAT 2017 1d5dbdd5-6f93-43ce-a939-b19df3753cf7 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn unknown
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
NCSC Cyber Assurance Framework (CAF) v3.2 6d220abf-cf6f-4b17-8f7e-0644c4cc84b4 Regulatory Compliance GA BuiltIn unknown
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST CSF v2.0 184a0e05-7b06-4a68-bbbe-13b8353bc613 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn true
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn true
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn unknown
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn true
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn unknown
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn unknown
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2024-05-13 17:44:58 change Minor (1.1.0 > 1.2.0)
2024-04-08 17:52:20 change Minor (1.0.1 > 1.1.0)
2020-12-11 15:42:52 change Patch (1.0.0 > 1.0.1)
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC