AzPolicyAdvertizer

last sync: 2025-Apr-29 17:16:02 UTC

App Service apps should have authentication enabled

Azure BuiltIn Policy definition

Source Azure Portal
Display name App Service apps should have authentication enabled
Id 95bccee9-a7f8-4bec-9ee9-62c3473701fc
Version 2.0.1
Details on versioning
Versioning Versions supported for Versioning: 1
2.0.1
Built-in Versioning [Preview]
Category App Service
Microsoft Learn
Description Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '2.*.*'
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Web/sites/config/siteAuthEnabled Microsoft.Web sites/config properties.siteAuthEnabled True False
Rule resource types IF (1)
Compliance
The following 148 compliance controls are associated with this Policy definition 'App Service apps should have authentication enabled' (95bccee9-a7f8-4bec-9ee9-62c3473701fc)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Canada_Federal_PBMM_3-1-2020 AC_14 Canada_Federal_PBMM_3-1-2020_AC_14 Canada Federal PBMM 3-1-2020 AC 14 Permitted Actions Without Identification or Authentication Permitted Actions without Identification or Authentication Shared 1. The organization identifies user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions. 2. The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication. To ensure transparency and accountability in the system's security measures. 19
Canada_Federal_PBMM_3-1-2020 AC_2(10) Canada_Federal_PBMM_3-1-2020_AC_2(10) Canada Federal PBMM 3-1-2020 AC 2(10) Account Management Account Management | Shared / Group Account Credential Termination Shared The information system terminates shared/group account credentials when members leave the group. To uphold security measures within the information system. 17
Canada_Federal_PBMM_3-1-2020 AC_2(2) Canada_Federal_PBMM_3-1-2020_AC_2(2) Canada Federal PBMM 3-1-2020 AC 2(2) Account Management Account Management | Removal of Temporary / Emergency Accounts Shared The information system automatically disables temporary and emergency accounts after no more than 30 days for both temporary and emergency accounts. To ensure timely security measures for both types of accounts. 17
Canada_Federal_PBMM_3-1-2020 AC_2(3) Canada_Federal_PBMM_3-1-2020_AC_2(3) Canada Federal PBMM 3-1-2020 AC 2(3) Account Management Account Management | Disable Inactive Accounts Shared The information system automatically disables inactive accounts after 90 days. To bolster security measures and ensure efficient account management. 17
Canada_Federal_PBMM_3-1-2020 AC_3 Canada_Federal_PBMM_3-1-2020_AC_3 Canada Federal PBMM 3-1-2020 AC 3 Access Enforcement Access Enforcement Shared The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. To mitigate the risk of unauthorized access. 33
Canada_Federal_PBMM_3-1-2020 AC_5 Canada_Federal_PBMM_3-1-2020_AC_5 Canada Federal PBMM 3-1-2020 AC 5 Separation of Duties Separation of Duties Shared The organization: 1. Separate organization-defined duties of individuals including at least separation of operational, development, security monitoring, and management functions; 2. Documents separation of duties of individuals; and 3. Defines information system access authorizations to support separation of duties. To facilitate proper separation of duties within the organization. 18
Canada_Federal_PBMM_3-1-2020 CA_7 Canada_Federal_PBMM_3-1-2020_CA_7 Canada Federal PBMM 3-1-2020 CA 7 Continuous Monitoring Continuous Monitoring Shared 1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency. To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements. 124
Canada_Federal_PBMM_3-1-2020 IA_1 Canada_Federal_PBMM_3-1-2020_IA_1 Canada Federal PBMM 3-1-2020 IA 1 Identification and Authentication Policy and Procedures Identification and Authentication Policy and Procedures Shared 1. The organization Develops, documents, and disseminates to all personnel: a. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. 2. The organization Reviews and updates the current: a. Identification and authentication policy at least every 3 years; and b. Identification and authentication procedures at least annually. To ensure secure access control and compliance with established standards. 19
Canada_Federal_PBMM_3-1-2020 IA_2 Canada_Federal_PBMM_3-1-2020_IA_2 Canada Federal PBMM 3-1-2020 IA 2 Identification and Authentication (Organizational Users) Identification and Authentication (Organizational Users) Shared The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). To prevent unauthorized access and maintain system security. 19
Canada_Federal_PBMM_3-1-2020 IA_4(2) Canada_Federal_PBMM_3-1-2020_IA_4(2) Canada Federal PBMM 3-1-2020 IA 4(2) Identifier Management Identifier Management | Supervisor Authorization Shared The organization requires that the registration process to receive an individual identifier includes supervisor authorization. To ensure accountability and authorization by requiring supervisor approval during the registration process for individual identifiers. 18
Canada_Federal_PBMM_3-1-2020 IA_4(3) Canada_Federal_PBMM_3-1-2020_IA_4(3) Canada Federal PBMM 3-1-2020 IA 4(3) Identifier Management Identifier Management | Multiple Forms of Certification Shared The organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority. To enhance the reliability and accuracy of individual identification. 18
Canada_Federal_PBMM_3-1-2020 IA_5(3) Canada_Federal_PBMM_3-1-2020_IA_5(3) Canada Federal PBMM 3-1-2020 IA 5(3) Authenticator Management Authenticator Management | In-Person or Trusted Third-Party Registration Shared The organization requires that the registration process to receive be conducted in person before an organization-defined registration authority with authorization by organization-defined personnel or roles. To enhance security and accountability within the organization's registration procedures. 25
Canada_Federal_PBMM_3-1-2020 SI_4 Canada_Federal_PBMM_3-1-2020_SI_4 Canada Federal PBMM 3-1-2020 SI 4 Information System Monitoring Information System Monitoring Shared 1. The organization monitors the information system to detect: a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and b. Unauthorized local, network, and remote connections; 2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods. 3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. 4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. 5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. 6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards. 7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency. To enhance overall security posture. 95
Canada_Federal_PBMM_3-1-2020 SI_4(1) Canada_Federal_PBMM_3-1-2020_SI_4(1) Canada Federal PBMM 3-1-2020 SI 4(1) Information System Monitoring Information System Monitoring | System-Wide Intrusion Detection System Shared The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. To enhance overall security posture. 95
Canada_Federal_PBMM_3-1-2020 SI_4(2) Canada_Federal_PBMM_3-1-2020_SI_4(2) Canada Federal PBMM 3-1-2020 SI 4(2) Information System Monitoring Information System Monitoring | Automated Tools for Real-Time Analysis Shared The organization employs automated tools to support near real-time analysis of events. To enhance overall security posture. 94
Canada_Federal_PBMM_3-1-2020 SI_8(1) Canada_Federal_PBMM_3-1-2020_SI_8(1) Canada Federal PBMM 3-1-2020 SI 8(1) Spam Protection Spam Protection | Central Management of Protection Mechanisms Shared The organization centrally manages spam protection mechanisms. To enhance overall security posture. 87
CIS_Azure_1.1.0 9.1 CIS_Azure_1.1.0_9.1 CIS Microsoft Azure Foundations Benchmark recommendation 9.1 9 AppService Ensure App Service Authentication is set on Azure App Service Shared The customer is responsible for implementing this recommendation. Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. link 5
CIS_Azure_1.3.0 9.1 CIS_Azure_1.3.0_9.1 CIS Microsoft Azure Foundations Benchmark recommendation 9.1 9 AppService Ensure App Service Authentication is set on Azure App Service Shared The customer is responsible for implementing this recommendation. Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. link 5
CIS_Azure_1.4.0 9.1 CIS_Azure_1.4.0_9.1 CIS Microsoft Azure Foundations Benchmark recommendation 9.1 9 AppService Ensure App Service Authentication is set up for apps in Azure App Service Shared The customer is responsible for implementing this recommendation. Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. link 5
CIS_Azure_2.0.0 9.1 CIS_Azure_2.0.0_9.1 CIS Microsoft Azure Foundations Benchmark recommendation 9.1 9 Ensure App Service Authentication is set up for apps in Azure App Service Shared This is only required for App Services which require authentication. Enabling on site like a marketing or support website will prevent unauthenticated access which would be undesirable. Adding Authentication requirement will increase cost of App Service and require additional security components to facilitate the authentication. Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers. link 5
CIS_Controls_v8.1 10.7 CIS_Controls_v8.1_10.7 CIS Controls v8.1 10.7 Malware Defenses Use behaviour based anti-malware software Shared Use behaviour based anti-malware software To ensure that a generic anti-malware software is not used. 99
CIS_Controls_v8.1 12.5 CIS_Controls_v8.1_12.5 CIS Controls v8.1 12.5 Network Infrastructure Management Centralize network authentication, authorization and auditing (AAA) Shared Centralize network AAA. To ensure that all network AAA is centralized to maintain standardisation and integrity of AAA. 22
CIS_Controls_v8.1 12.8 CIS_Controls_v8.1_12.8 CIS Controls v8.1 12.8 Network Infrastructure Management Establish and maintain dedicated computing resources for all administrative work Shared 1. Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. 2. The computing resources should be segmented from the enterprise’s primary network and not be allowed internet access. To ensure administrative work is on a different system on which access to data and internet is restricted. 22
CIS_Controls_v8.1 13.1 CIS_Controls_v8.1_13.1 CIS Controls v8.1 13.1 Network Monitoring and Defense Centralize security event alerting Shared 1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard. To ensure that any security event is immediately alerted enterprise-wide. 101
CIS_Controls_v8.1 13.11 CIS_Controls_v8.1_13.11 CIS Controls v8.1 13.11 Network Monitoring and Defense Tune security event alerting thresholds Shared Tune security event alerting thresholds monthly, or more frequently. To regularly adjust and optimize security event alerting thresholds, aiming to enhance effectiveness. 50
CIS_Controls_v8.1 13.3 CIS_Controls_v8.1_13.3 CIS Controls v8.1 13.3 Network Monitoring and Defense Deploy a network intrusion detection solution Shared 1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. To enhance the organization's cybersecurity. 99
CIS_Controls_v8.1 18.4 CIS_Controls_v8.1_18.4 CIS Controls v8.1 18.4 Penetration Testing Validate security measures Shared Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise. 93
CIS_Controls_v8.1 3.14 CIS_Controls_v8.1_3.14 CIS Controls v8.1 3.14 Data Protection Log sensitive data access Shared Log sensitive data access, including modification and disposal. To enhance accountability, traceability, and security measures within the enterprise. 47
CIS_Controls_v8.1 4.7 CIS_Controls_v8.1_4.7 CIS Controls v8.1 4.7 Secure Configuration of Enterprise Assets and Software Manage default accounts on enterprise assets and software Shared 1. Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. 2. Example implementations can include: disabling default accounts or making them unusable. To ensure access to default accounts is restricted. 26
CIS_Controls_v8.1 5.1 CIS_Controls_v8.1_5.1 CIS Controls v8.1 5.1 Account Management Establish and maintain an inventory of accounts Shared 1. Establish and maintain an inventory of all accounts managed in the enterprise. 2. The inventory must include both user and administrator accounts. 3. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. 4. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. To ensure accurate tracking and management of accounts. 35
CIS_Controls_v8.1 5.3 CIS_Controls_v8.1_5.3 CIS Controls v8.1 5.3 Account Management Disable dormant accounts Shared Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported. To implement time based expiry of access to systems. 25
CIS_Controls_v8.1 5.4 CIS_Controls_v8.1_5.4 CIS Controls v8.1 5.4 Account Management Restrict administrator privileges to dedicated administrator accounts. Shared 1. Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 2. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account. To restrict access to privileged accounts. 22
CIS_Controls_v8.1 5.5 CIS_Controls_v8.1_5.5 CIS Controls v8.1 5.5 Account Management Establish and maintain an inventory of service accounts. Shared 1. Establish and maintain an inventory of service accounts. 2. The inventory, at a minimum, must contain department owner, review date, and purpose. 3. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. To ensure accurate tracking and management of service accounts. 19
CIS_Controls_v8.1 5.6 CIS_Controls_v8.1_5.6 CIS Controls v8.1 5.6 Account Management Centralize account management Shared Centralize account management through a directory or identity service. To optimize and simply the process of account management. 20
CIS_Controls_v8.1 6.1 CIS_Controls_v8.1_6.1 CIS Controls v8.1 6.1 Access Control Management Establish an access granting process Shared Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user. To implement role based access controls. 23
CIS_Controls_v8.1 6.2 CIS_Controls_v8.1_6.2 CIS Controls v8.1 6.2 Access Control Management Establish an access revoking process Shared 1. Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. 2. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails. To restrict access to enterprise assets. 24
CMMC_L2_v1.9.0 AC.L1_3.1.1 CMMC_L2_v1.9.0_AC.L1_3.1.1 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L1 3.1.1 Access Control Authorized Access Control Shared Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). To ensure security and integrity. 27
CMMC_L2_v1.9.0 AC.L2_3.1.5 CMMC_L2_v1.9.0_AC.L2_3.1.5 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.5 Access Control Least Privilege Shared Employ the principle of least privilege, including for specific security functions and privileged accounts. To restrict information system access. 27
CMMC_L2_v1.9.0 IA.L1_3.5.1 CMMC_L2_v1.9.0_IA.L1_3.5.1 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 IA.L1 3.5.1 Identification and Authentication Identification Shared Identify information system users, processes acting on behalf of users, or devices. To enable effective monitoring, authentication, and access control measures to be implemented within the system. 23
CMMC_L2_v1.9.0 PE.L2_3.10.6 CMMC_L2_v1.9.0_PE.L2_3.10.6 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 PE.L2 3.10.6 Physical Protection Alternative Work Sites Shared Enforce safeguarding measures for CUI at alternate work sites. To ensure that sensitive information is protected even when employees are working remotely or at off site locations. 11
CMMC_L2_v1.9.0 PS.L2_3.9.2 CMMC_L2_v1.9.0_PS.L2_3.9.2 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 PS.L2 3.9.2 Personnel Security Personnel Actions Shared Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. To ensure that organizational systems containing CUI are protected during and after personnel actions, such as terminations and transfers. 17
CMMC_L2_v1.9.0 SC.L2_3.13.15 CMMC_L2_v1.9.0_SC.L2_3.13.15 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.15 System and Communications Protection Communications Authenticity Shared Protect the authenticity of communications sessions. To prevent unauthorized access, tampering, or interception of sensitive information. 2
CSA_v4.0.12 DCS_08 CSA_v4.0.12_DCS_08 CSA Cloud Controls Matrix v4.0.12 DCS 08 Datacenter Security Equipment Identification Shared n/a Use equipment identification as a method for connection authentication. 1
CSA_v4.0.12 IAM_01 CSA_v4.0.12_IAM_01 CSA Cloud Controls Matrix v4.0.12 IAM 01 Identity & Access Management Identity and Access Management Policy and Procedures Shared n/a Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management. Review and update the policies and procedures at least annually. 24
