compliance controls are associated with this Policy definition 'Windows machines should meet requirements for 'System Audit Policies - Account Management'' (94d9aca8-3757-46df-aa51-f218c5f11954)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Canada_Federal_PBMM_3-1-2020 |
AC_14 |
Canada_Federal_PBMM_3-1-2020_AC_14 |
Canada Federal PBMM 3-1-2020 AC 14 |
Permitted Actions Without Identification or Authentication |
Permitted Actions without Identification or Authentication |
Shared |
1. The organization identifies user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions.
2. The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication. |
To ensure transparency and accountability in the system's security measures. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
AC_3 |
Canada_Federal_PBMM_3-1-2020_AC_3 |
Canada Federal PBMM 3-1-2020 AC 3 |
Access Enforcement |
Access Enforcement |
Shared |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
To mitigate the risk of unauthorized access. |
|
30 |
| Canada_Federal_PBMM_3-1-2020 |
CA_7 |
Canada_Federal_PBMM_3-1-2020_CA_7 |
Canada Federal PBMM 3-1-2020 CA 7 |
Continuous Monitoring |
Continuous Monitoring |
Shared |
1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored.
2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan.
3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy.
4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy.
5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring.
6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information.
7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency. |
To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements. |
|
120 |
| Canada_Federal_PBMM_3-1-2020 |
IA_1 |
Canada_Federal_PBMM_3-1-2020_IA_1 |
Canada Federal PBMM 3-1-2020 IA 1 |
Identification and Authentication Policy and Procedures |
Identification and Authentication Policy and Procedures |
Shared |
1. The organization Develops, documents, and disseminates to all personnel:
a. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
2. The organization Reviews and updates the current:
a. Identification and authentication policy at least every 3 years; and
b. Identification and authentication procedures at least annually. |
To ensure secure access control and compliance with established standards. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
IA_2 |
Canada_Federal_PBMM_3-1-2020_IA_2 |
Canada Federal PBMM 3-1-2020 IA 2 |
Identification and Authentication (Organizational Users) |
Identification and Authentication (Organizational Users) |
Shared |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
To prevent unauthorized access and maintain system security. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
IA_4(2) |
Canada_Federal_PBMM_3-1-2020_IA_4(2) |
Canada Federal PBMM 3-1-2020 IA 4(2) |
Identifier Management |
Identifier Management | Supervisor Authorization |
Shared |
The organization requires that the registration process to receive an individual identifier includes supervisor authorization. |
To ensure accountability and authorization by requiring supervisor approval during the registration process for individual identifiers. |
|
18 |
| Canada_Federal_PBMM_3-1-2020 |
IA_4(3) |
Canada_Federal_PBMM_3-1-2020_IA_4(3) |
Canada Federal PBMM 3-1-2020 IA 4(3) |
Identifier Management |
Identifier Management | Multiple Forms of Certification |
Shared |
The organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority. |
To enhance the reliability and accuracy of individual identification. |
|
18 |
| Canada_Federal_PBMM_3-1-2020 |
IA_5(3) |
Canada_Federal_PBMM_3-1-2020_IA_5(3) |
Canada Federal PBMM 3-1-2020 IA 5(3) |
Authenticator Management |
Authenticator Management | In-Person or Trusted Third-Party Registration |
Shared |
The organization requires that the registration process to receive be conducted in person before an organization-defined registration authority with authorization by organization-defined personnel or roles. |
To enhance security and accountability within the organization's registration procedures. |
|
25 |
| Canada_Federal_PBMM_3-1-2020 |
IA_8 |
Canada_Federal_PBMM_3-1-2020_IA_8 |
Canada Federal PBMM 3-1-2020 IA 8 |
Identification and Authentication (Non-Organizational Users) |
Identification and Authentication (Non-Organizational Users) |
Shared |
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). |
To ensure secure access and accountability. |
|
16 |
| Canada_Federal_PBMM_3-1-2020 |
SI_4 |
Canada_Federal_PBMM_3-1-2020_SI_4 |
Canada Federal PBMM 3-1-2020 SI 4 |
Information System Monitoring |
Information System Monitoring |
Shared |
1. The organization monitors the information system to detect:
a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and
b. Unauthorized local, network, and remote connections;
2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods.
3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization.
4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.
5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information.
6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards.
7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency. |
To enhance overall security posture.
|
|
93 |
| Canada_Federal_PBMM_3-1-2020 |
SI_4(1) |
Canada_Federal_PBMM_3-1-2020_SI_4(1) |
Canada Federal PBMM 3-1-2020 SI 4(1) |
Information System Monitoring |
Information System Monitoring | System-Wide Intrusion Detection System |
Shared |
The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. |
To enhance overall security posture.
|
|
93 |
| Canada_Federal_PBMM_3-1-2020 |
SI_4(2) |
Canada_Federal_PBMM_3-1-2020_SI_4(2) |
Canada Federal PBMM 3-1-2020 SI 4(2) |
Information System Monitoring |
Information System Monitoring | Automated Tools for Real-Time Analysis |
Shared |
The organization employs automated tools to support near real-time analysis of events. |
To enhance overall security posture.
|
|
92 |
| CIS_Controls_v8.1 |
10.7 |
CIS_Controls_v8.1_10.7 |
CIS Controls v8.1 10.7 |
Malware Defenses |
Use behaviour based anti-malware software |
Shared |
Use behaviour based anti-malware software |
To ensure that a generic anti-malware software is not used. |
|
95 |
| CIS_Controls_v8.1 |
13.1 |
CIS_Controls_v8.1_13.1 |
CIS Controls v8.1 13.1 |
Network Monitoring and Defense |
Centralize security event alerting |
Shared |
1. Centralize security event alerting across enterprise assets for log correlation and analysis.
2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts.
3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard. |
To ensure that any security event is immediately alerted enterprise-wide. |
|
97 |
| CIS_Controls_v8.1 |
13.11 |
CIS_Controls_v8.1_13.11 |
CIS Controls v8.1 13.11 |
Network Monitoring and Defense |
Tune security event alerting thresholds |
Shared |
Tune security event alerting thresholds monthly, or more frequently.
|
To regularly adjust and optimize security event alerting thresholds, aiming to enhance effectiveness. |
|
48 |
| CIS_Controls_v8.1 |
13.3 |
CIS_Controls_v8.1_13.3 |
CIS Controls v8.1 13.3 |
Network Monitoring and Defense |
Deploy a network intrusion detection solution |
Shared |
1. Deploy a network intrusion detection solution on enterprise assets, where appropriate.
2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. |
To enhance the organization's cybersecurity. |
|
95 |
| CIS_Controls_v8.1 |
18.4 |
CIS_Controls_v8.1_18.4 |
CIS Controls v8.1 18.4 |
Penetration Testing |
Validate security measures |
Shared |
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. |
To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise. |
|
89 |
| CIS_Controls_v8.1 |
3.14 |
CIS_Controls_v8.1_3.14 |
CIS Controls v8.1 3.14 |
Data Protection |
Log sensitive data access |
Shared |
Log sensitive data access, including modification and disposal.
|
To enhance accountability, traceability, and security measures within the enterprise. |
|
45 |
| CIS_Controls_v8.1 |
8.1 |
CIS_Controls_v8.1_8.1 |
CIS Controls v8.1 8.1 |
Audit Log Management |
Establish and maintain an audit log management process |
Shared |
1. Establish and maintain an audit log management process that defines the enterprise’s logging requirements.
2. At a minimum, address the collection, review, and retention of audit logs for enterprise assets.
3. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. |
To ensure appropriate management of audit log systems. |
|
29 |
| CIS_Controls_v8.1 |
8.11 |
CIS_Controls_v8.1_8.11 |
CIS Controls v8.1 8.11 |
Audit Log Management |
Conduct audit log reviews |
Shared |
1. Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat.
