AzPolicyAdvertizer

last sync: 2025-Jul-01 17:24:08 UTC

Microsoft IaaSAntimalware extension should be deployed on Windows servers

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft IaaSAntimalware extension should be deployed on Windows servers
Id 9b597639-28e4-48eb-b506-56b05d366257
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Compute
Microsoft Learn
Description This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.*.*'
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases IF (3)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Compute/imageOffer Microsoft.Compute
Microsoft.Compute
Microsoft.Compute		 virtualMachines
virtualMachineScaleSets
disks		 properties.storageProfile.imageReference.offer
properties.virtualMachineProfile.storageProfile.imageReference.offer
properties.creationData.imageReference.id		 True
True
True

False
False
False
Microsoft.Compute/imagePublisher Microsoft.Compute
Microsoft.Compute
Microsoft.Compute		 virtualMachines
virtualMachineScaleSets
disks		 properties.storageProfile.imageReference.publisher
properties.virtualMachineProfile.storageProfile.imageReference.publisher
properties.creationData.imageReference.id		 True
True
True

False
False
False
Microsoft.Compute/imageSKU Microsoft.Compute
Microsoft.Compute
Microsoft.Compute		 virtualMachines
virtualMachineScaleSets
disks		 properties.storageProfile.imageReference.sku
properties.virtualMachineProfile.storageProfile.imageReference.sku
properties.creationData.imageReference.id		 True
True
True

False
False
False
THEN-ExistenceCondition (2)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Compute/virtualMachines/extensions/publisher Microsoft.Compute virtualMachines/extensions properties.publisher True False
Microsoft.Compute/virtualMachines/extensions/type Microsoft.Compute virtualMachines/extensions properties.type True False
Rule resource types IF (1)
Compliance
The following 85 compliance controls are associated with this Policy definition 'Microsoft IaaSAntimalware extension should be deployed on Windows servers' (9b597639-28e4-48eb-b506-56b05d366257)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
AU_ISM 1288 AU_ISM_1288 AU ISM 1288 Guidelines for Gateways - Content filtering Antivirus scanning - 1288 n/a Antivirus scanning, using multiple different scanning engines, is performed on all content. link 1
AU_ISM 1417 AU_ISM_1417 AU ISM 1417 Guidelines for System Hardening - Operating system hardening Antivirus software - 1417 n/a Antivirus software is implemented on workstations and servers and configured with: • signature-based detection enabled and set to a high level • heuristic-based detection enabled and set to a high level • detection signatures checked for currency and updated on at least a daily basis • automatic and regular scanning configured for all fixed disks and removable media. link 1
Canada_Federal_PBMM_3-1-2020 AC_2(4) Canada_Federal_PBMM_3-1-2020_AC_2(4) Canada Federal PBMM 3-1-2020 AC 2(4) Account Management Account Management | Automated Audit Actions Shared 1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers. 2. Related controls: AU-2, AU-12. To ensure accountability and transparency within the information system. 50
Canada_Federal_PBMM_3-1-2020 SI_3 Canada_Federal_PBMM_3-1-2020_SI_3 Canada Federal PBMM 3-1-2020 SI 3 Malicious Code Protection Malicious Code Protection Shared 1. The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code. 2. The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. 3. The organization configures malicious code protection mechanisms to: a. Perform periodic scans of the information system at least weekly and real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and b. Block and quarantine malicious code; send alert to the key role as defined in the system and information integrity policy in response to malicious code detection. 4. The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. To mitigate potential impacts on system availability. 52
Canada_Federal_PBMM_3-1-2020 SI_3(1) Canada_Federal_PBMM_3-1-2020_SI_3(1) Canada Federal PBMM 3-1-2020 SI 3(1) Malicious Code Protection Malicious Code Protection | Central Management Shared The organization centrally manages malicious code protection mechanisms. To centrally manage malicious code protection mechanisms. 51
Canada_Federal_PBMM_3-1-2020 SI_3(2) Canada_Federal_PBMM_3-1-2020_SI_3(2) Canada Federal PBMM 3-1-2020 SI 3(2) Malicious Code Protection Malicious Code Protection | Automatic Updates Shared The information system automatically updates malicious code protection mechanisms. To ensure automatic updates in malicious code protection mechanisms. 51
Canada_Federal_PBMM_3-1-2020 SI_3(7) Canada_Federal_PBMM_3-1-2020_SI_3(7) Canada Federal PBMM 3-1-2020 SI 3(7) Malicious Code Protection Malicious Code Protection | Non Signature-Based Detection Shared The information system implements non-signature-based malicious code detection mechanisms. To enhance overall security posture. 51
Canada_Federal_PBMM_3-1-2020 SI_8(1) Canada_Federal_PBMM_3-1-2020_SI_8(1) Canada Federal PBMM 3-1-2020 SI 8(1) Spam Protection Spam Protection | Central Management of Protection Mechanisms Shared The organization centrally manages spam protection mechanisms. To enhance overall security posture. 87
CMMC_2.0_L2 SI.L1-3.14.2 CMMC_2.0_L2_SI.L1-3.14.2 404 not found n/a n/a 11
CMMC_2.0_L2 SI.L1-3.14.4 CMMC_2.0_L2_SI.L1-3.14.4 404 not found n/a n/a 3
CMMC_2.0_L2 SI.L1-3.14.5 CMMC_2.0_L2_SI.L1-3.14.5 404 not found n/a n/a 4
CMMC_L2_v1.9.0 CM.L2_3.4.1 CMMC_L2_v1.9.0_CM.L2_3.4.1 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.1 Configuration Management System Baselining Shared Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. To ensure consistency, security, and compliance with organizational standards and requirements. 15
CMMC_L2_v1.9.0 SI.L1_3.14.2 CMMC_L2_v1.9.0_SI.L1_3.14.2 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.2 System and Information Integrity Malicious Code Protection Shared Provide protection from malicious code at appropriate locations within organizational information systems. To the integrity, confidentiality, and availability of information assets. 19
CMMC_L2_v1.9.0 SI.L1_3.14.4 CMMC_L2_v1.9.0_SI.L1_3.14.4 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.4 System and Information Integrity Update Malicious Code Protection Shared Update malicious code protection mechanisms when new releases are available. To effectively defend against new and evolving malware threats, minimize the risk of infections, and maintain the security of their information systems and data. 19
CMMC_L2_v1.9.0 SI.L1_3.14.5 CMMC_L2_v1.9.0_SI.L1_3.14.5 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.5 System and Information Integrity System & File Scanning Shared Perform periodic scans of the information system and real time scans of files from external sources as files are downloaded, opened, or executed. To identify and mitigate security risks, prevent malware infections and minimise the impact of security breaches. 19
CMMC_L3 SI.1.211 CMMC_L3_SI.1.211 CMMC L3 SI.1.211 System and Information Integrity Provide protection from malicious code at appropriate locations within organizational information systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Designated locations include system entry and exit points which may include firewalls, remoteaccess servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. link 2
CMMC_L3 SI.1.213 CMMC_L3_SI.1.213 CMMC L3 SI.1.213 System and Information Integrity Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Shared Microsoft and the customer share responsibilities for implementing this requirement. Periodic scans of organizational systems and real-time scans of files from external sources can detect malicious code. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. link 9
CSA_v4.0.12 CCC_06 CSA_v4.0.12_CCC_06 CSA Cloud Controls Matrix v4.0.12 CCC 06 Change Control and Configuration Management Change Management Baseline Shared n/a Establish change management baselines for all relevant authorized changes on organization assets. 6
CSA_v4.0.12 CEK_05 CSA_v4.0.12_CEK_05 CSA Cloud Controls Matrix v4.0.12 CEK 05 Cryptography, Encryption & Key Management Encryption Change Management Shared n/a Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes. 9
CSA_v4.0.12 CEK_06 CSA_v4.0.12_CEK_06 CSA Cloud Controls Matrix v4.0.12 CEK 06 Cryptography, Encryption & Key Management Encryption Change Cost Benefit Analysis Shared n/a Manage and adopt changes to cryptography-, encryption-, and key management-related systems (including policies and procedures) that fully account for downstream effects of proposed changes, including residual risk, cost, and benefits analysis. 6
CSA_v4.0.12 CEK_07 CSA_v4.0.12_CEK_07 CSA Cloud Controls Matrix v4.0.12 CEK 07 Cryptography, Encryption & Key Management Encryption Risk Management Shared n/a Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback. 6
CSA_v4.0.12 CEK_20 CSA_v4.0.12_CEK_20 CSA Cloud Controls Matrix v4.0.12 CEK 20 Cryptography, Encryption & Key Management Key Recovery Shared n/a Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements. 23
