AzPolicyAdvertizer

last sync: 2024-Jul-26 18:17:39 UTC

Establish an information security program | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Establish an information security program
Id 84245967-7882-54f6-2d34-85059f725b47
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0263 - Establish an information security program
Additional metadata Name/Id: CMA_0263 / CMA_0263
Category: Operational
Title: Establish an information security program
Ownership: Customer
Description: Microsoft recommends that your organization establish an Information Security Management Program (ISMP) that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. It is recommended that the program identify the rationale for excluding information systems and assets and for accepting the risk of doing so. Microsoft recommends that your organization's ISMP include the following: - Overview of the program requirements and of the security program management control descriptions - Identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance - Appointment of a Chief Information Security Officer (CISO) or similar leader who will provide strategic-level guidance for the security program - Documentation of coordination among organizational entities responsible for information security - Identification of monitoring, maintenance, and improvement activities - Establishment of methods for communicating the current state of cyber security within the organizations - Development, maintenance and management of a security plan. It is recommended that the ISMP be approved by a senior official with responsibility and accountability for risks being incurred to organizational operations, organizational assets, individuals, other organizations, and the Nation. When feasible, we recommend updating the ISMP periodically and to reflect the changing regulatory landscape and according to relevant external benchmarking. Your organization may also consider conducting an independent review of the security plan prior to its implementation. Your organization may also consider implementing an information security management forum to ensure management support and provide guidance for initiatives involving information security. It is recommended to establish financial resources for implementing and managing the cyber security program. It is also recommended to determine the security classifications or classes for information systems that are consistent with the purposes of information security and with applicable regulations. These classifications can be used to determine the security measures needed to obtain expected information security levels. The UK Cyber Security for Defense Suppliers Standard requires organizations to maintain a Cyber Essentials Scheme Plus Certification to demonstrate commitment to cyber security. Revisions to the Principles for the Sound Management of Operational Risk requires organizations to develop an information and communication technology (ICT) framework. The ICT framework should be reviewed and tested on a regular basis for completeness against relevant industry standards and best practices as well as against evolving threats (i.e. Cyber). To ensure data and systems' confidentiality, integrity and availability, the Board of Directors and Senior Management should routinely evaluate the design, implementation, and effectiveness of the ICT framework.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 54 compliance controls are associated with this Policy definition 'Establish an information security program' (84245967-7882-54f6-2d34-85059f725b47)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 IR-3 FedRAMP_High_R4_IR-3 FedRAMP High IR-3 Incident Response Incident Response Testing Shared n/a The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results. Supplemental Guidance: Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8. References: NIST Special Publications 800-84, 800-115. link 3
FedRAMP_High_R4 IR-3(2) FedRAMP_High_R4_IR-3(2) FedRAMP High IR-3 (2) Incident Response Coordination With Related Plans Shared n/a The organization coordinates incident response testing with organizational elements responsible for related plans. Supplemental Guidance: Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans. link 3
FedRAMP_Moderate_R4 IR-3 FedRAMP_Moderate_R4_IR-3 FedRAMP Moderate IR-3 Incident Response Incident Response Testing Shared n/a The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results. Supplemental Guidance: Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8. References: NIST Special Publications 800-84, 800-115. link 3
FedRAMP_Moderate_R4 IR-3(2) FedRAMP_Moderate_R4_IR-3(2) FedRAMP Moderate IR-3 (2) Incident Response Coordination With Related Plans Shared n/a The organization coordinates incident response testing with organizational elements responsible for related plans. Supplemental Guidance: Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans. link 3
hipaa 0101.00a1Organizational.123-00.a hipaa-0101.00a1Organizational.123-00.a 0101.00a1Organizational.123-00.a 01 Information Protection Program 0101.00a1Organizational.123-00.a 0.01 Information Security Management Program Shared n/a The organization has a formal information protection program based on an accepted industry framework that is reviewed and updated as needed. 5
hipaa 0102.00a2Organizational.123-00.a hipaa-0102.00a2Organizational.123-00.a 0102.00a2Organizational.123-00.a 01 Information Protection Program 0102.00a2Organizational.123-00.a 0.01 Information Security Management Program Shared n/a The information protection program is formally documented and actively monitored, reviewed, and updated to ensure program objectives continue to be met. 3
hipaa 0113.04a1Organizational.123-04.a hipaa-0113.04a1Organizational.123-04.a 0113.04a1Organizational.123-04.a 01 Information Protection Program 0113.04a1Organizational.123-04.a 04.01 Information Security Policy Shared n/a Information security objectives, approach, scope, importance, goals, and principles for the organization’s security program are formally identified, communicated throughout the organization to users in a form that is relevant, accessible, and understandable to the intended reader; and supported by a controls framework that considers legislative, regulatory, contractual requirements, and other policy-related requirements. 3
hipaa 0114.04b1Organizational.1-04.b hipaa-0114.04b1Organizational.1-04.b 0114.04b1Organizational.1-04.b 01 Information Protection Program 0114.04b1Organizational.1-04.b 04.01 Information Security Policy Shared n/a The security policies are regularly reviewed and updated to ensure they reflect leading practices (e.g., for systems and services development and acquisition), and are communicated throughout the organization. 9
hipaa 0118.05a1Organizational.2-05.a hipaa-0118.05a1Organizational.2-05.a 0118.05a1Organizational.2-05.a 01 Information Protection Program 0118.05a1Organizational.2-05.a 05.01 Internal Organization Shared n/a Senior management assigns an individual or group to ensure the effectiveness of the information protection program through program oversight; establish and communicate the organization's priorities for organizational mission, objectives, and activities; review and update of the organization's security plan; ensure compliance with the security plan by the workforce; and evaluate and accept security risks on behalf of the organization. 8
hipaa 12102.09ab1Organizational.4-09.ab hipaa-12102.09ab1Organizational.4-09.ab 12102.09ab1Organizational.4-09.ab 12 Audit Logging & Monitoring 12102.09ab1Organizational.4-09.ab 09.10 Monitoring Shared n/a The organization periodically tests its monitoring and detection processes, remediates deficiencies, and improves its processes. 7
hipaa 1331.02e3Organizational.4-02.e hipaa-1331.02e3Organizational.4-02.e 1331.02e3Organizational.4-02.e 13 Education, Training and Awareness 1331.02e3Organizational.4-02.e 02.03 During Employment Shared n/a The organization trains workforce members on how to properly respond to perimeter security alarms. 6
hipaa 1453.05kCSPOrganizational.2-05.k hipaa-1453.05kCSPOrganizational.2-05.k 1453.05kCSPOrganizational.2-05.k 14 Third Party Assurance 1453.05kCSPOrganizational.2-05.k 05.02 External Parties Shared n/a Supply chain agreements (e.g., SLAs) between cloud service providers and customers (tenants) incorporate at least the following mutually-agreed upon provisions and/or terms: (i) scope of business relationship and services offered, data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations; (ii) information security requirements, points of contact, and references to detailed supporting and relevant business processes and technical measures implemented; (iii) notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts; (iv) timely notification of a security incident to all customers (tenants) and other business relationships impacted; (v) assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed; (vi) expiration of the business relationship and treatment of customer (tenant) data impacted; and, (vii) customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence. 10
hipaa 1505.11a1Organizational.13-11.a hipaa-1505.11a1Organizational.13-11.a 1505.11a1Organizational.13-11.a 15 Incident Management 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a A formal security incident response program has been established to respond, report (without fear of repercussion), escalate and treat breaches and reported security events or incidents. Organization-wide standards are specified for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting includes notifying internal and external stakeholders, the appropriate community Computer Emergency Response Team, and law enforcement agencies in accordance with all legal or regulatory requirements for involving such organizations in computer incidents. 19
hipaa 1509.11a2Organizational.236-11.a hipaa-1509.11a2Organizational.236-11.a 1509.11a2Organizational.236-11.a 15 Incident Management 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a The incident management program formally defines information security incidents and the phases of incident response; roles and responsibilities; incident handling, reporting and communication processes; third-party relationships and the handling of third-party breaches; and the supporting forensics program. The organization formally assigns job titles and duties for handling computer and network security incidents to specific individuals and identifies management personnel who will support the incident handling process by acting in key decision-making roles. 17
hipaa 1510.11a2Organizational.47-11.a hipaa-1510.11a2Organizational.47-11.a 1510.11a2Organizational.47-11.a 15 Incident Management 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a Reports and communications are made without unreasonable delay and no later than 60 days after the discovery of an incident, unless otherwise stated by law enforcement orally or in writing, and include the necessary elements. 11
hipaa 1516.11c1Organizational.12-11.c hipaa-1516.11c1Organizational.12-11.c 1516.11c1Organizational.12-11.c 15 Incident Management 1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a The security incident response program accounts for and prepares the organization for a variety of incidents. 10