2. Conduct reviews on a weekly, or more frequent, basis.
|
To ensure the integrity of the data in audit logs. |
|
59 |
| CIS_Controls_v8.1 |
8.2 |
CIS_Controls_v8.1_8.2 |
CIS Controls v8.1 8.2 |
Audit Log Management |
Collect audit logs. |
Shared |
1. Collect audit logs.
2. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
To assist in troubleshooting of system issues and ensure integrity of data systems. |
|
30 |
| CIS_Controls_v8.1 |
8.5 |
CIS_Controls_v8.1_8.5 |
CIS Controls v8.1 8.5 |
Audit Log Management |
Collect detailed audit logs. |
Shared |
1. Configure detailed audit logging for enterprise assets containing sensitive data.
2. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. |
To ensure that audit logs contain all pertinent information that might be required in a forensic investigation. |
|
32 |
| CIS_Controls_v8.1 |
8.7 |
CIS_Controls_v8.1_8.7 |
CIS Controls v8.1 8.7 |
Audit Log Management |
Collect URL request audit logs |
Shared |
Collect URL request audit logs on enterprise assets, where appropriate and supported. |
To maintain an audit trail of all URL requests made.
|
|
29 |
| CIS_Controls_v8.1 |
8.8 |
CIS_Controls_v8.1_8.8 |
CIS Controls v8.1 8.8 |
Audit Log Management |
Collect command-line audit logs |
Shared |
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell, BASH, and remote administrative terminals. |
To ensure recording of the commands and arguments used by a process. |
|
29 |
| CIS_Controls_v8.1 |
8.9 |
CIS_Controls_v8.1_8.9 |
CIS Controls v8.1 8.9 |
Audit Log Management |
Centralize audit logs |
Shared |
Centralize, to the extent possible, audit log collection and retention across enterprise assets. |
To optimize and simply the process of audit log management. |
|
29 |
| CMMC_L2_v1.9.0 |
AU.L2_3.3.3 |
CMMC_L2_v1.9.0_AU.L2_3.3.3 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.3 |
Audit and Accountability |
Event Review |
Shared |
Review and update logged events. |
To enhance the effectiveness of security measures. |
|
33 |
| CSA_v4.0.12 |
LOG_07 |
CSA_v4.0.12_LOG_07 |
CSA Cloud Controls Matrix v4.0.12 LOG 07 |
Logging and Monitoring |
Logging Scope |
Shared |
n/a |
Establish, document and implement which information meta/data system
events should be logged. Review and update the scope at least annually or whenever
there is a change in the threat environment. |
|
33 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
306 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.4 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.4 |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.5 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 |
Policy and Implementation - Access Control |
Access Control |
Shared |
Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. |
Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. |
|
97 |
| hipaa |
0605.10h1System.12-10.h |
hipaa-0605.10h1System.12-10.h |
0605.10h1System.12-10.h |
06 Configuration Management |
0605.10h1System.12-10.h 10.04 Security of System Files |
Shared |
n/a |
Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release. |
|
5 |
| HITRUST_CSF_v11.3 |
09.aa |
HITRUST_CSF_v11.3_09.aa |
HITRUST CSF v11.3 09.aa |
Monitoring |
Ensure information security events are monitored and recorded to detect unauthorized information processing activities in compliance with all relevant legal requirements. |
Shared |
1. Retention policies for audit logs are to be specified and the audit logs are to be retained accordingly.
2. A secure audit record is to be created each time a user accesses, creates, updates, or deletes covered and/or confidential information via the system.
3. Audit logs are to be maintained for account management activities, security policy changes, configuration changes, modification to sensitive information, read access to sensitive information, and printing of sensitive information. |
Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring. |
|
37 |
| HITRUST_CSF_v11.3 |
09.ab |
HITRUST_CSF_v11.3_09.ab |
HITRUST CSF v11.3 09.ab |
Monitoring |
Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. |
Shared |
1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required.
2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with. |
Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. |
|
109 |
| K_ISMS_P_2018 |
2.10.1 |
K_ISMS_P_2018_2.10.1 |
K ISMS P 2018 2.10.1 |
2.10 |
Establish Procedures for Managing the Security of System Operations |
Shared |
n/a |
Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions. |
|
455 |
| NIST_SP_800-171_R3_3 |
.3.1 |
NIST_SP_800-171_R3_3.3.1 |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
| NIST_SP_800-53_R5.1.1 |
AC.2.4 |
NIST_SP_800-53_R5.1.1_AC.2.4 |
NIST SP 800-53 R5.1.1 AC.2.4 |
Access Control |
Account Management | Automated Audit Actions |
Shared |
Automatically audit account creation, modification, enabling, disabling, and removal actions. |
Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6. |
|
5 |
| NIST_SP_800-53_R5.1.1 |
AU.12 |
NIST_SP_800-53_R5.1.1_AU.12 |
NIST SP 800-53 R5.1.1 AU.12 |
Audit and Accountability Control |
Audit Record Generation |
Shared |
a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components];
b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and
c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3. |
Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records. |
|
20 |
| NZISM_v3.7 |
16.6.10.C.01. |
NZISM_v3.7_16.6.10.C.01. |
NZISM v3.7 16.6.10.C.01. |
Event Logging and Auditing |
16.6.10.C.01. - enhance system security and accountability. |
Shared |
n/a |
Agencies SHOULD log the events listed in the table below for specific software components.
1. Database -
a. System user access to the database.
b. Attempted access that is denied
c. Changes to system user roles or database rights.
d. Addition of new system users, especially privileged users
e. Modifications to the data.
f. Modifications to the format or structure of the database
2. Network/operating system
a. Successful and failed attempts to logon and logoff.
b. Changes to system administrator and system user accounts.
c. Failed attempts to access data and system resources.
d. Attempts to use special privileges.
e. Use of special privileges.
f. System user or group management.
g. Changes to the security policy.
h. Service failures and restarts.
i.System startup and shutdown.
j. Changes to system configuration data.
k. Access to sensitive data and processes.
l. Data import/export operations.
3. Web application
a. System user access to the Web application.
b. Attempted access that is denied.
c. System user access to the Web documents.
d. Search engine queries initiated by system users. |
|
31 |
| NZISM_v3.7 |
16.6.10.C.02. |
NZISM_v3.7_16.6.10.C.02. |
NZISM v3.7 16.6.10.C.02. |
Event Logging and Auditing |
16.6.10.C.02. - enhance system security and accountability. |
Shared |
n/a |
Agencies SHOULD log, at minimum, the following events for all software components:
1. user login;
2. all privileged operations;
3. failed attempts to elevate privileges;
4. security related system alerts and failures;
5. system user and group additions, deletions and modification to permissions; and
6. unauthorised or failed access attempts to systems and files identified as critical to the agency. |
|
48 |
| NZISM_v3.7 |
16.6.11.C.01. |
NZISM_v3.7_16.6.11.C.01. |
NZISM v3.7 16.6.11.C.01. |
Event Logging and Auditing |
16.6.11.C.01. - enhance system security and accountability. |
Shared |
n/a |
For each event identified as needing to be logged, agencies MUST ensure that the log facility records at least the following details, where applicable:
1. date and time of the event;
2. relevant system user(s) or processes;
3. event description;
4. success or failure of the event;
5. event source (e.g. application name); and
6. IT equipment location/identification. |
|
48 |
| NZISM_v3.7 |
16.6.12.C.01. |
NZISM_v3.7_16.6.12.C.01. |
NZISM v3.7 16.6.12.C.01. |
Event Logging and Auditing |
16.6.12.C.01. - maintain integrity of the data. |
Shared |
n/a |
Event logs MUST be protected from:
1. modification and unauthorised access; and
2. whole or partial loss within the defined retention period. |
|
48 |
| NZISM_v3.7 |
16.6.6.C.01. |
NZISM_v3.7_16.6.6.C.01. |
NZISM v3.7 16.6.6.C.01. |
Event Logging and Auditing |
16.6.6.C.01. - enhance security and reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies MUST maintain system management logs for the life of a system. |
|
48 |
| NZISM_v3.7 |
16.6.7.C.01. |
NZISM_v3.7_16.6.7.C.01. |
NZISM v3.7 16.6.7.C.01. |
Event Logging and Auditing |
16.6.7.C.01. - facilitate effective monitoring, troubleshooting, and auditability of system operations. |
Shared |
n/a |
A system management log SHOULD record the following minimum information:
1. all system start-up and shutdown;
2. service, application, component or system failures;
3. maintenance activities;
4. backup and archival activities;
5. system recovery activities; and
6. special or out of hours activities. |
|
48 |
| NZISM_v3.7 |
16.6.9.C.01. |
NZISM_v3.7_16.6.9.C.01. |
NZISM v3.7 16.6.9.C.01. |
Event Logging and Auditing |
16.6.9.C.01. - enhance system security and accountability. |
Shared |
n/a |
Agencies MUST log, at minimum, the following events for all software components:
1. logons;
2. failed logon attempts;
3. logoffs;
4 .date and time;
5. all privileged operations;
6. failed attempts to elevate privileges;
7. security related system alerts and failures;
8. system user and group additions, deletions and modification to permissions; and
9. unauthorised or failed access attempts to systems and files identified as critical to the agency. |
|
46 |
| PCI_DSS_v4.0.1 |
10.2.1.2 |
PCI_DSS_v4.0.1_10.2.1.2 |
PCI DSS v4.0.1 10.2.1.2 |
Log and Monitor All Access to System Components and Cardholder Data |
Administrative Actions Logging |
Shared |
n/a |
Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts. |
|
24 |
| PCI_DSS_v4.0.1 |
10.2.1.5 |
PCI_DSS_v4.0.1_10.2.1.5 |
PCI DSS v4.0.1 10.2.1.5 |
Log and Monitor All Access to System Components and Cardholder Data |
Credential Changes Audit Logging |
Shared |
n/a |
Audit logs capture all changes to identification and authentication credentials including, but not limited to:
• Creation of new accounts.
• Elevation of privileges.
• All changes, additions, or deletions to accounts with administrative access. |
|
5 |
| SOC_2023 |
A1.1 |
SOC_2023_A1.1 |
SOC 2023 A1.1 |
Additional Criteria for Availability |
Effectively manage capacity demand and facilitate the implementation of additional capacity as needed. |
Shared |
n/a |
The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. |
|
107 |
| SOC_2023 |
CC.5.3 |
SOC_2023_CC.5.3 |
404 not found |
|
|
|
n/a |
n/a |
|
35 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
214 |
| SOC_2023 |
CC4.1 |
SOC_2023_CC4.1 |
SOC 2023 CC4.1 |
Monitoring Activities |
Enhance the ability to manage risks and achieve objectives. |
Shared |
n/a |
The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
|
36 |
| SOC_2023 |
CC4.2 |
SOC_2023_CC4.2 |
SOC 2023 CC4.2 |
Monitoring Activities |
Facilitate timely corrective actions and strengthen the ability to maintain effective control over its operations and achieve its objectives. |
Shared |
n/a |
The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors. |
|
35 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
225 |
| SOC_2023 |
CC7.2 |
SOC_2023_CC7.2 |
SOC 2023 CC7.2 |
Systems Operations |
Maintain robust security measures and ensure operational resilience. |
Shared |
n/a |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. |
|
163 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
209 |
| SOC_2023 |
CC8.1 |
SOC_2023_CC8.1 |
SOC 2023 CC8.1 |
Change Management |
Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. |
Shared |
n/a |
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. |
|
143 |
| SWIFT_CSCF_2024 |
1.2 |
SWIFT_CSCF_2024_1.2 |
SWIFT Customer Security Controls Framework 2024 1.2 |
Privileged Account Control |
Operating System Privileged Account Control |
Shared |
Tightly protecting administrator-level accounts within the operating system reduces the opportunity for an attacker to use the privileges of the account as part of an attack (for example, executing commands or deleting evidence). |
To restrict and control the allocation and usage of administrator-level operating system accounts. |
|
53 |
| SWIFT_CSCF_2024 |
11.2 |
SWIFT_CSCF_2024_11.2 |
404 not found |
|
|
|
n/a |
n/a |
|
26 |
| SWIFT_CSCF_2024 |
5.1 |
SWIFT_CSCF_2024_5.1 |
SWIFT Customer Security Controls Framework 2024 5.1 |
Access Control |
Logical Access Control |
Shared |
1. Applying the security principles of (1) need-to-know, (2) least privilege, and (3) separation of duties is essential to restricting access to the user’s Swift infrastructure.
2. Effective management of operator accounts reduces the opportunities for a malicious person to use these accounts as part of an attack. |
To enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. |
|
26 |
| SWIFT_CSCF_2024 |
6.4 |
SWIFT_CSCF_2024_6.4 |
SWIFT Customer Security Controls Framework 2024 6.4 |
Access Control |
Logging and Monitoring |
Shared |
1. Developing a logging and monitoring plan is the basis for effectively detecting abnormal behaviour and potential attacks and support further investigations.
2. As the operational environment becomes more complex, so will the logging and monitoring capability needed to perform adequate detection. Simplifying the operational environment will enable simpler logging and monitoring. |
To record security events, detect and respond to anomalous actions and operations within the user’s Swift environment. |
|
38 |