compliance controls are associated with this Policy definition 'Perform a risk assessment' (8c5d3d8d-5cba-0def-257c-5ab9ea9644dc)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
FedRAMP_High_R4 |
CM-3 |
FedRAMP_High_R4_CM-3 |
FedRAMP High CM-3 |
Configuration Management |
Configuration Change Control |
Shared |
n/a |
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
Supplemental Guidance: Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12.
References: NIST Special Publication 800-128. |
link |
8 |
FedRAMP_High_R4 |
CM-4 |
FedRAMP_High_R4_CM-4 |
FedRAMP High CM-4 |
Configuration Management |
Security Impact Analysis |
Shared |
n/a |
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
Supplemental Guidance: Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems. Related controls: CA-2, CA-7, CM-3, CM-9, SA-4, SA-5, SA-10, SI-2.
References: NIST Special Publication 800-128. |
link |
8 |
FedRAMP_High_R4 |
RA-3 |
FedRAMP_High_R4_RA-3 |
FedRAMP High RA-3 |
Risk Assessment |
Risk Assessment |
Shared |
n/a |
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing
entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information
system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the
first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9.
Control Enhancements: None.
References: OMB Memorandum 04-04; NIST Special Publication 800-30, 800-39; Web:idmanagement.gov. |
link |
4 |
FedRAMP_Moderate_R4 |
CM-3 |
FedRAMP_Moderate_R4_CM-3 |
FedRAMP Moderate CM-3 |
Configuration Management |
Configuration Change Control |
Shared |
n/a |
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
Supplemental Guidance: Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12.
References: NIST Special Publication 800-128. |
link |
8 |
FedRAMP_Moderate_R4 |
CM-4 |
FedRAMP_Moderate_R4_CM-4 |
FedRAMP Moderate CM-4 |
Configuration Management |
Security Impact Analysis |
Shared |
n/a |
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
Supplemental Guidance: Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems. Related controls: CA-2, CA-7, CM-3, CM-9, SA-4, SA-5, SA-10, SI-2.
References: NIST Special Publication 800-128. |
link |
8 |
FedRAMP_Moderate_R4 |
RA-3 |
FedRAMP_Moderate_R4_RA-3 |
FedRAMP Moderate RA-3 |
Risk Assessment |
Risk Assessment |
Shared |
n/a |
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing
entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information
system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the
first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9.
Control Enhancements: None.
References: OMB Memorandum 04-04; NIST Special Publication 800-30, 800-39; Web:idmanagement.gov. |
link |
4 |
hipaa |
0125.05a3Organizational.2-05.a |
hipaa-0125.05a3Organizational.2-05.a |
0125.05a3Organizational.2-05.a |
01 Information Protection Program |
0125.05a3Organizational.2-05.a 05.01 Internal Organization |
Shared |
n/a |
Annual risk assessments are performed by an independent organization. |
|
8 |
hipaa |
0618.09b1System.1-09.b |
hipaa-0618.09b1System.1-09.b |
0618.09b1System.1-09.b |
06 Configuration Management |
0618.09b1System.1-09.b 09.01 Documented Operating Procedures |
Shared |
n/a |
Changes to information assets, including systems, networks, and network services, are controlled and archived. |
|
16 |
hipaa |
0638.10k2Organizational.34569-10.k |
hipaa-0638.10k2Organizational.34569-10.k |
0638.10k2Organizational.34569-10.k |
06 Configuration Management |
0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
Changes are formally controlled, documented, and enforced in order to minimize the corruption of information systems. |
|
14 |
hipaa |
0641.10k2Organizational.11-10.k |
hipaa-0641.10k2Organizational.11-10.k |
0641.10k2Organizational.11-10.k |
06 Configuration Management |
0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
The organization does not use automated updates on critical systems. |
|
13 |
hipaa |
0643.10k3Organizational.3-10.k |
hipaa-0643.10k3Organizational.3-10.k |
0643.10k3Organizational.3-10.k |
06 Configuration Management |
0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
The organization (i) establishes and documents mandatory configuration settings for information technology products employed within the information system using the latest security configuration baselines; (ii) identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements; and, (iii) monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. |
|
17 |
hipaa |
0672.10k3System.5-10.k |
hipaa-0672.10k3System.5-10.k |
0672.10k3System.5-10.k |
06 Configuration Management |
0672.10k3System.5-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
The integrity of all virtual machine images is ensured at all times by (i) logging and raising an alert for any changes made to virtual machine images, and (ii) making available to the business owner(s) and/or customer(s) through electronic methods (e.g., portals or alerts) the results of a change or move and the subsequent validation of the image's integrity. |
|
12 |
hipaa |
069.06g2Organizational.56-06.g |
hipaa-069.06g2Organizational.56-06.g |
069.06g2Organizational.56-06.g |
06 Configuration Management |
069.06g2Organizational.56-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance |
Shared |
n/a |
The internal security organization reviews and maintains records of compliance results (e.g., organization-defined metrics) in order to better track security trends within the organization, respond to the results of correlation and analysis, and address longer term areas of concern as part of its formal risk assessment process. |
|
7 |
hipaa |
0821.09m2Organizational.2-09.m |
hipaa-0821.09m2Organizational.2-09.m |
0821.09m2Organizational.2-09.m |
08 Network Protection |
0821.09m2Organizational.2-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization tests and approves all network connections and firewall, router, and switch configuration changes prior to implementation. Any deviations from the standard configuration or updates to the standard configuration are documented and approved in a change control system. All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, are also documented and recorded, with a specific business reason for each change, a specific individual’s name responsible for that business need, and an expected duration of the need. |
|
18 |
hipaa |
0824.09m3Organizational.1-09.m |
hipaa-0824.09m3Organizational.1-09.m |
0824.09m3Organizational.1-09.m |
08 Network Protection |
0824.09m3Organizational.1-09.m 09.06 Network Security Management |
Shared |
n/a |
The impact of the loss of network service to the business is defined. |
|
10 |
hipaa |
0863.09m2Organizational.910-09.m |
hipaa-0863.09m2Organizational.910-09.m |
0863.09m2Organizational.910-09.m |
08 Network Protection |
0863.09m2Organizational.910-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization builds a firewall configuration that restricts connections between untrusted networks and any system components in the covered information environment; and any changes to the firewall configuration are updated in the network diagram. |
|
25 |
hipaa |
1208.09aa3System.1-09.aa |
hipaa-1208.09aa3System.1-09.aa |
1208.09aa3System.1-09.aa |
12 Audit Logging & Monitoring |
1208.09aa3System.1-09.aa 09.10 Monitoring |
Shared |
n/a |
Audit logs are maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes. |
|
18 |
hipaa |
1314.02e2Organizational.5-02.e |
hipaa-1314.02e2Organizational.5-02.e |
1314.02e2Organizational.5-02.e |
13 Education, Training and Awareness |
1314.02e2Organizational.5-02.e 02.03 During Employment |
Shared |
n/a |
The organization conducts an internal annual review of the effectiveness of its security and privacy education and training program, and updates the program to reflect risks identified in the organization's risk assessment. |
|
4 |
hipaa |
1635.12b1Organizational.2-12.b |
hipaa-1635.12b1Organizational.2-12.b |
1635.12b1Organizational.2-12.b |
16 Business Continuity & Disaster Recovery |
1635.12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Information security aspects of business continuity are: (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and, (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy. |
|
6 |
hipaa |
1637.12b2Organizational.2-12.b |
hipaa-1637.12b2Organizational.2-12.b |
1637.12b2Organizational.2-12.b |
16 Business Continuity & Disaster Recovery |
1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Business impact analyses are used to evaluate the consequences of disasters, security failures, loss of service, and service availability. |
|
8 |
hipaa |
1638.12b2Organizational.345-12.b |
hipaa-1638.12b2Organizational.345-12.b |
1638.12b2Organizational.345-12.b |
16 Business Continuity & Disaster Recovery |
1638.12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Business continuity risk assessments: (i) are carried out annually with full involvement from owners of business resources and processes; (ii) consider all business processes and is not limited to the information assets, but includes the results specific to information security; and, (iii) identifies, quantifies, and prioritizes risks against key business objectives and criteria relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities. |
|
5 |
hipaa |
1704.03b1Organizational.12-03.b |
hipaa-1704.03b1Organizational.12-03.b |
1704.03b1Organizational.12-03.b |
17 Risk Management |
1704.03b1Organizational.12-03.b 03.01 Risk Management Program |
Shared |
n/a |
The organization performs risk assessments in a consistent way and at planned intervals, or when there are major changes to the organization's environment, and reviews the risk assessment results annually. |
|
2 |
ISO27001-2013 |
A.12.1.2 |
ISO27001-2013_A.12.1.2 |
ISO 27001:2013 A.12.1.2 |
Operations Security |
Change management |
Shared |
n/a |
Changes to organization, business processes, information processing facilities and systems that affect information security shall be controlled. |
link |
27 |
ISO27001-2013 |
A.12.5.1 |
ISO27001-2013_A.12.5.1 |
ISO 27001:2013 A.12.5.1 |
Operations Security |
Installation of software on operational systems |
Shared |
n/a |
Procedures shall be implemented to control the installation of software on operational systems. |
link |
18 |
ISO27001-2013 |
A.12.6.1 |
ISO27001-2013_A.12.6.1 |
ISO 27001:2013 A.12.6.1 |
Operations Security |
Management of technical vulnerabilities |
Shared |
n/a |
Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. |
link |
12 |
ISO27001-2013 |
A.12.6.2 |
ISO27001-2013_A.12.6.2 |
ISO 27001:2013 A.12.6.2 |
Operations Security |
Restrictions on software installation |
Shared |
n/a |
Rules governing the installation of software by users shall be established and implemented. |
link |
18 |
ISO27001-2013 |
A.14.2.2 |
ISO27001-2013_A.14.2.2 |
ISO 27001:2013 A.14.2.2 |
System Acquisition, Development And Maintenance |
System change control procedures |
Shared |
n/a |
Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. |
link |
25 |
ISO27001-2013 |
A.14.2.3 |
ISO27001-2013_A.14.2.3 |
ISO 27001:2013 A.14.2.3 |
System Acquisition, Development And Maintenance |
Technical review of applications after operating platform changes |
Shared |
n/a |
When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. |
link |
18 |
ISO27001-2013 |
A.14.2.4 |
ISO27001-2013_A.14.2.4 |
ISO 27001:2013 A.14.2.4 |
System Acquisition, Development And Maintenance |
Restrictions on changes to software packages |
Shared |
n/a |
Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. |
link |
24 |
ISO27001-2013 |
C.6.1.2.c.1 |
ISO27001-2013_C.6.1.2.c.1 |
ISO 27001:2013 C.6.1.2.c.1 |
Planning |
Information security risk assessment |
Shared |
n/a |
The organization shall define and apply an information security risk assessment process that:
c) identifies the information security risks:
- 1) apply the information security risk assessment process to identify risks associated with the loss
of confidentiality, integrity and availability for information within the scope of the information
security management system.
The organization shall retain documented information about the information security risk
assessment process. |
link |
2 |
ISO27001-2013 |
C.6.1.2.c.2 |
ISO27001-2013_C.6.1.2.c.2 |
ISO 27001:2013 C.6.1.2.c.2 |
Planning |
Information security risk assessment |
Shared |
n/a |
The organization shall define and apply an information security risk assessment process that:
c) identifies the information security risks:
- 2) identify the risk owners.
The organization shall retain documented information about the information security risk
assessment process. |
link |
2 |
ISO27001-2013 |
C.6.1.2.d.1 |
ISO27001-2013_C.6.1.2.d.1 |
ISO 27001:2013 C.6.1.2.d.1 |
Planning |
Information security risk assessment |
Shared |
n/a |
The organization shall define and apply an information security risk assessment process that:
d) analyses the information security risks:
- 1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were
to materialize.
The organization shall retain documented information about the information security risk
assessment process. |
link |
2 |
ISO27001-2013 |
C.6.1.2.d.2 |
ISO27001-2013_C.6.1.2.d.2 |
ISO 27001:2013 C.6.1.2.d.2 |
Planning |
Information security risk assessment |
Shared |
n/a |
The organization shall define and apply an information security risk assessment process that:
d) analyses the information security risks:
- 2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1).
The organization shall retain documented information about the information security risk
assessment process. |
link |
2 |
ISO27001-2013 |
C.6.1.2.d.3 |
ISO27001-2013_C.6.1.2.d.3 |
ISO 27001:2013 C.6.1.2.d.3 |
Planning |
Information security risk assessment |
Shared |
n/a |
The organization shall define and apply an information security risk assessment process that:
d) analyses the information security risks:
- 3) determine the levels of risk.
The organization shall retain documented information about the information security risk
assessment process. |
link |
2 |
ISO27001-2013 |
C.6.1.2.e.1 |
ISO27001-2013_C.6.1.2.e.1 |
ISO 27001:2013 C.6.1.2.e.1 |
Planning |
Information security risk assessment |
Shared |
n/a |
The organization shall define and apply an information security risk assessment process that:
e) evaluates the information security risks:
- 1) compare the results of risk analysis with the risk criteria established in 6.1.2 a).
The organization shall retain documented information about the information security risk
assessment process. |
link |
2 |
ISO27001-2013 |
C.6.1.2.e.2 |
ISO27001-2013_C.6.1.2.e.2 |
ISO 27001:2013 C.6.1.2.e.2 |
Planning |
Information security risk assessment |
Shared |
n/a |
The organization shall define and apply an information security risk assessment process that:
e) evaluates the information security risks:
- 2) prioritize the analysed risks for risk treatment.
The organization shall retain documented information about the information security risk
assessment process. |
link |
2 |
ISO27001-2013 |
C.8.1 |
ISO27001-2013_C.8.1 |
ISO 27001:2013 C.8.1 |
Operation |
Operational planning and control |
Shared |
n/a |
The organization shall plan, implement and control the processes needed to meet information security
requirements, and to implement the actions determined in 6.1. The organization shall also implement
plans to achieve information security objectives determined in 6.2.
The organization shall keep documented information to the extent necessary to have confidence that
the processes have been carried out as planned.
The organization shall control planned changes and review the consequences of unintended changes,
taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that outsourced processes are determined and controlled. |
link |
21 |
ISO27001-2013 |
C.8.2 |
ISO27001-2013_C.8.2 |
ISO 27001:2013 C.8.2 |
Operation |
Information security risk assessment |
Shared |
n/a |
The organization shall perform information security risk assessments at planned intervals or when
significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
The organization shall retain documented information of the results of the information security
risk assessments. |
link |
3 |
|
mp.eq.2 User session lockout |
mp.eq.2 User session lockout |
404 not found |
|
|
|
n/a |
n/a |
|
29 |
|
mp.sw.2 Acceptance and commissioning |
mp.sw.2 Acceptance and commissioning |
404 not found |
|
|
|
n/a |
n/a |
|
60 |
NIST_SP_800-171_R2_3 |
.11.1 |
NIST_SP_800-171_R2_3.11.1 |
NIST SP 800-171 R2 3.11.1 |
Risk Assessment |
Periodically assess the risk to organizational operations, organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Clearly defined system boundaries are a prerequisite for effective risk assessments. Such risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations, organizational assets, and individuals based on the operation and use of organizational systems. Risk assessments also consider risk from external parties (e.g., service providers, contractors operating systems on behalf of the organization, individuals accessing organizational systems, outsourcing entities). Risk assessments, either formal or informal, can be conducted at the organization level, the mission or business process level, or the system level, and at any phase in the system development life cycle. [SP 800-30] provides guidance on conducting risk assessments. |
link |
2 |
NIST_SP_800-171_R2_3 |
.4.3 |
NIST_SP_800-171_R2_3.4.3 |
NIST SP 800-171 R2 3.4.3 |
Configuration Management |
Track, review, approve or disapprove, and log changes to organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled and unauthorized changes, and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes to systems. For new development systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards or Change Advisory Boards. Audit logs of changes include activities before and after changes are made to organizational systems and the activities required to implement such changes. [SP 800-128] provides guidance on configuration change control. |
link |
15 |
NIST_SP_800-171_R2_3 |
.4.4 |
NIST_SP_800-171_R2_3.4.4 |
NIST SP 800-171 R2 3.4.4 |
Configuration Management |
Analyze the security impact of changes prior to implementation. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizational personnel with information security responsibilities (e.g., system administrators, system security officers, system security managers, and systems security engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the associated security ramifications. Security impact analysis may include reviewing security plans to understand security requirements and reviewing system design documentation to understand the implementation of controls and how specific changes might affect the controls. Security impact analyses may also include risk assessments to better understand the impact of the changes and to determine if additional controls are required. [SP 800-128] provides guidance on configuration change control and security impact analysis. |
link |
8 |
NIST_SP_800-53_R4 |
CM-3 |
NIST_SP_800-53_R4_CM-3 |
NIST SP 800-53 Rev. 4 CM-3 |
Configuration Management |
Configuration Change Control |
Shared |
n/a |
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
Supplemental Guidance: Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12.
References: NIST Special Publication 800-128. |
link |
8 |
NIST_SP_800-53_R4 |
CM-4 |
NIST_SP_800-53_R4_CM-4 |
NIST SP 800-53 Rev. 4 CM-4 |
Configuration Management |
Security Impact Analysis |
Shared |
n/a |
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
Supplemental Guidance: Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems. Related controls: CA-2, CA-7, CM-3, CM-9, SA-4, SA-5, SA-10, SI-2.
References: NIST Special Publication 800-128. |
link |
8 |
NIST_SP_800-53_R4 |
RA-3 |
NIST_SP_800-53_R4_RA-3 |
NIST SP 800-53 Rev. 4 RA-3 |
Risk Assessment |
Risk Assessment |
Shared |
n/a |
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing
entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information
system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the
first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9.
Control Enhancements: None.
References: OMB Memorandum 04-04; NIST Special Publication 800-30, 800-39; Web:idmanagement.gov. |
link |
4 |
NIST_SP_800-53_R5 |
CM-3 |
NIST_SP_800-53_R5_CM-3 |
NIST SP 800-53 Rev. 5 CM-3 |
Configuration Management |
Configuration Change Control |
Shared |
n/a |
a. Determine and document the types of changes to the system that are configuration-controlled;
b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
c. Document configuration change decisions associated with the system;
d. Implement approved configuration-controlled changes to the system;
e. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period];
f. Monitor and review activities associated with configuration-controlled changes to the system; and
g. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (OneOrMore): [Assignment: organization-defined frequency] ;when [Assignment: organization-defined configuration change conditions] ] . |
link |
8 |
NIST_SP_800-53_R5 |
CM-4 |
NIST_SP_800-53_R5_CM-4 |
NIST SP 800-53 Rev. 5 CM-4 |
Configuration Management |
Impact Analyses |
Shared |
n/a |
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. |
link |
8 |
NIST_SP_800-53_R5 |
RA-3 |
NIST_SP_800-53_R5_RA-3 |
NIST SP 800-53 Rev. 5 RA-3 |
Risk Assessment |
Risk Assessment |
Shared |
n/a |
a. Conduct a risk assessment, including:
1. Identifying threats to and vulnerabilities in the system;
2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
c. Document risk assessment results in [Selection: security and privacy plans;risk assessment report; [Assignment: organization-defined document] ] ;
d. Review risk assessment results [Assignment: organization-defined frequency];
e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and
f. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. |
link |
4 |
|
op.exp.4 Security maintenance and updates |
op.exp.4 Security maintenance and updates |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
op.exp.5 Change management |
op.exp.5 Change management |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
op.pl.1 Risk analysis |
op.pl.1 Risk analysis |
404 not found |
|
|
|
n/a |
n/a |
|
70 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
126 |
PCI_DSS_v4.0 |
1.2.2 |
PCI_DSS_v4.0_1.2.2 |
PCI DSS v4.0 1.2.2 |
Requirement 01: Install and Maintain Network Security Controls |
Network security controls (NSCs) are configured and maintained |
Shared |
n/a |
All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1. |
link |
8 |
PCI_DSS_v4.0 |
12.3.1 |
PCI_DSS_v4.0_12.3.1 |
PCI DSS v4.0 12.3.1 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risks to the cardholder data environment are formally identified, evaluated, and managed |
Shared |
n/a |
Each PCI DSS requirement that provides flexibility for how frequently it is performed (for example, requirements to be performed periodically) is supported by a targeted risk analysis that is documented and includes:
• Identification of the assets being protected.
• Identification of the threat(s) that the requirement is protecting against.
• Identification of factors that contribute to the likelihood and/or impact of a threat being realized.
• Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized.
• Review of each targeted risk analysis at least once every 12 months to determine whether the results are still valid or if an updated risk analysis is needed.
• Performance of updated risk analyses when needed, as determined by the annual review. |
link |
4 |
PCI_DSS_v4.0 |
12.3.2 |
PCI_DSS_v4.0_12.3.2 |
PCI DSS v4.0 12.3.2 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risks to the cardholder data environment are formally identified, evaluated, and managed |
Shared |
n/a |
A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach, to include:
• Documented evidence detailing each element specified in Appendix D: Customized Approach (including, at a minimum, a controls matrix and risk analysis).
• Approval of documented evidence by senior management.