hipaa 1520.11c2Organizational.4-11.c hipaa-1520.11c2Organizational.4-11.c 1520.11c2Organizational.4-11.c 15 Incident Management 1520.11c2Organizational.4-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a The incident response plan is communicated to the appropriate individuals throughout the organization. 8
hipaa 1521.11c2Organizational.56-11.c hipaa-1521.11c2Organizational.56-11.c 1521.11c2Organizational.56-11.c 15 Incident Management 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a Testing exercises are planned, coordinated, executed, and documented periodically, at least annually, using reviews, analyses, and simulations to determine incident response effectiveness. Testing includes personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team. 16
hipaa 1560.11d1Organizational.1-11.d hipaa-1560.11d1Organizational.1-11.d 1560.11d1Organizational.1-11.d 15 Incident Management 1560.11d1Organizational.1-11.d 11.02 Management of Information Security Incidents and Improvements Shared n/a The information gained from the evaluation of information security incidents is used to identify recurring or high-impact incidents, and update the incident response and recovery strategy. 8
hipaa 1562.11d2Organizational.2-11.d hipaa-1562.11d2Organizational.2-11.d 1562.11d2Organizational.2-11.d 15 Incident Management 1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements Shared n/a The organization coordinates incident handling activities with contingency planning activities. 12
ISO27001-2013 A.18.1.1 ISO27001-2013_A.18.1.1 ISO 27001:2013 A.18.1.1 Compliance Identification applicable legislation and contractual requirements Shared n/a All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. link 30
ISO27001-2013 A.18.1.4 ISO27001-2013_A.18.1.4 ISO 27001:2013 A.18.1.4 Compliance Privacy and protection of personally identifiable information Shared n/a Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. link 6
ISO27001-2013 A.18.2.2 ISO27001-2013_A.18.2.2 ISO 27001:2013 A.18.2.2 Compliance Compliance with security policies and standards Shared n/a Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. link 36
ISO27001-2013 A.5.1.1 ISO27001-2013_A.5.1.1 ISO 27001:2013 A.5.1.1 Information Security Policies Policies for information security Shared n/a A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. link 42
ISO27001-2013 A.5.1.2 ISO27001-2013_A.5.1.2 ISO 27001:2013 A.5.1.2 Information Security Policies Review of the policies for information security Shared n/a The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. link 29
ISO27001-2013 A.6.1.1 ISO27001-2013_A.6.1.1 ISO 27001:2013 A.6.1.1 Organization of Information Security Information security roles and responsibilities Shared n/a All information security responsibilities shall be clearly defined and allocated. link 73
ISO27001-2013 C.4.3.a ISO27001-2013_C.4.3.a ISO 27001:2013 C.4.3.a Context of the organization Determining the scope of the information security management system Shared n/a The organization shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organization shall consider: a) the external and internal issues referred to in 4.1; The scope shall be available as documented information. link 3
ISO27001-2013 C.4.3.b ISO27001-2013_C.4.3.b ISO 27001:2013 C.4.3.b Context of the organization Determining the scope of the information security management system Shared n/a The organization shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organization shall consider: b) the requirements referred to in 4.2. The scope shall be available as documented information. link 3
ISO27001-2013 C.5.1.b ISO27001-2013_C.5.1.b ISO 27001:2013 C.5.1.b Leadership Leadership and commitment Shared n/a Top management shall demonstrate leadership and commitment with respect to the information security management system by: b) ensuring the integration of the information security management system requirements into the organization’s processes. link 28
ISO27001-2013 C.5.1.e ISO27001-2013_C.5.1.e ISO 27001:2013 C.5.1.e Leadership Leadership and commitment Shared n/a Top management shall demonstrate leadership and commitment with respect to the information security management system by: e) ensuring that the information security management system achieves its intended outcome(s). link 3
ISO27001-2013 C.5.1.g ISO27001-2013_C.5.1.g ISO 27001:2013 C.5.1.g Leadership Leadership and commitment Shared n/a Top management shall demonstrate leadership and commitment with respect to the information security management system by: g) promoting continual improvement. link 3
ISO27001-2013 C.5.2.c ISO27001-2013_C.5.2.c ISO 27001:2013 C.5.2.c Leadership Policy Shared n/a Top management shall establish an information security policy that: c) includes a commitment to satisfy applicable requirements related to information security. link 23
ISO27001-2013 C.5.2.d ISO27001-2013_C.5.2.d ISO 27001:2013 C.5.2.d Leadership Policy Shared n/a Top management shall establish an information security policy that: d) includes a commitment to continual improvement of the information security management system. link 23
ISO27001-2013 C.5.3.b ISO27001-2013_C.5.3.b ISO 27001:2013 C.5.3.b Leadership Organizational roles, responsibilities and authorities Shared n/a Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. Top management shall assign the responsibility and authority for: b) reporting on the performance of the information security management system to top management. NOTE Top management may also assign responsibilities and authorities for reporting performance of the information security management system within the organization. link 2
ISO27001-2013 C.6.2.e ISO27001-2013_C.6.2.e ISO 27001:2013 C.6.2.e Planning Information security objectives and planning to achieve them Shared n/a The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall: e) be updated as appropriate. The organization shall retain documented information on the information security objectives. link 2
ISO27001-2013 C.9.3.c.1 ISO27001-2013_C.9.3.c.1 ISO 27001:2013 C.9.3.c.1 Performance Evaluation Management review Shared n/a Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: c) feedback on the information security performance, including trends in: - 1) nonconformities and corrective actions. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. link 6
mp.info.1 Personal data mp.info.1 Personal data 404 not found n/a n/a 33
mp.info.6 Backups mp.info.6 Backups 404 not found n/a n/a 65
mp.s.2 Protection of web services and applications mp.s.2 Protection of web services and applications 404 not found n/a n/a 102
NIST_SP_800-171_R2_3 .12.4 NIST_SP_800-171_R2_3.12.4 NIST SP 800-171 R2 3.12.4 Security Assessment Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [SP 800-18] provides guidance on developing security plans. [NIST CUI] provides supplemental material for Special Publication 800-171 including templates for system security plans. link 8
NIST_SP_800-171_R2_3 .6.3 NIST_SP_800-171_R2_3.6.3 NIST SP 800-171 R2 3.6.3 Incident response Test the organizational incident response capability. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, simulations (both parallel and full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. [SP 800-84] provides guidance on testing programs for information technology capabilities. link 3
NIST_SP_800-53_R4 IR-3 NIST_SP_800-53_R4_IR-3 NIST SP 800-53 Rev. 4 IR-3 Incident Response Incident Response Testing Shared n/a The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results. Supplemental Guidance: Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8. References: NIST Special Publications 800-84, 800-115. link 3
NIST_SP_800-53_R4 IR-3(2) NIST_SP_800-53_R4_IR-3(2) NIST SP 800-53 Rev. 4 IR-3 (2) Incident Response Coordination With Related Plans Shared n/a The organization coordinates incident response testing with organizational elements responsible for related plans. Supplemental Guidance: Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans. link 3
NIST_SP_800-53_R5 IR-3 NIST_SP_800-53_R5_IR-3 NIST SP 800-53 Rev. 5 IR-3 Incident Response Incident Response Testing Shared n/a Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests]. link 3
NIST_SP_800-53_R5 IR-3(2) NIST_SP_800-53_R5_IR-3(2) NIST SP 800-53 Rev. 5 IR-3 (2) Incident Response Coordination with Related Plans Shared n/a Coordinate incident response testing with organizational elements responsible for related plans. link 3
org.1 Security policy org.1 Security policy 404 not found n/a n/a 94
org.2 Security regulations org.2 Security regulations 404 not found n/a n/a 100
org.4 Authorization process org.4 Authorization process 404 not found n/a n/a 127
PCI_DSS_v4.0 12.1.2 PCI_DSS_v4.0_12.1.2 PCI DSS v4.0 12.1.2 Requirement 12: Support Information Security with Organizational Policies and Programs A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current Shared n/a The information security policy is: • Reviewed at least once every 12 months. • Updated as needed to reflect changes to business objectives or risks to the environment. link 2
PCI_DSS_v4.0 12.4.1 PCI_DSS_v4.0_12.4.1 PCI DSS v4.0 12.4.1 Requirement 12: Support Information Security with Organizational Policies and Programs PCI DSS compliance is managed Shared n/a Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program to include: • Overall accountability for maintaining PCI DSS compliance. • Defining a charter for a PCI DSS compliance program and communication to executive management. link 5
PCI_DSS_v4.0 12.5.3 PCI_DSS_v4.0_12.5.3 PCI DSS v4.0 12.5.3 Requirement 12: Support Information Security with Organizational Policies and Programs PCI DSS scope is documented and validated Shared n/a Significant changes to organizational structure result in a documented (internal) review of the impact to PCI DSS scope and applicability of controls, with results communicated to executive management. link 2
SOC_2 CC7.5 SOC_2_CC7.5 SOC 2 Type 2 CC7.5 System Operations Recovery from identified security incidents Shared The customer is responsible for implementing this recommendation. • Restores the Affected Environment — The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed. • Communicates Information About the Event — Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external). • Determines Root Cause of the Event — The root cause of the event is determined. • Implements Changes to Prevent and Detect Recurrences — Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis. • Improves Response and Recovery Procedures — Lessons learned are analyzed and the incident-response plan and recovery procedures are improved. • Implements Incident-Recovery Plan Testing — Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results 19
SWIFT_CSCF_v2022 11.2 SWIFT_CSCF_v2022_11.2 SWIFT CSCF v2022 11.2 11. Monitor in case of Major Disaster Ensure a consistent and effective approach for the management of incidents (Problem Management). Shared n/a Ensure a consistent and effective approach for the management of incidents (Problem Management). link 20
SWIFT_CSCF_v2022 9.1 SWIFT_CSCF_v2022_9.1 SWIFT CSCF v2022 9.1 9. Ensure Availability through Resilience Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. Shared n/a Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. link 8
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 84245967-7882-54f6-2d34-85059f725b47
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC