Az Policy Advertizer

Azure_Security_Benchmark_v1.0

9.2

Azure_Security_Benchmark_v1.0_9.2

Azure Security Benchmark 9.2

Data Recovery

Perform complete system backups and backup any customer managed keys

Customer

Enable Azure Backup and target VM(s), as well as the desired frequency and retention periods. Backup customer managed keys within Azure Key Vault. How to enable Azure Backup: https://docs.microsoft.com/azure/backup/ How to backup key vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?view=azurermps-6.13.0

n/a

Azure_Security_Benchmark_v2.0

BR-1

Azure_Security_Benchmark_v2.0_BR-1

Azure Security Benchmark BR-1

Backup and Recovery

Ensure regular automated backups

Customer

Ensure you are backing up systems and data to maintain business continuity after an unexpected event. This should be defined by any objectives for Recovery Point Objective (RPO) and Recovery Time Objective (RTO). Enable Azure Backup and configure the backup source (e.g. Azure VMs, SQL Server, HANA databases, or File Shares), as well as the desired frequency and retention period. For a higher level of protection, you can enable geo-redundant storage option to replicate backup data to a secondary region and recover using cross region restore. Enterprise-scale business continuity and disaster recovery: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery How to enable Azure Backup: https://docs.microsoft.com/azure/backup/ How to enable cross region restore: https://docs.microsoft.com/azure/backup/backup-azure-arm-restore-vms#cross-region-restore

n/a

Azure_Security_Benchmark_v2.0

BR-2

Azure_Security_Benchmark_v2.0_BR-2

Azure Security Benchmark BR-2

Backup and Recovery

Encrypt backup data

Customer

Ensure your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality. For on-premises backups using Azure Backup, encryption-at-rest is provided using the passphrase you provide. For regular Azure service backups, backup data is automatically encrypted using Azure platform-managed keys. You can choose to encrypt the backups using customer managed key. In this case, ensure this customer-managed key in the key vault is also in the backup scope. Use role-based access control in Azure Backup, Azure Key Vault, or other resources to protect backups and customer managed keys. Additionally, you can enable advanced security features to require MFA before backups can be altered or deleted. Overview of security features in Azure Backup: https://docs.microsoft.com/azure/backup/security-overview Encryption of backup data using customer-managed keys: https://docs.microsoft.com/azure/backup/encryption-at-rest-with-cmk How to backup Key Vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?view=azurermps-6.13.0 Security features to help protect hybrid backups from attacks: https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks

n/a

Azure_Security_Benchmark_v3.0

BR-1

Azure_Security_Benchmark_v3.0_BR-1

Microsoft cloud security benchmark BR-1

Backup and Recovery

Ensure regular automated backups

Shared

**Security Principle:** Ensure backup of business-critical resources, either during resource creation or enforced through policy for existing resources. **Azure Guidance:** For Azure Backup supported resources, enable Azure Backup and configure the backup source (such as Azure VMs, SQL Server, HANA databases, or File Shares) on the desired frequency and retention period. For Azure VM, you can use Azure Policy to have backup automatically enabled using Azure Policy. For resources not supported by Azure Backup, enable the backup as part of its resource creation. Where applicable, use built-in policies (Azure Policy) to ensure that your Azure resources are configured for backup. **Implementation and additional context:** How to enable Azure Backup: https://docs.microsoft.com/azure/backup/ Auto-Enable Backup on VM Creation using Azure Policy: https://docs.microsoft.com/azure/backup/backup-azure-auto-enable-backup