CSA_v4.0.12 DCS_05 CSA_v4.0.12_DCS_05 CSA Cloud Controls Matrix v4.0.12 DCS 05 Datacenter Security Assets Classification Shared n/a Classify and document the physical, and logical assets (e.g., applications) based on the organizational business risk. 4
CSA_v4.0.12 DCS_06 CSA_v4.0.12_DCS_06 CSA Cloud Controls Matrix v4.0.12 DCS 06 Datacenter Security Assets Cataloguing and Tracking Shared n/a Catalogue and track all relevant physical and logical assets located at all of the CSP's sites within a secured system. 5
CSA_v4.0.12 UEM_04 CSA_v4.0.12_UEM_04 CSA Cloud Controls Matrix v4.0.12 UEM 04 Universal Endpoint Management Endpoint Inventory Shared n/a Maintain an inventory of all endpoints used to store and access company data. 4
CSA_v4.0.12 UEM_07 CSA_v4.0.12_UEM_07 CSA Cloud Controls Matrix v4.0.12 UEM 07 Universal Endpoint Management Operating Systems Shared n/a Manage changes to endpoint operating systems, patch levels, and/or applications through the company's change management processes. 4
CSA_v4.0.12 UEM_12 CSA_v4.0.12_UEM_12 CSA Cloud Controls Matrix v4.0.12 UEM 12 Universal Endpoint Management Remote Locate Shared n/a Enable remote geo-location capabilities for all managed mobile endpoints. 4
Cyber_Essentials_v3.1 3 Cyber_Essentials_v3.1_3 Cyber Essentials v3.1 3 Cyber Essentials Security Update Management Shared n/a Aim: ensure that devices and software are not vulnerable to known security issues for which fixes are available.   38
Cyber_Essentials_v3.1 5 Cyber_Essentials_v3.1_5 Cyber Essentials v3.1 5 Cyber Essentials Malware protection Shared n/a Aim: to restrict execution of known malware and untrusted software, from causing damage or accessing data. 60
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_11 EU_2555_(NIS2)_2022_11 EU 2022/2555 (NIS2) 2022 11 Requirements, technical capabilities and tasks of CSIRTs Shared n/a Outlines the requirements, technical capabilities, and tasks of CSIRTs. 64
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_12 EU_2555_(NIS2)_2022_12 EU 2022/2555 (NIS2) 2022 12 Coordinated vulnerability disclosure and a European vulnerability database Shared n/a Establishes a coordinated vulnerability disclosure process and a European vulnerability database. 62
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 189
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_29 EU_2555_(NIS2)_2022_29 EU 2022/2555 (NIS2) 2022 29 Cybersecurity information-sharing arrangements Shared n/a Allows entities to exchange relevant cybersecurity information on a voluntary basis. 62
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 306
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 306
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 306
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 306
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .11 FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 Policy and Implementation - Formal Audits Policy Area 11: Formal Audits Shared Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. 60
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .7 FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 404 not found n/a n/a 94
FFIEC_CAT_2017 3.1.1 FFIEC_CAT_2017_3.1.1 FFIEC CAT 2017 3.1.1 Cybersecurity Controls Infrastructure Management Shared n/a - Network perimeter defense tools (e.g., border router and firewall) are used. - Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. - All ports are monitored. - Up to date antivirus and anti-malware tools are used. - Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. - Ports, functions, protocols and services are prohibited if no longer needed for business purposes. - Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored. - Programs that can override system, object, network, virtual machine, and application controls are restricted. - System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met. - Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.) 71
FFIEC_CAT_2017 3.2.3 FFIEC_CAT_2017_3.2.3 FFIEC CAT 2017 3.2.3 Cybersecurity Controls Event Detection Shared n/a - A normal network activity baseline is established. - Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks. - Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. - Responsibilities for monitoring and reporting suspicious systems activity have been assigned. - The physical environment is monitored to detect potential unauthorized access. 30
