compliance controls are associated with this Policy definition 'Azure Cosmos DB accounts should have firewall rules' (862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v2.0 |
NS-1 |
Azure_Security_Benchmark_v2.0_NS-1 |
Azure Security Benchmark NS-1 |
Network Security |
Implement security for internal traffic |
Customer |
Ensure that all Azure virtual networks follow an enterprise segmentation principle that aligns to the business risks. Any system that could incur higher risk for the organization should be isolated within its own virtual network and sufficiently secured with either a network security group (NSG) and/or Azure Firewall.
Based on your applications and enterprise segmentation strategy, restrict or allow traffic between internal resources based on network security group rules. For specific well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach. This might not scale well if you have many applications and endpoints interacting with each other. You can also use Azure Firewall in circumstances where central management is required over a large number of enterprise segments or spokes (in a hub/spoke topology).
Use Azure Security Center Adaptive Network Hardening to recommend network security group configurations that limit ports and source IPs based with the reference to external network traffic rules.
Use Azure Sentinel to discover the use of legacy insecure protocols such as SSL/TLSv1, SMBv1, LM/NTLMv1, wDigest, Unsigned LDAP Binds, and weak ciphers in Kerberos.
How to create a network security group with security rules: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic
How to deploy and configure Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal
Adaptive Network Hardening in Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-adaptive-network-hardening
Azure Sentinel insecure protocols workbook:https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility#use-built-in-workbooks |
n/a |
link |
18 |
| Azure_Security_Benchmark_v2.0 |
NS-4 |
Azure_Security_Benchmark_v2.0_NS-4 |
Azure Security Benchmark NS-4 |
Network Security |
Protect applications and services from external network attacks |
Customer |
Protect Azure resources against attacks from external networks, including distributed denial of service (DDoS) Attacks, application specific attacks, and unsolicited and potentially malicious internet traffic. Azure includes native capabilities for this:
- Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations.
- Use Web Application Firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services, and APIs against application layer attacks.
- Protect your assets against DDoS attacks by enabling DDoS protection on your Azure virtual networks.
- Use Azure Security Center to detect misconfiguration risks related to the above.
Azure Firewall Documentation: https://docs.microsoft.com/azure/firewall/
How to deploy Azure WAF: https://docs.microsoft.com/azure/web-application-firewall/overview
Manage Azure DDoS Protection using the Azure portal: https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection |
n/a |
link |
14 |
| Azure_Security_Benchmark_v3.0 |
NS-2 |
Azure_Security_Benchmark_v3.0_NS-2 |
Microsoft cloud security benchmark NS-2 |
Network Security |
Secure cloud services with network controls |
Shared |
**Security Principle:**
Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public network when possible.
**Azure Guidance:**
Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources. You should also disable or restrict public network access to services where feasible.
For certain services, you also have the option to deploy VNet integration for the service where you can restrict the VNET to establish a private access point for the service.
**Implementation and additional context:**
Understand Azure Private Link:
https://docs.microsoft.com/azure/private-link/private-link-overview |
n/a |
link |
40 |
| Canada_Federal_PBMM_3-1-2020 |
AC_14 |
Canada_Federal_PBMM_3-1-2020_AC_14 |
Canada Federal PBMM 3-1-2020 AC 14 |
Permitted Actions Without Identification or Authentication |
Permitted Actions without Identification or Authentication |
Shared |
1. The organization identifies user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions.
2. The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication. |
To ensure transparency and accountability in the system's security measures. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
AC_3 |
Canada_Federal_PBMM_3-1-2020_AC_3 |
Canada Federal PBMM 3-1-2020 AC 3 |
Access Enforcement |
Access Enforcement |
Shared |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
To mitigate the risk of unauthorized access. |
|
30 |
| Canada_Federal_PBMM_3-1-2020 |
CA_3 |
Canada_Federal_PBMM_3-1-2020_CA_3 |
Canada Federal PBMM 3-1-2020 CA 3 |
Information System Connections |
System Interconnections |
Shared |
1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements.
2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated.