CSA_v4.0.12 IAM_02 CSA_v4.0.12_IAM_02 CSA Cloud Controls Matrix v4.0.12 IAM 02 Identity & Access Management Strong Password Policy and Procedures Shared n/a Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually. 52
CSA_v4.0.12 IAM_04 CSA_v4.0.12_IAM_04 CSA Cloud Controls Matrix v4.0.12 IAM 04 Identity & Access Management Separation of Duties Shared n/a Employ the separation of duties principle when implementing information system access. 43
CSA_v4.0.12 IAM_05 CSA_v4.0.12_IAM_05 CSA Cloud Controls Matrix v4.0.12 IAM 05 Identity & Access Management Least Privilege Shared n/a Employ the least privilege principle when implementing information system access. 27
CSA_v4.0.12 IAM_07 CSA_v4.0.12_IAM_07 CSA Cloud Controls Matrix v4.0.12 IAM 07 Identity & Access Management User Access Changes and Revocation Shared n/a De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies. 56
CSA_v4.0.12 IAM_10 CSA_v4.0.12_IAM_10 CSA Cloud Controls Matrix v4.0.12 IAM 10 Identity & Access Management Management of Privileged Access Roles Shared n/a Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access. 56
CSA_v4.0.12 IAM_12 CSA_v4.0.12_IAM_12 CSA Cloud Controls Matrix v4.0.12 IAM 12 Identity & Access Management Safeguard Logs Integrity Shared n/a Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures. 42
CSA_v4.0.12 IAM_13 CSA_v4.0.12_IAM_13 CSA Cloud Controls Matrix v4.0.12 IAM 13 Identity & Access Management Uniquely Identifiable Users Shared n/a Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs. 49
CSA_v4.0.12 IAM_14 CSA_v4.0.12_IAM_14 CSA Cloud Controls Matrix v4.0.12 IAM 14 Identity & Access Management Strong Authentication Shared n/a Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities. 32
CSA_v4.0.12 IAM_15 CSA_v4.0.12_IAM_15 CSA Cloud Controls Matrix v4.0.12 IAM 15 Identity & Access Management Passwords Management Shared n/a Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords. 26
CSA_v4.0.12 IAM_16 CSA_v4.0.12_IAM_16 CSA Cloud Controls Matrix v4.0.12 IAM 16 Identity & Access Management Authorization Mechanisms Shared n/a Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized. 46
Cyber_Essentials_v3.1 1 Cyber_Essentials_v3.1_1 Cyber Essentials v3.1 1 Cyber Essentials Firewalls Shared n/a Aim: to make sure that only secure and necessary network services can be accessed from the internet. 37
Cyber_Essentials_v3.1 2 Cyber_Essentials_v3.1_2 Cyber Essentials v3.1 2 Cyber Essentials Secure Configuration Shared n/a Aim: ensure that computers and network devices are properly configured to reduce vulnerabilities and provide only the services required to fulfill their role. 61
Cyber_Essentials_v3.1 4 Cyber_Essentials_v3.1_4 Cyber Essentials v3.1 4 Cyber Essentials User Access Control Shared n/a Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role. 74
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 193
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 310
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 310
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 310
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 310
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .1 FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 Policy and Implementation - Systems And Communications Protection Systems And Communications Protection Shared In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. 110
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .5 FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 Policy and Implementation - Access Control Access Control Shared Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. 97
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .6 FBI_Criminal_Justice_Information_Services_v5.9.5_5.6 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.6 Policy and Implementation - Identification And Authentication Identification And Authentication Shared Ensure and maintain the proper identification and authentications measures with appropriate security safeguards to avoid issues like identity theft. 1. Identification is a unique, auditable representation of an identity within an information system usually in the form of a simple character string for each individual user, machine, software component, or any other entity. 2. Authentication refers to mechanisms or processes to verify the identity of a user, process, or device, as a prerequisite to allowing access to a system's resources. 19
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .7 FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 404 not found n/a n/a 95
FFIEC_CAT_2017 3.1.2 FFIEC_CAT_2017_3.1.2 FFIEC CAT 2017 3.1.2 Cybersecurity Controls Access and Data Management Shared n/a Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.'FFIEC_Cybersecurity Control'!F8 - Employee access to systems and confidential data provides for separation of duties. - Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger 'FFIEC_Cybersecurity Control'!F7password controls). - User access reviews are performed periodically for all systems and applications based on the risk to the application or system. - Changes to physical and logical user access, including those that result from voluntary and involuntary terminations, are submitted to and approved by appropriate personnel. - Identification and authentication are required and managed for access to systems, applications, and hardware. - Access controls include password complexity and limits to password attempts and reuse. - All default passwords and unnecessary default accounts are changed before system implementation. - Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk. - Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.) - Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems. - All passwords are encrypted in storage and in transit. - Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). - Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) - Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. - Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software. - Customer service (e.g., the call center) utilizes formal procedures to authenticate customers commensurate with the risk of the transaction or request. - Data is disposed of or destroyed according to documented requirements and within expected time frames. 59
HITRUST_CSF_v11.3 01.c HITRUST_CSF_v11.3_01.c HITRUST CSF v11.3 01.c Authorized Access to Information Systems Control privileged access to information systems and services. Shared 1. Privileged role assignments to be automatically tracked and monitored. 2. Role-based access controls to be implemented and should be capable of mapping each user to one or more roles, and each role to one or more system functions. 3. Critical security functions to be executable only after granting of explicit authorization. The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls. 44
HITRUST_CSF_v11.3 01.i HITRUST_CSF_v11.3_01.i HITRUST CSF v11.3 01.i Network Access Control Implement role based access to internal and external network services. Shared 1. It is to be determined who is allowed access to which network and what networked services. 2. The networks and network services to which users have authorized access is to be specified. Users shall only be provided with access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied for users and equipment. 11
HITRUST_CSF_v11.3 01.j HITRUST_CSF_v11.3_01.j HITRUST CSF v11.3 01.j Network Access Control Prevent unauthorized access to networked services. Shared 1.External access to systems to be strictly regulated and tightly controlled. 2. External access to sensitive systems to be automatically deactivated immediately after use. 3. Authentication of remote users to be done by using cryptography, biometrics, hardware tokens, software token, a challenge/response protocol, or, certificate agents. 4. Dial-up connections to be encrypted. Appropriate authentication methods shall be used to control access by remote users. 16