• Performance of the targeted analysis of risk at least once every 12 months. |
link |
4 |
PCI_DSS_v4.0 |
5.2.3.1 |
PCI_DSS_v4.0_5.2.3.1 |
PCI DSS v4.0 5.2.3.1 |
Requirement 05: Protect All Systems and Networks from Malicious Software |
Malicious software (malware) is prevented, or detected and addressed |
Shared |
n/a |
The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. |
link |
3 |
PCI_DSS_v4.0 |
5.3.5 |
PCI_DSS_v4.0_5.3.5 |
PCI DSS v4.0 5.3.5 |
Requirement 05: Protect All Systems and Networks from Malicious Software |
Anti-malware mechanisms and processes are active, maintained, and monitored |
Shared |
n/a |
Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period. |
link |
8 |
PCI_DSS_v4.0 |
6.5.1 |
PCI_DSS_v4.0_6.5.1 |
PCI DSS v4.0 6.5.1 |
Requirement 06: Develop and Maintain Secure Systems and Software |
Changes to all system components are managed securely |
Shared |
n/a |
Changes to all system components in the production environment are made according to established procedures that include:
• Reason for, and description of, the change.
• Documentation of security impact.
• Documented change approval by authorized parties.
• Testing to verify that the change does not adversely impact system security.
• For bespoke and custom software changes, all updates are tested for compliance with Requirement 6.2.4 before being deployed into production.
• Procedures to address failures and return to a secure state. |
link |
8 |
SOC_2 |
CC3.1 |
SOC_2_CC3.1 |
SOC 2 Type 2 CC3.1 |
Risk Assessment |
COSO Principle 6 |
Shared |
The customer is responsible for implementing this recommendation. |
• Reflects Management's Choices — Operations objectives reflect management's
choices about structure, industry considerations, and performance of the entity.
• Considers Tolerances for Risk — Management considers the acceptable levels of
variation relative to the achievement of operations objectives.
• Includes Operations and Financial Performance Goals — The organization reflects
the desired level of operations and financial performance for the entity within operations objectives.
• Forms a Basis for Committing of Resources — Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance.
External Financial Reporting Objectives
• Complies With Applicable Accounting Standards — Financial reporting objectives
are consistent with accounting principles suitable and available for that entity. The
accounting principles selected are appropriate in the circumstances.
• Considers Materiality — Management considers materiality in financial statement
presentation.
• Reflects Entity Activities — External reporting reflects the underlying transactions
and events to show qualitative characteristics and assertions.
External Nonfinancial Reporting Objectives
• Complies With Externally Established Frameworks — Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations.
• Considers the Required Level of Precision — Management reflects the required
level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting.
• Reflects Entity Activities — External reporting reflects the underlying transactions
and events within a range of acceptable limits.
Internal Reporting Objectives
• Reflects Management's Choices — Internal reporting provides management with
accurate and complete information regarding management's choices and information Page 22
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
needed in managing the entity.
• Considers the Required Level of Precision — Management reflects the required
level of precision and accuracy suitable for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives.
• Reflects Entity Activities — Internal reporting reflects the underlying transactions
and events within a range of acceptable limits.
Compliance Objectives
• Reflects External Laws and Regulations — Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives.
• Considers Tolerances for Risk — Management considers the acceptable levels of
variation relative to the achievement of operations objectives |
|
7 |
SOC_2 |
CC3.2 |
SOC_2_CC3.2 |
SOC 2 Type 2 CC3.2 |
Risk Assessment |
COSO Principle 7 |
Shared |
The customer is responsible for implementing this recommendation. |
Points of focus specified in the COSO framework:
• Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels — The
entity identifies and assesses risk at the entity, subsidiary, division, operating unit,
and functional levels relevant to the achievement of objectives.
• Analyzes Internal and External Factors — Risk identification considers both internal
and external factors and their impact on the achievement of objectives.
• Involves Appropriate Levels of Management — The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management.
• Estimates Significance of Risks Identified — Identified risks are analyzed through a
process that includes estimating the potential significance of the risk.
• Determines How to Respond to Risks — Risk assessment includes considering how
the risk should be managed and whether to accept, avoid, reduce, or share the risk.
Additional points of focus specifically related to all engagements using the trust services criteria:
• Identifies and Assesses Criticality of Information Assets and Identifies Threats and
Vulnerabilities — The entity's risk identification and assessment process includes
(1) identifying information assets, including physical devices and systems, virtual
devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying
the threats to the assets from intentional (including malicious) and unintentional
acts and environmental events; and (4) identifying the vulnerabilities of the identified assets.
• Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other
Parties — The entity's risk assessment process includes the analysis of potential
threats and vulnerabilities arising from vendors providing goods and services, as
well as threats and vulnerabilities arising from business partners, customers, and
others with access to the entity's information systems.
• Considers the Significance of the Risk — The entity’s consideration of the potential
significance of the identified risks includes (1) determining the criticality of identified assets in meeting objectives; (2) assessing the impact of identified threats and
vulnerabilities in meeting objectives; (3) assessing the likelihood of identified
threats; and (4) determining the risk associated with assets based on asset criticality, threat impact, and likelihood. |
|
11 |
SOC_2 |
CC3.3 |
SOC_2_CC3.3 |
SOC 2 Type 2 CC3.3 |
Risk Assessment |
COSO Principle 8 |
Shared |
The customer is responsible for implementing this recommendation. |
• Considers Various Types of Fraud — The assessment of fraud considers fraudulent
Page 24
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
reporting, possible loss of assets, and corruption resulting from the various ways
that fraud and misconduct can occur.
• Assesses Incentives and Pressures — The assessment of fraud risks considers incentives and pressures.
• Assesses Opportunities — The assessment of fraud risk considers opportunities for
unauthorized acquisition, use, or disposal of assets, altering the entity’s reporting
records, or committing other inappropriate acts.
• Assesses Attitudes and Rationalizations — The assessment of fraud risk considers
how management and other personnel might engage in or justify inappropriate actions.
Additional point of focus specifically related to all engagements using the trust services criteria:
• Considers the Risks Related to the Use of IT and Access to Information — The assessment of fraud risks includes consideration of threats and vulnerabilities that
arise specifically from the use of IT and access to information |
|
1 |
SOC_2 |
CC3.4 |
SOC_2_CC3.4 |
SOC 2 Type 2 CC3.4 |
Risk Assessment |
COSO Principle 9 |
Shared |
The customer is responsible for implementing this recommendation. |
• Assesses Changes in the External Environment — The risk identification process
considers changes to the regulatory, economic, and physical environment in which
the entity operates.
• Assesses Changes in the Business Model — The entity considers the potential impacts of new business lines, dramatically altered compositions of existing business
lines, acquired or divested business operations on the system of internal control,
rapid growth, changing reliance on foreign geographies, and new technologies.
• Assesses Changes in Leadership — The entity considers changes in management
and respective attitudes and philosophies on the system of internal control.
Page 25
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
Additional point of focus specifically related to all engagements using the trust services criteria:
• Assesses Changes in Systems and Technology — The risk identification process
considers changes arising from changes in the entity’s systems and changes in the
technology environment.
• Assesses Changes in Vendor and Business Partner Relationships — The risk identification process considers changes in vendor and business partner relationships |
|
6 |
SOC_2 |
CC5.1 |
SOC_2_CC5.1 |
SOC 2 Type 2 CC5.1 |
Control Activities |
COSO Principle 10 |
Shared |
The customer is responsible for implementing this recommendation. |
• Integrates With Risk Assessment — Control activities help ensure that risk responses that address and mitigate risks are carried out.
• Considers Entity-Specific Factors — Management considers how the environment,
complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities.
• Determines Relevant Business Processes — Management determines which relevant business processes require control activities.
• Evaluates a Mix of Control Activity Types — Control activities include a range and
variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls.
• Considers at What Level Activities Are Applied — Management considers control
activities at various levels in the entity.
• Addresses Segregation of Duties — Management segregates incompatible duties
and, where such segregation is not practical, management selects and develops alternative control activities. |
|
2 |
SOC_2 |
CC5.2 |
SOC_2_CC5.2 |
SOC 2 Type 2 CC5.2 |
Control Activities |
COSO Principle 11 |
Shared |
The customer is responsible for implementing this recommendation. |
• Determines Dependency Between the Use of Technology in Business Processes and
Technology General Controls — Management understands and determines the dependency and linkage between business processes, automated control activities, and
technology general controls.
• Establishes Relevant Technology Infrastructure Control Activities — Management
selects and develops control activities over the technology infrastructure, which are
designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
• Establishes Relevant Security Management Process Controls Activities — Management selects and develops control activities that are designed and implemented
to restrict technology access rights to authorized users commensurate with their job
responsibilities and to protect the entity’s assets from external threats.
• Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities — Management selects and develops control activities over the acquisition, development and maintenance of technology and its infrastructure to achieve management's objectives. |
|
18 |
SOC_2 |
CC5.3 |
SOC_2_CC5.3 |
SOC 2 Type 2 CC5.3 |
Control Activities |
COSO Principle 12 |
Shared |
The customer is responsible for implementing this recommendation. |
Establishes Policies and Procedures to Support Deployment of Management’s Directives — Management establishes control activities that are built into business
processes and employees’ day-to-day activities through policies establishing what is
expected and relevant procedures specifying actions.
• Establishes Responsibility and Accountability for Executing Policies and Procedures — Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside.
• Performs in a Timely Manner — Responsible personnel perform control activities in
a timely manner as defined by the policies and procedures.
• Takes Corrective Action — Responsible personnel investigate and act on matters
identified as a result of executing control activities.
• Performs Using Competent Personnel — Competent personnel with sufficient authority perform control activities with diligence and continuing focus.
• Reassesses Policies and Procedures — Management periodically reviews control
activities to determine their continued relevance and refreshes them when necessary |
|
4 |
SOC_2 |
CC8.1 |
SOC_2_CC8.1 |
SOC 2 Type 2 CC8.1 |
Change Management |
Changes to infrastructure, data, and software |
Shared |
The customer is responsible for implementing this recommendation. |
Manages Changes Throughout the System Life Cycle — A process for managing
system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and
processing integrity.
• Authorizes Changes — A process is in place to authorize system changes prior to
development.
• Designs and Develops Changes — A process is in place to design and develop system changes.
• Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing
their responsibilities.
• Tracks System Changes — A process is in place to track system changes prior to
implementation.
• Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software.
• Tests System Changes — A process is in place to test system changes prior to implementation.
• Approves System Changes — A process is in place to approve system changes prior
to implementation.
• Deploys System Changes — A process is in place to implement system changes.
• Identifies and Evaluates System Changes — Objectives affected by system changes
are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle.
• Identifies Changes in Infrastructure, Data, Software, and Procedures Required to
Remediate Incidents — Changes in infrastructure, data, software, and procedures
required to remediate incidents to continue to meet objectives are identified and the
change process is initiated upon identification.
• Creates Baseline Configuration of IT Technology — A baseline configuration of IT
and control systems is created and maintained.
• Provides for Changes Necessary in Emergency Situations — A process is in place
for authorizing, designing, testing, approving, and implementing changes necessary
in emergency situations (that is, changes that need to be implemented in an urgent
time frame).
Additional points of focus that apply only in an engagement using the trust services criteria for
confidentiality:
• Protects Confidential Information — The entity protects confidential information
during system design, development, testing, implementation, and change processes
to meet the entity’s objectives related to confidentiality.
Additional points of focus that apply only in an engagement using the trust services criteria for
privacy:
• Protects Personal Information — The entity protects personal information during
system design, development, testing, implementation, and change processes to meet
the entity’s objectives related to privacy. |
|
52 |
SOC_2 |
CC9.1 |
SOC_2_CC9.1 |
SOC 2 Type 2 CC9.1 |
Risk Mitigation |
Risk mitigation activities |
Shared |
The customer is responsible for implementing this recommendation. |
• Considers Mitigation of Risks of Business Disruption — Risk mitigation activities
include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security
events that disrupt business operations. Those policies and procedures include monitoring processes, information, and communications to meet the entity's objectives
during response, mitigation, and recovery efforts.
• Considers the Use of Insurance to Mitigate Financial Impact Risks — The risk
management activities consider the use of insurance to offset the financial impact of
loss events that would otherwise impair the ability of the entity to meet its objectives |
|
3 |
SWIFT_CSCF_v2022 |
2.3 |
SWIFT_CSCF_v2022_2.3 |
SWIFT CSCF v2022 2.3 |
2. Reduce Attack Surface and Vulnerabilities |
Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. |
Shared |
n/a |
Security hardening is conducted and maintained on all in-scope components. |
link |
25 |
SWIFT_CSCF_v2022 |
7.4A |
SWIFT_CSCF_v2022_7.4A |
SWIFT CSCF v2022 7.4A |
7. Plan for Incident Response and Information Sharing |
Evaluate the risk and readiness of the organisation based on plausible cyber-attack scenarios. |
Shared |
n/a |
Scenario-based risk assessments are conducted regularly to improve incident response preparedness and to increase the maturity of the organisation’s security programme. |
link |
7 |