3. The organization reviews and updates Interconnection Security Agreements annually. |
To establish and maintain secure connections between information systems. |
|
76 |
| Canada_Federal_PBMM_3-1-2020 |
CA_3(3) |
Canada_Federal_PBMM_3-1-2020_CA_3(3) |
Canada Federal PBMM 3-1-2020 CA 3(3) |
Information System Connections |
System Interconnections | Classified Non-National Security System Connections |
Shared |
The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner. |
To ensure the integrity and security of internal systems against external threats. |
|
76 |
| Canada_Federal_PBMM_3-1-2020 |
CA_3(5) |
Canada_Federal_PBMM_3-1-2020_CA_3(5) |
Canada Federal PBMM 3-1-2020 CA 3(5) |
Information System Connections |
System Interconnections | Restrictions on External Network Connections |
Shared |
The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems. |
To enhance security posture against unauthorized access. |
|
76 |
| Canada_Federal_PBMM_3-1-2020 |
IA_1 |
Canada_Federal_PBMM_3-1-2020_IA_1 |
Canada Federal PBMM 3-1-2020 IA 1 |
Identification and Authentication Policy and Procedures |
Identification and Authentication Policy and Procedures |
Shared |
1. The organization Develops, documents, and disseminates to all personnel:
a. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
2. The organization Reviews and updates the current:
a. Identification and authentication policy at least every 3 years; and
b. Identification and authentication procedures at least annually. |
To ensure secure access control and compliance with established standards. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
IA_2 |
Canada_Federal_PBMM_3-1-2020_IA_2 |
Canada Federal PBMM 3-1-2020 IA 2 |
Identification and Authentication (Organizational Users) |
Identification and Authentication (Organizational Users) |
Shared |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
To prevent unauthorized access and maintain system security. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
IA_4(2) |
Canada_Federal_PBMM_3-1-2020_IA_4(2) |
Canada Federal PBMM 3-1-2020 IA 4(2) |
Identifier Management |
Identifier Management | Supervisor Authorization |
Shared |
The organization requires that the registration process to receive an individual identifier includes supervisor authorization. |
To ensure accountability and authorization by requiring supervisor approval during the registration process for individual identifiers. |
|
18 |
| Canada_Federal_PBMM_3-1-2020 |
IA_4(3) |
Canada_Federal_PBMM_3-1-2020_IA_4(3) |
Canada Federal PBMM 3-1-2020 IA 4(3) |
Identifier Management |
Identifier Management | Multiple Forms of Certification |
Shared |
The organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority. |
To enhance the reliability and accuracy of individual identification. |
|
18 |
| Canada_Federal_PBMM_3-1-2020 |
IA_8 |
Canada_Federal_PBMM_3-1-2020_IA_8 |
Canada Federal PBMM 3-1-2020 IA 8 |
Identification and Authentication (Non-Organizational Users) |
Identification and Authentication (Non-Organizational Users) |
Shared |
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). |
To ensure secure access and accountability. |
|
16 |
| CIS_Azure_2.0.0 |
4.5.1 |
CIS_Azure_2.0.0_4.5.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.5.1 |
4.5 |
Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks |
Shared |
Failure to whitelist the correct networks will result in a connection loss. |
Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.
Selecting certain networks for your Cosmos DB to communicate restricts the number of networks including the internet that can interact with what is stored within the database. |
link |
1 |
| CIS_Controls_v8.1 |
10.7 |
CIS_Controls_v8.1_10.7 |
CIS Controls v8.1 10.7 |
Malware Defenses |
Use behaviour based anti-malware software |
Shared |
Use behaviour based anti-malware software |
To ensure that a generic anti-malware software is not used. |
|
95 |
| CIS_Controls_v8.1 |
13.1 |
CIS_Controls_v8.1_13.1 |
CIS Controls v8.1 13.1 |
Network Monitoring and Defense |
Centralize security event alerting |
Shared |
1. Centralize security event alerting across enterprise assets for log correlation and analysis.
2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts.
3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard. |
To ensure that any security event is immediately alerted enterprise-wide. |
|
97 |
| CIS_Controls_v8.1 |
13.3 |
CIS_Controls_v8.1_13.3 |
CIS Controls v8.1 13.3 |
Network Monitoring and Defense |
Deploy a network intrusion detection solution |
Shared |
1. Deploy a network intrusion detection solution on enterprise assets, where appropriate.
2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. |
To enhance the organization's cybersecurity. |
|
95 |
| CIS_Controls_v8.1 |
18.4 |
CIS_Controls_v8.1_18.4 |
CIS Controls v8.1 18.4 |
Penetration Testing |
Validate security measures |
Shared |
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. |
To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise. |
|
89 |
| CIS_Controls_v8.1 |
8.11 |
CIS_Controls_v8.1_8.11 |
CIS Controls v8.1 8.11 |
Audit Log Management |
Conduct audit log reviews |
Shared |
1. Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat.