HITRUST_CSF_v11.3 01.q HITRUST_CSF_v11.3_01.q HITRUST CSF v11.3 01.q Operating System Access Control Prevent unauthorized access to operating systems and implement authentication technique to verify user. Shared 1. Each user ID in the information system to be assigned to a specific named individual to ensure accountability. 2. Multi-factor authentication to be implemented for network and local access to privileged accounts. 3. Users to be uniquely identified and authenticated for local access and remote access. 4. Biometric-based electronic signatures and multifactor authentication to be implemented to ensure exclusive ownership validation and enhanced security for both remote and local network access to privileged and non-privileged accounts. All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user. 30
HITRUST_CSF_v11.3 09.ab HITRUST_CSF_v11.3_09.ab HITRUST CSF v11.3 09.ab Monitoring Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. Shared 1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with. Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. 113
HITRUST_CSF_v11.3 09.m HITRUST_CSF_v11.3_09.m HITRUST CSF v11.3 09.m Network Security Management Ensure the protection of information in networks and protection of the supporting network infrastructure. Shared 1. Vendor default encryption keys, default SNMP community strings on wireless devices, default passwords/passphrases on access points, and other security-related wireless vendor defaults is to be changed prior to authorization of implementation of wireless access points. 2. Wireless encryption keys to be changed when anyone with knowledge of the keys leaves or changes. 3. All authorized and unauthorized wireless access to the information system is to be monitored and installation of wireless access points (WAP) is to be prohibited unless explicitly authorized. Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. 24
ISO_IEC_27002_2022 5.18 ISO_IEC_27002_2022_5.18 ISO IEC 27002 2022 5.18 Protection, Preventive Control Access rights Shared Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control. To ensure access to information and other associated assets is defined and authorized according to the business requirements. 20
ISO_IEC_27002_2022 6.7 ISO_IEC_27002_2022_6.7 ISO IEC 27002 2022 6.7 Protection, Preventive, Control Remote working Shared Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises. To ensure the security of information when personnel are working remotely. 11
ISO_IEC_27002_2022 8.2 ISO_IEC_27002_2022_8.2 ISO IEC 27002 2022 8.2 Protection, Preventive, Control Privileged access rights Shared The allocation and use of privileged access rights should be restricted and managed. To ensure only authorized users, software components and services are provided with privileged access rights. 29
ISO_IEC_27002_2022 8.9 ISO_IEC_27002_2022_8.9 ISO IEC 27002 2022 8.9 Protection, Preventive Control Configuration management Shared Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes. 20
ISO_IEC_27017_2015 12.4.3 ISO_IEC_27017_2015_12.4.3 ISO IEC 27017 2015 12.4.3 Operations Security Administrator and Operation Logs Shared For Cloud Service Customer: If a privileged operation is delegated to the cloud service customer, the operation and performance of those operations should be logged. The cloud service customer should determine whether logging capabilities provided by the cloud service provider are appropriate or whether the cloud service customer should implement additional logging capabilities. To log operation and performance of those operations wherein rivileged operation is delegated to the cloud service customer. 28
mp.s.3 Protection of web browsing mp.s.3 Protection of web browsing 404 not found n/a n/a 51
New_Zealand_ISM 14.5.8.C.01 New_Zealand_ISM_14.5.8.C.01 New_Zealand_ISM_14.5.8.C.01 14. Software security 14.5.8.C.01 Web applications n/a Agencies SHOULD follow the documentation provided in the Open Web Application Security Project guide to building secure Web applications and Web services. 18
NIST_CSF_v2.0 PR.AA_05 NIST_CSF_v2.0_PR.AA_05 NIST CSF v2.0 PR.AA 05 PROTECT- Identity Management, Authentication, and Access Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties. Shared n/a To implement safeguards for managing organization’s cybersecurity risks. 29
NIST_SP_800-171_R3_3 .1.1 NIST_SP_800-171_R3_3.1.1 NIST 800-171 R3 3.1.1 Access Control Account Management Shared a. Define the types of system accounts allowed and prohibited. b. Create, enable, modify, disable, and remove system accounts in accordance with organizational policy, procedures, prerequisites, and criteria. c. Specify authorized users of the system, group and role membership, and access authorizations (i.e., privileges). d. Authorize access to the system based on a valid access authorization and intended system usage. e. Monitor the use of system accounts. f. Disable system accounts when: 1. The accounts have expired; 2. The accounts have been inactive for [Assignment: organization-defined time period]; 3. The accounts are no longer associated with a user or individual; 4. The accounts are in violation of organizational policy; or 5. Significant risks associated with individuals are discovered. g. Notify organizational personnel or roles when: 1. Accounts are no longer required; 2. Users are terminated or transferred; and 3. System usage or need-to-know changes for an individual. This requirement focuses on account management for systems and applications. The definition and enforcement of access authorizations other than those determined by account type (e.g.,privileged access, non-privileged access) are addressed in requirement 03.01.02. System account types include individual, group, temporary, system, guest, anonymous, emergency, developer, and service. Users who require administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access. Types of accounts that organizations may prohibit due to increased risk include group, emergency, guest, anonymous, and temporary. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of both. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes,organizations consider system requirements (e.g., system upgrades, scheduled maintenance) and mission and business requirements (e.g., time zone differences, remote access to facilitate travel requirements). Users who pose a significant security risk include individuals for whom reliable evidence indicates either the intention to use authorized access to the system to cause harm or that adversaries will cause harm through them. Close coordination among human resource managers, mission/business owners, system administrators, and legal staff is essential when disabling system accounts for high-risk individuals. Time periods for the notification of organizational personnel or roles may vary. 18
NIST_SP_800-171_R3_3 .1.12 NIST_SP_800-171_R3_3.1.12 NIST 800-171 R3 3.1.12 Access Control Remote Access Shared Remote access to the system represents a significant potential vulnerability that can be exploited by adversaries. Monitoring and controlling remote access methods allows organizations to detect attacks and ensure compliance with remote access policies. This occurs by auditing the connection activities of remote users on the systems. Routing remote access through manaccess control points enhances explicit control over such connections and reduces susceptibility to unauthorized access to the system, which could result in the unauthorized disclosure of CUI. Restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and its susceptibility to threats by adversaries. A privileged command is a human-initiated command executed on a system that involves the control, monitoring, or administration of the system, including security functions and security-relevant information. Security-relevant information is information that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling access from remote locations helps to ensure that unauthorized individuals are unable to execute such commands with the potential to do serious or catastrophic damage to the system. a. Establish usage restrictions, configuration requirements, and connection requirements for each type of allowable remote system access. b. Authorize each type of remote system access prior to establishing such connections. c. Route remote access to the system through authorized and managed access control points. d. Authorize remote execution of privileged commands and remote access to security-relevant information. 15
