compliance controls are associated with this Policy definition 'Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet' (77e8b146-0078-4fb2-b002-e112381199f0)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Canada_Federal_PBMM_3-1-2020 |
AC_14 |
Canada_Federal_PBMM_3-1-2020_AC_14 |
Canada Federal PBMM 3-1-2020 AC 14 |
Permitted Actions Without Identification or Authentication |
Permitted Actions without Identification or Authentication |
Shared |
1. The organization identifies user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions.
2. The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication. |
To ensure transparency and accountability in the system's security measures. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
AC_2(4) |
Canada_Federal_PBMM_3-1-2020_AC_2(4) |
Canada Federal PBMM 3-1-2020 AC 2(4) |
Account Management |
Account Management | Automated Audit Actions |
Shared |
1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers.
2. Related controls: AU-2, AU-12. |
To ensure accountability and transparency within the information system. |
|
52 |
| Canada_Federal_PBMM_3-1-2020 |
AC_3 |
Canada_Federal_PBMM_3-1-2020_AC_3 |
Canada Federal PBMM 3-1-2020 AC 3 |
Access Enforcement |
Access Enforcement |
Shared |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
To mitigate the risk of unauthorized access. |
|
33 |
| Canada_Federal_PBMM_3-1-2020 |
CA_3 |
Canada_Federal_PBMM_3-1-2020_CA_3 |
Canada Federal PBMM 3-1-2020 CA 3 |
Information System Connections |
System Interconnections |
Shared |
1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements.
2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated.
3. The organization reviews and updates Interconnection Security Agreements annually. |
To establish and maintain secure connections between information systems. |
|
76 |
| Canada_Federal_PBMM_3-1-2020 |
CA_3(3) |
Canada_Federal_PBMM_3-1-2020_CA_3(3) |
Canada Federal PBMM 3-1-2020 CA 3(3) |
Information System Connections |
System Interconnections | Classified Non-National Security System Connections |
Shared |
The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner. |
To ensure the integrity and security of internal systems against external threats. |
|
76 |
| Canada_Federal_PBMM_3-1-2020 |
CA_3(5) |
Canada_Federal_PBMM_3-1-2020_CA_3(5) |
Canada Federal PBMM 3-1-2020 CA 3(5) |
Information System Connections |
System Interconnections | Restrictions on External Network Connections |
Shared |
The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems. |
To enhance security posture against unauthorized access. |
|
76 |
| Canada_Federal_PBMM_3-1-2020 |
IA_1 |
Canada_Federal_PBMM_3-1-2020_IA_1 |
Canada Federal PBMM 3-1-2020 IA 1 |
Identification and Authentication Policy and Procedures |
Identification and Authentication Policy and Procedures |
Shared |
1. The organization Develops, documents, and disseminates to all personnel:
a. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
2. The organization Reviews and updates the current:
a. Identification and authentication policy at least every 3 years; and
b. Identification and authentication procedures at least annually. |
To ensure secure access control and compliance with established standards. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
IA_2 |
Canada_Federal_PBMM_3-1-2020_IA_2 |
Canada Federal PBMM 3-1-2020 IA 2 |
Identification and Authentication (Organizational Users) |
Identification and Authentication (Organizational Users) |
Shared |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
To prevent unauthorized access and maintain system security. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
IA_4(2) |
Canada_Federal_PBMM_3-1-2020_IA_4(2) |
Canada Federal PBMM 3-1-2020 IA 4(2) |
Identifier Management |
Identifier Management | Supervisor Authorization |
Shared |
The organization requires that the registration process to receive an individual identifier includes supervisor authorization. |
To ensure accountability and authorization by requiring supervisor approval during the registration process for individual identifiers. |