n/a

Azure_Security_Benchmark_v3.0

BR-2

Azure_Security_Benchmark_v3.0_BR-2

Microsoft cloud security benchmark BR-2

Backup and Recovery

Protect backup and recovery data

Shared

**Security Principle:** Ensure backup data and operations are protected from data exfiltration, data compromise, ransomware/malware and malicious insiders. The security controls that should be applied include user and network access control, data encryption at-rest and in-transit. **Azure Guidance:** Use Azure RBAC and multi-factor-authentication to secure the critical Azure Backup operations (such as delete, change retention, updates to backup config). For Azure Backup supported resources, use Azure RBAC to segregate duties and enable fine grained access, and create private endpoints within your Azure Virtual Network to securely backup and restore data from your Recovery Services vaults. For Azure Backup supported resources, backup data is automatically encrypted using Azure platform-managed keys with 256-bit AES encryption. You can also choose to encrypt the backups using customer managed key. In this case, ensure this customer-managed key in the Azure Key Vault is also in the backup scope. If you use customer-managed key options, use soft delete and purge protection in Azure Key Vault to protect keys from accidental or malicious deletion. For on-premises backups using Azure Backup, encryption-at-rest is provided using the passphrase you provide. Safeguard backup data from accidental or malicious deletion (such as ransomware attacks/attempts to encrypt or tamper backup data. For Azure Backup supported resources, enable soft delete to ensure recovery of items with no data loss for up to 14 days after an unauthorized deletion, and enable multifactor authentication using a PIN generated in the Azure portal. Also enable cross-region restore to ensure backup data is restorable when there is a disaster in primary region. Note: If you use resource's native backup feature or backup services other than Azure Backup, refer to the Azure Security Benchmark (and service baselines) to implement the above controls. **Implementation and additional context:** Overview of security features in Azure Backup: https://docs.microsoft.com/azure/backup/security-overview Encryption of backup data using customer-managed keys: https://docs.microsoft.com/azure/backup/encryption-at-rest-with-cmk Security features to help protect hybrid backups from attacks: https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks Azure Backup - set cross region restore https://docs.microsoft.com/azure/backup/backup-create-rs-vault#set-cross-region-restore

n/a

Canada_Federal_PBMM_3-1-2020_AU_9(2)

AU_9(2)

Canada Federal PBMM 3-1-2020 AU 9(2)

Protection of Audit Information

Protection of Audit Information | Audit Backup on Separate Physical Systems / Components

Shared

The information system backs up audit records at least weekly onto a physically different system or system component than the system or component being audited.

To ensure redundancy and resilience of audit data against potential system failures or compromises.

Canada_Federal_PBMM_3-1-2020_CM_2(3)

CM_2(3)

Canada Federal PBMM 3-1-2020 CM 2(3)

Baseline Configuration

Baseline Configuration | Retention of Previous Configurations

Shared

The organization retains the two most recent precious versions of baseline configurations of the information system to support rollback.

To mitigate risks and minimize disruptions to system functionality and operational continuity.

Canada_Federal_PBMM_3-1-2020_CM_8

CM_8

Canada Federal PBMM 3-1-2020 CM 8

Information System Component Inventory

Shared

1. The organization develops and documents an inventory of information system components that accurately reflects the current information system. 2. The organization develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system. 3. The organization develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting. 4. The organization develops and documents an inventory of information system components that includes unique asset identifier, NetBIOS name, baseline configuration name, OS Name, OS Version, system owner information. 5. The organization reviews and updates the information system component inventory at least monthly.

To enable efficient decision-making and risk mitigation strategies.

Canada_Federal_PBMM_3-1-2020_CP_10

CP_10

Canada Federal PBMM 3-1-2020 CP 10

Information System Recovery and Reconstitution

Shared

The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

To ensure the restoration of normal operations following a disruption, compromise, or failure, maintaining continuity of essential missions and business functions.

Canada_Federal_PBMM_3-1-2020_CP_6

CP_6

Canada Federal PBMM 3-1-2020 CP 6

Alternate Storage Site

Shared

1. The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information. 2. The organization ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.

To ensure ensuring security measures match those of the primary site.

Canada_Federal_PBMM_3-1-2020_CP_6(1)

CP_6(1)

Canada Federal PBMM 3-1-2020 CP 6(1)

Alternate Storage Site

Alternate Storage Site | Separation from Primary Site

Shared

The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

To mitigate vulnerability to common threats.

Canada_Federal_PBMM_3-1-2020_CP_6(3)

CP_6(3)

Canada Federal PBMM 3-1-2020 CP 6(3)

Alternate Storage Site

Alternate Storage Site | Accessibility

Shared

The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

To mitigate vulnerability to common threats.

Canada_Federal_PBMM_3-1-2020_CP_7

CP_7

Canada Federal PBMM 3-1-2020 CP 7

Alternate Processing Site

Alternative Processing Site

Shared

1. The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions within organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable. 2. The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption. 3. The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.