2. Conduct reviews on a weekly, or more frequent, basis.
|
To ensure the integrity of the data in audit logs. |
|
59 |
| CMMC_2.0_L2 |
AC.L2-3.1.3 |
CMMC_2.0_L2_AC.L2-3.1.3 |
404 not found |
|
|
|
n/a |
n/a |
|
52 |
| CMMC_2.0_L2 |
SC.L1-3.13.1 |
CMMC_2.0_L2_SC.L1-3.13.1 |
404 not found |
|
|
|
n/a |
n/a |
|
56 |
| CMMC_2.0_L2 |
SC.L1-3.13.5 |
CMMC_2.0_L2_SC.L1-3.13.5 |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
| CMMC_2.0_L2 |
SC.L2-3.13.2 |
CMMC_2.0_L2_SC.L2-3.13.2 |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
| CMMC_2.0_L2 |
SC.L2-3.13.6 |
CMMC_2.0_L2_SC.L2-3.13.6 |
404 not found |
|
|
|
n/a |
n/a |
|
26 |
| CMMC_L2_v1.9.0 |
AC.L2_3.1.3 |
CMMC_L2_v1.9.0_AC.L2_3.1.3 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.3 |
Access Control |
Control CUI Flow |
Shared |
Control the flow of CUI in accordance with approved authorizations. |
To regulate the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations |
|
46 |
| CMMC_L2_v1.9.0 |
SC.L2_3.13.6 |
CMMC_L2_v1.9.0_SC.L2_3.13.6 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.6 |
System and Communications Protection |
Network Communication by Exception |
Shared |
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). |
To minimise the attack surface and reduce the risk of unauthorized access or malicious activities on their networks. |
|
4 |
| CSA_v4.0.12 |
DCS_02 |
CSA_v4.0.12_DCS_02 |
CSA Cloud Controls Matrix v4.0.12 DCS 02 |
Datacenter Security |
Off-Site Transfer Authorization Policy and Procedures |
Shared |
n/a |
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the relocation or transfer of hardware, software,
or data/information to an offsite or alternate location. The relocation or transfer
request requires the written or cryptographically verifiable authorization.
Review and update the policies and procedures at least annually. |
|
45 |
| CSA_v4.0.12 |
DSP_05 |
CSA_v4.0.12_DSP_05 |
CSA Cloud Controls Matrix v4.0.12 DSP 05 |
Data Security and Privacy Lifecycle Management |
Data Flow Documentation |
Shared |
n/a |
Create data flow documentation to identify what data is processed,
stored or transmitted where. Review data flow documentation at defined intervals,
at least annually, and after any change. |
|
57 |
| DORA_2022_2554 |
9.3a |
DORA_2022_2554_9.3a |
DORA 2022 2554 9.3a |
9 |
Implement Secure Data Transfer Solutions for ICT Systems |
Shared |
n/a |
Leverage information and communication technology (ICT) solutions and processes that ensure the security of data transfer methods to protect against unauthorized access and data breaches. |
|
50 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
189 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
306 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.1 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 |
Policy and Implementation - Systems And Communications Protection |
Systems And Communications Protection |
Shared |
In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. |
Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. |
|
110 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.5 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 |
Policy and Implementation - Access Control |
Access Control |
Shared |
Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. |
Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. |
|
97 |
| FedRAMP_High_R4 |
AC-4 |
FedRAMP_High_R4_AC-4 |
FedRAMP High AC-4 |
Access Control |
Information Flow Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18.
References: None. |
link |
52 |
| FedRAMP_High_R4 |
SC-7 |
FedRAMP_High_R4_SC-7 |
FedRAMP High SC-7 |
System And Communications Protection |
Boundary Protection |
Shared |
n/a |
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13.
References: FIPS Publication 199; NIST Special Publications 800-41, 800-77. |
link |
52 |
| FedRAMP_High_R4 |
SC-7(3) |
FedRAMP_High_R4_SC-7(3) |
FedRAMP High SC-7 (3) |
System And Communications Protection |
Access Points |
Shared |
n/a |
The organization limits the number of external network connections to the information system.
Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections. |
link |
51 |
| FedRAMP_Moderate_R4 |
AC-4 |
FedRAMP_Moderate_R4_AC-4 |
FedRAMP Moderate AC-4 |
Access Control |
Information Flow Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18.
References: None. |
link |
52 |
| FedRAMP_Moderate_R4 |
SC-7 |
FedRAMP_Moderate_R4_SC-7 |
FedRAMP Moderate SC-7 |
System And Communications Protection |
Boundary Protection |
Shared |
n/a |
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13.