HITRUST_CSF_v11.3 06.h HITRUST_CSF_v11.3_06.h HITRUST CSF v11.3 06.h Compliance with Security Policies and Standards Ensure compliance with security implementation standards by regular checking of information systems. Shared 1. Annual checks on the technical security configuration of systems is to be performed either manually by an individual with experience with the systems and/or with the assistance of automated software tools. 2. Technical compliance checking is to be implemented to show compliance in support of technical interoperability. Information systems shall be regularly checked for compliance with security implementation standards. 5
HITRUST_CSF_v11.3 09.j HITRUST_CSF_v11.3_09.j HITRUST CSF v11.3 09.j Protection Against Malicious and Mobile Code Ensure that integrity of information and software is protected from malicious or unauthorized code Shared 1. Technologies are to be implemented for timely installation, upgrade and renewal of anti-malware protective measures. 2. Automatic periodic scans of information systems is to be implemented. 3. Anti-malware software that offers a centralized infrastructure that compiles information on file reputations is to be implemented. 4. Post-malicious code update, signature deployment, scanning files, email, and web traffic is to be verified by automated systems, while BYOD users require anti-malware, network-based malware detection is to be used on servers without host-based solutions use. 5. Anti-malware audit logs checks to be performed. 6. Protection against malicious code is to be based on malicious code detection and repair software, security awareness, appropriate system access, and change management controls. Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided. 37
ISO_IEC_27002_2022 5.9 ISO_IEC_27002_2022_5.9 ISO IEC 27002 2022 5.9 Preventive, Identifying Control Inventory of information and other associated assets Shared An inventory of information and other associated assets, including owners, should be developed and maintained. To identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership. 6
ISO_IEC_27002_2022 8.7 ISO_IEC_27002_2022_8.7 ISO IEC 27002 2022 8.7 Identifying, Protection, Preventive Control Protection against malware Shared Protection against malware should be implemented and supported by appropriate user awareness. To ensure information and other associated assets are protected against malware. 19
ISO_IEC_27017_2015 8.1.1 ISO_IEC_27017_2015_8.1.1 ISO IEC 27017 2015 8.1.1 Asset Management Inventory of Assets Shared For Cloud Service Customer: The cloud service customer's inventory of assets should account for information and associated assets stored in the cloud computing environment. The records of the inventory should indicate where the assets are maintained, e.g., identification of the cloud service. For Cloud Service Provider: The inventory of assets of the cloud service provider should explicitly identify: (i) cloud service customer data; (ii) cloud service derived data. To identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership. 6
K_ISMS_P_2018 2.10.1 K_ISMS_P_2018_2.10.1 K ISMS P 2018 2.10.1 2.10 Establish Procedures for Managing the Security of System Operations Shared n/a Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions. 455
K_ISMS_P_2018 2.10.2 K_ISMS_P_2018_2.10.2 K ISMS P 2018 2.10.2 2.10 Establish Protective Measures for Administrator Privileges and Security Configurations Shared n/a Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations. 431
New_Zealand_ISM 14.1.9.C.01 New_Zealand_ISM_14.1.9.C.01 New_Zealand_ISM_14.1.9.C.01 14. Software security 14.1.9.C.01 Maintaining hardened SOEs n/a Agencies MUST ensure that for all servers and workstations: a technical specification is agreed for each platform with specified controls; a standard configuration created and updated for each operating system type and version; system users do not have the ability to install or disable software without approval; and installed software and operating system patching is up to date. 16
NIST_SP_800-171_R2_3 .14.2 NIST_SP_800-171_R2_3.14.2 NIST SP 800-171 R2 3.14.2 System and Information Integrity Provide protection from malicious code at designated locations within organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Designated locations include system entry and exit points which may include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. [SP 800-83] provides guidance on malware incident prevention. link 18
NIST_SP_800-171_R2_3 .14.4 NIST_SP_800-171_R2_3.14.4 NIST SP 800-171 R2 3.14.4 System and Information Integrity Update malicious code protection mechanisms when new releases are available. Shared Microsoft and the customer share responsibilities for implementing this requirement. Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. link 9