To mitigate vulnerability to common threats.

Canada_Federal_PBMM_3-1-2020_CP_7(1)

CP_7(1)

Canada Federal PBMM 3-1-2020 CP 7(1)

Alternate Processing Site

Alternative Processing Site | Separation from Primary Site

Shared

The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.

To mitigate vulnerability to common threats.

Canada_Federal_PBMM_3-1-2020_CP_7(3)

CP_7(3)

Canada Federal PBMM 3-1-2020 CP 7(3)

Alternate Processing Site

Alternative Processing Site | Priority of Service

Shared

The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).

To minimize downtime and maintain operational continuity.

Canada_Federal_PBMM_3-1-2020_CP_9

CP_9

Canada Federal PBMM 3-1-2020 CP 9

Information System Backup

Shared

1. The organization conducts backups of user-level information contained in the information system daily incremental; weekly full. 2. The organization conducts backups of system-level information contained in the information system daily incremental; weekly full. 3. The organization conducts backups of information system documentation including security-related documentation daily incremental; weekly full. 4. The organization protects the confidentiality, integrity, and availability of backup information at storage locations. AA. The organization determines retention periods for essential business information and archived backups.

To ensure the confidentiality, integrity, and availability of backup data at storage locations.

Canada_Federal_PBMM_3-1-2020_CP_9(1)

CP_9(1)

Canada Federal PBMM 3-1-2020 CP 9(1)

Information System Backup

Information System Backup | Testing for Reliability / Integrity

Shared

The organization tests backup information at least annually to verify media reliability and information integrity.

To ensure the reliability of media and the integrity of information.

Canada_Federal_PBMM_3-1-2020_CP_9(2)

CP_9(2)

Canada Federal PBMM 3-1-2020 CP 9(2)

Information System Backup

Information System Backup | Test Restoration using Sampling

Shared

The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

To ensure the reliability and effectiveness of the backup process in real-world scenarios.

Canada_Federal_PBMM_3-1-2020_CP_9(3)

CP_9(3)

Canada Federal PBMM 3-1-2020 CP 9(3)

Information System Backup

Information System Backup | Separate Storage for Critical Information

Shared

The organization stores backup copies of all operating system and critical software code in a separate facility or in a fire-rated container that is not collocated with the operational system.

To ensure essential components remain protected from potential damage or loss in the event of a disaster affecting the operational system.

Canada_Federal_PBMM_3-1-2020_CP_9(5)

CP_9(5)

Canada Federal PBMM 3-1-2020 CP 9(5)

Information System Backup

Information System Backup | Transfer to Alternate Storage Site

Shared

The organization transfers information system backup information to the alternate storage site at organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives.

To facilitate timely restoration of critical systems and data in the event of a disruption.

Canada_Federal_PBMM_3-1-2020_SI_16

SI_16

404 not found

n/a

CMMC_2.0_L2

MP.L2-3.8.9

CMMC_2.0_L2_MP.L2-3.8.9

404 not found

n/a

CMMC_L2_v1.9.0

MP.L2_3.8.9

CMMC_L2_v1.9.0_MP.L2_3.8.9

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 MP.L2 3.8.9

Media Protection

Protect Backups

Shared

Protect the confidentiality of backup CUI at storage locations.

To safeguard backup data from unauthorized access or disclosure.

CMMC_L3

RE.2.137

CMMC_L3_RE.2.137

CMMC L3 RE.2.137

Recovery

Regularly perform and test data back-ups.

Customer

The customer is responsible for implementing this requirement.

Backups are used to recover data in the event of a hardware or software failure. Backups should be performed and tested regularly based on an organizational defined frequency.

CMMC_L3

RE.3.139

CMMC_L3_RE.3.139

CMMC L3 RE.3.139

Recovery

Regularly perform complete, comprehensive and resilient data backups as organizationally-defined.

Customer

The customer is responsible for implementing this requirement.

The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it. When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted data. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker’s presence on the machine. This practice is based on the following CIS controls: 10.1 Ensure that all system data is automatically backed up on a regular basis. 10.2 Ensure that all of the organization’s key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. 10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.