|
18 |
| Canada_Federal_PBMM_3-1-2020 |
IA_4(3) |
Canada_Federal_PBMM_3-1-2020_IA_4(3) |
Canada Federal PBMM 3-1-2020 IA 4(3) |
Identifier Management |
Identifier Management | Multiple Forms of Certification |
Shared |
The organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority. |
To enhance the reliability and accuracy of individual identification. |
|
18 |
| Canada_Federal_PBMM_3-1-2020 |
IA_8 |
Canada_Federal_PBMM_3-1-2020_IA_8 |
Canada Federal PBMM 3-1-2020 IA 8 |
Identification and Authentication (Non-Organizational Users) |
Identification and Authentication (Non-Organizational Users) |
Shared |
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). |
To ensure secure access and accountability. |
|
16 |
| CIS_Controls_v8.1 |
10.7 |
CIS_Controls_v8.1_10.7 |
CIS Controls v8.1 10.7 |
Malware Defenses |
Use behaviour based anti-malware software |
Shared |
Use behaviour based anti-malware software |
To ensure that a generic anti-malware software is not used. |
|
99 |
| CIS_Controls_v8.1 |
12.2 |
CIS_Controls_v8.1_12.2 |
CIS Controls v8.1 12.2 |
Network Infrastructure Management |
Establish and maintain a secure network architecture |
Shared |
1. Establish and maintain a secure network architecture.
2. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. |
To ensure appropriate restrictions are placed on network architecture. |
|
16 |
| CIS_Controls_v8.1 |
12.3 |
CIS_Controls_v8.1_12.3 |
CIS Controls v8.1 12.3 |
Network Infrastructure Management |
Securely manage network infrastructure |
Shared |
1. Securely manage network infrastructure.
2. Example implementations include version-controlled-infrastructure-as�code, and the use of secure network protocols, such as SSH and HTTPS. |
To ensure proper management of network infrastructure. |
|
38 |
| CIS_Controls_v8.1 |
13.1 |
CIS_Controls_v8.1_13.1 |
CIS Controls v8.1 13.1 |
Network Monitoring and Defense |
Centralize security event alerting |
Shared |
1. Centralize security event alerting across enterprise assets for log correlation and analysis.
2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts.
3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard. |
To ensure that any security event is immediately alerted enterprise-wide. |
|
101 |
| CIS_Controls_v8.1 |
13.3 |
CIS_Controls_v8.1_13.3 |
CIS Controls v8.1 13.3 |
Network Monitoring and Defense |
Deploy a network intrusion detection solution |
Shared |
1. Deploy a network intrusion detection solution on enterprise assets, where appropriate.
2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. |
To enhance the organization's cybersecurity. |
|
99 |
| CIS_Controls_v8.1 |
13.4 |
CIS_Controls_v8.1_13.4 |
CIS Controls v8.1 13.4 |
Network Monitoring and Defense |
Perform traffic filtering between network segments |
Shared |
Perform traffic filtering between network segments, where appropriate.
|
To improve network security and reduce the risk of security breaches and unauthorized access. |
|
16 |
| CIS_Controls_v8.1 |
18.4 |
CIS_Controls_v8.1_18.4 |
CIS Controls v8.1 18.4 |
Penetration Testing |
Validate security measures |
Shared |
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. |
To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise. |
|
93 |
| CIS_Controls_v8.1 |
3.12 |
CIS_Controls_v8.1_3.12 |
CIS Controls v8.1 3.12 |
Data Protection |
Segment data processing and storage based on sensitivity |
Shared |
1. Segment data processing and storage based on the sensitivity of the data.
2. Do not process sensitive data on enterprise assets intended for lower sensitivity data.
|
To minimise the risk of unauthorized access or exposure to sensitive information and enhance data security measures. |
|
16 |
| CIS_Controls_v8.1 |
8.11 |
CIS_Controls_v8.1_8.11 |
CIS Controls v8.1 8.11 |
Audit Log Management |
Conduct audit log reviews |
Shared |
1. Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat.
2. Conduct reviews on a weekly, or more frequent, basis.
|
To ensure the integrity of the data in audit logs. |
|
62 |
| CMMC_L2_v1.9.0 |
AC.L2_3.1.3 |
CMMC_L2_v1.9.0_AC.L2_3.1.3 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.3 |
Access Control |
Control CUI Flow |
Shared |
Control the flow of CUI in accordance with approved authorizations. |
To regulate the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations |
|
46 |
| CMMC_L2_v1.9.0 |
SC.L2_3.13.6 |
CMMC_L2_v1.9.0_SC.L2_3.13.6 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.6 |
System and Communications Protection |
Network Communication by Exception |
Shared |
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). |
To minimise the attack surface and reduce the risk of unauthorized access or malicious activities on their networks. |
|
4 |
| CSA_v4.0.12 |
DCS_02 |
CSA_v4.0.12_DCS_02 |
CSA Cloud Controls Matrix v4.0.12 DCS 02 |
Datacenter Security |
Off-Site Transfer Authorization Policy and Procedures |
Shared |
n/a |
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the relocation or transfer of hardware, software,
or data/information to an offsite or alternate location. The relocation or transfer
request requires the written or cryptographically verifiable authorization.
Review and update the policies and procedures at least annually. |
|
45 |
| CSA_v4.0.12 |
DSP_05 |
CSA_v4.0.12_DSP_05 |
CSA Cloud Controls Matrix v4.0.12 DSP 05 |
Data Security and Privacy Lifecycle Management |
Data Flow Documentation |
Shared |
n/a |
Create data flow documentation to identify what data is processed,
stored or transmitted where. Review data flow documentation at defined intervals,
at least annually, and after any change. |
|
57 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
193 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
310 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.1 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 |
Policy and Implementation - Systems And Communications Protection |
Systems And Communications Protection |
Shared |
In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. |
Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. |
|
110 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.5 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 |
Policy and Implementation - Access Control |
Access Control |
Shared |
Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. |
Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. |
|
97 |
| HITRUST_CSF_v11.3 |
01.m |
HITRUST_CSF_v11.3_01.m |
HITRUST CSF v11.3 01.m |
Network Access Control |
Ensure segregation in networks. |
Shared |
Security gateways, internal network perimeters, wireless network segregation, firewalls, and logical network domains with controlled data flows to be implemented to enhance network security. |
Groups of information services, users, and information systems should be segregated on networks. |
|
48 |
| HITRUST_CSF_v11.3 |
01.n |
HITRUST_CSF_v11.3_01.n |
HITRUST CSF v11.3 01.n |
Network Access Control |
Prevent unauthorised access to shared networks. |
Shared |
Default deny policy at managed interfaces, restricted user connections through network gateways, comprehensive access controls, time-based restrictions, and encryption of sensitive information transmitted over public networks for is to be implemented for enhanced security. |
For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications. |
|
55 |
| HITRUST_CSF_v11.3 |
01.o |
HITRUST_CSF_v11.3_01.o |
HITRUST CSF v11.3 01.o |
Network Access Control |
Implement network routing controls to prevent breach of the access control policy of business applications. |
Shared |
Security gateways are to be leveraged, application-layer filtering proxy is to be employed, outbound traffic is to be directed through authenticated proxy servers, and internal directory services to fortify network access controls and protect against external threats are to be secured. |
Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications. |
|
33 |
| HITRUST_CSF_v11.3 |
09.ab |
HITRUST_CSF_v11.3_09.ab |
HITRUST CSF v11.3 09.ab |
Monitoring |
Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. |
Shared |
1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required.
2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with. |
Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. |
|
113 |
| HITRUST_CSF_v11.3 |
09.w |
HITRUST_CSF_v11.3_09.w |
HITRUST CSF v11.3 09.w |
Exchange of Information |
Develop and implement policies and procedures, to protect information associated with the interconnection of business information systems. |
Shared |
1. A security baseline is to be documented and implemented for interconnected systems.
2. Other requirements and controls linked to interconnected business systems are to include the separation of operational systems from interconnected system, retention and back-up of information held on the system, and fallback requirements and arrangements. |
Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems. |
|
45 |
| ISO_IEC_27002_2022 |
5.14 |
ISO_IEC_27002_2022_5.14 |
ISO IEC 27002 2022 5.14 |
Protection,
Preventive Control |
Information transfer |
Shared |
To maintain the security of information transferred within an organization and with any external interested party. |
Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. |
|
46 |
|
mp.com.1 Secure perimeter |
mp.com.1 Secure perimeter |
404 not found |
|
|
|
n/a |
n/a |
|
49 |
| NIST_SP_800-171_R3_3 |
.1.3 |
NIST_SP_800-171_R3_3.1.3 |
NIST 800-171 R3 3.1.3 |
Access Control |
Information Flow Enforcement |
Shared |
Information flow control regulates where CUI can transit within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include keeping CUI from being transmitted in the clear to the internet, blocking outside traffic that claims to be from within the organization, restricting requests to the internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content.
Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of CUI between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., encrypted tunnels, routers, gateways, and firewalls) that use rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also
consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and
software components) that are critical to information flow enforcement.
Transferring information between systems that represent different security domains with different security policies introduces the risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes prohibiting information transfers between interconnected systems (i.e., allowing information access only), employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. |
Enforce approved authorizations for controlling the flow of CUI within the system and between connected systems. |
|
46 |
| NIST_SP_800-171_R3_3 |
.13.6 |
NIST_SP_800-171_R3_3.13.6 |
NIST 800-171 R3 3.13.6 |
System and Communications Protection Control |
Network Communications – Deny by Default – Allow by Exception |
Shared |
This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, allow-by-exception network communications traffic policy ensures that only essential and approved connections are allowed. |
Deny network communications traffic by default and allow network communications traffic by exception. |
|
4 |
| NIST_SP_800-53_R5.1.1 |
AC.4 |
NIST_SP_800-53_R5.1.1_AC.4 |
NIST SP 800-53 R5.1.1 AC.4 |
Access Control |
Information Flow Enforcement |
Shared |
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. |
Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS). |
|
44 |
| NIST_SP_800-53_R5.1.1 |
AC.4.4 |
NIST_SP_800-53_R5.1.1_AC.4.4 |
NIST SP 800-53 R5.1.1 AC.4.4 |
Access Control |
Information Flow Enforcement | Flow Control of Encrypted Information |
Shared |
Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information;
[Assignment: organization-defined procedure or method]
]. |
Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms. |
|
16 |
| NIST_SP_800-53_R5.1.1 |
AC.4.6 |
NIST_SP_800-53_R5.1.1_AC.4.6 |
NIST SP 800-53 R5.1.1 AC.4.6 |
Access Control |
Information Flow Enforcement | Metadata |
Shared |
Enforce information flow control based on [Assignment: organization-defined metadata]. |
Metadata is information that describes the characteristics of data. Metadata can include structural metadata describing data structures or descriptive metadata describing data content. Enforcement of allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata regarding data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., employing sufficiently strong binding techniques with appropriate assurance). |
|
16 |
| NIST_SP_800-53_R5.1.1 |
SC.7.5 |
NIST_SP_800-53_R5.1.1_SC.7.5 |
NIST SP 800-53 R5.1.1 SC.7.5 |
System and Communications Protection |
Boundary Protection | Deny by Default — Allow by Exception |
Shared |
Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]
]. |
Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system. |
|
4 |
| NZISM_v3.7 |
14.3.12.C.01. |
NZISM_v3.7_14.3.12.C.01. |
NZISM v3.7 14.3.12.C.01. |
Web Applications |
14.3.12.C.01. - strengthening the overall security posture of the agency's network environment. |
Shared |
n/a |
Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations. |
|
81 |
| NZISM_v3.7 |
19.1.10.C.01. |
NZISM_v3.7_19.1.10.C.01. |
NZISM v3.7 19.1.10.C.01. |
Gateways |
19.1.10.C.01. - ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks. |
Shared |
n/a |
When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection. |
|
50 |
| NZISM_v3.7 |
19.1.11.C.01. |
NZISM_v3.7_19.1.11.C.01. |
NZISM v3.7 19.1.11.C.01. |
Gateways |
19.1.11.C.01. - ensure network protection through gateway mechanisms. |
Shared |
n/a |
Agencies MUST ensure that:
1. all agency networks are protected from networks in other security domains by one or more gateways;
2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and
3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room. |
|
49 |
| NZISM_v3.7 |
19.1.11.C.02. |
NZISM_v3.7_19.1.11.C.02. |
NZISM v3.7 19.1.11.C.02. |
Gateways |
19.1.11.C.02. - maintain security and integrity across domains. |
Shared |
n/a |
For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party. |
|
48 |
| NZISM_v3.7 |
19.1.12.C.01. |
NZISM_v3.7_19.1.12.C.01. |
NZISM v3.7 19.1.12.C.01. |
Gateways |
19.1.12.C.01. - minimize security risks and ensure effective control over network communications |
Shared |
n/a |
Agencies MUST ensure that gateways:
1. are the only communications paths into and out of internal networks;
2. by default, deny all connections into and out of the network;
3. allow only explicitly authorised connections;
4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network);
5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and
6. provide real-time alerts. |
|
47 |
| NZISM_v3.7 |
19.1.14.C.01. |
NZISM_v3.7_19.1.14.C.01. |
NZISM v3.7 19.1.14.C.01. |
Gateways |
19.1.14.C.01. - enhance security by segregating resources from the internal network. |
Shared |
n/a |
Agencies MUST use demilitarised zones to house systems and information directly accessed externally. |
|
40 |
| NZISM_v3.7 |
19.1.14.C.02. |
NZISM_v3.7_19.1.14.C.02. |
NZISM v3.7 19.1.14.C.02. |
Gateways |
19.1.14.C.02. - enhance security by segregating resources from the internal network. |
Shared |
n/a |
Agencies SHOULD use demilitarised zones to house systems and information directly accessed externally. |
|
39 |
| NZISM_v3.7 |
19.1.19.C.01. |
NZISM_v3.7_19.1.19.C.01. |
NZISM v3.7 19.1.19.C.01. |
Gateways |
19.1.19.C.01. - enhance security posture. |
Shared |
n/a |
Agencies MUST limit access to gateway administration functions. |
|
34 |
| NZISM_v3.7 |
19.2.16.C.02. |
NZISM_v3.7_19.2.16.C.02. |
NZISM v3.7 19.2.16.C.02. |
Cross Domain Solutions (CDS) |
19.2.16.C.02. - maintain security and prevent unauthorized access or disclosure of sensitive information.
|
Shared |
n/a |
Agencies MUST NOT implement a gateway permitting data to flow directly from:
1. a TOP SECRET network to any network below SECRET;
2. a SECRET network to an UNCLASSIFIED network; or
3. a CONFIDENTIAL network to an UNCLASSIFIED network. |
|
34 |
| NZISM_v3.7 |
19.2.18.C.01. |
NZISM_v3.7_19.2.18.C.01. |
NZISM v3.7 19.2.18.C.01. |
Cross Domain Solutions (CDS) |
19.2.18.C.01. - enhance data security and prevent unauthorized access or leakage between classified networks and less classified networks. |
Shared |
n/a |
Agencies MUST ensure that all bi-directional gateways between TOP SECRET and SECRET networks, SECRET and less classified networks, and CONFIDENTIAL and less classified networks, have separate upward and downward paths which use a diode and physically separate infrastructure for each path. |
|
34 |
| NZISM_v3.7 |
19.2.19.C.01. |
NZISM_v3.7_19.2.19.C.01. |
NZISM v3.7 19.2.19.C.01. |
Cross Domain Solutions (CDS) |
19.2.19.C.01. - ensure the integrity and reliability of information accessed or received.
|
Shared |
n/a |
Trusted sources MUST be:
1. a strictly limited list derived from business requirements and the result of a security risk assessment;
2. where necessary an appropriate security clearance is held; and
3. approved by the Accreditation Authority. |
|
34 |
| NZISM_v3.7 |
19.2.19.C.02. |
NZISM_v3.7_19.2.19.C.02. |
NZISM v3.7 19.2.19.C.02. |
Cross Domain Solutions (CDS) |
19.2.19.C.02. - reduce the risk of unauthorized data transfers and potential breaches. |
Shared |
n/a |
Trusted sources MUST authorise all data to be exported from a security domain. |
|
29 |
| NZISM_v3.7 |
19.3.8.C.01. |
NZISM_v3.7_19.3.8.C.01. |
NZISM v3.7 19.3.8.C.01. |
Firewalls |
19.3.8.C.01. - enhance network security. |
Shared |
n/a |
All gateways MUST contain a firewall in both physical and virtual environments. |
|
12 |
| NZISM_v3.7 |
19.3.8.C.03. |
NZISM_v3.7_19.3.8.C.03. |
NZISM v3.7 19.3.8.C.03. |
Firewalls |
19.3.8.C.03. - minimise the risk of unauthorized access or data leakage between networks |
Shared |
n/a |
Agencies MUST use devices as shown in the following table for their gateway when connecting two networks of different classifications or two networks of the same classification but of different security domains.
Your network: Restricted and below
Their network: Unclassified
You require: EAL4 firewall
They require: N/A
Your network: Restricted and below
Their network: Restricted
You require: EAL2 or PP firewall
They require:EAL2 or PP firewall
Your network: Restricted and below
Their network: Confidential
You require: EAL2 or PP firewall
They require:EAL4 firewall
Your network: Restricted and below
Their network: Secret
You require: EAL2 or PP firewall
They require:EAL4 firewall
Your network: Restricted and below
Their network: Top Secret
You require: EAL2 or PP firewall
They require: Consultation with GCSB
Your network: Confidential
Their network: Unclassified
You require: Consultation with GCSB
They require: N/A
Your network: Confidential
Their network: Restricted
You require: EAL4 firewall
They require: EAL2 or PP firewall
Your network: Confidential
Their network: Confidential
You require: EAL2 or PP firewal
They require: EAL2 or PP firewall
Your network: Confidential
Their network: Secret
You require: EAL2 or PP firewal
They require: EAL4 firewall
Your network: Confidential
Their network: Top Secret
You require: EAL2 or PP firewall
They require: Consultation with GCSB
Your network: Secret
Their network: Unclassified
You require: Consultation with GCSB
They require: N/A
Your network: Secret
Their network: Restricted
You require: EAL4 firewall
They require: EAL2 or PP firewall
Your network: Secret
Their network: Confidential
You require: EAL4 firewall
They require: EAL2 or PP firewall
Your network: Secret
Their network: Secret
You require: EAL2 or PP firewall
They require: EAL2 or PP firewall
Your network: Secret
Their network: Top Secret
You require: EAL2 or PP firewall
They require: EAL4 firewall
Your network: Top Secret
Their network: Unclassified
You require: Consultation with GCSB
They require: N/A
Your network: Top Secret
Their network: Restricted
You require: Consultation with GCSB
They require: EAL2 or PP firewall
Your network: Top Secret
Their network: Confidential
You require: Consultation with GCSB
They require: EAL2 or PP firewall
Your network: Top Secret
Their network: Secret
You require: EAL4 firewall
They require: EAL2 or PP firewall
Your network: Top Secret
Their network: Top Secret
You require: EAL4 firewall
They require: EAL4 firewall
|
|
19 |
| NZISM_v3.7 |
19.3.8.C.04. |
NZISM_v3.7_19.3.8.C.04. |
NZISM v3.7 19.3.8.C.04. |
Firewalls |
19.3.8.C.04. - minimise the risk of unauthorized access or data leakage between networks |
Shared |
n/a |
1. The requirement to implement a firewall as part of gateway architecture MUST be met separately and independently by both parties (gateways) in both physical and virtual environments.
2. Shared equipment DOES NOT satisfy the requirements of this control. |
|
15 |
| NZISM_v3.7 |
19.3.9.C.01. |
NZISM_v3.7_19.3.9.C.01. |
NZISM v3.7 19.3.9.C.01. |
Firewalls |
19.3.9.C.01. - minimise the risk of unauthorized access or data leakage between networks |
Shared |
n/a |
Agencies MUST use a firewall of at least an EAL4 assurance level between an NZEO network and a foreign network in addition to the minimum assurance levels for firewalls between networks of different classifications or security domains. |
|
15 |
| PCI_DSS_v4.0.1 |
1.3.1 |
PCI_DSS_v4.0.1_1.3.1 |
PCI DSS v4.0.1 1.3.1 |
Install and Maintain Network Security Controls |
Inbound traffic to the CDE is restricted to only traffic that is necessary and all other traffic is specifically denied |
Shared |
n/a |
Examine configuration standards for NSCs to verify that they define restricting inbound traffic to the CDE is in accordance with all elements specified in this requirement. Examine configurations of NSCs to verify that inbound traffic to the CDE is restricted in accordance with all elements specified in this requirement |
|
4 |
| PCI_DSS_v4.0.1 |
1.3.2 |
PCI_DSS_v4.0.1_1.3.2 |
PCI DSS v4.0.1 1.3.2 |
Install and Maintain Network Security Controls |
Outbound traffic from the CDE is restricted to only traffic that is necessary and all other traffic is specifically denied |
Shared |
n/a |
Examine configuration standards for NSCs to verify that they define restricting outbound traffic from the CDE in accordance with all elements specified in this requirement. Examine configurations of NSCs to verify that outbound traffic from the CDE is restricted in accordance with all elements specified in this requirement |
|
4 |
| PCI_DSS_v4.0.1 |
1.4.2 |
PCI_DSS_v4.0.1_1.4.2 |
PCI DSS v4.0.1 1.4.2 |
Install and Maintain Network Security Controls |
Inbound traffic from untrusted networks to trusted networks is restricted to communications with system components that are authorized to provide publicly accessible services, protocols, and ports, stateful responses to communications initiated by system components in a trusted network, and all other traffic is denied |
Shared |
n/a |
Examine vendor documentation and configurations of NSCs to verify that inbound traffic from untrusted networks to trusted networks is restricted in accordance with all elements specified in this requirement |
|
4 |
| RMiT_v1.0 |
Appendix_5.6 |
RMiT_v1.0_Appendix_5.6 |
RMiT Appendix 5.6 |
Control Measures on Cybersecurity |
Control Measures on Cybersecurity - Appendix 5.6 |
Customer |
n/a |
Ensure security controls for remote access to server include the following:
(a) restrict access to only hardened and locked down end-point devices;
(b) use secure tunnels such as TLS and VPN IPSec;
(c) deploy ‘gateway’ server with adequate perimeter defences and protection such as firewall, IPS and antivirus; and
(d) close relevant ports immediately upon expiry of remote access. |
link |
19 |
| SOC_2023 |
A1.1 |
SOC_2023_A1.1 |
SOC 2023 A1.1 |
Additional Criteria for Availability |
Effectively manage capacity demand and facilitate the implementation of additional capacity as needed. |
Shared |
n/a |
The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. |
|
111 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
218 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
229 |
| SOC_2023 |
CC6.1 |
SOC_2023_CC6.1 |
SOC 2023 CC6.1 |
Logical and Physical Access Controls |
Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. |
Shared |
n/a |
Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. |
|
128 |
| SOC_2023 |
CC7.2 |
SOC_2023_CC7.2 |
SOC 2023 CC7.2 |
Systems Operations |
Maintain robust security measures and ensure operational resilience. |
Shared |
n/a |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. |
|
167 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
213 |
| SOC_2023 |
CC8.1 |
SOC_2023_CC8.1 |
SOC 2023 CC8.1 |
Change Management |
Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. |
Shared |
n/a |
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. |
|
147 |
| SOC_2023 |
PI1.3 |
SOC_2023_PI1.3 |
SOC 2023 PI1.3 |
Additional Criteria for Processing Integrity (Over the provision of services or the production, manufacturing, or distribution of goods) |
Enhance efficiency, accuracy, and compliance with organizational standards and regulatory requirements with regards to system processing to result in products, services, and reporting to meet the entity’s objectives. |
Shared |
n/a |
The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives. |
|
50 |
| SWIFT_CSCF_2024 |
1.1 |
SWIFT_CSCF_2024_1.1 |
SWIFT Customer Security Controls Framework 2024 1.1 |
Physical and Environmental Security |
Swift Environment Protection |
Shared |
1. Segmentation between the user's Swift infrastructure and the larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve a compromise of the general enterprise IT environment.
2. Effective segmentation includes network-level separation, access restrictions, and connectivity restrictions. |
To ensure the protection of the user’s Swift infrastructure from potentially compromised elements of the general IT environment and external environment. |
|
69 |
| SWIFT_CSCF_2024 |
1.5 |
SWIFT_CSCF_2024_1.5 |
SWIFT Customer Security Controls Framework 2024 1.5 |
Physical and Environmental Security |
Customer Environment Protection |
Shared |
1. Segmentation between the customer’s connectivity infrastructure and its larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve compromise of the general enterprise IT environment.
2. Effective segmentation will include network-level separation, access restrictions, and connectivity restrictions. |
To ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. |
|
57 |
| SWIFT_CSCF_2024 |
9.1 |
SWIFT_CSCF_2024_9.1 |
404 not found |
|
|
|
n/a |
n/a |
|
57 |