NIST_SP_800-171_R2_3 .14.5 NIST_SP_800-171_R2_3.14.5 NIST SP 800-171 R2 3.14.5 System and Information Integrity Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. Shared Microsoft and the customer share responsibilities for implementing this requirement. Periodic scans of organizational systems and real-time scans of files from external sources can detect malicious code. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. link 4
NIST_SP_800-171_R3_3 .14.2 NIST_SP_800-171_R3_3.14.2 NIST 800-171 R3 3.14.2 System and Information Integrity Control Malicious Code Protection Shared Malicious code insertions occur through the exploitation of system vulnerabilities. Periodic scans of the system and real-time scans of files from external sources as files are downloaded, opened, or executed can detect malicious code. Malicious code can be inserted into the system in many ways, including by email, the Internet, and portable storage devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats, contained in compressed or hidden files, or hidden in files using techniques such as steganography. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software and custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions. If malicious code cannot be detected by detection methods or technologies, organizations can rely on secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that the software only performs intended functions. Organizations may determine that different actions are warranted in response to the detection of malicious code. For example, organizations can define actions to be taken in response to malicious code detection during scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files. a. Implement malicious code protection mechanisms at designated locations within the system to detect and eradicate malicious code. b. Update malicious code protection mechanisms as new releases are available in accordance with configuration management policy and procedures. c. Configure malicious code protection mechanisms to: 1. Perform scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at endpoints or network entry and exit points as the files are downloaded, opened, or executed; and 2. Block malicious code, quarantine malicious code, or take other actions in response to malicious code detection. 19
NIST_SP_800-171_R3_3 .4.10 NIST_SP_800-171_R3_3.4.10 NIST 800-171 R3 3.4.10 Configuration Management Control System Component Inventory Shared System components are discrete, identifiable assets (i.e., hardware, software, and firmware elements) that compose a system. Organizations may implement centralized system component inventories that include components from all systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information — and for networked components — the machine names and network addresses for all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include component type, physical location, date of receipt, manufacturer, cost, model, serial number, and supplier information. a. Develop and document an inventory of system components. b. Review and update the system component inventory periodically. c. Update the system component inventory as part of installations, removals, and system updates. 6
NIST_SP_800-53_R5.1.1 CM.8 NIST_SP_800-53_R5.1.1_CM.8 NIST SP 800-53 R5.1.1 CM.8 Configuration Management Control System Component Inventory Shared a. Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and b. Review and update the system component inventory [Assignment: organization-defined frequency]. System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location. Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8(7) can help to eliminate duplicate accounting of components. 5
NIST_SP_800-53_R5.1.1 SI.3 NIST_SP_800-53_R5.1.1_SI.3 NIST SP 800-53 R5.1.1 SI.3 System and Information Integrity Control Malicious Code Protection Shared a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action] ]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions. In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files. 19
NZISM_v3.7 14.1.8.C.01. NZISM_v3.7_14.1.8.C.01. NZISM v3.7 14.1.8.C.01. Standard Operating Environments 14.1.8.C.01. - minimise vulnerabilities and enhance system security Shared n/a Agencies SHOULD develop a hardened SOE for workstations and servers, covering: 1. removal of unneeded software and operating system components; 2. removal or disabling of unneeded services, ports and BIOS settings; 3. disabling of unused or undesired functionality in software and operating systems; 4. implementation of access controls on relevant objects to limit system users and programs to the minimum access required; 5. installation of antivirus and anti-malware software; 6. installation of software-based firewalls limiting inbound and outbound network connections; 7. configuration of either remote logging or the transfer of local event logs to a central server; and 8. protection of audit and other logs through the use of a one way pipe to reduce likelihood of compromise key transaction records. 30
NZISM_v3.7 14.1.9.C.01. NZISM_v3.7_14.1.9.C.01. NZISM v3.7 14.1.9.C.01. Standard Operating Environments 14.1.9.C.01. - maintain system reliability, protect sensitive information, and fulfill security requirements. Shared n/a Agencies MUST ensure that for all servers and workstations: 1. a technical specification is agreed for each platform with specified controls; 2. a standard configuration created and updated for each operating system type and version; 3. system users do not have the ability to install or disable software without approval; and 4. installed software and operating system patching is up to date. 4
NZISM_v3.7 17.1.58.C.02. NZISM_v3.7_17.1.58.C.02. NZISM v3.7 17.1.58.C.02. Cryptographic Fundamentals 17.1.58.C.02. - enhance overall cybersecurity posture. Shared n/a Agencies SHOULD use risk assessment techniques and guidance to establish cryptoperiods. 23
NZISM_v3.7 17.5.7.C.02. NZISM_v3.7_17.5.7.C.02. NZISM v3.7 17.5.7.C.02. Secure Shell 17.5.7.C.02. - enhance overall cybersecurity posture. Shared n/a Agencies that allow password authentication SHOULD use techniques to block brute force attacks against the password. 41
NZISM_v3.7 22.1.24.C.02. NZISM_v3.7_22.1.24.C.02. NZISM v3.7 22.1.24.C.02. Cloud Computing 22.1.24.C.02. - enhance security posture. Shared n/a Agencies intending to adopt cloud technologies or services SHOULD apply separation and access controls to protect data and systems where support is provided by offshore technical staff. 4
NZISM_v3.7 22.1.26.C.01. NZISM_v3.7_22.1.26.C.01. NZISM v3.7 22.1.26.C.01. Cloud Computing 22.1.26.C.01. - ensure safety of data. Shared n/a Agencies MUST develop and implement a backup, recovery and archiving plan and supporting procedures. 10
NZISM_v3.7 23.1.56.C.01. NZISM_v3.7_23.1.56.C.01. NZISM v3.7 23.1.56.C.01. Public Cloud Security Concepts 23.1.56.C.01. - reduce manual errors and ensure adherence to security standards. Shared n/a Agencies SHOULD deploy and manage their cloud infrastructure using automation, version control, and infrastructure as code techniques where these are available. 4
NZISM_v3.7 23.2.20.C.01. NZISM_v3.7_23.2.20.C.01. NZISM v3.7 23.2.20.C.01. Governance, Risk Assessment & Assurance 23.2.20.C.01. - enhance confidence in the security and reliability of cloud services and mitigate risks associated with potential vulnerabilities or non-compliance with security standards. Shared n/a Agencies MUST obtain assurance that technical protections exist to adequately isolate tenants. 4
NZISM_v3.7 6.4.6.C.01. NZISM_v3.7_6.4.6.C.01. NZISM v3.7 6.4.6.C.01. Business Continuity and Disaster Recovery 6.4.6.C.01. - enhance operational resilience. Shared n/a Agencies SHOULD: 1.Identify vital records; 2. backup all vital records; 3. store copies of critical information, with associated documented recovery procedures, offsite and secured in accordance with the requirements for the highest 4. 4. classification of the information; and 5. test backup and restoration processes regularly to confirm their effectiveness. 12
PCI_DSS_v4.0.1 5.2.1 PCI_DSS_v4.0.1_5.2.1 PCI DSS v4.0.1 5.2.1 Protect All Systems and Networks from Malicious Software An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware Shared n/a Examine system components to verify that an anti-malware solution(s) is deployed on all system components, except for those determined to not be at risk from malware based on periodic evaluations per Requirement 5.2.3. For any system components without an anti-malware solution, examine the periodic evaluations to verify the component was evaluated and the evaluation concludes that the component is not at risk from malware 19
PCI_DSS_v4.0.1 5.2.2 PCI_DSS_v4.0.1_5.2.2 PCI DSS v4.0.1 5.2.2 Protect All Systems and Networks from Malicious Software The deployed anti-malware solution(s) detects all known types of malware and removes, blocks, or contains all known types of malware Shared n/a Examine vendor documentation and configurations of the anti-malware solution(s) to verify that the solution detects all known types of malware and removes, blocks, or contains all known types of malware 19
PCI_DSS_v4.0.1 5.2.3 PCI_DSS_v4.0.1_5.2.3 PCI DSS v4.0.1 5.2.3 Protect All Systems and Networks from Malicious Software Any system components that are not at risk for malware are evaluated periodically to include the following: a documented list of all system components not at risk for malware, identification and evaluation of evolving malware threats for those system components, confirmation whether such system components continue to not require anti-malware protection Shared n/a Examine documented policies and procedures to verify that a process is defined for periodic evaluations of any system components that are not at risk for malware that includes all elements specified in this requirement. Interview personnel to verify that the evaluations include all elements specified in this requirement. Examine the list of system components identified as not at risk of malware and compare to the system components without an anti-malware solution deployed per Requirement 5.2.1 to verify that the system components match for both requirements 19
PCI_DSS_v4.0.1 5.3.1 PCI_DSS_v4.0.1_5.3.1 PCI DSS v4.0.1 5.3.1 Protect All Systems and Networks from Malicious Software The anti-malware solution(s) is kept current via automatic updates Shared n/a Examine anti-malware solution(s) configurations, including any master installation of the software, to verify the solution is configured to perform automatic updates. Examine system components and logs, to verify that the anti-malware solution(s) and definitions are current and have been promptly deployed 19
PCI_DSS_v4.0.1 5.3.2 PCI_DSS_v4.0.1_5.3.2 PCI DSS v4.0.1 5.3.2 Protect All Systems and Networks from Malicious Software The anti-malware solution(s) performs periodic scans and active or real-time scans, or performs continuous behavioral analysis of systems or processes Shared n/a Examine anti-malware solution(s) configurations, including any master installation of the software, to verify the solution(s) is configured to perform at least one of the elements specified in this requirement. Examine system components, including all operating system types identified as at risk for malware, to verify the solution(s) is enabled in accordance with at least one of the elements specified in this requirement. Examine logs and scan results to verify that the solution(s) is enabled in accordance with at least one of the elements specified in this requirement 19
PCI_DSS_v4.0.1 5.3.3 PCI_DSS_v4.0.1_5.3.3 PCI DSS v4.0.1 5.3.3 Protect All Systems and Networks from Malicious Software For removable electronic media, the anti-malware solution(s) performs automatic scans of when the media is inserted, connected, or logically mounted, or performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted Shared n/a Examine anti-malware solution(s) configurations to verify that, for removable electronic media, the solution is configured to perform at least one of the elements specified in this requirement. Examine system components with removable electronic media connected to verify that the solution(s) is enabled in accordance with at least one of the elements as specified in this requirement. Examine logs and scan results to verify that the solution(s) is enabled in accordance with at least one of the elements specified in this requirement 19
PCI_DSS_v4.0.1 9.5.1 PCI_DSS_v4.0.1_9.5.1 PCI DSS v4.0.1 9.5.1 Restrict Physical Access to Cardholder Data Protection Measures for POI Devices Against Tampering and Unauthorized Substitution Shared n/a POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following: • Maintaining a list of POI devices. • Periodically inspecting POI devices to look for tampering or unauthorized substitution. • Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices. 8
PCI_DSS_v4.0.1 9.5.1.1 PCI_DSS_v4.0.1_9.5.1.1 PCI DSS v4.0.1 9.5.1.1 Restrict Physical Access to Cardholder Data Maintenance of an Up-to-Date List of POI Devices Shared n/a An up-to-date list of POI devices is maintained, including: • Make and model of the device. • Location of device. • Device serial number or other methods of unique identification. 6
RMiT_v1.0 Appendix_5.7 RMiT_v1.0_Appendix_5.7 RMiT Appendix 5.7 Control Measures on Cybersecurity Control Measures on Cybersecurity - Appendix 5.7 Customer n/a Ensure overall network security controls are implemented including the following: (a) dedicated firewalls at all segments. All external-facing firewalls must be deployed on High Availability (HA) configuration and “fail-close” mode activated. Deploy different brand name/model for two firewalls located in sequence within the same network path; (b) IPS at all critical network segments with the capability to inspect and monitor encrypted network traffic; (c) web and email filtering systems such as web-proxy, spam filter and anti-spoofing controls; (d) endpoint protection solution to detect and remove security threats including viruses and malicious software; (e) solution to mitigate advanced persistent threats including zero-day and signatureless malware; and (f) capture the full network packets to rebuild relevant network sessions to aid forensics in the event of incidents. link 21
SOC_2023 CC1.4 SOC_2023_CC1.4 SOC 2023 CC1.4 Control Environment Ensure organizational resilience, innovation, and competitiveness in the long run. Shared n/a Entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives by establishing policies and procedures, evaluating the competence required and address its shortcomings, attracts, develops and retains individuals through mentoring and training and plan and prepare for succession by developing contingency plans for assignments of responsibilities important for internal control. 6
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication Facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 214
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities Maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 225
SOC_2023 CC6.1 SOC_2023_CC6.1 SOC 2023 CC6.1 Logical and Physical Access Controls Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. Shared n/a Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. 127
SOC_2023 CC6.8 SOC_2023_CC6.8 SOC 2023 CC6.8 Logical and Physical Access Controls Mitigate the risk of cybersecurity threats, safeguard critical systems and data, and maintain operational continuity and integrity. Shared n/a Entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. 33
SOC_2023 CC7.2 SOC_2023_CC7.2 SOC 2023 CC7.2 Systems Operations Maintain robust security measures and ensure operational resilience. Shared n/a The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. 163
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 209
SOC_2023 CM_8b SOC_2023_CM_8b 404 not found n/a n/a 5
SWIFT_CSCF_2024 6.1 SWIFT_CSCF_2024_6.1 SWIFT Customer Security Controls Framework 2024 6.1 Risk Management Malware Protection Shared 1. Malware is a general term that includes many types of intrusive and unwanted software, including viruses. 2. Anti-malware technology (a broader term for anti-virus) is effective in protecting against malicious code that has a known digital or behaviour profile To ensure that the user’s Swift infrastructure is protected against malware and act upon results. 19
SWIFT_CSCF_v2021 6.1 SWIFT_CSCF_v2021_6.1 SWIFT CSCF v2021 6.1 Detect Anomalous Activity to Systems or Transaction Records Malware Protection n/a Ensure that local SWIFT infrastructure is protected against malware. link 2
SWIFT_CSCF_v2022 6.1 SWIFT_CSCF_v2022_6.1 SWIFT CSCF v2022 6.1 6. Detect Anomalous Activity to Systems or Transaction Records Ensure that local SWIFT infrastructure is protected against malware and act upon results. Shared n/a Anti-malware software from a reputable vendor is installed, kept up-to-date on all systems, and results are considered for appropriate resolving actions. link 29
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn true
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077 Regulatory Compliance Preview BuiltIn unknown
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn true
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn unknown
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn true
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cyber Essentials v3.1 b2f588d7-1ed5-47c7-977d-b93dff520c4c Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
FFIEC CAT 2017 1d5dbdd5-6f93-43ce-a939-b19df3753cf7 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27017 2015 f48ecfa6-581c-43f9-8141-cd4adc72cf26 Regulatory Compliance GA BuiltIn unknown
K ISMS P 2018 e0782c37-30da-4a78-9f92-50bfe7aa2553 Regulatory Compliance GA BuiltIn unknown
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn true
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn unknown
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-05-27 20:20:35 change Minor (1.0.0 > 1.1.0)
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC