Az Policy Advertizer

Canada_Federal_PBMM_3-1-2020_IA_5(3)

IA_5(3)

Canada Federal PBMM 3-1-2020 IA 5(3)

Authenticator Management

Authenticator Management | In-Person or Trusted Third-Party Registration

Shared

The organization requires that the registration process to receive be conducted in person before an organization-defined registration authority with authorization by organization-defined personnel or roles.

To enhance security and accountability within the organization's registration procedures.

Canada_Federal_PBMM_3-1-2020_MA_1

MA_1

Canada Federal PBMM 3-1-2020 MA 1

System Maintenance Policy and Procedures

Shared

1. The organization develops, documents, and disseminates to all personnel: a. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls. 2. The organization reviews and updates the current: a. System maintenance policy at least every 3 years; and b. System maintenance procedures at least annually.

To implement System Maintenance Policy and Procedures.

Canada_Federal_PBMM_3-1-2020_MA_2

MA_2

Canada Federal PBMM 3-1-2020 MA 2

Controlled Maintenance

Shared

1. The organization schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. 2. The organization approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location. 3. The organization requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs. 4. The organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs. 5. The organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions. 6. The organization include date and time of maintenance, name of the individual performing the maintenance; name of escort (if applicable), description of the maintenance performed; equipment removed or replaced (including identification numbers, if applicable) in organizational maintenance records.

To undertake controlled maintenance.

Canada_Federal_PBMM_3-1-2020_MA_3

MA_3

Canada Federal PBMM 3-1-2020 MA 3

Maintenance Tools

Shared

The organization approves, controls, and monitors information system maintenance tools.

To ensure proper use and mitigate security risks.

Canada_Federal_PBMM_3-1-2020_MA_4(2)

MA_4(2)

Canada Federal PBMM 3-1-2020 MA 4(2)

Non-Local Maintenance

Nonlocal Maintenance | Document Nonlocal Maintenance

Shared

The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

To ensure nonlocal maintenance is documented.

10.7

CIS_Controls_v8.1_10.7

CIS Controls v8.1 10.7

Malware Defenses

Use behaviour based anti-malware software

Shared

Use behaviour based anti-malware software

To ensure that a generic anti-malware software is not used.

100

12.8

CIS_Controls_v8.1_12.8

CIS Controls v8.1 12.8

Network Infrastructure Management

Establish and maintain dedicated computing resources for all administrative work

Shared

1. Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. 2. The computing resources should be segmented from the enterprise’s primary network and not be allowed internet access.

To ensure administrative work is on a different system on which access to data and internet is restricted.

13.1

CIS_Controls_v8.1_13.1

CIS Controls v8.1 13.1

Network Monitoring and Defense

Centralize security event alerting

Shared

1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard.

To ensure that any security event is immediately alerted enterprise-wide.

102

13.3

CIS_Controls_v8.1_13.3

CIS Controls v8.1 13.3

Network Monitoring and Defense

Deploy a network intrusion detection solution

Shared

1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

To enhance the organization's cybersecurity.

100

18.4

CIS_Controls_v8.1_18.4

CIS Controls v8.1 18.4

Penetration Testing

Validate security measures

Shared

Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.

To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise.

4.1

CIS_Controls_v8.1_4.1

CIS Controls v8.1 4.1

Secure Configuration of Enterprise Assets and Software

Establish and maintain a secure configuration process.

Shared

1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). 2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard.

To ensure data integrity and safety of enterprise assets.

5.1

CIS_Controls_v8.1_5.1

CIS Controls v8.1 5.1

Account Management

Establish and maintain an inventory of accounts

Shared

1. Establish and maintain an inventory of all accounts managed in the enterprise. 2. The inventory must include both user and administrator accounts. 3. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. 4. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

To ensure accurate tracking and management of accounts.

5.4

CIS_Controls_v8.1_5.4

CIS Controls v8.1 5.4

Account Management

Restrict administrator privileges to dedicated administrator accounts.

Shared

1. Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 2. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

To restrict access to privileged accounts.

6.8

CIS_Controls_v8.1_6.8

CIS Controls v8.1 6.8

Access Control Management

Define and maintain role-based access control.

Shared

1. Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. 2. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.

To implement a system of role-based access control.

8.11

CIS_Controls_v8.1_8.11

CIS Controls v8.1 8.11

Audit Log Management

Conduct audit log reviews

Shared

1. Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. 2. Conduct reviews on a weekly, or more frequent, basis.

To ensure the integrity of the data in audit logs.

CMMC_L2_v1.9.0_AC.L1_3.1.2

8.2

CIS_Controls_v8.1_8.2

CIS Controls v8.1 8.2

Audit Log Management

Collect audit logs.

Shared

1. Collect audit logs. 2. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.

To assist in troubleshooting of system issues and ensure integrity of data systems.

CMMC_L2_v1.9.0

AC.L1_3.1.2

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L1 3.1.2

Access Control

Transaction & Function Control

Shared

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

To restrict information system access.

CMMC_L3

AC.3.018

CMMC_L3_AC.3.018

CMMC L3 AC.3.018

Access Control

Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this requirement represents a condition to be achieved by the definition of authorized privileges in AC.1.002. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat.

link

CMMC_L3

CM.2.062

CMMC_L3_CM.2.062

CMMC L3 CM.2.062

Configuration Management

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

link

CSA_v4.0.12

IAM_03

CSA_v4.0.12_IAM_03

CSA Cloud Controls Matrix v4.0.12 IAM 03

Identity & Access Management

Identity Inventory

Shared

n/a

Manage, store, and review the information of system identities, and level of access.

CSA_v4.0.12

IAM_08

CSA_v4.0.12_IAM_08

CSA Cloud Controls Matrix v4.0.12 IAM 08

Identity & Access Management

User Access Review

Shared

n/a

Review and revalidate user access for least privilege and separation of duties with a frequency that is commensurate with organizational risk tolerance.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_2

Cyber Essentials v3.1 2

Cyber Essentials

Secure Configuration

Shared

n/a

Aim: ensure that computers and network devices are properly configured to reduce vulnerabilities and provide only the services required to fulfill their role.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_4

Cyber Essentials v3.1 4

Cyber Essentials

User Access Control

Shared

n/a

Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_5

Cyber Essentials v3.1 5

Cyber Essentials

Malware protection

Shared

n/a

Aim: to restrict execution of known malware and untrusted software, from causing damage or accessing data.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

311

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

311

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

311

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

311

FBI_Criminal_Justice_Information_Services_v5.9.5_5.4

404 not found

n/a

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.5

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5

Policy and Implementation - Access Control

Access Control

Shared

Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI.

Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information.

FFIEC_CAT_2017

3.1.2

FFIEC_CAT_2017_3.1.2

FFIEC CAT 2017 3.1.2

Cybersecurity Controls

Access and Data Management

Shared

n/a

Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.'FFIEC_Cybersecurity Control'!F8 - Employee access to systems and confidential data provides for separation of duties. - Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger 'FFIEC_Cybersecurity Control'!F7password controls). - User access reviews are performed periodically for all systems and applications based on the risk to the application or system. - Changes to physical and logical user access, including those that result from voluntary and involuntary terminations, are submitted to and approved by appropriate personnel. - Identification and authentication are required and managed for access to systems, applications, and hardware. - Access controls include password complexity and limits to password attempts and reuse. - All default passwords and unnecessary default accounts are changed before system implementation. - Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk. - Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.) - Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems. - All passwords are encrypted in storage and in transit. - Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). - Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) - Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. - Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software. - Customer service (e.g., the call center) utilizes formal procedures to authenticate customers commensurate with the risk of the transaction or request. - Data is disposed of or destroyed according to documented requirements and within expected time frames.