References: FIPS Publication 199; NIST Special Publications 800-41, 800-77. |
link |
52 |
| FedRAMP_Moderate_R4 |
SC-7(3) |
FedRAMP_Moderate_R4_SC-7(3) |
FedRAMP Moderate SC-7 (3) |
System And Communications Protection |
Access Points |
Shared |
n/a |
The organization limits the number of external network connections to the information system.
Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections. |
link |
51 |
| HITRUST_CSF_v11.3 |
01.n |
HITRUST_CSF_v11.3_01.n |
HITRUST CSF v11.3 01.n |
Network Access Control |
Prevent unauthorised access to shared networks. |
Shared |
Default deny policy at managed interfaces, restricted user connections through network gateways, comprehensive access controls, time-based restrictions, and encryption of sensitive information transmitted over public networks for is to be implemented for enhanced security. |
For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications. |
|
55 |
| HITRUST_CSF_v11.3 |
09.ab |
HITRUST_CSF_v11.3_09.ab |
HITRUST CSF v11.3 09.ab |
Monitoring |
Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. |
Shared |
1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required.
2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with. |
Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. |
|
109 |
| HITRUST_CSF_v11.3 |
09.w |
HITRUST_CSF_v11.3_09.w |
HITRUST CSF v11.3 09.w |
Exchange of Information |
Develop and implement policies and procedures, to protect information associated with the interconnection of business information systems. |
Shared |
1. A security baseline is to be documented and implemented for interconnected systems.
2. Other requirements and controls linked to interconnected business systems are to include the separation of operational systems from interconnected system, retention and back-up of information held on the system, and fallback requirements and arrangements. |
Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems. |
|
45 |
| ISO_IEC_27002_2022 |
5.14 |
ISO_IEC_27002_2022_5.14 |
ISO IEC 27002 2022 5.14 |
Protection,
Preventive Control |
Information transfer |
Shared |
To maintain the security of information transferred within an organization and with any external interested party. |
Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. |
|
46 |
|
mp.com.1 Secure perimeter |
mp.com.1 Secure perimeter |
404 not found |
|
|
|
n/a |
n/a |
|
49 |
| New_Zealand_ISM |
18.1.13.C.02 |
New_Zealand_ISM_18.1.13.C.02 |
New_Zealand_ISM_18.1.13.C.02 |
18. Network security |
18.1.13.C.02 Limiting network access |
|
n/a |
Agencies SHOULD implement network access controls on all networks. |
|
19 |
| NIST_SP_800-171_R2_3 |
.1.3 |
NIST_SP_800-171_R2_3.1.3 |
NIST SP 800-171 R2 3.1.3 |
Access Control |
Control the flow of CUI in accordance with approved authorizations. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. |
link |
56 |
| NIST_SP_800-171_R2_3 |
.13.1 |
NIST_SP_800-171_R2_3.13.1 |
NIST SP 800-171 R2 3.13.1 |
System and Communications Protection |
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies.
[28] There is no prescribed format or specified level of detail for system security plans. However, organizations ensure that the required information in 3.12.4 is conveyed in those plans. |
link |
51 |
| NIST_SP_800-171_R2_3 |
.13.2 |
NIST_SP_800-171_R2_3.13.2 |
NIST SP 800-171 R2 3.13.2 |
System and Communications Protection |
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions. [SP 800-160-1] provides guidance on systems security engineering. |
link |
51 |
| NIST_SP_800-171_R2_3 |
.13.5 |
NIST_SP_800-171_R2_3.13.5 |
NIST SP 800-171 R2 3.13.5 |
System and Communications Protection |
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies |
link |
51 |
| NIST_SP_800-171_R2_3 |
.13.6 |
NIST_SP_800-171_R2_3.13.6 |
NIST SP 800-171 R2 3.13.6 |
System and Communications Protection |
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. |
link |
22 |
| NIST_SP_800-171_R3_3 |
.1.3 |
NIST_SP_800-171_R3_3.1.3 |
NIST 800-171 R3 3.1.3 |
Access Control |
Information Flow Enforcement |
Shared |
Information flow control regulates where CUI can transit within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include keeping CUI from being transmitted in the clear to the internet, blocking outside traffic that claims to be from within the organization, restricting requests to the internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content.
Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of CUI between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., encrypted tunnels, routers, gateways, and firewalls) that use rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also
consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and
software components) that are critical to information flow enforcement.
Transferring information between systems that represent different security domains with different security policies introduces the risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes prohibiting information transfers between interconnected systems (i.e., allowing information access only), employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. |
Enforce approved authorizations for controlling the flow of CUI within the system and between connected systems. |
|
46 |
| NIST_SP_800-171_R3_3 |
.13.6 |
NIST_SP_800-171_R3_3.13.6 |
NIST 800-171 R3 3.13.6 |
System and Communications Protection Control |
Network Communications – Deny by Default – Allow by Exception |
Shared |
This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, allow-by-exception network communications traffic policy ensures that only essential and approved connections are allowed. |
Deny network communications traffic by default and allow network communications traffic by exception. |
|
4 |
| NIST_SP_800-53_R4 |
AC-4 |
NIST_SP_800-53_R4_AC-4 |
NIST SP 800-53 Rev. 4 AC-4 |
Access Control |
Information Flow Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18.
References: None. |
link |
52 |
| NIST_SP_800-53_R4 |
SC-7 |
NIST_SP_800-53_R4_SC-7 |
NIST SP 800-53 Rev. 4 SC-7 |
System And Communications Protection |
Boundary Protection |
Shared |
n/a |
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13.
References: FIPS Publication 199; NIST Special Publications 800-41, 800-77. |
link |
52 |
| NIST_SP_800-53_R4 |
SC-7(3) |
NIST_SP_800-53_R4_SC-7(3) |
NIST SP 800-53 Rev. 4 SC-7 (3) |
System And Communications Protection |
Access Points |
Shared |
n/a |
The organization limits the number of external network connections to the information system.
Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections. |
link |
51 |
| NIST_SP_800-53_R5.1.1 |
AC.4 |
NIST_SP_800-53_R5.1.1_AC.4 |
NIST SP 800-53 R5.1.1 AC.4 |
Access Control |
Information Flow Enforcement |
Shared |
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. |
Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS). |
|
44 |
| NIST_SP_800-53_R5.1.1 |
SC.7.5 |
NIST_SP_800-53_R5.1.1_SC.7.5 |
NIST SP 800-53 R5.1.1 SC.7.5 |
System and Communications Protection |
Boundary Protection | Deny by Default — Allow by Exception |
Shared |
Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]
]. |
Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system. |
|
4 |
| NIST_SP_800-53_R5 |
AC-4 |
NIST_SP_800-53_R5_AC-4 |
NIST SP 800-53 Rev. 5 AC-4 |
Access Control |
Information Flow Enforcement |
Shared |
n/a |
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. |
link |
52 |
| NIST_SP_800-53_R5 |
SC-7 |
NIST_SP_800-53_R5_SC-7 |
NIST SP 800-53 Rev. 5 SC-7 |
System and Communications Protection |
Boundary Protection |
Shared |
n/a |
a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
b. Implement subnetworks for publicly accessible system components that are [Selection: physically;logically] separated from internal organizational networks; and
c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. |
link |
52 |
| NIST_SP_800-53_R5 |
SC-7(3) |
NIST_SP_800-53_R5_SC-7(3) |
NIST SP 800-53 Rev. 5 SC-7 (3) |
System and Communications Protection |
Access Points |
Shared |
n/a |
Limit the number of external network connections to the system. |
link |
51 |
| NZ_ISM_v3.5 |
GS-3 |
NZ_ISM_v3.5_GS-3 |
NZISM Security Benchmark GS-3 |
Gateway security |
19.1.12 Configuration of Gateways |
Customer |
n/a |
Gateways are essential in controlling the flow of information between security domains. Any failure, particularly at the higher classifications, may have serious consequences. Hence mechanisms for alerting personnel to situations that may give rise to information security incidents are especially important for gateways. |
link |
6 |
| NZISM_Security_Benchmark_v1.1 |
GS-3 |
NZISM_Security_Benchmark_v1.1_GS-3 |
NZISM Security Benchmark GS-3 |
Gateway security |
19.1.12 Configuration of Gateways |
Customer |
Agencies MUST ensure that gateways:
are the only communications paths into and out of internal networks;
by default, deny all connections into and out of the network;
allow only explicitly authorised connections;
are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network);
provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and
