last sync: 2025-Apr-29 17:16:02 UTC

Audit Windows machines that do not contain the specified certificates in Trusted Root

Azure BuiltIn Policy definition

Source Azure Portal
Display name Audit Windows machines that do not contain the specified certificates in Trusted Root
Id 934345e1-4dfb-4c70-90d7-41990dc9608b
Version 3.0.0
Versioning Built-in Versioning [Preview]; versions supported: 1 (3.0.0)
Category Guest Configuration
Description Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.0.1'
Repository: Azure-Policy 934345e1-4dfb-4c70-90d7-41990dc9608b
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Fixed: auditIfNotExists
RBAC role(s) none
Rule aliases IF (7)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Compute/imageOffer Microsoft.Compute virtualMachines properties.storageProfile.imageReference.offer True False
Microsoft.Compute/imageOffer Microsoft.Compute virtualMachineScaleSets properties.virtualMachineProfile.storageProfile.imageReference.offer True False
Microsoft.Compute/imageOffer Microsoft.Compute disks properties.creationData.imageReference.id True False
Microsoft.Compute/imagePublisher Microsoft.Compute virtualMachines properties.storageProfile.imageReference.publisher True False
Microsoft.Compute/imagePublisher Microsoft.Compute virtualMachineScaleSets properties.virtualMachineProfile.storageProfile.imageReference.publisher True False
Microsoft.Compute/imagePublisher Microsoft.Compute disks properties.creationData.imageReference.id True False
Microsoft.Compute/imageSKU Microsoft.Compute virtualMachines properties.storageProfile.imageReference.sku True False
Microsoft.Compute/imageSKU Microsoft.Compute virtualMachineScaleSets properties.virtualMachineProfile.storageProfile.imageReference.sku True False
Microsoft.Compute/imageSKU Microsoft.Compute disks properties.creationData.imageReference.id True False
Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration Microsoft.Compute virtualMachines properties.osProfile.windowsConfiguration True True
Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType Microsoft.Compute virtualMachines properties.storageProfile.osDisk.osType True True
Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType Microsoft.ConnectedVMwarevSphere virtualmachines properties.osProfile.osType True False
Microsoft.HybridCompute/imageOffer Microsoft.HybridCompute machines properties.osName True False
THEN-ExistenceCondition (2)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus Microsoft.GuestConfiguration guestConfigurationAssignments properties.complianceStatus True False
Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash Microsoft.GuestConfiguration guestConfigurationAssignments properties.parameterHash True False
Rule resource types IF (3)
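Worked example, added here and not code from the policy definition or its Guest Configuration package: a local PowerShell check that mirrors the rule stated in the description (non-compliant when Cert:\LocalMachine\Root lacks one or more of the listed certificates), so a machine can be pre-checked before assignment or a non-compliant guestConfigurationAssignments complianceStatus can be triaged on the box. It assumes the policy parameter is a semicolon-separated list of SHA-1 certificate thumbprints; the parameter name CertificateThumbprints is an assumption, since this page does not list the parameters. Like the policy, it tests presence only: it does not flag extra roots, expired certificates, or a parameterHash that no longer matches the assignment.

```powershell
# Added example; not the built-in policy's own audit code.
# Assumption: the policy parameter is "THUMB1;THUMB2;..." (SHA-1 thumbprints).

function Test-TrustedRootThumbprints {
    [CmdletBinding()]
    param(
        # Same shape as the (assumed) CertificateThumbprints policy parameter.
        [Parameter(Mandatory)] [string] $CertificateThumbprints,
        # The store the policy description names; overridable for testing.
        [string] $StorePath = 'Cert:\LocalMachine\Root'
    )

    # Normalise the input the way an operator is likely to paste it:
    # split on ';', strip whitespace and colons, upper-case, drop empties.
    $wanted = @($CertificateThumbprints -split ';' |
        ForEach-Object { ($_ -replace '[\s:]', '').ToUpperInvariant() } |
        Where-Object { $_ })

    if ($wanted.Count -eq 0) {
        throw 'No thumbprints supplied'
    }
    foreach ($t in $wanted) {
        if ($t -notmatch '^[0-9A-F]{40}$') {
            throw "'$t' is not a 40-hex-character SHA-1 thumbprint"
        }
    }

    # Thumbprints actually present in the machine Trusted Root store.
    $installed = @(Get-ChildItem -Path $StorePath |
        ForEach-Object { $_.Thumbprint.ToUpperInvariant() })

    # Policy rule: any listed thumbprint that is absent makes the machine non-compliant.
    $missing = @($wanted | Where-Object { $installed -notcontains $_ })

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Store        = $StorePath
        Checked      = $wanted.Count
        Missing      = $missing
        Compliant    = ($missing.Count -eq 0)
    }
}

# Usage (the two thumbprints are placeholders, not real CA thumbprints):
# Test-TrustedRootThumbprints -CertificateThumbprints `
#     'A1B2C3D4E5F60718293A4B5C6D7E8F9001122334;FFEEDDCCBBAA99887766554433221100ABCDEF01'
```

Because the effect is fixed to auditIfNotExists, a non-compliant result is only reported, never remediated by the policy. Installing a missing root is a separate administrative step (for example Import-Certificate from the PKI module with -CertStoreLocation Cert:\LocalMachine\Root), after which the machine is reassessed at the next Guest Configuration evaluation.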
Compliance
The following 58 compliance controls are associated with this Policy definition 'Audit Windows machines that do not contain the specified certificates in Trusted Root' (934345e1-4dfb-4c70-90d7-41990dc9608b)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Canada_Federal_PBMM_3-1-2020 CM_3 Canada_Federal_PBMM_3-1-2020_CM_3 Canada Federal PBMM 3-1-2020 CM 3 Configuration Change Control Configuration Change Control Shared 1. The organization determines the types of changes to the information system that are configuration-controlled. 2. The organization reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses. 3. The organization documents configuration change decisions associated with the information system. 4. The organization implements approved configuration-controlled changes to the information system. 5. The organization retains records of configuration-controlled changes to the information system for at least 90 days. 6. The organization audits and reviews activities associated with configuration-controlled changes to the information system. 7. The organization coordinates and provides oversight for configuration change control activities through a central communication process that includes organizational governance bodies that convenes at least annually. To ensure systematic control and oversight of configuration changes to the information system, mitigating risks and maintaining system integrity. 5
Canada_Federal_PBMM_3-1-2020 CM_6 Canada_Federal_PBMM_3-1-2020_CM_6 Canada Federal PBMM 3-1-2020 CM 6 Configuration Settings Configuration Settings Shared 1. The organization establishes and documents configuration settings for information technology products employed within the information system using checklists from one or more of the following: a. Center for Internet Security (CIS), National Institute of Standards and Technology (NIST), Defense Information Systems Agency (DISA) that reflect the most restrictive mode consistent with operational requirements. 2. The organization implements the configuration settings. 3. The organization identifies, documents, and approves any deviations from established configuration settings for any configurable information system components. 4. The organization monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. To ensure systematic configuration management of information technology products. 5
Canada_Federal_PBMM_3-1-2020 CM_6(1) Canada_Federal_PBMM_3-1-2020_CM_6(1) Canada Federal PBMM 3-1-2020 CM 6(1) Configuration Settings Configuration Settings | Automated Central Management / Application / Verification Shared The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for organization-defined information system components. To enhance efficiency, consistency, and security in configuration management processes. 5
Canada_Federal_PBMM_3-1-2020 CM_6(2) Canada_Federal_PBMM_3-1-2020_CM_6(2) Canada Federal PBMM 3-1-2020 CM 6(2) Configuration Settings Configuration Settings | Respond to Unauthorized Changes Shared The organization employs organization-defined security safeguards to respond to unauthorized changes to organization-defined configuration settings. To ensure prompt detection, mitigation, and resolution of potential security risks. 5
Canada_Federal_PBMM_3-1-2020 CM_7 Canada_Federal_PBMM_3-1-2020_CM_7 Canada Federal PBMM 3-1-2020 CM 7 Least Functionality Least Functionality Shared 1. The organization configures the information system to provide only essential capabilities. 2. The organization prohibits or restricts the use of identified functions, ports, protocols, and/or services following one or more standards from Center for Internet Security (CIS), National Institute of Standards and Technology (NIST), or Defense Information Systems Agency (DISA). To minimise the attack surface of the information system. 5
Canada_Federal_PBMM_3-1-2020 CM_7(1) Canada_Federal_PBMM_3-1-2020_CM_7(1) Canada Federal PBMM 3-1-2020 CM 7(1) Least Functionality Least Functionality | Periodic Review Shared 1. The organization reviews the information system at least annually to identify unnecessary and/or non-secure functions, ports, protocols, and services; and 2. The organization disables all functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure. To strengthen overall cybersecurity posture. 5
Canada_Federal_PBMM_3-1-2020 CM_9 Canada_Federal_PBMM_3-1-2020_CM_9 Canada Federal PBMM 3-1-2020 CM 9 Configuration Management Plan Configuration Management Plan Shared 1. The organization develops, documents, and implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. 2. The organization develops, documents, and implements a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items. 3. The organization develops, documents, and implements a configuration management plan for the information system that defines the configuration items for the information system and places the configuration items under configuration management; and 4. The organization develops, documents, and implements a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification. To protect configuration items throughout their lifecycle while safeguarding the integrity of the configuration management plan. 5
Canada_Federal_PBMM_3-1-2020 SA_10 Canada_Federal_PBMM_3-1-2020_SA_10 Canada Federal PBMM 3-1-2020 SA 10 Developer Configuration Management Developer Configuration Management Shared 1. The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service development, implementation, and operation. 2. The organization requires the developer of the information system, system component, or information system service to document, manage, and control the integrity of changes to all items under configuration management; 3. The organization requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service; 4. The organization requires the developer of the information system, system component, or information system service to document approved changes to the system, component, or service and the potential security impacts of such changes; and 5. The organization requires the developer of the information system, system component, or information system service to track security flaws and flaw resolution within the system, component, or service and report findings to the Chief Information Officer or delegate. To ensure systematic management of system integrity and security throughout the development lifecycle. 5
Canada_Federal_PBMM_3-1-2020 SA_4(9) Canada_Federal_PBMM_3-1-2020_SA_4(9) Canada Federal PBMM 3-1-2020 SA 4(9) Acquisition Process Acquisition Process | Functions / Ports / Protocols / Services in Use Shared The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use. To facilitate early identification and assessment of potential security risks. 5
Canada_Federal_PBMM_3-1-2020 SA_9(2) Canada_Federal_PBMM_3-1-2020_SA_9(2) Canada Federal PBMM 3-1-2020 SA 9(2) External Information System Services External Information System Services | Identification of Functions / Ports / Protocols / Services Shared The organization requires providers of all external information systems and services to identify the functions, ports, protocols, and other services required for the use of such services. To manage security risks and ensure the secure and efficient operation of external systems and services. 5
CIS_Controls_v8.1 12.5 CIS_Controls_v8.1_12.5 CIS Controls v8.1 12.5 Network Infrastructure Management Centralize network authentication, authorization and auditing (AAA) Shared Centralize network AAA. To ensure that all network AAA is centralized to maintain standardisation and integrity of AAA. 22
CIS_Controls_v8.1 13.11 CIS_Controls_v8.1_13.11 CIS Controls v8.1 13.11 Network Monitoring and Defense Tune security event alerting thresholds Shared Tune security event alerting thresholds monthly, or more frequently. To regularly adjust and optimize security event alerting thresholds, aiming to enhance effectiveness. 50
CIS_Controls_v8.1 3.14 CIS_Controls_v8.1_3.14 CIS Controls v8.1 3.14 Data Protection Log sensitive data access Shared Log sensitive data access, including modification and disposal. To enhance accountability, traceability, and security measures within the enterprise. 47
CIS_Controls_v8.1 4.2 CIS_Controls_v8.1_4.2 CIS Controls v8.1 4.2 Secure Configuration of Enterprise Assets and Software Establish and maintain a secure configuration process for network infrastructure. Shared 1. Establish and maintain a secure configuration process for network devices. 2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. To ensure integrity of network devices and that they are up to date with the latest security updates. 3
CIS_Controls_v8.1 8.1 CIS_Controls_v8.1_8.1 CIS Controls v8.1 8.1 Audit Log Management Establish and maintain an audit log management process Shared 1. Establish and maintain an audit log management process that defines the enterprise’s logging requirements. 2. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. 3. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. To ensure appropriate management of audit log systems. 31
CIS_Controls_v8.1 8.2 CIS_Controls_v8.1_8.2 CIS Controls v8.1 8.2 Audit Log Management Collect audit logs. Shared 1. Collect audit logs. 2. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. To assist in troubleshooting of system issues and ensure integrity of data systems. 32
CIS_Controls_v8.1 8.5 CIS_Controls_v8.1_8.5 CIS Controls v8.1 8.5 Audit Log Management Collect detailed audit logs. Shared 1. Configure detailed audit logging for enterprise assets containing sensitive data. 2. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. To ensure that audit logs contain all pertinent information that might be required in a forensic investigation. 34
CIS_Controls_v8.1 8.7 CIS_Controls_v8.1_8.7 CIS Controls v8.1 8.7 Audit Log Management Collect URL request audit logs Shared Collect URL request audit logs on enterprise assets, where appropriate and supported. To maintain an audit trail of all URL requests made. 31
CIS_Controls_v8.1 8.8 CIS_Controls_v8.1_8.8 CIS Controls v8.1 8.8 Audit Log Management Collect command-line audit logs Shared Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell, BASH, and remote administrative terminals. To ensure recording of the commands and arguments used by a process. 31
CIS_Controls_v8.1 8.9 CIS_Controls_v8.1_8.9 CIS Controls v8.1 8.9 Audit Log Management Centralize audit logs Shared Centralize, to the extent possible, audit log collection and retention across enterprise assets. To optimize and simplify the process of audit log management. 31
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_11 EU_2555_(NIS2)_2022_11 EU 2022/2555 (NIS2) 2022 11 Requirements, technical capabilities and tasks of CSIRTs Shared n/a Outlines the requirements, technical capabilities, and tasks of CSIRTs. 68
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_12 EU_2555_(NIS2)_2022_12 EU 2022/2555 (NIS2) 2022 12 Coordinated vulnerability disclosure and a European vulnerability database Shared n/a Establishes a coordinated vulnerability disclosure process and a European vulnerability database. 66
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 193
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_29 EU_2555_(NIS2)_2022_29 EU 2022/2555 (NIS2) 2022 29 Cybersecurity information-sharing arrangements Shared n/a Allows entities to exchange relevant cybersecurity information on a voluntary basis. 66
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 310
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 310
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 310
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 310
FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 Policy and Implementation - Formal Audits Policy Area 11: Formal Audits Shared Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. 64
FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 404 not found n/a n/a 95
hipaa 0945.09y1Organizational.3-09.y hipaa-0945.09y1Organizational.3-09.y 0945.09y1Organizational.3-09.y 09 Transmission Protection 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services Shared n/a Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL). 6
HITRUST_CSF_v11.3 01.l HITRUST_CSF_v11.3_01.l HITRUST CSF v11.3 01.l Network Access Control Prevent unauthorized access to networked services. Shared Ports, services, and applications installed on a computer or network systems, which are not specifically required for business functionality, to be disabled or removed. Physical and logical access to diagnostic and configuration ports shall be controlled. 26
HITRUST_CSF_v11.3 09.aa HITRUST_CSF_v11.3_09.aa HITRUST CSF v11.3 09.aa Monitoring Ensure information security events are monitored and recorded to detect unauthorized information processing activities in compliance with all relevant legal requirements. Shared 1. Retention policies for audit logs are to be specified and the audit logs are to be retained accordingly. 2. A secure audit record is to be created each time a user accesses, creates, updates, or deletes covered and/or confidential information via the system. 3. Audit logs are to be maintained for account management activities, security policy changes, configuration changes, modification to sensitive information, read access to sensitive information, and printing of sensitive information. Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring. 39
HITRUST_CSF_v11.3 10.k HITRUST_CSF_v11.3_10.k HITRUST CSF v11.3 10.k Security In Development and Support Processes Ensure the security of application system software and information through the development process, project and support environments shall be strictly controlled. Shared 1. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management is to be formally addressed. 2. Changes to mobile device operating systems, patch levels, and/or applications is to be managed through a formal change management process. 3. A baseline configuration of the information system is to be developed, documented, and maintained under configuration control. The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures. 33
HITRUST_CSF_v11.3 2.1.1 HITRUST_CSF_v11.3_2.1.1 404 not found n/a n/a 1
HITRUST_CSF_v11.3 3.2.8 HITRUST_CSF_v11.3_3.2.8 404 not found n/a n/a 1
NIST_SP_800-171_R3_3.4.6 NIST_SP_800-171_R3_3.4.6 404 not found n/a n/a 24
NIST_SP_800-53_R5.1.1 CM.7.1 NIST_SP_800-53_R5.1.1_CM.7.1 NIST SP 800-53 R5.1.1 CM.7.1 Configuration Management Control Least Functionality | Periodic Review Shared (a) Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and (b) Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure]. Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking. 5
NIST_SP_800-53_R5.1.1 SI.7.1 NIST_SP_800-53_R5.1.1_SI.7.1 NIST SP 800-53 R5.1.1 SI.7.1 System and Information Integrity Control Software, Firmware, and Information Integrity | Integrity Checks Shared Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events] ; [Assignment: organization-defined frequency] ]. Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort. 1
NZISM_v3.7 16.6.10.C.01. NZISM_v3.7_16.6.10.C.01. NZISM v3.7 16.6.10.C.01. Event Logging and Auditing 16.6.10.C.01. - enhance system security and accountability. Shared n/a Agencies SHOULD log the events listed in the table below for specific software components. 1. Database - a. System user access to the database. b. Attempted access that is denied. c. Changes to system user roles or database rights. d. Addition of new system users, especially privileged users. e. Modifications to the data. f. Modifications to the format or structure of the database. 2. Network/operating system a. Successful and failed attempts to logon and logoff. b. Changes to system administrator and system user accounts. c. Failed attempts to access data and system resources. d. Attempts to use special privileges. e. Use of special privileges. f. System user or group management. g. Changes to the security policy. h. Service failures and restarts. i. System startup and shutdown. j. Changes to system configuration data. k. Access to sensitive data and processes. l. Data import/export operations. 3. Web application a. System user access to the Web application. b. Attempted access that is denied. c. System user access to the Web documents. d. Search engine queries initiated by system users. 33
NZISM_v3.7 16.6.10.C.02. NZISM_v3.7_16.6.10.C.02. NZISM v3.7 16.6.10.C.02. Event Logging and Auditing 16.6.10.C.02. - enhance system security and accountability. Shared n/a Agencies SHOULD log, at minimum, the following events for all software components: 1. user login; 2. all privileged operations; 3. failed attempts to elevate privileges; 4. security related system alerts and failures; 5. system user and group additions, deletions and modification to permissions; and 6. unauthorised or failed access attempts to systems and files identified as critical to the agency. 50
NZISM_v3.7 16.6.11.C.01. NZISM_v3.7_16.6.11.C.01. NZISM v3.7 16.6.11.C.01. Event Logging and Auditing 16.6.11.C.01. - enhance system security and accountability. Shared n/a For each event identified as needing to be logged, agencies MUST ensure that the log facility records at least the following details, where applicable: 1. date and time of the event; 2. relevant system user(s) or processes; 3. event description; 4. success or failure of the event; 5. event source (e.g. application name); and 6. IT equipment location/identification. 50
NZISM_v3.7 16.6.12.C.01. NZISM_v3.7_16.6.12.C.01. NZISM v3.7 16.6.12.C.01. Event Logging and Auditing 16.6.12.C.01. - maintain integrity of the data. Shared n/a Event logs MUST be protected from: 1. modification and unauthorised access; and 2. whole or partial loss within the defined retention period. 50
NZISM_v3.7 16.6.6.C.01. NZISM_v3.7_16.6.6.C.01. NZISM v3.7 16.6.6.C.01. Event Logging and Auditing 16.6.6.C.01. - enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies MUST maintain system management logs for the life of a system. 50
NZISM_v3.7 16.6.7.C.01. NZISM_v3.7_16.6.7.C.01. NZISM v3.7 16.6.7.C.01. Event Logging and Auditing 16.6.7.C.01. - facilitate effective monitoring, troubleshooting, and auditability of system operations. Shared n/a A system management log SHOULD record the following minimum information: 1. all system start-up and shutdown; 2. service, application, component or system failures; 3. maintenance activities; 4. backup and archival activities; 5. system recovery activities; and 6. special or out of hours activities. 50
NZISM_v3.7 16.6.9.C.01. NZISM_v3.7_16.6.9.C.01. NZISM v3.7 16.6.9.C.01. Event Logging and Auditing 16.6.9.C.01. - enhance system security and accountability. Shared n/a Agencies MUST log, at minimum, the following events for all software components: 1. logons; 2. failed logon attempts; 3. logoffs; 4. date and time; 5. all privileged operations; 6. failed attempts to elevate privileges; 7. security related system alerts and failures; 8. system user and group additions, deletions and modification to permissions; and 9. unauthorised or failed access attempts to systems and files identified as critical to the agency. 48
NZISM_v3.7 22.3.11.C.01. NZISM_v3.7_22.3.11.C.01. NZISM v3.7 22.3.11.C.01. Virtual Local Area Networks 22.3.11.C.01. - ensure data security and integrity. Shared n/a Unused ports on the switches MUST be disabled. 18
NZISM_v3.7 22.3.11.C.02. NZISM_v3.7_22.3.11.C.02. NZISM v3.7 22.3.11.C.02. Virtual Local Area Networks 22.3.11.C.02. - ensure data security and integrity. Shared n/a Unused ports on the switches SHOULD be disabled. 18
PCI_DSS_v4.0.1 10.3.4 PCI_DSS_v4.0.1_10.3.4 PCI DSS v4.0.1 10.3.4 Log and Monitor All Access to System Components and Cardholder Data Log Integrity Monitoring Shared n/a File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts. 28
PCI_DSS_v4.0.1 11.5.2 PCI_DSS_v4.0.1_11.5.2 PCI DSS v4.0.1 11.5.2 Test Security of Systems and Networks Regularly Change-Detection Mechanism Deployment Shared n/a A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows: • To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files. • To perform critical file comparisons at least once weekly. 31
PCI_DSS_v4.0.1 2.2.4 PCI_DSS_v4.0.1_2.2.4 PCI DSS v4.0.1 2.2.4 Apply Secure Configurations to All System Components Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled Shared n/a Examine system configuration standards to verify necessary services, protocols, daemons, and functions are identified and documented. Examine system configurations to verify the following: All unnecessary functionality is removed or disabled. Only required functionality, as documented in the configuration standards, is enabled 25
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication Facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 218
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities Maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 229
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 213
SOC_2023 CC8.1 SOC_2023_CC8.1 SOC 2023 CC8.1 Change Management Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. Shared n/a The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. 147
SWIFT_CSCF_2024 2.1 SWIFT_CSCF_2024_2.1 SWIFT Customer Security Controls Framework 2024 2.1 Risk Management Internal Data Flow Security Shared The protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit. To ensure the confidentiality, integrity, and authenticity of application data flows between ’user’s Swift-related components. 48
SWIFT_CSCF_2024 6.2 SWIFT_CSCF_2024_6.2 SWIFT Customer Security Controls Framework 2024 6.2 Risk Management Software Integrity Shared Software integrity checks provide a detective control against unexpected modification to operational software. To ensure the software integrity of the Swift-related components and act upon results. 16
SWIFT_CSCF_2024 6.3 SWIFT_CSCF_2024_6.3 SWIFT Customer Security Controls Framework 2024 6.3 Risk Management Database Integrity Shared Database integrity checks allow unexpected modification to records stored within the database to be detected. To ensure the integrity of the database records for the Swift messaging interface or the customer connector and act upon results. 16
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Preview]: Motion Picture Association of America (MPAA) 92646f03-e39d-47a9-9e24-58d60ef49af8 Regulatory Compliance Preview BuiltIn unknown
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-02-18 17:44:00 change Major (2.0.0 > 3.0.0)
2022-01-28 17:51:01 change Major (1.0.1 > 2.0.0)
2020-09-09 11:24:03 add 934345e1-4dfb-4c70-90d7-41990dc9608b