NIST_SP_800-171_R3_3 .1.2 NIST_SP_800-171_R3_3.1.2 NIST 800-171 R3 3.1.2 Access Control Access Enforcement Shared Access control policies control access between active entities or subjects (i.e., users or system processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. Types of system access include remote access and access to systems that communicate through external networks, such as the internet. Access enforcement mechanisms can also be employed at the application and service levels to provide increased protection for CUI. This recognizes that the system can host many applications and services in support of mission and business functions. Enforce approved authorizations for logical access to CUI and system resources. 38
NIST_SP_800-171_R3_3 .1.5 NIST_SP_800-171_R3_3.1.5 NIST 800-171 R3 3.1.5 Access Control Least Privilege Shared Organizations employ the principle of least privilege for specific duties and authorized access for users and system processes. Least privilege is applied to the development, implementation, and operation of the system. Organizations consider creating additional processes, roles, and system accounts to achieve least privilege. Security functions include establishing system accounts and assigning privileges, installing software, configuring access authorizations, configuring settings for events to be audited, establishing vulnerability scanning parameters, and establishing intrusion detection parameters. Security-relevant information includes threat and vulnerability information, filtering rules for routers or firewalls, configuration parameters for security services, security architecture, cryptographic key management information, and access control lists. a. Allow only authorized system access for users (or processes acting on behalf of users) that is necessary to accomplish assigned organizational tasks. b. Authorize access to [Assignment: organization-defined security functions and security-relevant information]. c. Review the privileges assigned to roles or classes of users periodically to validate the need for such privileges. d. Reassign or remove privileges, as necessary. 24
NIST_SP_800-171_R3_3 .1.6 NIST_SP_800-171_R3_3.1.6 NIST 800-171 R3 3.1.6 Access Control Least Privilege – Privileged Accounts Shared Privileged accounts are typically described as system administrator accounts. Restricting privileged accounts to specific personnel or roles prevents nonprivileged users from accessing security functions or security-relevant information. Requiring the use of non-privileged accounts when accessing nonsecurity functions or nonsecurity information limits exposure when operating from within privileged accounts. Including roles addresses situations in which organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. a. Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles]. b. Require that users (or roles) with privileged accounts use non-privileged accounts when accessing nonsecurity functions or nonsecurity information. 19
NIST_SP_800-171_R3_3 .12.5 NIST_SP_800-171_R3_3.12.5 NIST 800-171 R3 3.12.5 Security Assessment Control Information Exchange Shared The types of agreements selected are based on factors such as the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual) and the level of access to the organizational system by users of the other system. Types of agreements can include interconnection security agreements, information exchange security agreements, memoranda of understanding or agreement, service-level agreements, or other types of agreements. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (e.g., service providers, contractors, system developers, and system integrators). Examples of the types of information contained in exchange agreements include the interface characteristics, security requirements, controls, and responsibilities for each system. a. Approve and manage the exchange of CUI between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements]. b. Document, as part of the exchange agreements, interface characteristics, security requirements, and responsibilities for each system. c. Review and update the exchange agreements periodically. 25
NIST_SP_800-171_R3_3 .13.15 NIST_SP_800-171_R3_3.13.15 NIST 800-171 R3 3.13.15 System and Communications Protection Control Session Authenticity Shared Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of the communications sessions in the ongoing identities of other parties and the validity of the transmitted information. Authenticity protection includes protecting against “adversary-in-the-middle” attacks, session hijacking, and the insertion of false information into sessions. Protect the authenticity of communications sessions. 2
NIST_SP_800-171_R3_3 .5.1 NIST_SP_800-171_R3_3.5.1 404 not found n/a n/a 10
NIST_SP_800-171_R3_3 .5.2 NIST_SP_800-171_R3_3.5.2 404 not found n/a n/a 1
NIST_SP_800-171_R3_3 .5.5 NIST_SP_800-171_R3_3.5.5 404 not found n/a n/a 43
NIST_SP_800-53_R5.1.1 AC.17 NIST_SP_800-53_R5.1.1_AC.17 NIST SP 800-53 R5.1.1 AC.17 Access Control Remote Access Shared a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections. Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3. Enforcing access restrictions for remote access is addressed via AC-3. 11
NIST_SP_800-53_R5.1.1 AC.2 NIST_SP_800-53_R5.1.1_AC.2 NIST SP 800-53 R5.1.1 AC.2 Access Control Account Management Shared a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: organization-defined time period] when accounts are no longer required; 2. [Assignment: organization-defined time period] when users are terminated or transferred; and 3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes. Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts. Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability. Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training. 17
NIST_SP_800-53_R5.1.1 AC.6 NIST_SP_800-53_R5.1.1_AC.6 NIST SP 800-53 R5.1.1 AC.6 Access Control Least Privilege Shared Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems. 25
NIST_SP_800-53_R5.1.1 IA.3 NIST_SP_800-53_R5.1.1_IA.3 NIST SP 800-53 R5.1.1 IA.3 Identification and Authentication Control Device Identification and Authentication Shared Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection. Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number/type of devices based on mission or business needs. 1
NIST_SP_800-53_R5.1.1 IA.8 NIST_SP_800-53_R5.1.1_IA.8 NIST SP 800-53 R5.1.1 IA.8 Identification and Authentication Control Identification and Authentication (non-organizational Users) Shared Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk. 2
NIST_SP_800-53_R5.1.1 SC.23 NIST_SP_800-53_R5.1.1_SC.23 NIST SP 800-53 R5.1.1 SC.23 System and Communications Protection Session Authenticity Shared Protect the authenticity of communications sessions. Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against “man-in-the-middle” attacks, session hijacking, and the insertion of false information into sessions. 2
NZ_ISM_v3.5 SS-9 NZ_ISM_v3.5_SS-9 NZISM Security Benchmark SS-9 Software security 14.5.8 Web applications Customer n/a The Open Web Application Security Project guide provides a comprehensive resource to consult when developing Web applications. link 12
NZISM_v3.7 14.1.10.C.01. NZISM_v3.7_14.1.10.C.01. NZISM v3.7 14.1.10.C.01. Standard Operating Environments 14.1.10.C.01. - reduce potential vulnerabilities. Shared n/a Agencies MUST reduce potential vulnerabilities in their SOEs by: 1. removing unused accounts; 2. renaming or deleting default accounts; and 3. replacing default passwords before or during the installation process. 39
NZISM_v3.7 14.1.10.C.02. NZISM_v3.7_14.1.10.C.02. NZISM v3.7 14.1.10.C.02. Standard Operating Environments 14.1.10.C.02. - reduce potential vulnerabilities. Shared n/a Agencies SHOULD reduce potential vulnerabilities in their SOEs by: 1. removing unused accounts; 2. renaming or deleting default accounts; and 3. replacing default passwords, before or during the installation process. 39
NZISM_v3.7 16.1.31.C.01. NZISM_v3.7_16.1.31.C.01. NZISM v3.7 16.1.31.C.01. Identification, Authentication and Passwords 16.1.31.C.01. - promote security and accountability within the agency's systems. Shared n/a Agencies MUST: 1. develop, implement and maintain a set of policies and procedures covering all system users: a. identification; b. authentication; c. authorisation; d. privileged access identification and management; and 2. make their system users aware of the agency's policies and procedures. 26
NZISM_v3.7 16.1.32.C.01. NZISM_v3.7_16.1.32.C.01. NZISM v3.7 16.1.32.C.01. Identification, Authentication and Passwords 16.1.32.C.01. - promote security and accountability within the agency's systems. Shared n/a Agencies MUST ensure that all system users are: 1. uniquely identifiable; and 2. authenticated on each occasion that access is granted to a system. 25
NZISM_v3.7 16.1.47.C.01. NZISM_v3.7_16.1.47.C.01. NZISM v3.7 16.1.47.C.01. Identification, Authentication and Passwords 16.1.47.C.01. - enhance overall security posture. Shared n/a Agencies SHOULD ensure that repeated account lockouts are investigated before reauthorising access. 39
NZISM_v3.7 16.4.32.C.02. NZISM_v3.7_16.4.32.C.02. NZISM v3.7 16.4.32.C.02. Privileged Access Management 16.4.32.C.02. - enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Privileged Access credentials MUST NOT be issued until approval has been formally granted. 20
NZISM_v3.7 16.5.10.C.01. NZISM_v3.7_16.5.10.C.01. NZISM v3.7 16.5.10.C.01. Remote Access 16.5.10.C.01. - enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies MUST authenticate each remote connection and user prior to permitting access to an agency system. 11
NZISM_v3.7 16.5.10.C.02. NZISM_v3.7_16.5.10.C.02. NZISM v3.7 16.5.10.C.02. Remote Access 16.5.10.C.02. - enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies SHOULD authenticate both the remote system user and device during the authentication process. 21
NZISM_v3.7 16.5.11.C.01. NZISM_v3.7_16.5.11.C.01. NZISM v3.7 16.5.11.C.01. Remote Access 16.5.11.C.01. - enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies MUST NOT allow the use of remote privileged access from an untrusted domain, including logging in as an unprivileged system user and then escalating privileges. 11
NZISM_v3.7 16.5.11.C.02. NZISM_v3.7_16.5.11.C.02. NZISM v3.7 16.5.11.C.02. Remote Access 16.5.11.C.02. - enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies SHOULD NOT allow the use of remote privileged access from an untrusted domain, including logging in as an unprivileged system user and then escalating privileges. 11
NZISM_v3.7 16.5.12.C.01. NZISM_v3.7_16.5.12.C.01. NZISM v3.7 16.5.12.C.01. Remote Access 16.5.12.C.01. - enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies SHOULD establish VPN connections for all remote access connections. 11
NZISM_v3.7 16.6.10.C.02. NZISM_v3.7_16.6.10.C.02. NZISM v3.7 16.6.10.C.02. Event Logging and Auditing 16.6.10.C.02. - enhance system security and accountability. Shared n/a Agencies SHOULD log, at minimum, the following events for all software components: 1. user login; 2. all privileged operations; 3. failed attempts to elevate privileges; 4. security related system alerts and failures; 5. system user and group additions, deletions and modification to permissions; and 6. unauthorised or failed access attempts to systems and files identified as critical to the agency. 50
NZISM_v3.7 16.6.11.C.01. NZISM_v3.7_16.6.11.C.01. NZISM v3.7 16.6.11.C.01. Event Logging and Auditing 16.6.11.C.01. - enhance system security and accountability. Shared n/a For each event identified as needing to be logged, agencies MUST ensure that the log facility records at least the following details, where applicable: 1. date and time of the event; 2. relevant system user(s) or processes; 3. event description; 4. success or failure of the event; 5. event source (e.g. application name); and 6. IT equipment location/identification. 50
NZISM_v3.7 16.6.12.C.01. NZISM_v3.7_16.6.12.C.01. NZISM v3.7 16.6.12.C.01. Event Logging and Auditing 16.6.12.C.01. - maintain integrity of the data. Shared n/a Event logs MUST be protected from: 1. modification and unauthorised access; and 2. whole or partial loss within the defined retention period. 50
NZISM_v3.7 16.6.6.C.01. NZISM_v3.7_16.6.6.C.01. NZISM v3.7 16.6.6.C.01. Event Logging and Auditing 16.6.6.C.01. - enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies MUST maintain system management logs for the life of a system. 50
NZISM_v3.7 16.6.7.C.01. NZISM_v3.7_16.6.7.C.01. NZISM v3.7 16.6.7.C.01. Event Logging and Auditing 16.6.7.C.01. - facilitate effective monitoring, troubleshooting, and auditability of system operations. Shared n/a A system management log SHOULD record the following minimum information: 1. all system start-up and shutdown; 2. service, application, component or system failures; 3. maintenance activities; 4. backup and archival activities; 5. system recovery activities; and 6. special or out of hours activities. 50
PCI_DSS_v4.0.1 1.2.1 PCI_DSS_v4.0.1_1.2.1 PCI DSS v4.0.1 1.2.1 Install and Maintain Network Security Controls Configuration standards for NSC rulesets are defined, implemented, and maintained Shared n/a Examine the configuration standards for NSC rulesets to verify the standards are in accordance with all elements specified in this requirement. Examine configuration settings for NSC rulesets to verify that rulesets are implemented according to the configuration standards 11
PCI_DSS_v4.0.1 1.2.7 PCI_DSS_v4.0.1_1.2.7 PCI DSS v4.0.1 1.2.7 Install and Maintain Network Security Controls Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective Shared n/a Examine documentation to verify procedures are defined for reviewing configurations of NSCs at least once every six months. Examine documentation of reviews of configurations for NSCs and interview responsible personnel to verify that reviews occur at least once every six months. Examine configurations for NSCs to verify that configurations identified as no longer being supported by a business justification are removed or updated 11
PCI_DSS_v4.0.1 7.2.1 PCI_DSS_v4.0.1_7.2.1 PCI DSS v4.0.1 7.2.1 Restrict Access to System Components and Cardholder Data by Business Need to Know An access control model is defined and includes granting access as follows: Appropriate access depending on the entity’s business and access needs. Access to system components and data resources that is based on users’ job classification and functions. The least privileges required (for example, user, administrator) to perform a job function Shared n/a Examine documented policies and procedures and interview personnel to verify the access control model is defined in accordance with all elements specified in this requirement. Examine access control model settings and verify that access needs are appropriately defined in accordance with all elements specified in this requirement 43
PCI_DSS_v4.0.1 7.2.2 PCI_DSS_v4.0.1_7.2.2 PCI DSS v4.0.1 7.2.2 Restrict Access to System Components and Cardholder Data by Business Need to Know Access is assigned to users, including privileged users, based on: Job classification and function. Least privileges necessary to perform job responsibilities Shared n/a Examine policies and procedures to verify they cover assigning access to users in accordance with all elements specified in this requirement. Examine user access settings, including for privileged users, and interview responsible management personnel to verify that privileges assigned are in accordance with all elements specified in this requirement. Interview personnel responsible for assigning access to verify that privileged user access is assigned in accordance with all elements specified in this requirement 43
PCI_DSS_v4.0.1 7.2.3 PCI_DSS_v4.0.1_7.2.3 PCI DSS v4.0.1 7.2.3 Restrict Access to System Components and Cardholder Data by Business Need to Know Required privileges are approved by authorized personnel Shared n/a Examine policies and procedures to verify they define processes for approval of all privileges by authorized personnel. Examine user IDs and assigned privileges, and compare with documented approvals to verify that: Documented approval exists for the assigned privileges. The approval was by authorized personnel. Specified privileges match the roles assigned to the individual 38