01.c

HITRUST_CSF_v11.3_01.c

HITRUST CSF v11.3 01.c

Authorized Access to Information Systems

Control privileged access to information systems and services.

Shared

1. Privileged role assignments to be automatically tracked and monitored. 2. Role-based access controls to be implemented and should be capable of mapping each user to one or more roles, and each role to one or more system functions. 3. Critical security functions to be executable only after granting of explicit authorization.

The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls.

01.q

HITRUST_CSF_v11.3_01.q

HITRUST CSF v11.3 01.q

Operating System Access Control

Prevent unauthorized access to operating systems and implement authentication technique to verify user.

Shared

1. Each user ID in the information system to be assigned to a specific named individual to ensure accountability. 2. Multi-factor authentication to be implemented for network and local access to privileged accounts. 3. Users to be uniquely identified and authenticated for local access and remote access. 4. Biometric-based electronic signatures and multifactor authentication to be implemented to ensure exclusive ownership validation and enhanced security for both remote and local network access to privileged and non-privileged accounts.

All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user.

01.t

HITRUST_CSF_v11.3_01.t

HITRUST CSF v11.3 01.t

Operating System Access Control

Implement automatic sign-out of inactive sessions.

Shared

1. Automatic session time-out screen is to be enforced through technical means for all devices. 2. The time-out system to be configured to conceal information previously visible on the display with a publicly viewable image, pauses the session screen after 'x' minutes of inactivity, closes network sessions after 'x' minutes of inactivity, and requires the user to re-establish access using appropriate identification and authentication procedures.

Inactive sessions shall shut down after a defined period of inactivity.

09.ab

HITRUST_CSF_v11.3_09.ab

HITRUST CSF v11.3 09.ab

Monitoring

Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls.

Shared

1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with.

Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly.

114

5.15

ISO_IEC_27002_2022_5.15

ISO IEC 27002 2022 5.15

Protection, Preventive Control

Access control

Shared

Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.

To ensure authorized access and to prevent unauthorized access to information and other associated assets.

5.18

ISO_IEC_27002_2022_5.18

ISO IEC 27002 2022 5.18

Protection, Preventive Control

Access rights

Shared

Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.

To ensure access to information and other associated assets is defined and authorized according to the business requirements.

8.2

ISO_IEC_27002_2022_8.2

ISO IEC 27002 2022 8.2

Protection, Preventive, Control

Privileged access rights

Shared

The allocation and use of privileged access rights should be restricted and managed.

To ensure only authorized users, software components and services are provided with privileged access rights.

8.3

ISO_IEC_27002_2022_8.3

ISO IEC 27002 2022 8.3

Protection, Preventive, Control

Information access restriction

Shared

Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control.

To ensure only authorized access and to prevent unauthorized access to information and other associated assets.

NIST_CSF_v2.0

PR.AA_05

NIST_CSF_v2.0_PR.AA_05

NIST CSF v2.0 PR.AA 05

PROTECT- Identity Management, Authentication, and Access

Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.

Shared

n/a

To implement safeguards for managing organization’s cybersecurity risks.

.1.1

NIST_SP_800-171_R3_3.1.1

NIST 800-171 R3 3.1.1

Access Control

Account Management

Shared

a. Define the types of system accounts allowed and prohibited. b. Create, enable, modify, disable, and remove system accounts in accordance with organizational policy, procedures, prerequisites, and criteria. c. Specify authorized users of the system, group and role membership, and access authorizations (i.e., privileges). d. Authorize access to the system based on a valid access authorization and intended system usage. e. Monitor the use of system accounts. f. Disable system accounts when: 1. The accounts have expired; 2. The accounts have been inactive for [Assignment: organization-defined time period]; 3. The accounts are no longer associated with a user or individual; 4. The accounts are in violation of organizational policy; or 5. Significant risks associated with individuals are discovered. g. Notify organizational personnel or roles when: 1. Accounts are no longer required; 2. Users are terminated or transferred; and 3. System usage or need-to-know changes for an individual.