provide real-time alerts. |
Gateways are essential in controlling the flow of information between security domains. Any failure, particularly at the higher classifications, may have serious consequences. Hence mechanisms for alerting personnel to situations that may give rise to information security incidents are especially important for gateways. |
link |
6 |
| NZISM_v3.7 |
14.3.12.C.01. |
NZISM_v3.7_14.3.12.C.01. |
NZISM v3.7 14.3.12.C.01. |
Web Applications |
14.3.12.C.01. - strengthening the overall security posture of the agency's network environment. |
Shared |
n/a |
Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations. |
|
77 |
| NZISM_v3.7 |
19.1.10.C.01. |
NZISM_v3.7_19.1.10.C.01. |
NZISM v3.7 19.1.10.C.01. |
Gateways |
19.1.10.C.01. - ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks. |
Shared |
n/a |
When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection. |
|
46 |
| NZISM_v3.7 |
19.1.11.C.01. |
NZISM_v3.7_19.1.11.C.01. |
NZISM v3.7 19.1.11.C.01. |
Gateways |
19.1.11.C.01. - ensure network protection through gateway mechanisms. |
Shared |
n/a |
Agencies MUST ensure that:
1. all agency networks are protected from networks in other security domains by one or more gateways;
2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and
3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room. |
|
45 |
| NZISM_v3.7 |
19.1.11.C.02. |
NZISM_v3.7_19.1.11.C.02. |
NZISM v3.7 19.1.11.C.02. |
Gateways |
19.1.11.C.02. - maintain security and integrity across domains. |
Shared |
n/a |
For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party. |
|
44 |
| NZISM_v3.7 |
19.1.12.C.01. |
NZISM_v3.7_19.1.12.C.01. |
NZISM v3.7 19.1.12.C.01. |
Gateways |
19.1.12.C.01. - minimize security risks and ensure effective control over network communications |
Shared |
n/a |
Agencies MUST ensure that gateways:
1. are the only communications paths into and out of internal networks;
2. by default, deny all connections into and out of the network;
3. allow only explicitly authorised connections;
4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network);
5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and
6. provide real-time alerts. |
|
43 |
| NZISM_v3.7 |
19.1.14.C.01. |
NZISM_v3.7_19.1.14.C.01. |
NZISM v3.7 19.1.14.C.01. |
Gateways |
19.1.14.C.01. - enhance security by segregating resources from the internal network. |
Shared |
n/a |
Agencies MUST use demilitarised zones to house systems and information directly accessed externally. |
|
37 |
| NZISM_v3.7 |
19.1.14.C.02. |
NZISM_v3.7_19.1.14.C.02. |
NZISM v3.7 19.1.14.C.02. |
Gateways |
19.1.14.C.02. - enhance security by segregating resources from the internal network. |
Shared |
n/a |
Agencies SHOULD use demilitarised zones to house systems and information directly accessed externally. |
|
37 |
| NZISM_v3.7 |
19.1.19.C.01. |
NZISM_v3.7_19.1.19.C.01. |
NZISM v3.7 19.1.19.C.01. |
Gateways |
19.1.19.C.01. - enhance security posture. |
Shared |
n/a |
Agencies MUST limit access to gateway administration functions. |
|
33 |
| NZISM_v3.7 |
19.2.16.C.02. |
NZISM_v3.7_19.2.16.C.02. |
NZISM v3.7 19.2.16.C.02. |
Cross Domain Solutions (CDS) |
19.2.16.C.02. - maintain security and prevent unauthorized access or disclosure of sensitive information.
|
Shared |
n/a |
Agencies MUST NOT implement a gateway permitting data to flow directly from:
1. a TOP SECRET network to any network below SECRET;
2. a SECRET network to an UNCLASSIFIED network; or
3. a CONFIDENTIAL network to an UNCLASSIFIED network. |
|
33 |
| NZISM_v3.7 |
19.2.18.C.01. |
NZISM_v3.7_19.2.18.C.01. |
NZISM v3.7 19.2.18.C.01. |
Cross Domain Solutions (CDS) |
19.2.18.C.01. - enhance data security and prevent unauthorized access or leakage between classified networks and less classified networks. |
Shared |
n/a |
Agencies MUST ensure that all bi-directional gateways between TOP SECRET and SECRET networks, SECRET and less classified networks, and CONFIDENTIAL and less classified networks, have separate upward and downward paths which use a diode and physically separate infrastructure for each path. |
|
33 |
| NZISM_v3.7 |
19.2.19.C.01. |
NZISM_v3.7_19.2.19.C.01. |
NZISM v3.7 19.2.19.C.01. |
Cross Domain Solutions (CDS) |
19.2.19.C.01. - ensure the integrity and reliability of information accessed or received.