PCI_DSS_v4.0.1 7.2.4 PCI_DSS_v4.0.1_7.2.4 PCI DSS v4.0.1 7.2.4 Restrict Access to System Components and Cardholder Data by Business Need to Know All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: At least once every six months. To ensure user accounts and access remain appropriate based on job function. Any inappropriate access is addressed. Management acknowledges that access remains appropriate Shared n/a Examine policies and procedures to verify they define processes to review all user accounts and related access privileges, including third-party/vendor accounts, in accordance with all elements specified in this requirement. Interview responsible personnel and examine documented results of periodic reviews of user accounts to verify that all the results are in accordance with all elements specified in this requirement 40
PCI_DSS_v4.0.1 7.2.5 PCI_DSS_v4.0.1_7.2.5 PCI DSS v4.0.1 7.2.5 Restrict Access to System Components and Cardholder Data by Business Need to Know All application and system accounts and related access privileges are assigned and managed as follows: Based on the least privileges necessary for the operability of the system or application. Access is limited to the systems, applications, or processes that specifically require their use Shared n/a Examine policies and procedures to verify they define processes to manage and assign application and system accounts and related access privileges in accordance with all elements specified in this requirement. Examine privileges associated with system and application accounts and interview responsible personnel to verify that application and system accounts and related access privileges are assigned and managed in accordance with all elements specified in this requirement 44
PCI_DSS_v4.0.1 7.2.5.1 PCI_DSS_v4.0.1_7.2.5.1 PCI DSS v4.0.1 7.2.5.1 Restrict Access to System Components and Cardholder Data by Business Need to Know All access by application and system accounts and related access privileges are reviewed as follows: Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1). The application/system access remains appropriate for the function being performed. Any inappropriate access is addressed. Management acknowledges that access remains appropriate Shared n/a Examine policies and procedures to verify they define processes to review all application and system accounts and related access privileges in accordance with all elements specified in this requirement. Examine the entity’s targeted risk analysis for the frequency of periodic reviews of application and system accounts and related access privileges to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1. Interview responsible personnel and examine documented results of periodic reviews of system and application accounts and related privileges to verify that the reviews occur in accordance with all elements specified in this requirement 39
PCI_DSS_v4.0.1 7.2.6 PCI_DSS_v4.0.1_7.2.6 PCI DSS v4.0.1 7.2.6 Restrict Access to System Components and Cardholder Data by Business Need to Know All user access to query repositories of stored cardholder data is restricted as follows: Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges. Only the responsible administrator(s) can directly access or query repositories of stored CHD Shared n/a Examine policies and procedures and interview personnel to verify processes are defined for granting user access to query repositories of stored cardholder data, in accordance with all elements specified in this requirement. Examine configuration settings for querying repositories of stored cardholder data to verify they are in accordance with all elements specified in this requirement 41
PCI_DSS_v4.0.1 7.3.1 PCI_DSS_v4.0.1_7.3.1 PCI DSS v4.0.1 7.3.1 Restrict Access to System Components and Cardholder Data by Business Need to Know An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components Shared n/a Examine vendor documentation and system settings to verify that access is managed for each system component via an access control system(s) that restricts access based on a user’s need to know and covers all system components 27
RMiT_v1.0 10.54 RMiT_v1.0_10.54 RMiT 10.54 Access Control Access Control - 10.54 Shared n/a A financial institution must implement an appropriate access controls policy for the identification, authentication and authorisation of users (internal and external users such as third party service providers). This must address both logical and physical technology access controls which are commensurate with the level of risk of unauthorised access to its technology systems. link 14
Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes Oxley Act 2022 1 PUBLIC LAW Sarbanes Oxley Act 2022 (SOX) Shared n/a n/a 92
SOC_2023 A1.1 SOC_2023_A1.1 SOC 2023 A1.1 Additional Criteria for Availability Effectively manage capacity demand and facilitate the implementation of additional capacity as needed. Shared n/a The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. 111
SOC_2023 C1.1 SOC_2023_C1.1 SOC 2023 C1.1 Additional Criteria for Confidentiality Preserve trust, compliance, and competitive advantage. Shared n/a The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality. 11
SOC_2023 CC1.3 SOC_2023_CC1.3 SOC 2023 CC1.3 Control Environment Enable effective execution of authorities, information flow, and setup of appropriate responsibilities to achieve organizational objectives. Shared n/a 1. Ensure the management establishes, with board oversight, structures including operating units, legal entities, geographic distribution and outsourced service providers. 2. Design and evaluate reporting lines for each entity to enable execution of authorities, execution and flow of information and setup appropriate authorities and responsibilities in the pursuit of objectives. 13
SOC_2023 CC2.2 SOC_2023_CC2.2 SOC 2023 CC2.2 Information and Communication Facilitate effective internal communication, including objectives and responsibilities for internal control. Shared n/a Entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control by setting up a process to communicate required information to enable personnel to understand and carry out responsibilities, ensure communication exists between management and board of directors, provides for separate communication channels which serve as fail-safe mechanism to enable anonymous or confidential communication and setting up relevant methods of communication by considering the timing, audience and nature information 28
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication Facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 218
SOC_2023 CC5.1 SOC_2023_CC5.1 SOC 2023 CC5.1 Control Activities Enhance the ability to manage uncertainties and accomplish its strategic goals. Shared n/a Entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. 17
SOC_2023 CC5.2 SOC_2023_CC5.2 SOC 2023 CC5.2 Control Activities Mitigate technology-related risks and ensure that technology effectively supports the organization in achieving its objectives, enhancing efficiency, reliability, and security in its operations. Shared n/a Entity also selects and develops general control activities over technology to support the achievement of objectives by determining Dependency Between the Use of Technology in Business Processes and Technology General Controls, establishing Relevant Technology Infrastructure Control Activities, establishing Relevant Security Management Process Controls Activities, establishing Relevant Technology Acquisition and Development, and Maintenance of Process Control Activities. 15
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities Maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 229
SOC_2023 CC6.1 SOC_2023_CC6.1 SOC 2023 CC6.1 Logical and Physical Access Controls Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. Shared n/a Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. 128
SOC_2023 CC6.2 SOC_2023_CC6.2 SOC 2023 CC6.2 Logical and Physical Access Controls Ensure effective access control and ensuring the security of the organization's systems and data. Shared n/a 1. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. 2. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. 50
