compliance controls are associated with this Policy definition 'Microsoft IaaSAntimalware extension should be deployed on Windows servers' (9b597639-28e4-48eb-b506-56b05d366257)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
AU_ISM |
1288 |
AU_ISM_1288 |
AU ISM 1288 |
Guidelines for Gateways - Content filtering |
Antivirus scanning - 1288 |
|
n/a |
Antivirus scanning, using multiple different scanning engines, is performed on all content. |
link |
1 |
AU_ISM |
1417 |
AU_ISM_1417 |
AU ISM 1417 |
Guidelines for System Hardening - Operating system hardening |
Antivirus software - 1417 |
|
n/a |
Antivirus software is implemented on workstations and servers and configured with:
• signature-based detection enabled and set to a high level
• heuristic-based detection enabled and set to a high level
• detection signatures checked for currency and updated on at least a daily basis
• automatic and regular scanning configured for all fixed disks and removable media. |
link |
1 |
Canada_Federal_PBMM_3-1-2020 |
AC_2(4) |
Canada_Federal_PBMM_3-1-2020_AC_2(4) |
Canada Federal PBMM 3-1-2020 AC 2(4) |
Account Management |
Account Management | Automated Audit Actions |
Shared |
1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers.
2. Related controls: AU-2, AU-12. |
To ensure accountability and transparency within the information system. |
|
53 |
Canada_Federal_PBMM_3-1-2020 |
SI_3 |
Canada_Federal_PBMM_3-1-2020_SI_3 |
Canada Federal PBMM 3-1-2020 SI 3 |
Malicious Code Protection |
Malicious Code Protection |
Shared |
1. The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code.
2. The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
3. The organization configures malicious code protection mechanisms to:
a. Perform periodic scans of the information system at least weekly and real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and
b. Block and quarantine malicious code; send alert to the key role as defined in the system and information integrity policy in response to malicious code detection.
4. The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. |
To mitigate potential impacts on system availability. |
|
52 |
Canada_Federal_PBMM_3-1-2020 |
SI_3(1) |
Canada_Federal_PBMM_3-1-2020_SI_3(1) |
Canada Federal PBMM 3-1-2020 SI 3(1) |
Malicious Code Protection |
Malicious Code Protection | Central Management |
Shared |
The organization centrally manages malicious code protection mechanisms. |
To centrally manage malicious code protection mechanisms. |
|
51 |
Canada_Federal_PBMM_3-1-2020 |
SI_3(2) |
Canada_Federal_PBMM_3-1-2020_SI_3(2) |
Canada Federal PBMM 3-1-2020 SI 3(2) |
Malicious Code Protection |
Malicious Code Protection | Automatic Updates |
Shared |
The information system automatically updates malicious code protection mechanisms. |
To ensure automatic updates in malicious code protection mechanisms. |
|
51 |
Canada_Federal_PBMM_3-1-2020 |
SI_3(7) |
Canada_Federal_PBMM_3-1-2020_SI_3(7) |
Canada Federal PBMM 3-1-2020 SI 3(7) |
Malicious Code Protection |
Malicious Code Protection | Non Signature-Based Detection |
Shared |
The information system implements non-signature-based malicious code detection mechanisms. |
To enhance overall security posture.
|
|
51 |
Canada_Federal_PBMM_3-1-2020 |
SI_8(1) |
Canada_Federal_PBMM_3-1-2020_SI_8(1) |
Canada Federal PBMM 3-1-2020 SI 8(1) |
Spam Protection |
Spam Protection | Central Management of Protection Mechanisms |
Shared |
The organization centrally manages spam protection mechanisms. |
To enhance overall security posture. |
|
88 |
CMMC_2.0_L2 |
SI.L1-3.14.2 |
CMMC_2.0_L2_SI.L1-3.14.2 |
404 not found |
|
|
|
n/a |
n/a |
|
11 |
CMMC_2.0_L2 |
SI.L1-3.14.4 |
CMMC_2.0_L2_SI.L1-3.14.4 |
404 not found |
|
|
|
n/a |
n/a |
|
3 |
CMMC_2.0_L2 |
SI.L1-3.14.5 |
CMMC_2.0_L2_SI.L1-3.14.5 |
404 not found |
|
|
|
n/a |
n/a |
|
4 |
CMMC_L2_v1.9.0 |
CM.L2_3.4.1 |
CMMC_L2_v1.9.0_CM.L2_3.4.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.1 |
Configuration Management |
System Baselining |
Shared |
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. |
To ensure consistency, security, and compliance with organizational standards and requirements. |
|
17 |
CMMC_L2_v1.9.0 |
SI.L1_3.14.2 |
CMMC_L2_v1.9.0_SI.L1_3.14.2 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.2 |
System and Information Integrity |
Malicious Code Protection |
Shared |
Provide protection from malicious code at appropriate locations within organizational information systems. |
To the integrity, confidentiality, and availability of information assets. |
|
19 |
CMMC_L2_v1.9.0 |
SI.L1_3.14.4 |
CMMC_L2_v1.9.0_SI.L1_3.14.4 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.4 |
System and Information Integrity |
Update Malicious Code Protection |
Shared |
Update malicious code protection mechanisms when new releases are available. |
To effectively defend against new and evolving malware threats, minimize the risk of infections, and maintain the security of their information systems and data. |
|
19 |
CMMC_L2_v1.9.0 |
SI.L1_3.14.5 |
CMMC_L2_v1.9.0_SI.L1_3.14.5 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.5 |
System and Information Integrity |
System & File Scanning |
Shared |
Perform periodic scans of the information system and real time scans of files from external sources as files are downloaded, opened, or executed. |
To identify and mitigate security risks, prevent malware infections and minimise the impact of security breaches. |
|
19 |
CMMC_L3 |
SI.1.211 |
CMMC_L3_SI.1.211 |
CMMC L3 SI.1.211 |
System and Information Integrity |
Provide protection from malicious code at appropriate locations within organizational information systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Designated locations include system entry and exit points which may include firewalls, remoteaccess servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities.
Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. |
link |
2 |
CMMC_L3 |
SI.1.213 |
CMMC_L3_SI.1.213 |
CMMC L3 SI.1.213 |
System and Information Integrity |
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Periodic scans of organizational systems and real-time scans of files from external sources can detect malicious code. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. |
link |
9 |
CSA_v4.0.12 |
CCC_06 |
CSA_v4.0.12_CCC_06 |
CSA Cloud Controls Matrix v4.0.12 CCC 06 |
Change Control and Configuration Management |
Change Management Baseline |
Shared |
n/a |
Establish change management baselines for all relevant authorized
changes on organization assets. |
|
8 |
CSA_v4.0.12 |
CEK_05 |
CSA_v4.0.12_CEK_05 |
CSA Cloud Controls Matrix v4.0.12 CEK 05 |
Cryptography, Encryption & Key Management |
Encryption Change Management |
Shared |
n/a |
Establish a standard change management procedure, to accommodate
changes from internal and external sources, for review, approval, implementation
and communication of cryptographic, encryption and key management technology
changes. |
|
11 |
CSA_v4.0.12 |
CEK_06 |
CSA_v4.0.12_CEK_06 |
CSA Cloud Controls Matrix v4.0.12 CEK 06 |
Cryptography, Encryption & Key Management |
Encryption Change Cost Benefit Analysis |
Shared |
n/a |
Manage and adopt changes to cryptography-, encryption-, and key management-related
systems (including policies and procedures) that fully account for downstream
effects of proposed changes, including residual risk, cost, and benefits analysis. |
|
8 |
CSA_v4.0.12 |
CEK_07 |
CSA_v4.0.12_CEK_07 |
CSA Cloud Controls Matrix v4.0.12 CEK 07 |
Cryptography, Encryption & Key Management |
Encryption Risk Management |
Shared |
n/a |
Establish and maintain an encryption and key management risk program
that includes provisions for risk assessment, risk treatment, risk context,
monitoring, and feedback. |
|
8 |
CSA_v4.0.12 |
CEK_20 |
CSA_v4.0.12_CEK_20 |
CSA Cloud Controls Matrix v4.0.12 CEK 20 |
Cryptography, Encryption & Key Management |
Key Recovery |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to assess the risk to operational continuity versus the risk of the
keying material and the information it protects being exposed if control of
the keying material is lost, which include provisions for legal and regulatory
requirements. |
|
25 |
CSA_v4.0.12 |
DCS_05 |
CSA_v4.0.12_DCS_05 |
CSA Cloud Controls Matrix v4.0.12 DCS 05 |
Datacenter Security |
Assets Classification |
Shared |
n/a |
Classify and document the physical, and logical assets (e.g., applications)
based on the organizational business risk. |
|
6 |
CSA_v4.0.12 |
DCS_06 |
CSA_v4.0.12_DCS_06 |
CSA Cloud Controls Matrix v4.0.12 DCS 06 |
Datacenter Security |
Assets Cataloguing and Tracking |
Shared |
n/a |
Catalogue and track all relevant physical and logical assets located
at all of the CSP's sites within a secured system. |
|
7 |
CSA_v4.0.12 |
UEM_04 |
CSA_v4.0.12_UEM_04 |
CSA Cloud Controls Matrix v4.0.12 UEM 04 |
Universal Endpoint Management |
Endpoint Inventory |
Shared |
n/a |
Maintain an inventory of all endpoints used to store and access company
data. |
|
6 |
CSA_v4.0.12 |
UEM_07 |
CSA_v4.0.12_UEM_07 |
CSA Cloud Controls Matrix v4.0.12 UEM 07 |
Universal Endpoint Management |
Operating Systems |
Shared |
n/a |
Manage changes to endpoint operating systems, patch levels, and/or
applications through the company's change management processes. |
|
6 |
CSA_v4.0.12 |
UEM_12 |
CSA_v4.0.12_UEM_12 |
CSA Cloud Controls Matrix v4.0.12 UEM 12 |
Universal Endpoint Management |
Remote Locate |
Shared |
n/a |
Enable remote geo-location capabilities for all managed mobile endpoints. |
|
6 |
Cyber_Essentials_v3.1 |
3 |
Cyber_Essentials_v3.1_3 |
Cyber Essentials v3.1 3 |
Cyber Essentials |
Security Update Management |
Shared |
n/a |
Aim: ensure that devices and software are not vulnerable to known security issues for which fixes are available. |
|
38 |
Cyber_Essentials_v3.1 |
5 |
Cyber_Essentials_v3.1_5 |
Cyber Essentials v3.1 5 |
Cyber Essentials |
Malware protection |
Shared |
n/a |
Aim: to restrict execution of known malware and untrusted software, from causing damage or accessing data. |
|
60 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_11 |
EU_2555_(NIS2)_2022_11 |
EU 2022/2555 (NIS2) 2022 11 |
|
Requirements, technical capabilities and tasks of CSIRTs |
Shared |
n/a |
Outlines the requirements, technical capabilities, and tasks of CSIRTs. |
|
69 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_12 |
EU_2555_(NIS2)_2022_12 |
EU 2022/2555 (NIS2) 2022 12 |
|
Coordinated vulnerability disclosure and a European vulnerability database |
Shared |
n/a |
Establishes a coordinated vulnerability disclosure process and a European vulnerability database. |
|
67 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
194 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_29 |
EU_2555_(NIS2)_2022_29 |
EU 2022/2555 (NIS2) 2022 29 |
|
Cybersecurity information-sharing arrangements |
Shared |
n/a |
Allows entities to exchange relevant cybersecurity information on a voluntary basis. |
|
67 |
EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
311 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.11 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 |
Policy and Implementation - Formal Audits |
Policy Area 11: Formal Audits |
Shared |
Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. |
Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. |
|
65 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.7 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 |
404 not found |
|
|
|
n/a |
n/a |
|
96 |
FFIEC_CAT_2017 |
3.1.1 |
FFIEC_CAT_2017_3.1.1 |
FFIEC CAT 2017 3.1.1 |
Cybersecurity Controls |
Infrastructure Management |
Shared |
n/a |
- Network perimeter defense tools (e.g., border router and firewall) are used.
- Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices.
- All ports are monitored.
- Up to date antivirus and anti-malware tools are used.
- Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced.
- Ports, functions, protocols and services are prohibited if no longer needed for business purposes.
- Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.
- Programs that can override system, object, network, virtual machine, and application controls are restricted.
- System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met.
- Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.) |
|
72 |
FFIEC_CAT_2017 |
3.2.3 |
FFIEC_CAT_2017_3.2.3 |
FFIEC CAT 2017 3.2.3 |
Cybersecurity Controls |
Event Detection |
Shared |
n/a |
- A normal network activity baseline is established.
- Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks.
- Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software.
- Responsibilities for monitoring and reporting suspicious systems activity have been assigned.
- The physical environment is monitored to detect potential unauthorized access. |
|
35 |
HITRUST_CSF_v11.3 |
06.h |
HITRUST_CSF_v11.3_06.h |
HITRUST CSF v11.3 06.h |
Compliance with Security Policies and Standards |
To ensure compliance with security implementation standards by regular checking of information systems. |
Shared |
1. Annual checks on the technical security configuration of systems is to be performed either manually by an individual with experience with the systems and/or with the assistance of automated software tools.
2. Technical compliance checking is to be implemented to show compliance in support of technical interoperability. |
Information systems shall be regularly checked for compliance with security implementation standards. |
|
7 |
HITRUST_CSF_v11.3 |
09.j |
HITRUST_CSF_v11.3_09.j |
HITRUST CSF v11.3 09.j |
Protection Against Malicious and Mobile Code |
To ensure that integrity of information and software is protected from malicious or unauthorized code |
Shared |
1. Technologies are to be implemented for timely installation, upgrade and renewal of anti-malware protective measures.
2. Automatic periodic scans of information systems is to be implemented.
3. Anti-malware software that offers a centralized infrastructure that compiles information on file reputations is to be implemented.
4. Post-malicious code update, signature deployment, scanning files, email, and web traffic is to be verified by automated systems, while BYOD users require anti-malware, network-based malware detection is to be used on servers without host-based solutions use.
5. Anti-malware audit logs checks to be performed.
6. Protection against malicious code is to be based on malicious code detection and repair software, security awareness, appropriate system access, and change management controls. |
Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided. |
|
37 |
ISO_IEC_27002_2022 |
5.9 |
ISO_IEC_27002_2022_5.9 |
ISO IEC 27002 2022 5.9 |
Preventive,
Identifying Control |
Inventory of information and other associated assets |
Shared |
An inventory of information and other associated assets, including owners, should be developed and maintained.
|
To identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership. |
|
8 |
ISO_IEC_27002_2022 |
8.7 |
ISO_IEC_27002_2022_8.7 |
ISO IEC 27002 2022 8.7 |
Identifying,
Protection,
Preventive Control |
Protection against malware |
Shared |
Protection against malware should be implemented and supported by appropriate user awareness.
|
To ensure information and other associated assets are protected against malware. |
|
19 |
ISO_IEC_27017_2015 |
8.1.1 |
ISO_IEC_27017_2015_8.1.1 |
ISO IEC 27017 2015 8.1.1 |
Asset Management |
Inventory of Assets |
Shared |
For Cloud Service Customer:
The cloud service customer's inventory of assets should account for information and associated assets stored in the cloud computing environment. The records of the inventory should indicate where the assets are maintained, e.g., identification of the cloud service.
For Cloud Service Provider:
The inventory of assets of the cloud service provider should explicitly identify:
(i) cloud service customer data;
(ii) cloud service derived data. |
To identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership. |
|
8 |
New_Zealand_ISM |
14.1.9.C.01 |
New_Zealand_ISM_14.1.9.C.01 |
New_Zealand_ISM_14.1.9.C.01 |
14. Software security |
14.1.9.C.01 Maintaining hardened SOEs |
|
n/a |
Agencies MUST ensure that for all servers and workstations: a technical specification is agreed for each platform with specified controls; a standard configuration created and updated for each operating system type and version; system users do not have the ability to install or disable software without approval; and installed software and operating system patching is up to date. |
|
16 |
NIST_SP_800-171_R2_3 |
.14.2 |
NIST_SP_800-171_R2_3.14.2 |
NIST SP 800-171 R2 3.14.2 |
System and Information Integrity |
Provide protection from malicious code at designated locations within organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Designated locations include system entry and exit points which may include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. [SP 800-83] provides guidance on malware incident prevention. |
link |
18 |
NIST_SP_800-171_R2_3 |
.14.4 |
NIST_SP_800-171_R2_3.14.4 |
NIST SP 800-171 R2 3.14.4 |
System and Information Integrity |
Update malicious code protection mechanisms when new releases are available. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. |
link |
9 |
NIST_SP_800-171_R2_3 |
.14.5 |
NIST_SP_800-171_R2_3.14.5 |
NIST SP 800-171 R2 3.14.5 |
System and Information Integrity |
Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Periodic scans of organizational systems and real-time scans of files from external sources can detect malicious code. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. |
link |
4 |
NIST_SP_800-171_R3_3 |
.14.2 |
NIST_SP_800-171_R3_3.14.2 |
NIST 800-171 R3 3.14.2 |
System and Information Integrity Control |
Malicious Code Protection |
Shared |
Malicious code insertions occur through the exploitation of system vulnerabilities. Periodic scans of the system and real-time scans of files from external sources as files are downloaded, opened, or executed can detect malicious code. Malicious code can be inserted into the system in many ways, including by email, the Internet, and portable storage devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats, contained in compressed or hidden files, or hidden in files using techniques such as steganography. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software and custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.
If malicious code cannot be detected by detection methods or technologies, organizations can rely on secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that the software only performs intended functions. Organizations may determine that different actions are warranted in response to the detection of malicious code. For example, organizations can define actions to be taken in response to malicious code detection during scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files. |
a. Implement malicious code protection mechanisms at designated locations within the system to detect and eradicate malicious code.
b. Update malicious code protection mechanisms as new releases are available in accordance with configuration management policy and procedures.
c. Configure malicious code protection mechanisms to:
1. Perform scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at endpoints or network entry and exit points as the files are downloaded, opened, or executed; and
2. Block malicious code, quarantine malicious code, or take other actions in response to malicious code detection. |
|
19 |
NIST_SP_800-171_R3_3 |
.4.10 |
NIST_SP_800-171_R3_3.4.10 |
NIST 800-171 R3 3.4.10 |
Configuration Management Control |
System Component Inventory |
Shared |
System components are discrete, identifiable assets (i.e., hardware, software, and firmware elements) that compose a system. Organizations may implement centralized system component inventories that include components from all systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information — and for networked components — the machine names and network addresses for all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include component type, physical location, date of receipt, manufacturer, cost, model, serial number, and supplier information. |
a. Develop and document an inventory of system components.
b. Review and update the system component inventory periodically.
c. Update the system component inventory as part of installations, removals, and system updates. |
|
8 |
NIST_SP_800-53_R5.1.1 |
CM.8 |
NIST_SP_800-53_R5.1.1_CM.8 |
NIST SP 800-53 R5.1.1 CM.8 |
Configuration Management Control |
System Component Inventory |
Shared |
a. Develop and document an inventory of system components that:
1. Accurately reflects the system;
2. Includes all components within the system;
3. Does not include duplicate accounting of components or components assigned to any other system;
4. Is at the level of granularity deemed necessary for tracking and reporting; and
5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and
b. Review and update the system component inventory [Assignment: organization-defined frequency]. |
System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.
Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8(7) can help to eliminate duplicate accounting of components. |
|
7 |
NIST_SP_800-53_R5.1.1 |
SI.3 |
NIST_SP_800-53_R5.1.1_SI.3 |
NIST SP 800-53 R5.1.1 SI.3 |
System and Information Integrity Control |
Malicious Code Protection |
Shared |
a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
c. Configure malicious code protection mechanisms to:
1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]
]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and
d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. |
System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.
Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.
In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files. |
|
19 |
NZISM_v3.7 |
14.1.8.C.01. |
NZISM_v3.7_14.1.8.C.01. |
NZISM v3.7 14.1.8.C.01. |
Standard Operating Environments |
14.1.8.C.01. - To minimise vulnerabilities and enhance system security |
Shared |
n/a |
Agencies SHOULD develop a hardened SOE for workstations and servers, covering:
1. removal of unneeded software and operating system components;
2. removal or disabling of unneeded services, ports and BIOS settings;
3. disabling of unused or undesired functionality in software and operating systems;
4. implementation of access controls on relevant objects to limit system users and programs to the minimum access required;
5. installation of antivirus and anti-malware software;
6. installation of software-based firewalls limiting inbound and outbound network connections;
7. configuration of either remote logging or the transfer of local event logs to a central server; and
8. protection of audit and other logs through the use of a one way pipe to reduce likelihood of compromise key transaction records. |
|
31 |
NZISM_v3.7 |
14.1.9.C.01. |
NZISM_v3.7_14.1.9.C.01. |
NZISM v3.7 14.1.9.C.01. |
Standard Operating Environments |
14.1.9.C.01. - To maintain system reliability, protect sensitive information, and fulfill security requirements. |
Shared |
n/a |
Agencies MUST ensure that for all servers and workstations:
1. a technical specification is agreed for each platform with specified controls;
2. a standard configuration created and updated for each operating system type and version;
3. system users do not have the ability to install or disable software without approval; and
4. installed software and operating system patching is up to date. |
|
6 |
NZISM_v3.7 |
17.1.58.C.02. |
NZISM_v3.7_17.1.58.C.02. |
NZISM v3.7 17.1.58.C.02. |
Cryptographic Fundamentals |
17.1.58.C.02. - To enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies SHOULD use risk assessment techniques and guidance to establish cryptoperiods. |
|
25 |
NZISM_v3.7 |
17.5.7.C.02. |
NZISM_v3.7_17.5.7.C.02. |
NZISM v3.7 17.5.7.C.02. |
Secure Shell |
17.5.7.C.02. - To enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies that allow password authentication SHOULD use techniques to block brute force attacks against the password. |
|
43 |
NZISM_v3.7 |
22.1.24.C.02. |
NZISM_v3.7_22.1.24.C.02. |
NZISM v3.7 22.1.24.C.02. |
Cloud Computing |
22.1.24.C.02. - To enhance security posture. |
Shared |
n/a |
Agencies intending to adopt cloud technologies or services SHOULD apply separation and access controls to protect data and systems where support is provided by offshore technical staff. |
|
6 |
NZISM_v3.7 |
22.1.26.C.01. |
NZISM_v3.7_22.1.26.C.01. |
NZISM v3.7 22.1.26.C.01. |
Cloud Computing |
22.1.26.C.01. - To ensure safety of data. |
Shared |
n/a |
Agencies MUST develop and implement a backup, recovery and archiving plan and supporting procedures. |
|
12 |
NZISM_v3.7 |
23.1.56.C.01. |
NZISM_v3.7_23.1.56.C.01. |
NZISM v3.7 23.1.56.C.01. |
Public Cloud Security Concepts |
23.1.56.C.01. - To reduce manual errors and ensure adherence to security standards. |
Shared |
n/a |
Agencies SHOULD deploy and manage their cloud infrastructure using automation, version control, and infrastructure as code techniques where these are available. |
|
6 |
NZISM_v3.7 |
23.2.20.C.01. |
NZISM_v3.7_23.2.20.C.01. |
NZISM v3.7 23.2.20.C.01. |
Governance, Risk Assessment & Assurance |
23.2.20.C.01. - To enhance confidence in the security and reliability of cloud services and mitigate risks associated with potential vulnerabilities or non-compliance with security standards. |
Shared |
n/a |
Agencies MUST obtain assurance that technical protections exist to adequately isolate tenants. |
|
6 |
NZISM_v3.7 |
6.4.6.C.01. |
NZISM_v3.7_6.4.6.C.01. |
NZISM v3.7 6.4.6.C.01. |
Business Continuity and Disaster Recovery |
6.4.6.C.01. - To enhance operational resilience. |
Shared |
n/a |
Agencies SHOULD:
1.Identify vital records;
2. backup all vital records;
3. store copies of critical information, with associated documented recovery procedures, offsite and secured in accordance with the requirements for the highest 4.
4. classification of the information; and
5. test backup and restoration processes regularly to confirm their effectiveness. |
|
14 |
PCI_DSS_v4.0.1 |
5.2.1 |
PCI_DSS_v4.0.1_5.2.1 |
PCI DSS v4.0.1 5.2.1 |
Protect All Systems and Networks from Malicious Software |
An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware |
Shared |
n/a |
Examine system components to verify that an anti-malware solution(s) is deployed on all system components, except for those determined to not be at risk from malware based on periodic evaluations per Requirement 5.2.3. For any system components without an anti-malware solution, examine the periodic evaluations to verify the component was evaluated and the evaluation concludes that the component is not at risk from malware |
|
19 |
PCI_DSS_v4.0.1 |
5.2.2 |
PCI_DSS_v4.0.1_5.2.2 |
PCI DSS v4.0.1 5.2.2 |
Protect All Systems and Networks from Malicious Software |
The deployed anti-malware solution(s) detects all known types of malware and removes, blocks, or contains all known types of malware |
Shared |
n/a |
Examine vendor documentation and configurations of the anti-malware solution(s) to verify that the solution detects all known types of malware and removes, blocks, or contains all known types of malware |
|
19 |
PCI_DSS_v4.0.1 |
5.2.3 |
PCI_DSS_v4.0.1_5.2.3 |
PCI DSS v4.0.1 5.2.3 |
Protect All Systems and Networks from Malicious Software |
Any system components that are not at risk for malware are evaluated periodically to include the following: a documented list of all system components not at risk for malware, identification and evaluation of evolving malware threats for those system components, confirmation whether such system components continue to not require anti-malware protection |
Shared |
n/a |
Examine documented policies and procedures to verify that a process is defined for periodic evaluations of any system components that are not at risk for malware that includes all elements specified in this requirement. Interview personnel to verify that the evaluations include all elements specified in this requirement. Examine the list of system components identified as not at risk of malware and compare to the system components without an anti-malware solution deployed per Requirement 5.2.1 to verify that the system components match for both requirements |
|
19 |
PCI_DSS_v4.0.1 |
5.3.1 |
PCI_DSS_v4.0.1_5.3.1 |
PCI DSS v4.0.1 5.3.1 |
Protect All Systems and Networks from Malicious Software |
The anti-malware solution(s) is kept current via automatic updates |
Shared |
n/a |
Examine anti-malware solution(s) configurations, including any master installation of the software, to verify the solution is configured to perform automatic updates. Examine system components and logs, to verify that the anti-malware solution(s) and definitions are current and have been promptly deployed |
|
19 |
PCI_DSS_v4.0.1 |
5.3.2 |
PCI_DSS_v4.0.1_5.3.2 |
PCI DSS v4.0.1 5.3.2 |
Protect All Systems and Networks from Malicious Software |
The anti-malware solution(s) performs periodic scans and active or real-time scans, or performs continuous behavioral analysis of systems or processes |
Shared |
n/a |
Examine anti-malware solution(s) configurations, including any master installation of the software, to verify the solution(s) is configured to perform at least one of the elements specified in this requirement. Examine system components, including all operating system types identified as at risk for malware, to verify the solution(s) is enabled in accordance with at least one of the elements specified in this requirement. Examine logs and scan results to verify that the solution(s) is enabled in accordance with at least one of the elements specified in this requirement |
|
19 |
PCI_DSS_v4.0.1 |
5.3.3 |
PCI_DSS_v4.0.1_5.3.3 |
PCI DSS v4.0.1 5.3.3 |
Protect All Systems and Networks from Malicious Software |
For removable electronic media, the anti-malware solution(s) performs automatic scans of when the media is inserted, connected, or logically mounted, or performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted |
Shared |
n/a |
Examine anti-malware solution(s) configurations to verify that, for removable electronic media, the solution is configured to perform at least one of the elements specified in this requirement. Examine system components with removable electronic media connected to verify that the solution(s) is enabled in accordance with at least one of the elements as specified in this requirement. Examine logs and scan results to verify that the solution(s) is enabled in accordance with at least one of the elements specified in this requirement |
|
19 |
PCI_DSS_v4.0.1 |
9.5.1 |
PCI_DSS_v4.0.1_9.5.1 |
PCI DSS v4.0.1 9.5.1 |
Restrict Physical Access to Cardholder Data |
Protection Measures for POI Devices Against Tampering and Unauthorized Substitution |
Shared |
n/a |
POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following:
• Maintaining a list of POI devices.
• Periodically inspecting POI devices to look for tampering or unauthorized substitution.
• Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices. |
|
10 |
PCI_DSS_v4.0.1 |
9.5.1.1 |
PCI_DSS_v4.0.1_9.5.1.1 |
PCI DSS v4.0.1 9.5.1.1 |
Restrict Physical Access to Cardholder Data |
Maintenance of an Up-to-Date List of POI Devices |
Shared |
n/a |
An up-to-date list of POI devices is maintained, including:
• Make and model of the device.
• Location of device.
• Device serial number or other methods of unique identification. |
|
8 |
RMiT_v1.0 |
Appendix_5.7 |
RMiT_v1.0_Appendix_5.7 |
RMiT Appendix 5.7 |
Control Measures on Cybersecurity |
Control Measures on Cybersecurity - Appendix 5.7 |
Customer |
n/a |
Ensure overall network security controls are implemented including the following:
(a) dedicated firewalls at all segments. All external-facing firewalls must be deployed on High Availability (HA) configuration and “fail-close” mode activated. Deploy different brand name/model for two firewalls located in sequence within the same network path;
(b) IPS at all critical network segments with the capability to inspect and monitor encrypted network traffic;
(c) web and email filtering systems such as web-proxy, spam filter and anti-spoofing controls;
(d) endpoint protection solution to detect and remove security threats including viruses and malicious software;
(e) solution to mitigate advanced persistent threats including zero-day and signatureless malware; and
(f) capture the full network packets to rebuild relevant network sessions to aid forensics in the event of incidents. |
link |
21 |
SOC_2023 |
CC1.4 |
SOC_2023_CC1.4 |
SOC 2023 CC1.4 |
Control Environment |
To ensure organizational resilience, innovation, and competitiveness in the long run. |
Shared |
n/a |
Entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives by establishing policies and procedures, evaluating the competence required and address its shortcomings, attracts, develops and retains individuals through mentoring and training and plan and prepare for succession by developing contingency plans for assignments of responsibilities important for internal control. |
|
8 |
SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
To facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
219 |
SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
To maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
230 |
SOC_2023 |
CC6.1 |
SOC_2023_CC6.1 |
SOC 2023 CC6.1 |
Logical and Physical Access Controls |
To mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. |
Shared |
n/a |
Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. |
|
129 |
SOC_2023 |
CC6.8 |
SOC_2023_CC6.8 |
SOC 2023 CC6.8 |
Logical and Physical Access Controls |
To mitigate the risk of cybersecurity threats, safeguard critical systems and data, and maintain operational continuity and integrity. |
Shared |
n/a |
Entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
|
33 |
SOC_2023 |
CC7.2 |
SOC_2023_CC7.2 |
SOC 2023 CC7.2 |
Systems Operations |
To maintain robust security measures and ensure operational resilience. |
Shared |
n/a |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. |
|
168 |
SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
214 |
SOC_2023 |
CM_8b |
SOC_2023_CM_8b |
404 not found |
|
|
|
n/a |
n/a |
|
7 |
SWIFT_CSCF_2024 |
6.1 |
SWIFT_CSCF_2024_6.1 |
SWIFT Customer Security Controls Framework 2024 6.1 |
Risk Management |
Malware Protection |
Shared |
1. Malware is a general term that includes many types of intrusive and unwanted software, including viruses.
2. Anti-malware technology (a broader term for anti-virus) is effective in protecting against malicious code that has a known digital or behaviour profile |
To ensure that the user’s Swift infrastructure is protected against malware and act upon results. |
|
19 |
SWIFT_CSCF_v2021 |
6.1 |
SWIFT_CSCF_v2021_6.1 |
SWIFT CSCF v2021 6.1 |
Detect Anomalous Activity to Systems or Transaction Records |
Malware Protection |
|
n/a |
Ensure that local SWIFT infrastructure is protected against malware. |
link |
2 |
SWIFT_CSCF_v2022 |
6.1 |
SWIFT_CSCF_v2022_6.1 |
SWIFT CSCF v2022 6.1 |
6. Detect Anomalous Activity to Systems or Transaction Records |
Ensure that local SWIFT infrastructure is protected against malware and act upon results. |
Shared |
n/a |
Anti-malware software from a reputable vendor is installed, kept up-to-date on all systems, and results are considered for appropriate resolving actions. |
link |
29 |