Az Policy Advertizer

CMMC_L2_v1.9.0_CM.L2_3.4.1

C.04.7 - Evaluated

404 not found

n/a

CMMC_2.0_L2

CM.L2-3.4.1

CMMC_2.0_L2_CM.L2-3.4.1

404 not found

n/a

CMMC_2.0_L2

CM.L2-3.4.2

CMMC_2.0_L2_CM.L2-3.4.2

404 not found

n/a

CMMC_L2_v1.9.0

CM.L2_3.4.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.1

Configuration Management

System Baselining

Shared

Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

To ensure consistency, security, and compliance with organizational standards and requirements.

CMMC_L2_v1.9.0

CM.L2_3.4.2

CMMC_L2_v1.9.0_CM.L2_3.4.2

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.2

Configuration Management

Security Configuration Enforcement

Shared

Establish and enforce security configuration settings for information technology products employed in organizational systems.

To mitigate vulnerabilities and enhance overall security posture.

CMMC_L2_v1.9.0

CM.L2_3.4.6

CMMC_L2_v1.9.0_CM.L2_3.4.6

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.6

Configuration Management

Least Functionality

Shared

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

To reduce the risk of unauthorized access or exploitation of system vulnerabilities.

AIS_02

CSA_v4.0.12_AIS_02

CSA Cloud Controls Matrix v4.0.12 AIS 02

Application & Interface Security

Application Security Baseline Requirements

Shared

n/a

Establish, document and maintain baseline requirements for securing different applications.

CCC_02

CSA_v4.0.12_CCC_02

CSA Cloud Controls Matrix v4.0.12 CCC 02

Change Control and Configuration Management

Quality Testing

Shared

n/a

Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards.

CCC_03

CSA_v4.0.12_CCC_03

CSA Cloud Controls Matrix v4.0.12 CCC 03

Change Control and Configuration Management

Change Management Technology

Shared

n/a

Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced).

CCC_04

CSA_v4.0.12_CCC_04

CSA Cloud Controls Matrix v4.0.12 CCC 04

Change Control and Configuration Management

Unauthorized Change Protection

Shared

n/a

Restrict the unauthorized addition, removal, update, and management of organization assets.

CCC_09

CSA_v4.0.12_CCC_09

CSA Cloud Controls Matrix v4.0.12 CCC 09

Change Control and Configuration Management

Change Restoration

Shared

n/a

Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns.

IAM_07

CSA_v4.0.12_IAM_07

CSA Cloud Controls Matrix v4.0.12 IAM 07

Identity & Access Management

User Access Changes and Revocation

Shared

n/a

De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies.

TVM_04

CSA_v4.0.12_TVM_04

CSA Cloud Controls Matrix v4.0.12 TVM 04

Threat & Vulnerability Management

Detection Updates

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis.

UEM_03

CSA_v4.0.12_UEM_03

CSA Cloud Controls Matrix v4.0.12 UEM 03

Universal Endpoint Management

Compatibility

Shared

n/a

Define and implement a process for the validation of the endpoint device's compatibility with operating systems and applications.

UEM_05

CSA_v4.0.12_UEM_05

CSA Cloud Controls Matrix v4.0.12 UEM 05

Universal Endpoint Management

Endpoint Management

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_1

Cyber Essentials v3.1 1

Cyber Essentials

Firewalls

Shared

n/a

Aim: to make sure that only secure and necessary network services can be accessed from the internet.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_3

Cyber Essentials v3.1 3

Cyber Essentials

Security Update Management

Shared

n/a

Aim: ensure that devices and software are not vulnerable to known security issues for which fixes are available.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_5

Cyber Essentials v3.1 5

Cyber Essentials

Malware protection

Shared

n/a

Aim: to restrict execution of known malware and untrusted software, from causing damage or accessing data.

EU_2555_(NIS2)_2022

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

193

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

310

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

310

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5.7

404 not found

n/a

FedRAMP_High_R4

CM-6

FedRAMP_High_R4_CM-6

FedRAMP High CM-6

Configuration Management

Configuration Settings

Shared

n/a

The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. Supplemental Guidance: Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security- related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. References: OMB Memoranda 07-11, 07-18, 08-22; NIST Special Publications 800-70, 800-128; Web: http://nvd.nist.gov, http://checklists.nist.gov, http://www.nsa.gov.

FedRAMP_Moderate_R4

CM-6

FedRAMP_Moderate_R4_CM-6

FedRAMP Moderate CM-6

Configuration Management

Configuration Settings

Shared

n/a

FFIEC_CAT_2017

3.1.1

FFIEC_CAT_2017_3.1.1

FFIEC CAT 2017 3.1.1

Cybersecurity Controls

Infrastructure Management

Shared

n/a

- Network perimeter defense tools (e.g., border router and firewall) are used. - Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. - All ports are monitored. - Up to date antivirus and anti-malware tools are used. - Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. - Ports, functions, protocols and services are prohibited if no longer needed for business purposes. - Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored. - Programs that can override system, object, network, virtual machine, and application controls are restricted. - System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met. - Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.)

01.l

HITRUST_CSF_v11.3_01.l

HITRUST CSF v11.3 01.l

Network Access Control

Prevent unauthorized access to networked services.

Shared

Ports, services, and applications installed on a computer or network systems, which are not specifically required for business functionality, to be disabled or removed.

Physical and logical access to diagnostic and configuration ports shall be controlled.

09.j

HITRUST_CSF_v11.3_09.j

HITRUST CSF v11.3 09.j

Protection Against Malicious and Mobile Code

Ensure that integrity of information and software is protected from malicious or unauthorized code

Shared

1. Technologies are to be implemented for timely installation, upgrade and renewal of anti-malware protective measures. 2. Automatic periodic scans of information systems is to be implemented. 3. Anti-malware software that offers a centralized infrastructure that compiles information on file reputations is to be implemented. 4. Post-malicious code update, signature deployment, scanning files, email, and web traffic is to be verified by automated systems, while BYOD users require anti-malware, network-based malware detection is to be used on servers without host-based solutions use. 5. Anti-malware audit logs checks to be performed. 6. Protection against malicious code is to be based on malicious code detection and repair software, security awareness, appropriate system access, and change management controls.

Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.

09.m

HITRUST_CSF_v11.3_09.m

HITRUST CSF v11.3 09.m

Network Security Management

Ensure the protection of information in networks and protection of the supporting network infrastructure.

Shared

1. Vendor default encryption keys, default SNMP community strings on wireless devices, default passwords/passphrases on access points, and other security-related wireless vendor defaults is to be changed prior to authorization of implementation of wireless access points. 2. Wireless encryption keys to be changed when anyone with knowledge of the keys leaves or changes. 3. All authorized and unauthorized wireless access to the information system is to be monitored and installation of wireless access points (WAP) is to be prohibited unless explicitly authorized.

Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit.

10.k

HITRUST_CSF_v11.3_10.k

HITRUST CSF v11.3 10.k

Security In Development and Support Processes

Ensure the security of application system software and information through the development process, project and support environments shall be strictly controlled.

Shared

1. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management is to be formally addressed. 2. Changes to mobile device operating systems, patch levels, and/or applications is to be managed through a formal change management process. 3. A baseline configuration of the information system is to be developed, documented, and maintained under configuration control.

The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures.

10.m

HITRUST_CSF_v11.3_10.m

HITRUST CSF v11.3 10.m

Technical Vulnerability Management

Reduce the risks resulting from exploitation of published technical vulnerabilities, technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness.

Shared

1. The necessary secure services, protocols required for the function of the system are to be enabled. 2. Security features to be implemented for any required services that are considered to be insecure. 3. Laptops, workstations, and servers to be configured so they will not auto-run content from removable media. 4. Configuration standards to be consistent with industry-accepted system hardening standards. 5. An enterprise security posture review within every 365 days is to be conducted. 6. Vulnerability scanning tools to be regularly updated with all relevant information system vulnerabilities.

Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.

ISO_IEC_27002_2022

8.9

ISO_IEC_27002_2022_8.9

ISO IEC 27002 2022 8.9

Protection, Preventive Control

Configuration management

Shared

Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.

To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes.

NIST_SP_800-171_R2_3

.4.1

NIST_SP_800-171_R2_3.4.1

NIST SP 800-171 R2 3.4.1

Configuration Management

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration. Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. [SP 800-128] provides guidance on security-focused configuration management.

NIST_SP_800-171_R2_3

.4.2

NIST_SP_800-171_R2_3.4.2

NIST SP 800-171 R2 3.4.2

Configuration Management

Establish and enforce security configuration settings for information technology products employed in organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. [SP 800-70] and [SP 800-128] provide guidance on security configuration settings.

NIST_SP_800-171_R3_3

.4.1

NIST_SP_800-171_R3_3.4.1

404 not found

n/a

NIST_SP_800-171_R3_3

.4.2

NIST_SP_800-171_R3_3.4.2

404 not found

n/a

NIST_SP_800-171_R3_3

.4.6

NIST_SP_800-171_R3_3.4.6

404 not found

n/a

NIST_SP_800-53_R4

CM-6

NIST_SP_800-53_R4_CM-6

NIST SP 800-53 Rev. 4 CM-6

Configuration Management

Configuration Settings

Shared

n/a

NIST_SP_800-53_R5.1.1_CM.2

NIST_SP_800-53_R5.1.1

CM.2

NIST SP 800-53 R5.1.1 CM.2

Configuration Management Control

Baseline Configuration

Shared

a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: Assignment organization-defined circumstances]; and 3. When system components are installed or upgraded.

Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.

NIST_SP_800-53_R5.1.1

CM.6

NIST_SP_800-53_R5.1.1_CM.6

NIST SP 800-53 R5.1.1 CM.6

Configuration Management Control

Configuration Settings

Shared

a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system. Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors. Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.

NIST_SP_800-53_R5.1.1

CM.7

NIST_SP_800-53_R5.1.1_CM.7

NIST SP 800-53 R5.1.1 CM.7

Configuration Management Control

Least Functionality

Shared

a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].

Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3).

NIST_SP_800-53_R5

CM-6

NIST_SP_800-53_R5_CM-6

NIST SP 800-53 Rev. 5 CM-6

Configuration Management

Configuration Settings

Shared

n/a

12.4.4.C.01.

NZISM_v3.7_12.4.4.C.01.

NZISM v3.7 12.4.4.C.01.

Product Patching and Updating

12.4.4.C.01. - mitigate the risk of exploitation by malicious actors and to ensure the ongoing security and integrity of the agency's IT systems and data.

Shared

n/a

Agencies MUST apply all critical security patches as soon as possible and within two (2) days of the release of the patch or update.

12.4.4.C.02.

NZISM_v3.7_12.4.4.C.02.

NZISM v3.7 12.4.4.C.02.

Product Patching and Updating

12.4.4.C.02. - minimise the risk of disruptions or vulnerabilities introduced by the patches.

Shared

n/a

Agencies MUST implement a patch management strategy, including an evaluation or testing process.

12.4.4.C.04.

NZISM_v3.7_12.4.4.C.04.

NZISM v3.7 12.4.4.C.04.

Product Patching and Updating

12.4.4.C.04. - mitigate the risk of exploitation by malicious actors and to ensure the ongoing security and integrity of the agency's IT systems and data.

Shared

n/a

Agencies SHOULD apply all critical security patches as soon as possible and preferably within two (2) days of the release of the patch or update.

12.4.4.C.05.

NZISM_v3.7_12.4.4.C.05.

NZISM v3.7 12.4.4.C.05.

Product Patching and Updating

12.4.4.C.05. - reduce the potential attack surface for malicious actors.

Shared

n/a

Agencies SHOULD apply all non-critical security patches as soon as possible.

12.4.4.C.06.

NZISM_v3.7_12.4.4.C.06.

NZISM v3.7 12.4.4.C.06.

Product Patching and Updating

12.4.4.C.06. - maintain the integrity and effectiveness of the patching process.

Shared

n/a

Agencies SHOULD ensure that security patches are applied through a vendor recommended patch or upgrade process.

14.1.8.C.01.

NZISM_v3.7_14.1.8.C.01.

NZISM v3.7 14.1.8.C.01.

Standard Operating Environments

14.1.8.C.01. - minimise vulnerabilities and enhance system security

Shared

n/a

Agencies SHOULD develop a hardened SOE for workstations and servers, covering: 1. removal of unneeded software and operating system components; 2. removal or disabling of unneeded services, ports and BIOS settings; 3. disabling of unused or undesired functionality in software and operating systems; 4. implementation of access controls on relevant objects to limit system users and programs to the minimum access required; 5. installation of antivirus and anti-malware software; 6. installation of software-based firewalls limiting inbound and outbound network connections; 7. configuration of either remote logging or the transfer of local event logs to a central server; and 8. protection of audit and other logs through the use of a one way pipe to reduce likelihood of compromise key transaction records.

17.8.10.C.01.

NZISM_v3.7_17.8.10.C.01.

NZISM v3.7 17.8.10.C.01.

Internet Protocol Security (IPSec)

17.8.10.C.01. - enhance overall cybersecurity posture.

Shared

n/a

Agencies SHOULD use tunnel mode for IPSec connections.

17.8.10.C.02.

NZISM_v3.7_17.8.10.C.02.

NZISM v3.7 17.8.10.C.02.

Internet Protocol Security (IPSec)

17.8.10.C.02. - enhance overall cybersecurity posture.

Shared

n/a

Agencies choosing to use transport mode SHOULD additionally use an IP tunnel for IPSec connections.

22.3.11.C.01.

NZISM_v3.7_22.3.11.C.01.

NZISM v3.7 22.3.11.C.01.

Virtual Local Area Networks

22.3.11.C.01. - ensure data security and integrity.

Shared

n/a

Unused ports on the switches MUST be disabled.

22.3.11.C.02.

NZISM_v3.7_22.3.11.C.02.

NZISM v3.7 22.3.11.C.02.

Virtual Local Area Networks

22.3.11.C.02. - ensure data security and integrity.

Shared

n/a

Unused ports on the switches SHOULD be disabled.

PCI_DSS_v4.0.1

1.2.5

PCI_DSS_v4.0.1_1.2.5

PCI DSS v4.0.1 1.2.5

Install and Maintain Network Security Controls

All services, protocols, and ports allowed are identified, approved, and have a defined business need

Shared

n/a

Examine documentation to verify that a list exists of all allowed services, protocols, and ports, including business justification and approval for each. Examine configuration settings for NSCs to verify that only approved services, protocols, and ports are in use

PCI_DSS_v4.0.1

2.2.1

PCI_DSS_v4.0.1_2.2.1

PCI DSS v4.0.1 2.2.1

Apply Secure Configurations to All System Components

Configuration standards are developed, implemented, and maintained to cover all system components, address all known security vulnerabilities, be consistent with industry-accepted system hardening standards or vendor hardening recommendations, be updated as new vulnerability issues are identified, and be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment

Shared

n/a

Examine system configuration standards to verify they define processes that include all elements specified in this requirement. Examine policies and procedures and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. Examine configuration settings and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before or immediately after a system component is connected to a production environment

PCI_DSS_v4.0.1

2.2.4

PCI_DSS_v4.0.1_2.2.4

PCI DSS v4.0.1 2.2.4

Apply Secure Configurations to All System Components

Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled

Shared

n/a

Examine system configuration standards to verify necessary services, protocols, daemons, and functions are identified and documented. Examine system configurations to verify the following: All unnecessary functionality is removed or disabled. Only required functionality, as documented in the configuration standards, is enabled

RBI_CSF_Banks_v2016

13.1

RBI_CSF_Banks_v2016_13.1

Advanced Real-Timethreat Defenceand Management

Advanced Real-Timethreat Defenceand Management-13.1

n/a

Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise.

RBI_CSF_Banks_v2016

17.1

RBI_CSF_Banks_v2016_17.1

Audit Log Settings

Audit Log Settings-17.1

n/a

Implement and periodically validate settings for capturing of appropriate logs/audit trails of each device, system software and application software , ensuring that logs include minimum information to uniquely identify the log for example by including a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or event and/or transaction.

SOC_2

CC6.8

SOC_2_CC6.8

SOC 2 Type 2 CC6.8

Logical and Physical Access Controls

Prevent or detect against unauthorized or malicious software

Shared

The customer is responsible for implementing this recommendation.

Restricts Application and Software Installation — The ability to install applications and software is restricted to authorized individuals. • Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. • Uses a Defined Change Control Process — A management-defined change control process is used for the implementation of software. • Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. • Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network.

SOC_2

CC8.1

SOC_2_CC8.1

SOC 2 Type 2 CC8.1

Change Management

Changes to infrastructure, data, and software

Shared

The customer is responsible for implementing this recommendation.

Manages Changes Throughout the System Life Cycle — A process for managing system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and processing integrity. • Authorizes Changes — A process is in place to authorize system changes prior to development. • Designs and Develops Changes — A process is in place to design and develop system changes. • Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. • Tracks System Changes — A process is in place to track system changes prior to implementation. • Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software. • Tests System Changes — A process is in place to test system changes prior to implementation. • Approves System Changes — A process is in place to approve system changes prior to implementation. • Deploys System Changes — A process is in place to implement system changes. • Identifies and Evaluates System Changes — Objectives affected by system changes are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle. • Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents — Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified and the change process is initiated upon identification. • Creates Baseline Configuration of IT Technology — A baseline configuration of IT and control systems is created and maintained. • Provides for Changes Necessary in Emergency Situations — A process is in place for authorizing, designing, testing, approving, and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent time frame). Additional points of focus that apply only in an engagement using the trust services criteria for confidentiality: • Protects Confidential Information — The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality. Additional points of focus that apply only in an engagement using the trust services criteria for privacy: • Protects Personal Information — The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy.

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

218

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

229

CC6.1

SOC_2023_CC6.1

SOC 2023 CC6.1

Logical and Physical Access Controls

Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets.

Shared

n/a

Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys.

128

CC6.7

SOC_2023_CC6.7

404 not found

n/a

CC6.8

SOC_2023_CC6.8

SOC 2023 CC6.8

Logical and Physical Access Controls

Mitigate the risk of cybersecurity threats, safeguard critical systems and data, and maintain operational continuity and integrity.

Shared

n/a

Entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.

CC7.2

SOC_2023_CC7.2

SOC 2023 CC7.2

Systems Operations

Maintain robust security measures and ensure operational resilience.

Shared

n/a

The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events.

167

CC7.4

SOC_2023_CC7.4

SOC 2023 CC7.4

Systems Operations

Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation.

Shared

n/a

The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations.

213