Az Policy Advertizer

Canada_Federal_PBMM_3-1-2020_AC_1

AC_1

Canada Federal PBMM 3-1-2020 AC 1

Access Control Policy and Procedures

Shared

1. The organization develops, documents, and disseminates to personnel or roles with access control responsibilities: a. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the access control policy and associated access controls. 2. The organization reviews and updates the current: a. Access control policy at least every 3 years; and b. Access control procedures at least annually.

To establish and maintain effective access control measures.

Canada_Federal_PBMM_3-1-2020_AC_17(100)

AC_17(100)

Canada Federal PBMM 3-1-2020 AC 17(100)

Remote Access

Remote Access | Remote Access to Privileged Accounts using Dedicated Management Console

Shared

Remote access to privileged accounts is performed on dedicated management consoles governed entirely by the system’s security policies and used exclusively for this purpose (e.g. Internet access not allowed).

To reduce the risk of unauthorized access or compromise of privileged accounts.

Canada_Federal_PBMM_3-1-2020_AC_2(4)

AC_2(4)

Canada Federal PBMM 3-1-2020 AC 2(4)

Account Management

Account Management | Automated Audit Actions

Shared

1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers. 2. Related controls: AU-2, AU-12.

To ensure accountability and transparency within the information system.

Canada_Federal_PBMM_3-1-2020_AC_2(7)

AC_2(7)

Canada Federal PBMM 3-1-2020 AC 2(7)

Account Management

Account Management | Role-Based Schemes

Shared

1. The organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; 2. The organization monitors privileged role assignments; and 3. The organization disables (or revokes) privileged user assignments within 24 hours or sooner when privileged role assignments are no longer appropriate.

To strengthen the security posture and safeguard sensitive data and critical resources.

Canada_Federal_PBMM_3-1-2020_AC_2(9)

AC_2(9)

Canada Federal PBMM 3-1-2020 AC 2(9)

Account Management

Account Management | Restrictions on Use of Shared Groups / Accounts

Shared

The organization only permits the use of shared/group accounts that meet organization-defined conditions for establishing shared/group accounts.

To maintain security and accountability.

Canada_Federal_PBMM_3-1-2020_AC_3

AC_3

Canada Federal PBMM 3-1-2020 AC 3

Access Enforcement

Shared

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

To mitigate the risk of unauthorized access.

Canada_Federal_PBMM_3-1-2020_AC_6

AC_6

Canada Federal PBMM 3-1-2020 AC 6

Least Privilege

Shared

The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

To mitigate the risk of unauthorized access, data breaches, and system compromises.

Canada_Federal_PBMM_3-1-2020_AC_6(1)

AC_6(1)

Canada Federal PBMM 3-1-2020 AC 6(1)

Least Privilege

Least Privilege | Authorize Access to Security Functions

Shared

The organization explicitly authorizes access to all security functions not publicly accessible and all security-relevant information not publicly available.

To ensure appropriate oversight and control over critical security measures and information.

Canada_Federal_PBMM_3-1-2020_AC_6(10)

AC_6(10)

Canada Federal PBMM 3-1-2020 AC 6(10)

Least Privilege

Least Privilege | Prohibit Non-Privileged Users from Executing Privileged Functions

Shared

The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

To mitigate the risk of unauthorized access or malicious activities.

Canada_Federal_PBMM_3-1-2020_AC_6(2)

AC_6(2)

Canada Federal PBMM 3-1-2020 AC 6(2)

Least Privilege

Least Privilege | Non-Privileged Access for Non-Security Functions

Shared

The organization requires that users of information system accounts, or roles, with access to any security function, use non-privileged accounts or roles, when accessing non-security functions.

To enhance security measures and minimise the risk of unauthorized access or misuse of privileges.

Canada_Federal_PBMM_3-1-2020_AC_6(5)

AC_6(5)

Canada Federal PBMM 3-1-2020 AC 6(5)

Least Privilege

Least Privilege | Privileged Accounts

Shared

The organization restricts privileged accounts on the information system to the minimum number of personnel required to securely administer, manage, and protect the information systems.

To reduce the potential attack surface and enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_AC_6(9)

AC_6(9)

Canada Federal PBMM 3-1-2020 AC 6(9)

Least Privilege

Least Privilege | Auditing Use of Privileged Functions

Shared

The information system audits the execution of privileged functions.

To enhance oversight and detect potential security breaches or unauthorized activities.