|
Shared |
n/a |
Trusted sources MUST be:
1. a strictly limited list derived from business requirements and the result of a security risk assessment;
2. where necessary an appropriate security clearance is held; and
3. approved by the Accreditation Authority. |
|
33 |
| NZISM_v3.7 |
19.2.19.C.02. |
NZISM_v3.7_19.2.19.C.02. |
NZISM v3.7 19.2.19.C.02. |
Cross Domain Solutions (CDS) |
19.2.19.C.02. - reduce the risk of unauthorized data transfers and potential breaches. |
Shared |
n/a |
Trusted sources MUST authorise all data to be exported from a security domain. |
|
28 |
| NZISM_v3.7 |
19.3.8.C.01. |
NZISM_v3.7_19.3.8.C.01. |
NZISM v3.7 19.3.8.C.01. |
Firewalls |
19.3.8.C.01. - enhance network security. |
Shared |
n/a |
All gateways MUST contain a firewall in both physical and virtual environments. |
|
12 |
| NZISM_v3.7 |
19.3.8.C.03. |
NZISM_v3.7_19.3.8.C.03. |
NZISM v3.7 19.3.8.C.03. |
Firewalls |
19.3.8.C.03. - minimise the risk of unauthorized access or data leakage between networks |
Shared |
n/a |
Agencies MUST use devices as shown in the following table for their gateway when connecting two networks of different classifications or two networks of the same classification but of different security domains.
Your network: Restricted and below
Their network: Unclassified
You require: EAL4 firewall
They require: N/A
Your network: Restricted and below
Their network: Restricted
You require: EAL2 or PP firewall
They require:EAL2 or PP firewall
Your network: Restricted and below
Their network: Confidential
You require: EAL2 or PP firewall
They require:EAL4 firewall
Your network: Restricted and below
Their network: Secret
You require: EAL2 or PP firewall
They require:EAL4 firewall
Your network: Restricted and below
Their network: Top Secret
You require: EAL2 or PP firewall
They require: Consultation with GCSB
Your network: Confidential
Their network: Unclassified
You require: Consultation with GCSB
They require: N/A
Your network: Confidential
Their network: Restricted
You require: EAL4 firewall
They require: EAL2 or PP firewall
Your network: Confidential
Their network: Confidential
You require: EAL2 or PP firewal
They require: EAL2 or PP firewall
Your network: Confidential
Their network: Secret
You require: EAL2 or PP firewal
They require: EAL4 firewall
Your network: Confidential
Their network: Top Secret
You require: EAL2 or PP firewall
They require: Consultation with GCSB
Your network: Secret
Their network: Unclassified
You require: Consultation with GCSB
They require: N/A
Your network: Secret
Their network: Restricted
You require: EAL4 firewall
They require: EAL2 or PP firewall
Your network: Secret
Their network: Confidential
You require: EAL4 firewall
They require: EAL2 or PP firewall
Your network: Secret
Their network: Secret
You require: EAL2 or PP firewall
They require: EAL2 or PP firewall
Your network: Secret
Their network: Top Secret
You require: EAL2 or PP firewall
They require: EAL4 firewall
Your network: Top Secret
Their network: Unclassified
You require: Consultation with GCSB
They require: N/A
Your network: Top Secret
Their network: Restricted
You require: Consultation with GCSB
They require: EAL2 or PP firewall
Your network: Top Secret
Their network: Confidential
You require: Consultation with GCSB
They require: EAL2 or PP firewall
Your network: Top Secret
Their network: Secret
You require: EAL4 firewall
They require: EAL2 or PP firewall
Your network: Top Secret
Their network: Top Secret
You require: EAL4 firewall
They require: EAL4 firewall
|
|
18 |
| NZISM_v3.7 |
19.3.8.C.04. |
NZISM_v3.7_19.3.8.C.04. |
NZISM v3.7 19.3.8.C.04. |
Firewalls |
19.3.8.C.04. - minimise the risk of unauthorized access or data leakage between networks |
Shared |
n/a |
1. The requirement to implement a firewall as part of gateway architecture MUST be met separately and independently by both parties (gateways) in both physical and virtual environments.