DORA_2022_2554

9.3b

DORA_2022_2554_9.3b

DORA 2022 2554 9.3b

Minimize Risks of Data Corruption and Loss in ICT Processes

Shared

n/a

Implement information and communication technology (ICT) processes that minimize the risk of data corruption or loss, unauthorized access, and technical flaws that may disrupt business activities.

DORA_2022_2554

9.3c

DORA_2022_2554_9.3c

DORA 2022 2554 9.3c

Prevent Data Availability and Integrity Issues in ICT Systems

Shared

n/a

Implement measures in information and communication technology (ICT) to prevent issues related to data availability, authenticity, integrity, confidentiality breaches, and data loss.

DORA_2022_2554

9.3d

DORA_2022_2554_9.3d

DORA 2022 2554 9.3d

Protect Data from Oversight Risks in ICT Operations

Shared

n/a

Confirm that data is protected from risks arising from oversight and management practices in information and communication technology (ICT) operations, including poor administration, processing-related risks, and human-error.

EU_2555_(NIS2)_2022

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

189

EU_2555_(NIS2)_2022

EU_2555_(NIS2)_2022_9

EU 2022/2555 (NIS2) 2022 9

National cyber crisis management frameworks

Shared

n/a

Requires Member States to establish frameworks for managing large-scale cybersecurity incidents and crises.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

306

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

306

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

306

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

306

FedRAMP_High_R4

CP-6

FedRAMP_High_R4_CP-6

FedRAMP High CP-6

Contingency Planning

Alternate Storage Site

Shared

n/a

The organization: a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site. Supplemental Guidance: Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4. References: NIST Special Publication 800-34.

FedRAMP_High_R4

CP-6(1)

FedRAMP_High_R4_CP-6(1)

FedRAMP High CP-6 (1)

Contingency Planning

Separation From Primary Site

Shared

n/a

The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats. Supplemental Guidance: Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3.

FedRAMP_High_R4

CP-9

FedRAMP_High_R4_CP-9

FedRAMP High CP-9

Contingency Planning

Information System Backup

Shared

n/a

The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations. Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. References: NIST Special Publication 800-34.

FedRAMP_Moderate_R4

CP-6

FedRAMP_Moderate_R4_CP-6

FedRAMP Moderate CP-6

Contingency Planning

Alternate Storage Site

Shared

n/a

FedRAMP_Moderate_R4_CP-6(1)

FedRAMP_Moderate_R4

CP-6(1)

FedRAMP Moderate CP-6 (1)

Contingency Planning

Separation From Primary Site

Shared

n/a

FedRAMP_Moderate_R4

CP-9

FedRAMP_Moderate_R4_CP-9

FedRAMP Moderate CP-9

Contingency Planning

Information System Backup

Shared

n/a

hipaa-1617.09l1Organizational.23-09.l

hipaa

1617.09l1Organizational.23-09.l

1617.09l1Organizational.23-09.l

16 Business Continuity & Disaster Recovery

1617.09l1Organizational.23-09.l 09.05 Information Back-Up

Shared

n/a

A formal definition of the level of backup required for each system is defined and documented including how each system will be restored, the scope of data to be imaged, frequency of imaging, and duration of retention based on relevant contractual, legal, regulatory and business requirements.

hipaa

1622.09l2Organizational.23-09.l

hipaa-1622.09l2Organizational.23-09.l

1622.09l2Organizational.23-09.l

16 Business Continuity & Disaster Recovery

1622.09l2Organizational.23-09.l 09.05 Information Back-Up

Shared

n/a

The integrity and security of the backup copies are maintained to ensure future availability, and any potential accessibility problems with the backup copies are identified and mitigated in the event of an area-wide disaster.

HITRUST_CSF_v11.3

09.l

HITRUST_CSF_v11.3_09.l

HITRUST CSF v11.3 09.l

Information Back-Up

Ensure the maintenance, integrity, and availability of organizational information.

Shared

1. Restoration procedures are to be tested regularly at appropriate intervals in accordance with an agreed-upon backup policy. 2. Inventory records for the backup copies are to be maintained, and is to include the content of the backup copies, and the current location of the backup copies. 3. Full backups are to be performed weekly to separate media and incremental. 4. Differential backups are to be performed daily to separate media.