This requirement focuses on account management for systems and applications. The definition and enforcement of access authorizations other than those determined by account type (e.g.,privileged access, non-privileged access) are addressed in requirement 03.01.02. System account types include individual, group, temporary, system, guest, anonymous, emergency, developer, and service. Users who require administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access. Types of accounts that organizations may prohibit due to increased risk include group, emergency, guest, anonymous, and temporary. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of both. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes,organizations consider system requirements (e.g., system upgrades, scheduled maintenance) and mission and business requirements (e.g., time zone differences, remote access to facilitate travel requirements). Users who pose a significant security risk include individuals for whom reliable evidence indicates either the intention to use authorized access to the system to cause harm or that adversaries will cause harm through them. Close coordination among human resource managers, mission/business owners, system administrators, and legal staff is essential when disabling system accounts for high-risk individuals. Time periods for the notification of organizational personnel or roles may vary.

.1.5

NIST_SP_800-171_R3_3.1.5

NIST 800-171 R3 3.1.5

Access Control

Least Privilege

Shared

Organizations employ the principle of least privilege for specific duties and authorized access for users and system processes. Least privilege is applied to the development, implementation, and operation of the system. Organizations consider creating additional processes, roles, and system accounts to achieve least privilege. Security functions include establishing system accounts and assigning privileges, installing software, configuring access authorizations, configuring settings for events to be audited, establishing vulnerability scanning parameters, and establishing intrusion detection parameters. Security-relevant information includes threat and vulnerability information, filtering rules for routers or firewalls, configuration parameters for security services, security architecture, cryptographic key management information, and access control lists.

a. Allow only authorized system access for users (or processes acting on behalf of users) that is necessary to accomplish assigned organizational tasks. b. Authorize access to [Assignment: organization-defined security functions and security-relevant information]. c. Review the privileges assigned to roles or classes of users periodically to validate the need for such privileges. d. Reassign or remove privileges, as necessary.

.8.2

NIST_SP_800-171_R3_3.8.2

404 not found

n/a

NIST_SP_800-53_R5.1.1_AC.2.6

.9.2

NIST_SP_800-171_R3_3.9.2

NIST 800-171 R3 3.9.2

Personnel Security Control

Personnel Termination and Transfer

Shared

Security-related system property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that accountability is achieved for the organizational property. Security topics at exit interviews include reminding individuals of potential limitations on future employment and nondisclosure agreements. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. The timely execution of termination actions is essential for individuals who have been terminated for cause. Organizations may consider disabling the accounts of individuals who are being terminated prior to the individuals being notified. This requirement applies to the reassignment or transfer of individuals when the personnel action is permanent or of such extended duration as to require protection. Protections that may be required for transfers or reassignments to other positions within organizations include returning old and issuing new identification cards, keys, and building passes; changing system access authorizations (i.e., privileges); closing system accounts and establishing new accounts; and providing access to official records to which individuals had access at previous work locations in previous system accounts.

a. When individual employment is terminated: 1. Disable system access within [Assignment: organization-defined time period]; 2. Terminate or revoke authenticators and credentials associated with the individual; and 3. Retrieve security-related system property. b. When individuals are reassigned or transferred to other positions in the organization: 1. Review and confirm the ongoing operational need for current logical and physical access authorizations to the system and facility; 2. Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the transfer or reassignment action]; and 3. Modify access authorization to correspond with any changes in operational need.

NIST_SP_800-53_R5.1.1

AC.2.6

NIST SP 800-53 R5.1.1 AC.2.6

Access Control

Account Management | Dynamic Privilege Management

Shared

Implement [Assignment: organization-defined dynamic privilege management capabilities].