SOC_2023 CC7.1 SOC_2023_CC7.1 SOC 2023 CC7.1 Systems Operations Maintain a proactive approach to cybersecurity and mitigate risks effectively. Shared n/a meet its objectives, the entity uses detection and monitoring procedures to identify changes to configurations that result in the introduction of new vulnerabilities, and susceptibilities to newly discovered vulnerabilities. 11
SOC_2023 CC7.2 SOC_2023_CC7.2 SOC 2023 CC7.2 Systems Operations Maintain robust security measures and ensure operational resilience. Shared n/a The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. 167
SOC_2023 CC7.5 SOC_2023_CC7.5 SOC 2023 CC7.5 Systems Operations Ensure prompt restoration of normal operations, mitigation of residual risks, and enhancement of incident response capabilities to minimize the impact of future incidents. Shared n/a The entity identifies, develops, and implements activities to recover from identified security incidents. 12
SOC_2023 CC8.1 SOC_2023_CC8.1 SOC 2023 CC8.1 Change Management Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. Shared n/a The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. 147
SOC_2023 CC9.2 SOC_2023_CC9.2 SOC 2023 CC9.2 Risk Mitigation Ensure effective risk management throughout the supply chain and business ecosystem. Shared n/a Entity assesses and manages risks associated with vendors and business partners. 43
SOC_2023 PI1.3 SOC_2023_PI1.3 SOC 2023 PI1.3 Additional Criteria for Processing Integrity (Over the provision of services or the production, manufacturing, or distribution of goods) Enhance efficiency, accuracy, and compliance with organizational standards and regulatory requirements with regards to system processing to result in products, services, and reporting to meet the entity’s objectives. Shared n/a The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives. 50
SWIFT_CSCF_2024 1.2 SWIFT_CSCF_2024_1.2 SWIFT Customer Security Controls Framework 2024 1.2 Privileged Account Control Operating System Privileged Account Control Shared Tightly protecting administrator-level accounts within the operating system reduces the opportunity for an attacker to use the privileges of the account as part of an attack (for example, executing commands or deleting evidence). To restrict and control the allocation and usage of administrator-level operating system accounts. 53
SWIFT_CSCF_2024 11.2 SWIFT_CSCF_2024_11.2 404 not found n/a n/a 26
SWIFT_CSCF_2024 2.6 SWIFT_CSCF_2024_2.6 SWIFT Customer Security Controls Framework 2024 2.6 Risk Management Operator Session Confidentiality and Integrity Shared 1. Operator sessions, through the jump server when accessing the on-premises or remote (that is hosted or operated by a third party, or both) Swift infrastructure, pose a unique threat because unusual or unexpected activity is more difficult to detect during interactive sessions than it is during application-to-application activity. 2. Therefore, it is important to protect the integrity and confidentiality of these operator sessions to reduce any opportunity for misuse or password theft. When used, access to the virtualisation layer (virtualisation or cloud management console) must be similarly protected. To protect the confidentiality and integrity of interactive operator sessions that connect to the on- premises or remote (operated by a service provider or outsourcing agent) Swift infrastructure or to a service provider or outsourcing agent Swift-related applications. 12
SWIFT_CSCF_2024 5.1 SWIFT_CSCF_2024_5.1 SWIFT Customer Security Controls Framework 2024 5.1 Access Control Logical Access Control Shared 1. Applying the security principles of (1) need-to-know, (2) least privilege, and (3) separation of duties is essential to restricting access to the user’s Swift infrastructure. 2. Effective management of operator accounts reduces the opportunities for a malicious person to use these accounts as part of an attack. To enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. 26
UK_NCSC_CAF_v3.2 B2.a UK_NCSC_CAF_v3.2_B2.a NCSC Cyber Assurance Framework (CAF) v3.2 B2.a Identity and Access Control Identity Verification, Authentication and Authorisation Shared 1. The process of initial identity verification is robust enough to provide a high level of confidence of a user’s identity profile before allowing an authorised user access to networks and information systems that support the essential function. 2. Only authorised and individually authenticated users can physically access and logically connect to the networks or information systems on which that essential function depends. 3. The number of authorised users and systems that have access to all the networks and information systems supporting the essential function is limited to the minimum necessary. 4. Use additional authentication mechanisms, such as multi-factor (MFA), for privileged access to all systems that operate or support the essential function. 5. Use additional authentication mechanisms, such as multi-factor (MFA), when there is individual authentication and authorisation of all remote user access to all the networks and information systems that support the essential function. 6. The list of users and systems with access to networks and systems supporting and delivering the essential functions reviewed on a regular basis, at least every six months. The organisation understands, documents and manages access to networks and information systems supporting the operation of essential functions. Users (or automated functions) that can access data or systems are appropriately verified, authenticated and authorised. Robustly verify, authenticate and authorise access to the networks and information systems supporting the essential function. 32
UK_NCSC_CAF_v3.2 B4.b UK_NCSC_CAF_v3.2_B4.b NCSC Cyber Assurance Framework (CAF) v3.2 B4.b System Security Secure Configuration Shared 1. Identify, document and actively manage (e.g. maintain security configurations, patching, updating according to good practice) the assets that need to be carefully configured to maintain the security of the essential function. 2. All platforms conform to secure, defined baseline build, or the latest known good configuration version for that environment. 3. Closely and effectively manage changes in the environment, ensuring that network and system configurations are secure and documented. 4. Regularly review and validate that your network and information systems have the expected, secure settings and configuration. 5. Only permitted software can be installed and standard users cannot change settings that would impact security or the business operation. 6. If automated decision-making technologies are in use, their operation is well understood, and decisions can be replicated. Securely configure the network and information systems that support the operation of essential functions. 36
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn unknown
[Preview]: Control the use of App Service in a Virtual Enclave 528d78c5-246c-4f26-ade6-d30798705411 VirtualEnclaves Preview BuiltIn true
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cyber Essentials v3.1 b2f588d7-1ed5-47c7-977d-b93dff520c4c Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
FFIEC CAT 2017 1d5dbdd5-6f93-43ce-a939-b19df3753cf7 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27017 2015 f48ecfa6-581c-43f9-8141-cd4adc72cf26 Regulatory Compliance GA BuiltIn unknown
NCSC Cyber Assurance Framework (CAF) v3.2 6d220abf-cf6f-4b17-8f7e-0644c4cc84b4 Regulatory Compliance GA BuiltIn unknown
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST CSF v2.0 184a0e05-7b06-4a68-bbbe-13b8353bc613 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn unknown
Sarbanes Oxley Act 2022 5757cf73-35d1-46d4-8c78-17b7ddd6076a Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn unknown
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-07-01 16:32:34 change Patch (2.0.0 > 2.0.1)
2022-04-01 20:29:14 change Major (1.0.0 > 2.0.0)
2019-12-11 09:18:30 add 95bccee9-a7f8-4bec-9ee9-62c3473701fc
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC