compliance controls are associated with this Policy definition 'Keys should be the specified cryptographic type RSA or EC' (75c4f823-d65c-4f29-a733-01d0077fdbcb)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Canada_Federal_PBMM_3-1-2020 |
CM_3(6) |
Canada_Federal_PBMM_3-1-2020_CM_3(6) |
Canada Federal PBMM 3-1-2020 CM 3(6) |
Configuration Change Control |
Configuration Change Control | Cryptography Management |
Shared |
The organization ensures that cryptographic mechanisms used to provide any cryptographic-based safeguards are under configuration management. |
To uphold security and integrity measures. |
|
20 |
| Canada_Federal_PBMM_3-1-2020 |
SC_12 |
Canada_Federal_PBMM_3-1-2020_SC_12 |
Canada Federal PBMM 3-1-2020 SC 12 |
Cryptographic Key Establishment and Management |
Cryptographic Key Establishment and Management |
Shared |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with CSE-approved cryptography. |
To enhance overall security posture and compliance with industry best practices.
|
|
29 |
| Canada_Federal_PBMM_3-1-2020 |
SC_12(1) |
Canada_Federal_PBMM_3-1-2020_SC_12(1) |
Canada Federal PBMM 3-1-2020 SC 12(1) |
Cryptographic Key Establishment and Management |
Cryptographic Key Establishment and Management | Availability |
Shared |
The organization maintains availability of information in the event of the loss of cryptographic keys by users. |
To implement backup and recovery mechanisms. |
|
29 |
| CMMC_2.0_L2 |
SC.L2-3.13.10 |
CMMC_2.0_L2_SC.L2-3.13.10 |
404 not found |
|
|
|
n/a |
n/a |
|
37 |
| CMMC_2.0_L2 |
SC.L2-3.13.11 |
CMMC_2.0_L2_SC.L2-3.13.11 |
404 not found |
|
|
|
n/a |
n/a |
|
4 |
| CMMC_L2_v1.9.0 |
SC.L2_3.13.11 |
CMMC_L2_v1.9.0_SC.L2_3.13.11 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.11 |
System and Communications Protection |
CUI Encryption |
Shared |
Employ FIPS validated cryptography when used to protect the confidentiality of CUI. |
To ensure the integrity and effectiveness of cryptographic protections applied to sensitive data. |
|
19 |
| CMMC_L3 |
SC.3.177 |
CMMC_L3_SC.3.177 |
CMMC L3 SC.3.177 |
System and Communications Protection |
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPSvalidated cryptography and/or NSA-approved cryptography. |
link |
25 |
| CMMC_L3 |
SC.3.187 |
CMMC_L3_SC.3.187 |
CMMC L3 SC.3.187 |
System and Communications Protection |
Establish and manage cryptographic keys for cryptography employed in organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. |
link |
8 |
| CSA_v4.0.12 |
CEK_02 |
CSA_v4.0.12_CEK_02 |
CSA Cloud Controls Matrix v4.0.12 CEK 02 |
Cryptography, Encryption & Key Management |
CEK Roles and Responsibilities |
Shared |
n/a |
Define and implement cryptographic, encryption and key management
roles and responsibilities. |
|
25 |
| CSA_v4.0.12 |
CEK_10 |
CSA_v4.0.12_CEK_10 |
CSA Cloud Controls Matrix v4.0.12 CEK 10 |
Cryptography, Encryption & Key Management |
Key Generation |
Shared |
n/a |
Generate Cryptographic keys using industry accepted cryptographic
libraries specifying the algorithm strength and the random number generator
used. |
|
24 |
| CSA_v4.0.12 |
CEK_11 |
CSA_v4.0.12_CEK_11 |
CSA Cloud Controls Matrix v4.0.12 CEK 11 |
Cryptography, Encryption & Key Management |
Key Purpose |
Shared |
n/a |
Manage cryptographic secret and private keys that are provisioned
for a unique purpose. |
|
24 |
| CSA_v4.0.12 |
CEK_12 |
CSA_v4.0.12_CEK_12 |
CSA Cloud Controls Matrix v4.0.12 CEK 12 |
Cryptography, Encryption & Key Management |
Key Rotation |
Shared |
n/a |
Rotate cryptographic keys in accordance with the calculated cryptoperiod,
which includes provisions for considering the risk of information disclosure
and legal and regulatory requirements. |
|
22 |
| CSA_v4.0.12 |
CEK_15 |
CSA_v4.0.12_CEK_15 |
CSA Cloud Controls Matrix v4.0.12 CEK 15 |
Cryptography, Encryption & Key Management |
Key Activation |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to create keys in a pre-activated state when they have been generated
but not authorized for use, which include provisions for legal and regulatory
requirements. |
|
21 |
| CSA_v4.0.12 |
CEK_16 |
CSA_v4.0.12_CEK_16 |
CSA Cloud Controls Matrix v4.0.12 CEK 16 |
Cryptography, Encryption & Key Management |
Key Suspension |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to monitor, review and approve key transitions from any state to/from
suspension, which include provisions for legal and regulatory requirements. |
|
23 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_11 |
EU_2555_(NIS2)_2022_11 |
EU 2022/2555 (NIS2) 2022 11 |
|
Requirements, technical capabilities and tasks of CSIRTs |
Shared |
n/a |
Outlines the requirements, technical capabilities, and tasks of CSIRTs. |
|
64 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_12 |
EU_2555_(NIS2)_2022_12 |
EU 2022/2555 (NIS2) 2022 12 |
|
Coordinated vulnerability disclosure and a European vulnerability database |
Shared |
n/a |
Establishes a coordinated vulnerability disclosure process and a European vulnerability database. |
|
62 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
189 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_29 |
EU_2555_(NIS2)_2022_29 |
EU 2022/2555 (NIS2) 2022 29 |
|
Cybersecurity information-sharing arrangements |
Shared |
n/a |
Allows entities to exchange relevant cybersecurity information on a voluntary basis. |
|
62 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
306 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.1 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 |
Policy and Implementation - Systems And Communications Protection |
Systems And Communications Protection |
Shared |
In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. |
Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. |
|
110 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.11 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 |
Policy and Implementation - Formal Audits |
Policy Area 11: Formal Audits |
Shared |
Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. |
Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. |
|
60 |
| HITRUST_CSF_v11.3 |
10.c |
HITRUST_CSF_v11.3_10.c |
HITRUST CSF v11.3 10.c |
Correct Processing in Applications |
Incorporate validation checks into applications to detect any corruption of information through processing errors or deliberate acts. |
Shared |
Data integrity controls which manage changes, prevent sequencing errors, ensure recovery from failures, and protect against buffer overrun attacks are to be implemented. |
Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts. |
|
35 |
| HITRUST_CSF_v11.3 |
10.g |
HITRUST_CSF_v11.3_10.g |
HITRUST CSF v11.3 10.g |
Cryptographic Controls |
Ensure key management's support to the organization’s use of cryptographic techniques. |
Shared |
1. All cryptographic keys are to be protected against modification, loss, and destruction.
2. Secret/private keys, including split-keys, are to be protected against unauthorized disclosure. |
Key management shall be in place to support the organization’s use of cryptographic techniques. |
|
7 |
| ISO_IEC_27017_2015 |
10.1.1 |
ISO_IEC_27017_2015_10.1.1 |
ISO IEC 27017 2015 10.1.1 |
Cryptography |
Policy on the use of cryptographic controls |
Shared |
For Cloud Service Customer:
The cloud service customer should implement cryptographic controls for its use of cloud services if justified by the risk analysis. The controls should be of sufficient strength to mitigate the identified risks, whether those controls are supplied by the cloud service customer or by the cloud service provider.
When the cloud service provider offers cryptography, the cloud service customer should review any information supplied by the cloud service provider to confirm whether the cryptographic capabilities:
(i) meet the cloud service customer's policy requirements;
(ii) are compatible with any other cryptographic protection used by the cloud service customer;
(iii) apply to data at rest and in transit to, from and within the
cloud service.
For Cloud Service Provider:
The cloud service provider should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the information it processes. The cloud service provider should also provide information to the cloud service customer about any capabilities it provides that can assist the cloud service customer in applying its own cryptographic protection. |
To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography. |
|
19 |
| ISO_IEC_27017_2015 |
18.1.5 |
ISO_IEC_27017_2015_18.1.5 |
ISO IEC 27017 2015 18.1.5 |
Compliance |
Regulation of Cryptographic Controls |
Shared |
For Cloud Service Customer:
The cloud service customer should verify that the set of cryptographic controls that apply to the use of a cloud service comply with relevant agreements, legislation and regulations.
For Cloud Service Provider:
The cloud service provider should provide descriptions of the cryptographic controls implemented by the cloud service provider to the cloud service customer for reviewing compliance with applicable agreements, legislation and
regulations. |
To ensure compliance with legal, statutory, regulatory and contractual requirements related to information security. |
|
19 |
| K_ISMS_P_2018 |
2.10.1 |
K_ISMS_P_2018_2.10.1 |
K ISMS P 2018 2.10.1 |
2.10 |
Establish Procedures for Managing the Security of System Operations |
Shared |
n/a |
Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions. |
|
455 |
| K_ISMS_P_2018 |
2.10.2 |
K_ISMS_P_2018_2.10.2 |
K ISMS P 2018 2.10.2 |
2.10 |
Establish Protective Measures for Administrator Privileges and Security Configurations |
Shared |
n/a |
Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations. |
|
431 |
| K_ISMS_P_2018 |
2.7.2 |
K_ISMS_P_2018_2.7.2 |
K ISMS P 2018 2.7.2 |
2.7 |
Establish Encryption Key Management Procedures |
Shared |
n/a |
Establish and implement procedures for securely creating, using, storing, distributing, and destroying encryption keys. Additionally, establish and implement procedures for recovering encryption keys, if necessary. |
|
48 |
| NIST_SP_800-171_R3_3 |
.13.11 |
NIST_SP_800-171_R3_3.13.11 |
NIST 800-171 R3 3.13.11 |
System and Communications Protection Control |
Cryptographic Protection |
Shared |
Cryptography is implemented in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. |
Implement the following types of cryptography when used to protect the confidentiality of CUI: [Assignment: organization-defined types of cryptography]. |
|
19 |
| NIST_SP_800-53_R5.1.1 |
SC.12.3 |
NIST_SP_800-53_R5.1.1_SC.12.3 |
NIST SP 800-53 R5.1.1 SC.12.3 |
System and Communications Protection |
Cryptographic Key Establishment and Management | Asymmetric Keys |
Shared |
Produce, control, and distribute asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; prepositioned keying material; DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key; certificates issued in accordance with organization-defined requirements]. |
[SP 800-56A], [SP 800-56B], and [SP 800-56C] provide guidance on cryptographic key establishment schemes and key derivation methods. [SP 800-57-1], [SP 800-57-2], and [SP 800-57-3] provide guidance on cryptographic key management. |
|
2 |
| NIST_SP_800-53_R5.1.1 |
SC.13 |
NIST_SP_800-53_R5.1.1_SC.13 |
NIST SP 800-53 R5.1.1 SC.13 |
System and Communications Protection |
Cryptographic Protection |
Shared |
a. Determine the [Assignment: organization-defined cryptographic uses]; and
b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]. |
Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. |
|
19 |
| NIST_SP_800-53_R5.1.1 |
SI.7.5 |
NIST_SP_800-53_R5.1.1_SI.7.5 |
NIST SP 800-53 R5.1.1 SI.7.5 |
System and Information Integrity Control |
Software, Firmware, and Information Integrity | Automated Response to Integrity Violations |
Shared |
Automatically [Selection (one or more): shut the system down; restart the system; implement [Assignment: organization-defined controls]
] when integrity violations are discovered. |
Organizations may define different integrity-checking responses by type of information, specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur. |
|
4 |
| NZISM_v3.7 |
17.1.51.C.01. |
NZISM_v3.7_17.1.51.C.01. |
NZISM v3.7 17.1.51.C.01. |
Cryptographic Fundamentals |
17.1.51.C.01. - enhace overall security posture. |
Shared |
n/a |
Agencies using cryptographic functionality within a product to protect the confidentiality, authentication, non-repudiation or integrity of information, MUST ensure that the product has completed a cryptographic evaluation recognised by the GCSB. |
|
20 |
| NZISM_v3.7 |
17.1.52.C.01. |
NZISM_v3.7_17.1.52.C.01. |
NZISM v3.7 17.1.52.C.01. |
Cryptographic Fundamentals |
17.1.52.C.01. - enhace overall security posture. |
Shared |
n/a |
Cryptographic products MUST provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure. |
|
20 |
| NZISM_v3.7 |
17.1.52.C.02. |
NZISM_v3.7_17.1.52.C.02. |
NZISM v3.7 17.1.52.C.02. |
Cryptographic Fundamentals |
17.1.52.C.02. - enhance data accessibility and integrity. |
Shared |
n/a |
Cryptographic products SHOULD provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure. |
|
20 |
| NZISM_v3.7 |
17.1.53.C.03. |
NZISM_v3.7_17.1.53.C.03. |
NZISM v3.7 17.1.53.C.03. |
Cryptographic Fundamentals |
17.1.53.C.03. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
If an agency wishes to use encryption to reduce the storage, handling or physical transfer requirements for IT equipment or media that contains classified information, they MUST use:
1. full disk encryption; or
2. partial disk encryption where the access control will allow writing ONLY to the encrypted partition holding the classified information. |
|
20 |
| NZISM_v3.7 |
17.1.53.C.04. |
NZISM_v3.7_17.1.53.C.04. |
NZISM v3.7 17.1.53.C.04. |
Cryptographic Fundamentals |
17.1.53.C.04. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
If an agency wishes to use encryption to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they SHOULD use:
1. full disk encryption; or
2. partial disk encryption where the access control will allow writing ONLY to the encrypted partition holding the classified information. |
|
20 |
| NZISM_v3.7 |
17.1.54.C.01. |
NZISM_v3.7_17.1.54.C.01. |
NZISM v3.7 17.1.54.C.01. |
Cryptographic Fundamentals |
17.1.54.C.01. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
Agencies MUST use an Approved Cryptographic Algorithm to protect NZEO information when at rest on a system. |
|
20 |
| NZISM_v3.7 |
17.1.55.C.01. |
NZISM_v3.7_17.1.55.C.01. |
NZISM v3.7 17.1.55.C.01. |
Cryptographic Fundamentals |
17.1.55.C.01. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
Agencies MUST use HACE if they wish to communicate or pass information over UNCLASSIFIED, insecure or unprotected networks. |
|
20 |
| NZISM_v3.7 |
17.1.55.C.02. |
NZISM_v3.7_17.1.55.C.02. |
NZISM v3.7 17.1.55.C.02. |
Cryptographic Fundamentals |
17.1.55.C.02. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
Information or systems classified RESTRICTED or SENSITIVE MUST be encrypted with an Approved Cryptographic Algorithm and Protocol if information is transmitted or systems are communicating over insecure or unprotected networks, such as the Internet, public networks or non-agency controlled networks. |
|
20 |
| NZISM_v3.7 |
17.1.55.C.03. |
NZISM_v3.7_17.1.55.C.03. |
NZISM v3.7 17.1.55.C.03. |
Cryptographic Fundamentals |
17.1.55.C.03. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
Agencies MUST encrypt aggregated agency data using an approved algorithm and protocol over insecure or unprotected networks such as the Internet, public infrastructure or non-agency controlled networks when the compromise of the aggregated data would present a significant impact to the agency. |
|
20 |
| NZISM_v3.7 |
17.1.55.C.04. |
NZISM_v3.7_17.1.55.C.04. |
NZISM v3.7 17.1.55.C.04. |
Cryptographic Fundamentals |
17.1.55.C.04. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
Agencies SHOULD encrypt agency data using an approved algorithm and protocol if they wish to communicate over insecure or unprotected networks such as the Internet, public networks or non-agency controlled networks. |
|
20 |
| NZISM_v3.7 |
17.1.56.C.02. |
NZISM_v3.7_17.1.56.C.02. |
NZISM v3.7 17.1.56.C.02. |
Cryptographic Fundamentals |
17.1.56.C.02. - ensure compliance with security protocols and best practices. |
Shared |
n/a |
Agencies MUST consult the GCSB for further advice on the powered off status and treatment of specific software, systems and IT equipment. |
|
20 |
| NZISM_v3.7 |
17.1.57.C.01. |
NZISM_v3.7_17.1.57.C.01. |
NZISM v3.7 17.1.57.C.01. |
Cryptographic Fundamentals |
17.1.57.C.01. - ensure compliance with security protocols and best practices. |
Shared |
n/a |
In addition to any encryption already in place for communication mediums, agencies MUST use an Approved Cryptographic Protocol and Algorithm to protect NZEO information when in transit. |
|
19 |
| NZISM_v3.7 |
17.1.58.C.01. |
NZISM_v3.7_17.1.58.C.01. |
NZISM v3.7 17.1.58.C.01. |
Cryptographic Fundamentals |
17.1.58.C.01. - ensure compliance with security protocols and best practices. |
Shared |
n/a |
Agencies SHOULD establish cryptoperiods for all keys and cryptographic implementations in their systems and operations. |
|
19 |
| NZISM_v3.7 |
17.1.58.C.02. |
NZISM_v3.7_17.1.58.C.02. |
NZISM v3.7 17.1.58.C.02. |
Cryptographic Fundamentals |
17.1.58.C.02. - enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies SHOULD use risk assessment techniques and guidance to establish cryptoperiods. |
|
23 |
| NZISM_v3.7 |
17.1.58.C.03. |
NZISM_v3.7_17.1.58.C.03. |
NZISM v3.7 17.1.58.C.03. |
Cryptographic Fundamentals |
17.1.58.C.03. - enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies using HACE MUST consult the GCSB for key management requirements. |
|
17 |
| NZISM_v3.7 |
17.10.12.C.01. |
NZISM_v3.7_17.10.12.C.01. |
NZISM v3.7 17.10.12.C.01. |
Hardware Security Modules |
17.10.12.C.01. - enhance the overall security posture of the systems and the sensitive information they protect. |
Shared |
n/a |
Agencies MUST consider the use of HSMs when undertaking a security risk assessment or designing network and security architectures. |
|
15 |
|
op.exp.10 Cryptographic key protection |
op.exp.10 Cryptographic key protection |
404 not found |
|
|
|
n/a |
n/a |
|
50 |
| PCI_DSS_v4.0.1 |
3.5.1.1 |
PCI_DSS_v4.0.1_3.5.1.1 |
PCI DSS v4.0.1 3.5.1.1 |
Protect Stored Account Data |
Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7 |
Shared |
n/a |
Examine documentation about the hashing method used to render PAN unreadable, including the vendor, type of system/process, and the encryption algorithms (as applicable) to verify that the hashing method results in keyed cryptographic hashes of the entire PAN, with associated key management processes and procedures. Examine documentation about the key management procedures and processes associated with the keyed cryptographic hashes to verify keys are managed in accordance with Requirements 3.6 and 3.7. Examine data repositories to verify the PAN is rendered unreadable. Examine audit logs, including payment application logs, to verify the PAN is rendered unreadable |
|
19 |
| PCI_DSS_v4.0.1 |
3.6.1 |
PCI_DSS_v4.0.1_3.6.1 |
PCI DSS v4.0.1 3.6.1 |
Protect Stored Account Data |
Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse that include: access to keys is restricted to the fewest number of custodians necessary. Key-encrypting keys are at least as strong as the data-encrypting keys they protect. Key-encrypting keys are stored separately from data-encrypting keys. Keys are stored securely in the fewest possible locations and forms |
Shared |
n/a |
Examine documented key-management policies and procedures to verify that processes to protect cryptographic keys used to protect stored account data against disclosure and misuse are defined to include all elements specified in this requirement |
|
16 |
| PCI_DSS_v4.0.1 |
3.7.1 |
PCI_DSS_v4.0.1_3.7.1 |
PCI DSS v4.0.1 3.7.1 |
Protect Stored Account Data |
Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to protect stored account data |
Shared |
n/a |
Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define generation of strong cryptographic keys. Observe the method for generating keys to verify that strong keys are generated |
|
16 |
| PCI_DSS_v4.0.1 |
3.7.2 |
PCI_DSS_v4.0.1_3.7.2 |
PCI DSS v4.0.1 3.7.2 |
Protect Stored Account Data |
Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to protect stored account data |
Shared |
n/a |
Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define secure distribution of cryptographic keys. Observe the method for distributing keys to verify that keys are distributed securely |
|
16 |
| PCI_DSS_v4.0.1 |
3.7.6 |
PCI_DSS_v4.0.1_3.7.6 |
PCI DSS v4.0.1 3.7.6 |
Protect Stored Account Data |
Where manual cleartext cryptographic key-management operations are performed by personnel, key-management policies and procedures are implemented, including managing these operations using split knowledge and dual control |
Shared |
n/a |
Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define using split knowledge and dual control. Interview personnel and/or observe processes to verify that manual cleartext keys are managed with split knowledge and dual control |
|
16 |
| PCI_DSS_v4.0.1 |
4.2.1 |
PCI_DSS_v4.0.1_4.2.1 |
PCI DSS v4.0.1 4.2.1 |
Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks |
Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: Only trusted keys and certificates are accepted. Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations. The encryption strength is appropriate for the encryption methodology in use |
Shared |
n/a |
Examine documented policies and procedures and interview personnel to verify processes are defined to include all elements specified in this requirement. Examine system configurations to verify that strong cryptography and security protocols are implemented in accordance with all elements specified in this requirement. Examine cardholder data transmissions to verify that all PAN is encrypted with strong cryptography when it is transmitted over open, public networks. Examine system configurations to verify that keys and/or certificates that cannot be verified as trusted are rejected |
|
19 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
214 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
225 |
| SOC_2023 |
CC6.1 |
SOC_2023_CC6.1 |
SOC 2023 CC6.1 |
Logical and Physical Access Controls |
Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. |
Shared |
n/a |
Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. |
|
127 |
| SOC_2023 |
CC7.2 |
SOC_2023_CC7.2 |
SOC 2023 CC7.2 |
Systems Operations |
Maintain robust security measures and ensure operational resilience. |
Shared |
n/a |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. |
|
163 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
209 |
| SOC_2023 |
CC9.1 |
SOC_2023_CC9.1 |
SOC 2023 CC9.1 |
Risk Mitigation |
Enhance resilience and ensure continuity of critical operations in the face of adverse events or threats. |
Shared |
n/a |
Entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. |
|
18 |
| SWIFT_CSCF_2024 |
2.1 |
SWIFT_CSCF_2024_2.1 |
SWIFT Customer Security Controls Framework 2024 2.1 |
Risk Management |
Internal Data Flow Security |
Shared |
The protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit. |
To ensure the confidentiality, integrity, and authenticity of application data flows between ’user’s Swift-related components. |
|
48 |
| SWIFT_CSCF_2024 |
2.4A |
SWIFT_CSCF_2024_2.4A |
SWIFT Customer Security Controls Framework 2024 2.4A |
Risk Management |
Back Office Data Flow Security |
Shared |
Protection of data flows or connections between the back-office first hops as seen from the Swift or customer secure zone and the Swift infrastructure safeguards against person-in-the-middle attack, unintended disclosure, modification, and data access while in transit. |
To ensure the confidentiality, integrity, and mutual authenticity of data flowing between on-premises or remote Swift infrastructure components and the back-office first hops they connect to. |
|
24 |
| SWIFT_CSCF_2024 |
6.2 |
SWIFT_CSCF_2024_6.2 |
SWIFT Customer Security Controls Framework 2024 6.2 |
Risk Management |
Software Integrity |
Shared |
Software integrity checks provide a detective control against unexpected modification to operational software. |
To ensure the software integrity of the Swift-related components and act upon results. |
|
16 |
| SWIFT_CSCF_2024 |
6.3 |
SWIFT_CSCF_2024_6.3 |
SWIFT Customer Security Controls Framework 2024 6.3 |
Risk Management |
Database Integrity |
Shared |
Database integrity checks allow unexpected modification to records stored within the database to be detected. |
To ensure the integrity of the database records for the Swift messaging interface or the customer connector and act upon results. |
|
16 |