compliance controls are associated with this Policy definition 'Keys using RSA cryptography should have a specified minimum key size' (82067dbb-e53b-4e06-b631-546d197452d9)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Canada_Federal_PBMM_3-1-2020 |
AC_14 |
Canada_Federal_PBMM_3-1-2020_AC_14 |
Canada Federal PBMM 3-1-2020 AC 14 |
Permitted Actions Without Identification or Authentication |
Permitted Actions without Identification or Authentication |
Shared |
1. The organization identifies user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions.
2. The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication. |
To ensure transparency and accountability in the system's security measures. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
AC_3 |
Canada_Federal_PBMM_3-1-2020_AC_3 |
Canada Federal PBMM 3-1-2020 AC 3 |
Access Enforcement |
Access Enforcement |
Shared |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
To mitigate the risk of unauthorized access. |
|
30 |
| Canada_Federal_PBMM_3-1-2020 |
IA_1 |
Canada_Federal_PBMM_3-1-2020_IA_1 |
Canada Federal PBMM 3-1-2020 IA 1 |
Identification and Authentication Policy and Procedures |
Identification and Authentication Policy and Procedures |
Shared |
1. The organization Develops, documents, and disseminates to all personnel:
a. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
2. The organization Reviews and updates the current:
a. Identification and authentication policy at least every 3 years; and
b. Identification and authentication procedures at least annually. |
To ensure secure access control and compliance with established standards. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
IA_2 |
Canada_Federal_PBMM_3-1-2020_IA_2 |
Canada Federal PBMM 3-1-2020 IA 2 |
Identification and Authentication (Organizational Users) |
Identification and Authentication (Organizational Users) |
Shared |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
To prevent unauthorized access and maintain system security. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
IA_4(2) |
Canada_Federal_PBMM_3-1-2020_IA_4(2) |
Canada Federal PBMM 3-1-2020 IA 4(2) |
Identifier Management |
Identifier Management | Supervisor Authorization |
Shared |
The organization requires that the registration process to receive an individual identifier includes supervisor authorization. |
To ensure accountability and authorization by requiring supervisor approval during the registration process for individual identifiers. |
|
18 |
| Canada_Federal_PBMM_3-1-2020 |
IA_4(3) |
Canada_Federal_PBMM_3-1-2020_IA_4(3) |
Canada Federal PBMM 3-1-2020 IA 4(3) |
Identifier Management |
Identifier Management | Multiple Forms of Certification |
Shared |
The organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority. |
To enhance the reliability and accuracy of individual identification. |
|
18 |
| Canada_Federal_PBMM_3-1-2020 |
IA_8 |
Canada_Federal_PBMM_3-1-2020_IA_8 |
Canada Federal PBMM 3-1-2020 IA 8 |
Identification and Authentication (Non-Organizational Users) |
Identification and Authentication (Non-Organizational Users) |
Shared |
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). |
To ensure secure access and accountability. |
|
16 |
| CMMC_2.0_L2 |
SC.L2-3.13.10 |
CMMC_2.0_L2_SC.L2-3.13.10 |
404 not found |
|
|
|
n/a |
n/a |
|
37 |
| CMMC_2.0_L2 |
SC.L2-3.13.11 |
CMMC_2.0_L2_SC.L2-3.13.11 |
404 not found |
|
|
|
n/a |
n/a |
|
4 |
| CMMC_L3 |
SC.3.177 |
CMMC_L3_SC.3.177 |
CMMC L3 SC.3.177 |
System and Communications Protection |
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPSvalidated cryptography and/or NSA-approved cryptography. |
link |
25 |
| CMMC_L3 |
SC.3.187 |
CMMC_L3_SC.3.187 |
CMMC L3 SC.3.187 |
System and Communications Protection |
Establish and manage cryptographic keys for cryptography employed in organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. |
link |
8 |
| CSA_v4.0.12 |
CEK_02 |
CSA_v4.0.12_CEK_02 |
CSA Cloud Controls Matrix v4.0.12 CEK 02 |
Cryptography, Encryption & Key Management |
CEK Roles and Responsibilities |
Shared |
n/a |
Define and implement cryptographic, encryption and key management
roles and responsibilities. |
|
25 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
189 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
306 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.6 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.6 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.6 |
Policy and Implementation - Identification And Authentication |
Identification And Authentication |
Shared |
Ensure and maintain the proper identification and authentications measures with appropriate security safeguards to avoid issues like identity theft. |
1. Identification is a unique, auditable representation of an identity within an information system usually in the form of a simple character string for each individual user, machine, software component, or any other entity.
2. Authentication refers to mechanisms or processes to verify the identity of a user, process, or device, as a prerequisite to allowing access to a system's resources. |
|
19 |
| K_ISMS_P_2018 |
2.10.1 |
K_ISMS_P_2018_2.10.1 |
K ISMS P 2018 2.10.1 |
2.10 |
Establish Procedures for Managing the Security of System Operations |
Shared |
n/a |
Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions. |
|
455 |
| K_ISMS_P_2018 |
2.10.2 |
K_ISMS_P_2018_2.10.2 |
K ISMS P 2018 2.10.2 |
2.10 |
Establish Protective Measures for Administrator Privileges and Security Configurations |
Shared |
n/a |
Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations. |
|
431 |
| K_ISMS_P_2018 |
2.7.2 |
K_ISMS_P_2018_2.7.2 |
K ISMS P 2018 2.7.2 |
2.7 |
Establish Encryption Key Management Procedures |
Shared |
n/a |
Establish and implement procedures for securely creating, using, storing, distributing, and destroying encryption keys. Additionally, establish and implement procedures for recovering encryption keys, if necessary. |
|
48 |
| New_Zealand_ISM |
17.2.19.C.01 |
New_Zealand_ISM_17.2.19.C.01 |
New_Zealand_ISM_17.2.19.C.01 |
17. Cryptography |
17.2.19.C.01 Using DH |
|
n/a |
Agencies using DH, for the approved use of agreeing on encryption session keys, MUST use a modulus of at least 3072 bits. |
|
1 |
| NIST_SP_800-53_R5.1.1 |
IA.7 |
NIST_SP_800-53_R5.1.1_IA.7 |
NIST SP 800-53 R5.1.1 IA.7 |
Identification and Authentication Control |
Cryptographic Module Authentication |
Shared |
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. |
Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. |
|
2 |
| NZISM_v3.7 |
17.1.51.C.01. |
NZISM_v3.7_17.1.51.C.01. |
NZISM v3.7 17.1.51.C.01. |
Cryptographic Fundamentals |
17.1.51.C.01. - enhace overall security posture. |
Shared |
n/a |
Agencies using cryptographic functionality within a product to protect the confidentiality, authentication, non-repudiation or integrity of information, MUST ensure that the product has completed a cryptographic evaluation recognised by the GCSB. |
|
20 |
| NZISM_v3.7 |
17.1.52.C.01. |
NZISM_v3.7_17.1.52.C.01. |
NZISM v3.7 17.1.52.C.01. |
Cryptographic Fundamentals |
17.1.52.C.01. - enhace overall security posture. |
Shared |
n/a |
Cryptographic products MUST provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure. |
|
20 |
| NZISM_v3.7 |
17.1.52.C.02. |
NZISM_v3.7_17.1.52.C.02. |
NZISM v3.7 17.1.52.C.02. |
Cryptographic Fundamentals |
17.1.52.C.02. - enhance data accessibility and integrity. |
Shared |
n/a |
Cryptographic products SHOULD provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure. |
|
20 |
| NZISM_v3.7 |
17.1.53.C.03. |
NZISM_v3.7_17.1.53.C.03. |
NZISM v3.7 17.1.53.C.03. |
Cryptographic Fundamentals |
17.1.53.C.03. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
If an agency wishes to use encryption to reduce the storage, handling or physical transfer requirements for IT equipment or media that contains classified information, they MUST use:
1. full disk encryption; or
2. partial disk encryption where the access control will allow writing ONLY to the encrypted partition holding the classified information. |
|
20 |
| NZISM_v3.7 |
17.1.53.C.04. |
NZISM_v3.7_17.1.53.C.04. |
NZISM v3.7 17.1.53.C.04. |
Cryptographic Fundamentals |
17.1.53.C.04. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
If an agency wishes to use encryption to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they SHOULD use:
1. full disk encryption; or
2. partial disk encryption where the access control will allow writing ONLY to the encrypted partition holding the classified information. |
|
20 |
| NZISM_v3.7 |
17.1.54.C.01. |
NZISM_v3.7_17.1.54.C.01. |
NZISM v3.7 17.1.54.C.01. |
Cryptographic Fundamentals |
17.1.54.C.01. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
Agencies MUST use an Approved Cryptographic Algorithm to protect NZEO information when at rest on a system. |
|
20 |
| NZISM_v3.7 |
17.1.55.C.01. |
NZISM_v3.7_17.1.55.C.01. |
NZISM v3.7 17.1.55.C.01. |
Cryptographic Fundamentals |
17.1.55.C.01. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
Agencies MUST use HACE if they wish to communicate or pass information over UNCLASSIFIED, insecure or unprotected networks. |
|
20 |
| NZISM_v3.7 |
17.1.55.C.02. |
NZISM_v3.7_17.1.55.C.02. |
NZISM v3.7 17.1.55.C.02. |
Cryptographic Fundamentals |
17.1.55.C.02. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
Information or systems classified RESTRICTED or SENSITIVE MUST be encrypted with an Approved Cryptographic Algorithm and Protocol if information is transmitted or systems are communicating over insecure or unprotected networks, such as the Internet, public networks or non-agency controlled networks. |
|
20 |
| NZISM_v3.7 |
17.1.55.C.03. |
NZISM_v3.7_17.1.55.C.03. |
NZISM v3.7 17.1.55.C.03. |
Cryptographic Fundamentals |
17.1.55.C.03. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
Agencies MUST encrypt aggregated agency data using an approved algorithm and protocol over insecure or unprotected networks such as the Internet, public infrastructure or non-agency controlled networks when the compromise of the aggregated data would present a significant impact to the agency. |
|
20 |
| NZISM_v3.7 |
17.1.55.C.04. |
NZISM_v3.7_17.1.55.C.04. |
NZISM v3.7 17.1.55.C.04. |
Cryptographic Fundamentals |
17.1.55.C.04. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. |
Shared |
n/a |
Agencies SHOULD encrypt agency data using an approved algorithm and protocol if they wish to communicate over insecure or unprotected networks such as the Internet, public networks or non-agency controlled networks. |
|
20 |
| NZISM_v3.7 |
17.1.56.C.02. |
NZISM_v3.7_17.1.56.C.02. |
NZISM v3.7 17.1.56.C.02. |
Cryptographic Fundamentals |
17.1.56.C.02. - ensure compliance with security protocols and best practices. |
Shared |
n/a |
Agencies MUST consult the GCSB for further advice on the powered off status and treatment of specific software, systems and IT equipment. |
|
20 |
| NZISM_v3.7 |
17.1.57.C.01. |
NZISM_v3.7_17.1.57.C.01. |
NZISM v3.7 17.1.57.C.01. |
Cryptographic Fundamentals |
17.1.57.C.01. - ensure compliance with security protocols and best practices. |
Shared |
n/a |
In addition to any encryption already in place for communication mediums, agencies MUST use an Approved Cryptographic Protocol and Algorithm to protect NZEO information when in transit. |
|
19 |
| NZISM_v3.7 |
17.1.58.C.01. |
NZISM_v3.7_17.1.58.C.01. |
NZISM v3.7 17.1.58.C.01. |
Cryptographic Fundamentals |
17.1.58.C.01. - ensure compliance with security protocols and best practices. |
Shared |
n/a |
Agencies SHOULD establish cryptoperiods for all keys and cryptographic implementations in their systems and operations. |
|
19 |
| NZISM_v3.7 |
17.1.58.C.02. |
NZISM_v3.7_17.1.58.C.02. |
NZISM v3.7 17.1.58.C.02. |
Cryptographic Fundamentals |
17.1.58.C.02. - enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies SHOULD use risk assessment techniques and guidance to establish cryptoperiods. |
|
23 |
| NZISM_v3.7 |
17.1.58.C.03. |
NZISM_v3.7_17.1.58.C.03. |
NZISM v3.7 17.1.58.C.03. |
Cryptographic Fundamentals |
17.1.58.C.03. - enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies using HACE MUST consult the GCSB for key management requirements. |
|
17 |
| NZISM_v3.7 |
17.10.12.C.01. |
NZISM_v3.7_17.10.12.C.01. |
NZISM v3.7 17.10.12.C.01. |
Hardware Security Modules |
17.10.12.C.01. - enhance the overall security posture of the systems and the sensitive information they protect. |
Shared |
n/a |
Agencies MUST consider the use of HSMs when undertaking a security risk assessment or designing network and security architectures. |
|
15 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
214 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
225 |
| SOC_2023 |
CC7.2 |
SOC_2023_CC7.2 |
SOC 2023 CC7.2 |
Systems Operations |
Maintain robust security measures and ensure operational resilience. |
Shared |
n/a |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. |
|
163 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
209 |