In contrast to access control approaches that employ static accounts and predefined user privileges, dynamic access control approaches rely on runtime access control decisions facilitated by dynamic privilege management, such as attribute-based access control. While user identities remain relatively constant over time, user privileges typically change more frequently based on ongoing mission or business requirements and the operational needs of organizations. An example of dynamic privilege management is the immediate revocation of privileges from users as opposed to requiring that users terminate and restart their sessions to reflect changes in privileges. Dynamic privilege management can also include mechanisms that change user privileges based on dynamic rules as opposed to editing specific user profiles. Examples include automatic adjustments of user privileges if they are operating out of their normal work times, if their job function or assignment changes, or if systems are under duress or in emergency situations. Dynamic privilege management includes the effects of privilege changes, for example, when there are changes to encryption keys used for communications.

NIST_SP_800-53_R5.1.1

AC.2.7

NIST_SP_800-53_R5.1.1_AC.2.7

NIST SP 800-53 R5.1.1 AC.2.7

Access Control

Account Management | Privileged User Accounts

Shared

(a) Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme]; (b) Monitor privileged role or attribute assignments; (c) Monitor changes to roles or attributes; and (d) Revoke access when privileged role or attribute assignments are no longer appropriate.

Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes.

NIST_SP_800-53_R5.1.1

MA.4.1

NIST_SP_800-53_R5.1.1_MA.4.1

NIST SP 800-53 R5.1.1 MA.4.1

Maintenance Control

Nonlocal Maintenance | Logging and Review

Shared

(a) Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions; and (b) Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior.

Audit logging for nonlocal maintenance is enforced by AU-2. Audit events are defined in AU-2a.

14.1.10.C.01.

NZISM_v3.7_14.1.10.C.01.

NZISM v3.7 14.1.10.C.01.

Standard Operating Environments

14.1.10.C.01. - reduce potential vulnerabilities.

Shared

n/a

Agencies MUST reduce potential vulnerabilities in their SOEs by: 1. removing unused accounts; 2. renaming or deleting default accounts; and 3. replacing default passwords before or during the installation process.

14.1.10.C.02.

NZISM_v3.7_14.1.10.C.02.

NZISM v3.7 14.1.10.C.02.

Standard Operating Environments

14.1.10.C.02. - reduce potential vulnerabilities.

Shared

n/a

Agencies SHOULD reduce potential vulnerabilities in their SOEs by: 1. removing unused accounts; 2. renaming or deleting default accounts; and 3. replacing default passwords, before or during the installation process.

14.3.12.C.01.

NZISM_v3.7_14.3.12.C.01.

NZISM v3.7 14.3.12.C.01.

Web Applications

14.3.12.C.01. - strengthening the overall security posture of the agency's network environment.

Shared

n/a

Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations.

16.1.44.C.01.

NZISM_v3.7_16.1.44.C.01.

NZISM v3.7 16.1.44.C.01.

Identification, Authentication and Passwords

16.1.44.C.01. - enhance overall security posture.

Shared

n/a

Agencies SHOULD develop and implement a policy to automatically logout and shutdown workstations after an appropriate time of inactivity.

16.1.45.C.01.

NZISM_v3.7_16.1.45.C.01.

NZISM v3.7 16.1.45.C.01.

Identification, Authentication and Passwords

16.1.45.C.01. - enhance overall security posture.

Shared

n/a

Agencies MUST: 1. configure systems with a session or screen lock; 2. configure the lock to activate: a. after a maximum of 10 minutes of system user inactivity; or b. if manually activated by the system user; 3. configure the lock to completely conceal all information on the screen; 4. ensure that the screen is not turned off or enters a power saving state before the screen or session lock is activated; 5. have the system user reauthenticate to unlock the system; and 6.. deny system users the ability to disable the locking mechanism.

16.1.45.C.02.

NZISM_v3.7_16.1.45.C.02.

NZISM v3.7 16.1.45.C.02.

Identification, Authentication and Passwords

16.1.45.C.02. - enhance overall security posture.