Back-up copies of information and software shall be taken and tested regularly.

K_ISMS_P_2018

2.10.1

K_ISMS_P_2018_2.10.1

K ISMS P 2018 2.10.1

2.10

Establish Procedures for Managing the Security of System Operations

Shared

n/a

Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions.

408

K_ISMS_P_2018

2.10.2

K_ISMS_P_2018_2.10.2

K ISMS P 2018 2.10.2

2.10

Establish Protective Measures for Administrator Privileges and Security Configurations

Shared

n/a

Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations.

385

K_ISMS_P_2018

2.9.3

K_ISMS_P_2018_2.9.3

K ISMS P 2018 2.9.3

2.9

Establish Backup Recovery Procedures for Information Systems and Ensure Timely Recovery

Shared

n/a

Establish and implement backup recovery procedures for the information system such as backup targets, backup cycles, backup methods, storage places, storage periods, and vaulting. Ensure timely recovery of information systems following an incident.

NIS2

BR._Backup_and_Recovery_3

NIS2_BR._Backup_and_Recovery_3

BR. Backup and Recovery

Business continuity and crisis management

n/a

Directive (EU) 2016/1148 of the European Parliament and the Council (4) aimed to build cybersecurity capabilities across the Union, mitigate threats to network and information systems used to provide essential services in key sectors and ensure the continuity of such services when facing incidents, thus contributing to the Union’s security and to the effective functioning of its economy and society.

NIST_SP_800-171_R2_3

.8.9

NIST_SP_800-171_R2_3.8.9

NIST SP 800-171 R2 3.8.9

Media Protection

Protect the confidentiality of backup CUI at storage locations.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.

NIST_SP_800-53_R4

CP-6

NIST_SP_800-53_R4_CP-6

NIST SP 800-53 Rev. 4 CP-6

Contingency Planning

Alternate Storage Site

Shared

n/a

NIST_SP_800-53_R4_CP-6(1)

NIST_SP_800-53_R4

CP-6(1)

NIST SP 800-53 Rev. 4 CP-6 (1)

Contingency Planning

Separation From Primary Site

Shared

n/a

NIST_SP_800-53_R4

CP-9

NIST_SP_800-53_R4_CP-9

NIST SP 800-53 Rev. 4 CP-9

Contingency Planning

Information System Backup

Shared

n/a

NIST_SP_800-53_R5.1.1_CP.9.5

NIST_SP_800-53_R5.1.1

CP.9.5

NIST SP 800-53 R5.1.1 CP.9.5

Contingency Planning Control

System Backup | Transfer to Alternate Storage Site

Shared

Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].

System backup information can be transferred to alternate storage sites either electronically or by the physical shipment of storage media.

NIST_SP_800-53_R5.1.1

CP.9.6

NIST_SP_800-53_R5.1.1_CP.9.6

NIST SP 800-53 R5.1.1 CP.9.6

Contingency Planning Control

System Backup | Redundant Secondary System

Shared

Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.

The effect of system backup can be achieved by maintaining a redundant secondary system that mirrors the primary system, including the replication of information. If this type of redundancy is in place and there is sufficient geographic separation between the two systems, the secondary system can also serve as the alternate processing site.

NIST_SP_800-53_R5.1.1

SC.36.2

NIST_SP_800-53_R5.1.1_SC.36.2

NIST SP 800-53 R5.1.1 SC.36.2

System and Communications Protection

Distributed Processing and Storage | Synchronization

Shared

Synchronize the following duplicate systems or system components: [Assignment: organization-defined duplicate systems or system components].

SC-36 and CP-9(6) require the duplication of systems or system components in distributed locations. The synchronization of duplicated and redundant services and data helps to ensure that information contained in the distributed locations can be used in the mission or business functions of organizations, as needed.

NIST_SP_800-53_R5

CP-6

NIST_SP_800-53_R5_CP-6

NIST SP 800-53 Rev. 5 CP-6

Contingency Planning

Alternate Storage Site

Shared

n/a

a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site.

NIST_SP_800-53_R5_CP-6(1)

NIST_SP_800-53_R5

CP-6(1)

NIST SP 800-53 Rev. 5 CP-6 (1)

Contingency Planning

Separation from Primary Site

Shared

n/a

Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.

NIST_SP_800-53_R5

CP-9

NIST_SP_800-53_R5_CP-9

NIST SP 800-53 Rev. 5 CP-9

Contingency Planning

System Backup

Shared

n/a

a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protect the confidentiality, integrity, and availability of backup information.

NZISM_v3.7

19.1.20.C.01.

NZISM_v3.7_19.1.20.C.01.

NZISM v3.7 19.1.20.C.01.

Gateways

19.1.20.C.01. - reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies MUST authenticate system users to all classified networks accessed through gateways.

NZISM_v3.7

19.1.20.C.02.

NZISM_v3.7_19.1.20.C.02.

NZISM v3.7 19.1.20.C.02.

Gateways

19.1.20.C.02. - reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies MUST ensure that only authenticated and authorised system users can use the gateway.

NZISM_v3.7

19.1.20.C.03.

NZISM_v3.7_19.1.20.C.03.

NZISM v3.7 19.1.20.C.03.

Gateways

19.1.20.C.03. - reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies SHOULD use multi-factor authentication for access to networks and gateways.

op.cont.3 Periodic tests

404 not found

n/a

op.cont.4 Alternative means

404 not found

n/a

op.exp.3 Security configuration management

404 not found

n/a

123

RBI_CSF_Banks_v2016

13.3

RBI_CSF_Banks_v2016_13.3

Advanced Real-Timethreat Defenceand Management

Advanced Real-Timethreat Defenceand Management-13.3

n/a

Consider implementing whitelisting of internet websites/systems.

RBI_CSF_Banks_v2016

19.5

RBI_CSF_Banks_v2016_19.5

Incident Response & Management

Recovery From Cyber - Incidents-19.5

n/a

Banks shall ensure such capabilities in all interconnected systems and networks including those of vendors and partners and readiness demonstrated through collaborative & co-ordinated resilience testing that meet the bank???s recovery time objectives.

5.2

RBI_ITF_NBFC_v2017_5.2

RBI IT Framework 5.2

IS Audit

Coverage-5.2

n/a

IS Audit should cover effectiveness of policy and oversight of IT systems, evaluating adequacy of processes and internal controls, recommend corrective action to address deficiencies and follow-up. IS Audit should also evaluate the effectiveness of business continuity planning, disaster recovery set up and ensure that BCP is effectively implemented in the organization. During the process of IS Audit, due importance shall be given to compliance of all the applicable legal and statutory requirements.

RBI_ITF_NBFC_v2017_6

RBI IT Framework 6

Business Continuity Planning

Business Continuity Planning (BCP) and Disaster Recovery-6

n/a

BCP forms a significant part of an organisation's overall Business Continuity Management plan, which includes policies, standards and procedures to ensure continuity, resumption and recovery of critical business processes. BCP shall be designed to minimise the operational, financial, legal, reputational and other material consequences arising from a disaster. NBFC should adopt a Board approved BCP Policy. The functioning of BCP shall be monitored by the Board by way of periodic reports. The CIO shall be responsible for formulation, review and monitoring of BCP to ensure continued effectiveness. The BCP may have the following salient features

6.2

RBI_ITF_NBFC_v2017_6.2

RBI IT Framework 6.2

Business Continuity Planning

Recovery strategy / Contingency Plan-6.2

n/a

NBFCs shall try to fully understand the vulnerabilities associated with interrelationships between various systems, departments and business processes. The BCP should come up with the probabilities of various failure scenarios. Evaluation of various options should be done for recovery and the most cost-effective, practical strategy should be selected to minimize losses in case of a disaster.

6.3

RBI_ITF_NBFC_v2017_6.3

RBI IT Framework 6.3

Business Continuity Planning

Recovery strategy / Contingency Plan-6.3

n/a

NBFCs shall consider the need to put in place necessary backup sites for their critical business systems and Data centers.

RMiT_v1.0

10.19

RMiT_v1.0_10.19

RMiT 10.19

Cryptography

Cryptography - 10.19

Shared

n/a

A financial institution must ensure cryptographic controls are based on the effective implementation of suitable cryptographic protocols. The protocols shall include secret and public cryptographic key protocols, both of which shall reflect a high degree of protection to the applicable secret or private cryptographic keys. The selection of such protocols must be based on recognised international standards and tested accordingly. Commensurate with the level of risk, secret cryptographic key and private-cryptographic key storage and encryption/decryption computation must be undertaken in a protected environment, supported by a hardware security module (HSM) or trusted execution environment (TEE).

RMiT_v1.0

10.51

RMiT_v1.0_10.51

RMiT 10.51

Cloud Services

Cloud Services - 10.51

Shared

n/a

A financial institution is required to consult the Bank prior to the use of public cloud for critical systems. The financial institution is expected to demonstrate that specific risks associated with the use of cloud services for critical systems have been adequately considered and addressed. The risk assessment shall address the risks outlined in paragraph 10.49 as well as the following areas: (a) the adequacy of the overarching cloud adoption strategy of the financial institution including: (i) board oversight over cloud strategy and cloud operational management; (ii) senior management roles and responsibilities on cloud management; (iii) conduct of day-to-day operational management functions; (iv) management and oversight by the financial institution of cloud service providers; (v) quality of risk management and internal control functions; and (vi) strength of in-house competency and experience; (b) the availability of independent, internationally recognised certifications of the cloud service providers, at a minimum, in the following areas: (i) information security management framework, including cryptographic modules such as used for encryption and decryption of user data; and (ii) cloud-specific security controls for protection of customer and counterparty or proprietary information including payment transaction data in use, in storage and in transit; and (c) the degree to which the selected cloud configuration adequately addresses the following attributes: (i) geographical redundancy; (ii) high availability; (iii) scalability; (iv) portability; (v) interoperability; and (vi) strong recovery and resumption capability including appropriate alternate Internet path to protect against potential Internet faults.

RMiT_v1.0

10.53

RMiT_v1.0_10.53

RMiT 10.53

Cloud Services

Cloud Services - 10.53

Shared

n/a

A financial institution must implement appropriate safeguards on customer and counterparty information and proprietary data when using cloud services to protect against unauthorised disclosure and access. This shall include retaining ownership, control and management of all data pertaining to customer and counterparty information, proprietary data and services hosted on the cloud, including the relevant cryptographic keys management.

Sarbanes_Oxley_Act_(1)_2022_1

Sarbanes Oxley Act 2022 1

PUBLIC LAW

Sarbanes Oxley Act 2022 (SOX)

Shared

n/a

SOC_2

A1.2

SOC_2_A1.2

SOC 2 Type 2 A1.2

Additional Criteria For Availability

Environmental protections, software, data back-up processes, and recovery infrastructure

Shared

The customer is responsible for implementing this recommendation.

Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water. • Designs Detection Measures — Detection measures are implemented to identify anomalies that could result from environmental threat events. • Implements and Maintains Environmental Protection Mechanisms — Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events. • Implements Alerts to Analyze Anomalies — Management implements alerts that are communicated to personnel for analysis to identify environmental threat events. • Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator backup subsystem). • Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary. • Determines Data Requiring Backup — Data is evaluated to determine whether backup is required. • Performs Data Backup — Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur. • Addresses Offsite Storage — Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. • Implements Alternate Processing Infrastructure — Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable.

SOC_2

PI1.5

SOC_2_PI1.5

SOC 2 Type 2 PI1.5

Additional Criteria For Processing Integrity

Store inputs and outputs completely, accurately, and timely

Shared

The customer is responsible for implementing this recommendation.

• Protects Stored Items — Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications. • Archives and Protects System Records — System records are archived and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used. • Stores Data Completely and Accurately — Procedures are in place to provide for the complete, accurate, and timely storage of data. • Creates and Maintains Records of System Storage Activities — Records of system storage activities are created and maintained completely and accurately in a timely manner

SOC_2023

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

214

SOC_2023

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

225

SOC_2023

CC7.4

SOC_2023_CC7.4

SOC 2023 CC7.4

Systems Operations

Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation.

Shared

n/a

The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations.

209

SWIFT_CSCF_v2021

6.3

SWIFT_CSCF_v2021_6.3

SWIFT CSCF v2021 6.3

Detect Anomalous Activity to Systems or Transaction Records

Database Integrity

n/a

Ensure the integrity of the database records for the SWIFT messaging interface and act upon results