2. Shared equipment DOES NOT satisfy the requirements of this control. |
|
15 |
| NZISM_v3.7 |
19.3.9.C.01. |
NZISM_v3.7_19.3.9.C.01. |
NZISM v3.7 19.3.9.C.01. |
Firewalls |
19.3.9.C.01. - minimise the risk of unauthorized access or data leakage between networks |
Shared |
n/a |
Agencies MUST use a firewall of at least an EAL4 assurance level between an NZEO network and a foreign network in addition to the minimum assurance levels for firewalls between networks of different classifications or security domains. |
|
15 |
| PCI_DSS_v4.0.1 |
1.3.1 |
PCI_DSS_v4.0.1_1.3.1 |
PCI DSS v4.0.1 1.3.1 |
Install and Maintain Network Security Controls |
Inbound traffic to the CDE is restricted to only traffic that is necessary and all other traffic is specifically denied |
Shared |
n/a |
Examine configuration standards for NSCs to verify that they define restricting inbound traffic to the CDE is in accordance with all elements specified in this requirement. Examine configurations of NSCs to verify that inbound traffic to the CDE is restricted in accordance with all elements specified in this requirement |
|
4 |
| PCI_DSS_v4.0.1 |
1.3.2 |
PCI_DSS_v4.0.1_1.3.2 |
PCI DSS v4.0.1 1.3.2 |
Install and Maintain Network Security Controls |
Outbound traffic from the CDE is restricted to only traffic that is necessary and all other traffic is specifically denied |
Shared |
n/a |
Examine configuration standards for NSCs to verify that they define restricting outbound traffic from the CDE in accordance with all elements specified in this requirement. Examine configurations of NSCs to verify that outbound traffic from the CDE is restricted in accordance with all elements specified in this requirement |
|
4 |
| PCI_DSS_v4.0.1 |
1.4.2 |
PCI_DSS_v4.0.1_1.4.2 |
PCI DSS v4.0.1 1.4.2 |
Install and Maintain Network Security Controls |
Inbound traffic from untrusted networks to trusted networks is restricted to communications with system components that are authorized to provide publicly accessible services, protocols, and ports, stateful responses to communications initiated by system components in a trusted network, and all other traffic is denied |
Shared |
n/a |
Examine vendor documentation and configurations of NSCs to verify that inbound traffic from untrusted networks to trusted networks is restricted in accordance with all elements specified in this requirement |
|
4 |
| RBI_ITF_NBFC_v2017 |
5 |
RBI_ITF_NBFC_v2017_5 |
RBI IT Framework 5 |
IS Audit |
Policy for Information System Audit (IS Audit)-5 |
|
n/a |
The objective of the IS Audit is to provide an insight on the effectiveness of controls that are in place to ensure confidentiality, integrity and availability of the organization???s IT infrastructure. IS Audit shall identify risks and methods to mitigate risk arising out of IT infrastructure such as server architecture, local and wide area networks, physical and information security, telecommunications etc. |
link |
14 |
| SOC_2023 |
A1.1 |
SOC_2023_A1.1 |
SOC 2023 A1.1 |
Additional Criteria for Availability |
Effectively manage capacity demand and facilitate the implementation of additional capacity as needed. |
Shared |
n/a |
The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. |
|
107 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
214 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
225 |
| SOC_2023 |
CC7.2 |
SOC_2023_CC7.2 |
SOC 2023 CC7.2 |
Systems Operations |
Maintain robust security measures and ensure operational resilience. |
Shared |
n/a |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. |
|
163 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
209 |
| SOC_2023 |
CC8.1 |
SOC_2023_CC8.1 |
SOC 2023 CC8.1 |
Change Management |
Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. |
Shared |
n/a |
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. |
|
143 |
| SOC_2023 |
PI1.3 |
SOC_2023_PI1.3 |
SOC 2023 PI1.3 |
Additional Criteria for Processing Integrity (Over the provision of services or the production, manufacturing, or distribution of goods) |
Enhance efficiency, accuracy, and compliance with organizational standards and regulatory requirements with regards to system processing to result in products, services, and reporting to meet the entity’s objectives. |
Shared |
n/a |
The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives. |
|
50 |
| SWIFT_CSCF_2024 |
1.1 |
SWIFT_CSCF_2024_1.1 |
SWIFT Customer Security Controls Framework 2024 1.1 |
Physical and Environmental Security |
Swift Environment Protection |
Shared |
1. Segmentation between the user's Swift infrastructure and the larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve a compromise of the general enterprise IT environment.
2. Effective segmentation includes network-level separation, access restrictions, and connectivity restrictions. |
To ensure the protection of the user’s Swift infrastructure from potentially compromised elements of the general IT environment and external environment. |
|
69 |
| SWIFT_CSCF_2024 |
1.5 |
SWIFT_CSCF_2024_1.5 |
SWIFT Customer Security Controls Framework 2024 1.5 |
Physical and Environmental Security |
Customer Environment Protection |
Shared |
1. Segmentation between the customer’s connectivity infrastructure and its larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve compromise of the general enterprise IT environment.
2. Effective segmentation will include network-level separation, access restrictions, and connectivity restrictions. |
To ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. |
|
57 |
| SWIFT_CSCF_2024 |
9.1 |
SWIFT_CSCF_2024_9.1 |
404 not found |
|
|
|
n/a |
n/a |
|
57 |
|
U.07.1 - Isolated |
U.07.1 - Isolated |
404 not found |
|
|
|
n/a |
n/a |
|
62 |