Canada_Federal_PBMM_3-1-2020_CA_7

CA_7

Canada Federal PBMM 3-1-2020 CA 7

Continuous Monitoring

Shared

1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency.

To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements.

124

Canada_Federal_PBMM_3-1-2020_SI_4

SI_4

Canada Federal PBMM 3-1-2020 SI 4

Information System Monitoring

Shared

1. The organization monitors the information system to detect: a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and b. Unauthorized local, network, and remote connections; 2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods. 3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. 4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. 5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. 6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards. 7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_4(1)

SI_4(1)

Canada Federal PBMM 3-1-2020 SI 4(1)

Information System Monitoring

Information System Monitoring | System-Wide Intrusion Detection System

Shared

The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_4(2)

SI_4(2)

Canada Federal PBMM 3-1-2020 SI 4(2)

Information System Monitoring

Information System Monitoring | Automated Tools for Real-Time Analysis

Shared

The organization employs automated tools to support near real-time analysis of events.

To enhance overall security posture.

CIS_Azure_1.1.0

5.1.1

CIS_Azure_1.1.0_5.1.1

CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1

5 Logging and Monitoring

Ensure that a Log Profile exists

Shared

The customer is responsible for implementing this recommendation.

Enable log profile for exporting activity logs.

10.7

CIS_Controls_v8.1_10.7

CIS Controls v8.1 10.7

Malware Defenses

Use behaviour based anti-malware software

Shared

Use behaviour based anti-malware software

To ensure that a generic anti-malware software is not used.

13.1

CIS_Controls_v8.1_13.1

CIS Controls v8.1 13.1

Network Monitoring and Defense

Centralize security event alerting

Shared

1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard.

To ensure that any security event is immediately alerted enterprise-wide.

101

13.11

CIS_Controls_v8.1_13.11

CIS Controls v8.1 13.11

Network Monitoring and Defense

Tune security event alerting thresholds

Shared

Tune security event alerting thresholds monthly, or more frequently.

To regularly adjust and optimize security event alerting thresholds, aiming to enhance effectiveness.

13.3

CIS_Controls_v8.1_13.3

CIS Controls v8.1 13.3

Network Monitoring and Defense

Deploy a network intrusion detection solution

Shared

1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

To enhance the organization's cybersecurity.

18.4

CIS_Controls_v8.1_18.4

CIS Controls v8.1 18.4

Penetration Testing

Validate security measures

Shared

Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.

To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise.

3.14

CIS_Controls_v8.1_3.14

CIS Controls v8.1 3.14

Data Protection

Log sensitive data access

Shared

Log sensitive data access, including modification and disposal.

To enhance accountability, traceability, and security measures within the enterprise.

8.1

CIS_Controls_v8.1_8.1

CIS Controls v8.1 8.1

Audit Log Management

Establish and maintain an audit log management process

Shared

1. Establish and maintain an audit log management process that defines the enterprise’s logging requirements. 2. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. 3. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard.

To ensure appropriate management of audit log systems.

8.11

CIS_Controls_v8.1_8.11

CIS Controls v8.1 8.11

Audit Log Management

Conduct audit log reviews

Shared

1. Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. 2. Conduct reviews on a weekly, or more frequent, basis.

To ensure the integrity of the data in audit logs.

8.2

CIS_Controls_v8.1_8.2

CIS Controls v8.1 8.2

Audit Log Management

Collect audit logs.

Shared

1. Collect audit logs. 2. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.

To assist in troubleshooting of system issues and ensure integrity of data systems.

8.3

CIS_Controls_v8.1_8.3

CIS Controls v8.1 8.3

Audit Log Management

Ensure adequate audit log storage

Shared

Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.

To ensure all important and required logs can be stored for retrieval as and when required.

8.5

CIS_Controls_v8.1_8.5

CIS Controls v8.1 8.5

Audit Log Management

Collect detailed audit logs.

Shared

1. Configure detailed audit logging for enterprise assets containing sensitive data. 2. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.

To ensure that audit logs contain all pertinent information that might be required in a forensic investigation.

8.7

CIS_Controls_v8.1_8.7

CIS Controls v8.1 8.7

Audit Log Management

Collect URL request audit logs

Shared

Collect URL request audit logs on enterprise assets, where appropriate and supported.

To maintain an audit trail of all URL requests made.

8.8

CIS_Controls_v8.1_8.8

CIS Controls v8.1 8.8

Audit Log Management

Collect command-line audit logs

Shared

Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell, BASH, and remote administrative terminals.

To ensure recording of the commands and arguments used by a process.

CMMC_L2_v1.9.0_AU.L2_3.3.2

8.9

CIS_Controls_v8.1_8.9

CIS Controls v8.1 8.9

Audit Log Management

Centralize audit logs

Shared

Centralize, to the extent possible, audit log collection and retention across enterprise assets.

To optimize and simply the process of audit log management.

CMMC_L2_v1.9.0

AU.L2_3.3.2

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.2

Audit and Accountability

User Accountability

Shared

Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.

To ensure that the actions of individual system users can be uniquely traced back to them.

CMMC_L2_v1.9.0

AU.L2_3.3.3

CMMC_L2_v1.9.0_AU.L2_3.3.3

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.3

Audit and Accountability

Event Review

Shared

Review and update logged events.

To enhance the effectiveness of security measures.

CMMC_L2_v1.9.0

AU.L2_3.3.7

CMMC_L2_v1.9.0_AU.L2_3.3.7

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.7

Audit and Accountability

Authoritative Time Source

Shared

Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.

To ensure accurate time stamping of audit records for reliable monitoring, analysis, and reporting of system activity.

AU.2.041

CMMC_L3_AU.2.041

CMMC L3 AU.2.041

Audit and Accountability

Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP).

AU.2.042

CMMC_L3_AU.2.042

CMMC L3 AU.2.042

Audit and Accountability

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making.

CM.2.065

CMMC_L3_CM.2.065

CMMC L3 CM.2.065

Configuration Management

Track, review, approve or disapprove, and log changes to organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled and unauthorized changes, and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes to systems. For new development systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards or Change Advisory Boards. Audit logs of changes include activities before and after changes are made to organizational systems and the activities required to implement such changes.

SI.2.216

CMMC_L3_SI.2.216

CMMC L3 SI.2.216

System and Information Integrity

Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.

SI.2.217

CMMC_L3_SI.2.217

CMMC L3 SI.2.217

System and Information Integrity

Identify unauthorized use of organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.

CSA_v4.0.12

LOG_05

CSA_v4.0.12_LOG_05

CSA Cloud Controls Matrix v4.0.12 LOG 05

Logging and Monitoring

Audit Logs Monitoring and Response

Shared

n/a

Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies.

CSA_v4.0.12

LOG_07

CSA_v4.0.12_LOG_07

CSA Cloud Controls Matrix v4.0.12 LOG 07

Logging and Monitoring

Logging Scope

Shared

n/a

Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

310

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

310

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5.4

404 not found

n/a

FFIEC_CAT_2017

2.2.1

FFIEC_CAT_2017_2.2.1

FFIEC CAT 2017 2.2.1

Threat Intelligence and Collaboration

Monitoring and Analyzing

Shared

n/a

- Audit log records and other security event logs are reviewed and retained in a secure manner. - Computer event logs are used for investigations once an event has occurred.

FFIEC_CAT_2017

3.2.2

FFIEC_CAT_2017_3.2.2

FFIEC CAT 2017 3.2.2

Cybersecurity Controls

Anomalous Activity Detection

Shared

n/a

- The institution is able to detect anomalous activities through monitoring across the environment. - Customer transactions generating anomalous activity alerts are monitored and reviewed. - Logs of physical and/or logical access are reviewed following events. - Access to critical systems by third parties is monitored for unauthorized or unusual activity. - Elevated privileges are monitored.

HITRUST_CSF_v11.3

09.aa

HITRUST_CSF_v11.3_09.aa

HITRUST CSF v11.3 09.aa

Monitoring

Ensure information security events are monitored and recorded to detect unauthorized information processing activities in compliance with all relevant legal requirements.

Shared

1. Retention policies for audit logs are to be specified and the audit logs are to be retained accordingly. 2. A secure audit record is to be created each time a user accesses, creates, updates, or deletes covered and/or confidential information via the system. 3. Audit logs are to be maintained for account management activities, security policy changes, configuration changes, modification to sensitive information, read access to sensitive information, and printing of sensitive information.

Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.

HITRUST_CSF_v11.3

09.ab

HITRUST_CSF_v11.3_09.ab

HITRUST CSF v11.3 09.ab

Monitoring

Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls.

Shared

1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with.

Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly.

113

HITRUST_CSF_v11.3

11.a

HITRUST_CSF_v11.3_11.a

HITRUST CSF v11.3 11.a

Reporting Information Security Incidents and Weaknesses

Ensure information security events and weaknesses associated with information systems are handled in a manner allowing timely corrective action to be taken.

Shared

A designated and widely known point of contact is to be established within the organization to promptly report information security events, ensuring availability and timely responses; additionally, a maintained list of third-party contacts, such as information security officers' email addresses, facilitates for the reporting of security incidents.

Information security events shall be reported through appropriate communications channels as quickly as possible. All employees, contractors and third-party users shall be made aware of their responsibility to report any information security events as quickly as possible.

ISO_IEC_27001_2022

9.1

ISO_IEC_27001_2022_9.1

ISO IEC 27001 2022 9.1

Performance Evaluation

Monitoring, measurement, analysis and evaluation

Shared

1. The organization shall determine: a. what needs to be monitored and measured, including information security processes and controls; b. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid; c. when the monitoring and measuring shall be performed; d. who shall monitor and measure; e. when the results from monitoring and measurement shall be analysed and evaluated; f. who shall analyse and evaluate these results. 2. Documented information shall be available as evidence of the results.

Specifies that the organisation must evaluate information security performance and the effectiveness of the information security management system.

ISO_IEC_27002_2022

8.15

ISO_IEC_27002_2022_8.15

ISO IEC 27002 2022 8.15

Detection Control

Logging

Shared

Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed.

To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations.

NIST_CSF_v2.0

DE.AE_03

NIST_CSF_v2.0_DE.AE_03

NIST CSF v2.0 DE.AE 03

DETECT-Adverse Event Analysis

Information is correlated from multiple sources.

Shared

n/a

To identify and analyze the cybersecurity attacks and compromises.

.3.1

NIST_SP_800-171_R3_3.3.1

404 not found

n/a

.3.2

NIST_SP_800-171_R3_3.3.2

404 not found

n/a

.3.5

NIST_SP_800-171_R3_3.3.5

404 not found

n/a

NIST_SP_800-53_R5.1.1_AU.12

.3.7

NIST_SP_800-171_R3_3.3.7

404 not found

n/a

NIST_SP_800-53_R5.1.1

AU.12

NIST SP 800-53 R5.1.1 AU.12

Audit and Accountability Control

Audit Record Generation

Shared

a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.

Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.

NIST_SP_800-53_R5.1.1

AU.3

NIST_SP_800-53_R5.1.1_AU.3

NIST SP 800-53 R5.1.1 AU.3

Audit and Accountability Control

Content of Audit Records

Shared

Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event.

Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage.

NIST_SP_800-53_R5.1.1

AU.6

NIST_SP_800-53_R5.1.1_AU.6

NIST SP 800-53 R5.1.1 AU.6

Audit and Accountability Control

Audit Record Review, Analysis, and Reporting

Shared

a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.

14.1.12.C.01.

NZISM_v3.7_14.1.12.C.01.

NZISM v3.7 14.1.12.C.01.

Standard Operating Environments

14.1.12.C.01. - reduce the risk of security incidents and safeguard sensitive information from unauthorized access or tampering

Shared

n/a

Agencies SHOULD: 1. characterise all servers whose functions are critical to the agency, and those identified as being at a high security risk of compromise; 2. store the characterisation information securely off the server in a manner that maintains integrity; 3. update the characterisation information after every legitimate change to a system as part of the change control process; 4. as part of the agency's ongoing audit schedule, compare the stored characterisation information against current characterisation information to determine whether a compromise, or a legitimate but incorrectly completed system modification, has occurred; 5. perform the characterisation from a trusted environment rather than the standard operating system wherever possible; and 6. resolve any detected changes in accordance with the agency's information security incident management procedures.

14.1.8.C.01.

NZISM_v3.7_14.1.8.C.01.

NZISM v3.7 14.1.8.C.01.

Standard Operating Environments

14.1.8.C.01. - minimise vulnerabilities and enhance system security

Shared

n/a

Agencies SHOULD develop a hardened SOE for workstations and servers, covering: 1. removal of unneeded software and operating system components; 2. removal or disabling of unneeded services, ports and BIOS settings; 3. disabling of unused or undesired functionality in software and operating systems; 4. implementation of access controls on relevant objects to limit system users and programs to the minimum access required; 5. installation of antivirus and anti-malware software; 6. installation of software-based firewalls limiting inbound and outbound network connections; 7. configuration of either remote logging or the transfer of local event logs to a central server; and 8. protection of audit and other logs through the use of a one way pipe to reduce likelihood of compromise key transaction records.

16.6.10.C.01.

NZISM_v3.7_16.6.10.C.01.

NZISM v3.7 16.6.10.C.01.

Event Logging and Auditing

16.6.10.C.01. - enhance system security and accountability.

Shared

n/a

Agencies SHOULD log the events listed in the table below for specific software components. 1. Database - a. System user access to the database. b. Attempted access that is denied c. Changes to system user roles or database rights. d. Addition of new system users, especially privileged users e. Modifications to the data. f. Modifications to the format or structure of the database 2. Network/operating system a. Successful and failed attempts to logon and logoff. b. Changes to system administrator and system user accounts. c. Failed attempts to access data and system resources. d. Attempts to use special privileges. e. Use of special privileges. f. System user or group management. g. Changes to the security policy. h. Service failures and restarts. i.System startup and shutdown. j. Changes to system configuration data. k. Access to sensitive data and processes. l. Data import/export operations. 3. Web application a. System user access to the Web application. b. Attempted access that is denied. c. System user access to the Web documents. d. Search engine queries initiated by system users.

16.6.10.C.02.

NZISM_v3.7_16.6.10.C.02.

NZISM v3.7 16.6.10.C.02.

Event Logging and Auditing

16.6.10.C.02. - enhance system security and accountability.

Shared

n/a

Agencies SHOULD log, at minimum, the following events for all software components: 1. user login; 2. all privileged operations; 3. failed attempts to elevate privileges; 4. security related system alerts and failures; 5. system user and group additions, deletions and modification to permissions; and 6. unauthorised or failed access attempts to systems and files identified as critical to the agency.

16.6.11.C.01.

NZISM_v3.7_16.6.11.C.01.

NZISM v3.7 16.6.11.C.01.

Event Logging and Auditing

16.6.11.C.01. - enhance system security and accountability.

Shared

n/a

For each event identified as needing to be logged, agencies MUST ensure that the log facility records at least the following details, where applicable: 1. date and time of the event; 2. relevant system user(s) or processes; 3. event description; 4. success or failure of the event; 5. event source (e.g. application name); and 6. IT equipment location/identification.

16.6.12.C.01.

NZISM_v3.7_16.6.12.C.01.

NZISM v3.7 16.6.12.C.01.

Event Logging and Auditing

16.6.12.C.01. - maintain integrity of the data.

Shared

n/a

Event logs MUST be protected from: 1. modification and unauthorised access; and 2. whole or partial loss within the defined retention period.

16.6.6.C.01.

NZISM_v3.7_16.6.6.C.01.

NZISM v3.7 16.6.6.C.01.

Event Logging and Auditing

16.6.6.C.01. - enhance security and reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies MUST maintain system management logs for the life of a system.

16.6.7.C.01.

NZISM_v3.7_16.6.7.C.01.

NZISM v3.7 16.6.7.C.01.

Event Logging and Auditing

16.6.7.C.01. - facilitate effective monitoring, troubleshooting, and auditability of system operations.

Shared

n/a

A system management log SHOULD record the following minimum information: 1. all system start-up and shutdown; 2. service, application, component or system failures; 3. maintenance activities; 4. backup and archival activities; 5. system recovery activities; and 6. special or out of hours activities.

16.6.9.C.01.

NZISM_v3.7_16.6.9.C.01.

NZISM v3.7 16.6.9.C.01.

Event Logging and Auditing

16.6.9.C.01. - enhance system security and accountability.

Shared

n/a

Agencies MUST log, at minimum, the following events for all software components: 1. logons; 2. failed logon attempts; 3. logoffs; 4 .date and time; 5. all privileged operations; 6. failed attempts to elevate privileges; 7. security related system alerts and failures; 8. system user and group additions, deletions and modification to permissions; and 9. unauthorised or failed access attempts to systems and files identified as critical to the agency.

10.2.1.2

PCI_DSS_v4.0.1_10.2.1.2

PCI DSS v4.0.1 10.2.1.2

Log and Monitor All Access to System Components and Cardholder Data

Administrative Actions Logging

Shared

n/a

Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.

10.2.2

PCI_DSS_v4.0.1_10.2.2

PCI DSS v4.0.1 10.2.2

Log and Monitor All Access to System Components and Cardholder Data

Details for Auditable Events

Shared

n/a

Audit logs record the following details for each auditable event: • User identification. • Type of event. • Date and time. • Success and failure indication. • Origination of event. • Identity or name of affected data, system component, resource, or service (for example, name and protocol).

10.4.1

PCI_DSS_v4.0.1_10.4.1

PCI DSS v4.0.1 10.4.1

Log and Monitor All Access to System Components and Cardholder Data

Daily Audit Log Review

Shared

n/a

The following audit logs are reviewed at least once daily: • All security events. • Logs of all system components that store, process, or transmit CHD and/or SAD. • Logs of all critical system components. • Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers).

10.4.1.1

PCI_DSS_v4.0.1_10.4.1.1

PCI DSS v4.0.1 10.4.1.1

Log and Monitor All Access to System Components and Cardholder Data

Automated Log Review Mechanisms

Shared

n/a

Automated mechanisms are used to perform audit log reviews.

10.4.2

PCI_DSS_v4.0.1_10.4.2

PCI DSS v4.0.1 10.4.2

Log and Monitor All Access to System Components and Cardholder Data

Periodic Review of Other Logs

Shared

n/a

Logs of all other system components (those not specified in Requirement 10.4.1) are reviewed periodically.

10.4.2.1

PCI_DSS_v4.0.1_10.4.2.1

PCI DSS v4.0.1 10.4.2.1

Log and Monitor All Access to System Components and Cardholder Data

Frequency of Log Reviews

Shared

n/a

The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1

10.4.3

PCI_DSS_v4.0.1_10.4.3

PCI DSS v4.0.1 10.4.3

Log and Monitor All Access to System Components and Cardholder Data

Addressing Log Anomalies

Shared

n/a

Exceptions and anomalies identified during the review process are addressed.

RBI_CSF_Banks_v2016

16.2

RBI_CSF_Banks_v2016_16.2

Maintenance, Monitoring, And Analysis Of Audit Logs

Maintenance, Monitoring, And Analysis Of Audit Logs-16.2

n/a

Manage and analyse audit logs in a systematic manner so as to detect, understand or recover from an attack.

RBI_ITF_NBFC_v2017

3.1.c

RBI_ITF_NBFC_v2017_3.1.c

RBI IT Framework 3.1.c

Information and Cyber Security

Role based Access Control-3.1

n/a

The IS Policy must provide for a IS framework with the following basic tenets: Role based Access Control ??? Access to information should be based on well-defined user roles (system administrator, user manager, application owner etc.), NBFCs shall avoid dependence on one or few persons for a particular job. There should be clear delegation of authority for right to upgrade/change user profiles and permissions and also key business parameters (eg. interest rates) which should be documented.

RBI_ITF_NBFC_v2017

3.1.g

RBI_ITF_NBFC_v2017_3.1.g

RBI IT Framework 3.1.g

Information and Cyber Security

Trails-3.1

n/a

The IS Policy must provide for a IS framework with the following basic tenets: Trails- NBFCs shall ensure that audit trails exist for IT assets satisfying its business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail.

RMiT_v1.0

10.66

RMiT_v1.0_10.66

RMiT 10.66

Security of Digital Services

Security of Digital Services - 10.66

Shared

n/a

A financial institution must implement robust technology security controls in providing digital services which assure the following: (a) confidentiality and integrity of customer and counterparty information and transactions; (b) reliability of services delivered via channels and devices with minimum disruption to services; (c) proper authentication of users or devices and authorisation of transactions; (d) sufficient audit trail and monitoring of anomalous transactions; (e) ability to identify and revert to the recovery point prior to incident or service disruption; and (f) strong physical control and logical control measures

A1.1

SOC_2023_A1.1

SOC 2023 A1.1

Additional Criteria for Availability

Effectively manage capacity demand and facilitate the implementation of additional capacity as needed.

Shared

n/a

The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

111

CC.5.3

SOC_2023_CC.5.3

404 not found

n/a

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

218

CC4.1

SOC_2023_CC4.1

SOC 2023 CC4.1

Monitoring Activities

Enhance the ability to manage risks and achieve objectives.

Shared

n/a

The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

CC4.2

SOC_2023_CC4.2

SOC 2023 CC4.2

Monitoring Activities

Facilitate timely corrective actions and strengthen the ability to maintain effective control over its operations and achieve its objectives.

Shared

n/a

The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors.

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

229

CC7.2

SOC_2023_CC7.2

SOC 2023 CC7.2

Systems Operations

Maintain robust security measures and ensure operational resilience.

Shared

n/a

The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events.

167

CC7.4

SOC_2023_CC7.4

SOC 2023 CC7.4

Systems Operations

Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation.

Shared

n/a

The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations.

213