Shared

n/a

Agencies SHOULD: 1. configure systems with a session or screen lock; 2. configure the lock to activate: a. after a maximum of 15 minutes of system user inactivity; or b. if manually activated by the system user; 3. configure the lock to completely conceal all information on the screen; 4. ensure that the screen is not turned off or enters a power saving state before the screen or session lock is activated; 5. have the system user reauthenticate to unlock the system; and 6. deny system users the ability to disable the locking mechanism.

16.1.47.C.01.

NZISM_v3.7_16.1.47.C.01.

NZISM v3.7 16.1.47.C.01.

Identification, Authentication and Passwords

16.1.47.C.01. - enhance overall security posture.

Shared

n/a

Agencies SHOULD ensure that repeated account lockouts are investigated before reauthorising access.

16.4.32.C.02.

NZISM_v3.7_16.4.32.C.02.

NZISM v3.7 16.4.32.C.02.

Privileged Access Management

16.4.32.C.02. - enhance security and reduce the risk of unauthorized access or misuse.

Shared

n/a

Privileged Access credentials MUST NOT be issued until approval has been formally granted.

17.5.7.C.01.

NZISM_v3.7_17.5.7.C.01.

NZISM v3.7 17.5.7.C.01.

Secure Shell

17.5.7.C.01. - enhance overall cybersecurity posture.

Shared

n/a

Agencies SHOULD use public key-based authentication before using password-based authentication.

17.5.7.C.02.

NZISM_v3.7_17.5.7.C.02.

NZISM v3.7 17.5.7.C.02.

Secure Shell

17.5.7.C.02. - enhance overall cybersecurity posture.

Shared

n/a

Agencies that allow password authentication SHOULD use techniques to block brute force attacks against the password.

19.1.20.C.01.

NZISM_v3.7_19.1.20.C.01.

NZISM v3.7 19.1.20.C.01.

Gateways

19.1.20.C.01. - reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies MUST authenticate system users to all classified networks accessed through gateways.

19.1.20.C.02.

NZISM_v3.7_19.1.20.C.02.

NZISM v3.7 19.1.20.C.02.

Gateways

19.1.20.C.02. - reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies MUST ensure that only authenticated and authorised system users can use the gateway.

19.1.20.C.03.

NZISM_v3.7_19.1.20.C.03.

NZISM v3.7 19.1.20.C.03.

Gateways

19.1.20.C.03. - reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies SHOULD use multi-factor authentication for access to networks and gateways.

2.3.26.C.01.

NZISM_v3.7_2.3.26.C.01.

NZISM v3.7 2.3.26.C.01.

Using Cloud Services

2.3.26.C.01. - enhance security measures and minimise trust assumptions in cloud environments.

Shared

n/a

Agencies intending to adopt public cloud technologies or services SHOULD incorporate Zero Trust philosophies and concepts.

20.4.4.C.01.

NZISM_v3.7_20.4.4.C.01.

NZISM v3.7 20.4.4.C.01.

Databases

20.4.4.C.01. - enhance data security and integrity.

Shared

n/a

Agencies MUST protect database files from access that bypasses the database's normal access controls.

20.4.4.C.02.

NZISM_v3.7_20.4.4.C.02.

NZISM v3.7 20.4.4.C.02.

Databases

20.4.4.C.02. - enhance data security and integrity.

Shared

n/a

Agencies SHOULD protect database files from access that bypass normal access controls.

10.2.1.2

PCI_DSS_v4.0.1_10.2.1.2

PCI DSS v4.0.1 10.2.1.2

Log and Monitor All Access to System Components and Cardholder Data

Administrative Actions Logging

Shared

n/a

Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.

7.2.4

PCI_DSS_v4.0.1_7.2.4

PCI DSS v4.0.1 7.2.4

Restrict Access to System Components and Cardholder Data by Business Need to Know

All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: At least once every six months. To ensure user accounts and access remain appropriate based on job function. Any inappropriate access is addressed. Management acknowledges that access remains appropriate

Shared

n/a

Examine policies and procedures to verify they define processes to review all user accounts and related access privileges, including third-party/vendor accounts, in accordance with all elements specified in this requirement. Interview responsible personnel and examine documented results of periodic reviews of user accounts to verify that all the results are in accordance with all elements specified in this requirement

7.2.5

PCI_DSS_v4.0.1_7.2.5

PCI DSS v4.0.1 7.2.5

Restrict Access to System Components and Cardholder Data by Business Need to Know

All application and system accounts and related access privileges are assigned and managed as follows: Based on the least privileges necessary for the operability of the system or application. Access is limited to the systems, applications, or processes that specifically require their use

Shared

n/a

Examine policies and procedures to verify they define processes to manage and assign application and system accounts and related access privileges in accordance with all elements specified in this requirement. Examine privileges associated with system and application accounts and interview responsible personnel to verify that application and system accounts and related access privileges are assigned and managed in accordance with all elements specified in this requirement

Sarbanes_Oxley_Act_(1)_2022_1

7.2.5.1

PCI_DSS_v4.0.1_7.2.5.1

PCI DSS v4.0.1 7.2.5.1

Restrict Access to System Components and Cardholder Data by Business Need to Know

All access by application and system accounts and related access privileges are reviewed as follows: Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1). The application/system access remains appropriate for the function being performed. Any inappropriate access is addressed. Management acknowledges that access remains appropriate

Shared

n/a

Examine policies and procedures to verify they define processes to review all application and system accounts and related access privileges in accordance with all elements specified in this requirement. Examine the entity’s targeted risk analysis for the frequency of periodic reviews of application and system accounts and related access privileges to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1. Interview responsible personnel and examine documented results of periodic reviews of system and application accounts and related privileges to verify that the reviews occur in accordance with all elements specified in this requirement

Sarbanes Oxley Act 2022 1

PUBLIC LAW

Sarbanes Oxley Act 2022 (SOX)

Shared

n/a

A1.1

SOC_2023_A1.1

SOC 2023 A1.1

Additional Criteria for Availability

Effectively manage capacity demand and facilitate the implementation of additional capacity as needed.

Shared

n/a

The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

111

CC2.2

SOC_2023_CC2.2

SOC 2023 CC2.2

Information and Communication

Facilitate effective internal communication, including objectives and responsibilities for internal control.

Shared

n/a

Entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control by setting up a process to communicate required information to enable personnel to understand and carry out responsibilities, ensure communication exists between management and board of directors, provides for separate communication channels which serve as fail-safe mechanism to enable anonymous or confidential communication and setting up relevant methods of communication by considering the timing, audience and nature information

CC5.2

SOC_2023_CC5.2

SOC 2023 CC5.2

Control Activities

Mitigate technology-related risks and ensure that technology effectively supports the organization in achieving its objectives, enhancing efficiency, reliability, and security in its operations.

Shared

n/a

Entity also selects and develops general control activities over technology to support the achievement of objectives by determining Dependency Between the Use of Technology in Business Processes and Technology General Controls, establishing Relevant Technology Infrastructure Control Activities, establishing Relevant Security Management Process Controls Activities, establishing Relevant Technology Acquisition and Development, and Maintenance of Process Control Activities.

CC6.1

SOC_2023_CC6.1

SOC 2023 CC6.1

Logical and Physical Access Controls

Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets.

Shared

n/a

Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys.

128

CC6.2

SOC_2023_CC6.2

SOC 2023 CC6.2

Logical and Physical Access Controls

Ensure effective access control and ensuring the security of the organization's systems and data.

Shared

n/a

1. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. 2. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

CC6.3

SOC_2023_CC6.3

404 not found

n/a

CC7.2

SOC_2023_CC7.2

SOC 2023 CC7.2

Systems Operations

Maintain robust security measures and ensure operational resilience.

Shared

n/a

The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events.

167