compliance controls are associated with this Policy definition 'Kubernetes clusters should not use the default namespace' (9f061a12-e40d-4183-a00e-171812443373)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
Azure_Security_Benchmark_v3.0 |
PV-2 |
Azure_Security_Benchmark_v3.0_PV-2 |
Microsoft cloud security benchmark PV-2 |
Posture and Vulnerability Management |
Audit and enforce secure configurations |
Shared |
**Security Principle:**
Continuously monitor and alert when there is a deviation from the defined configuration baseline. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploy a configuration.
**Azure Guidance:**
Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources.
Use Azure Policy [deny] and [deploy if not exist] rule to enforce secure configuration across Azure resources.
For resource configuration audit and enforcement not supported by Azure Policy, you may need to write your own scripts or use third-party tooling to implement the configuration audit and enforcement.
**Implementation and additional context:**
Understand Azure Policy effects:
https://docs.microsoft.com/azure/governance/policy/concepts/effects
Create and manage policies to enforce compliance:
https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
Get compliance data of Azure resources:
https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data |
n/a |
link |
27 |
|
C.04.7 - Evaluated |
C.04.7 - Evaluated |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
Canada_Federal_PBMM_3-1-2020 |
CA_3 |
Canada_Federal_PBMM_3-1-2020_CA_3 |
Canada Federal PBMM 3-1-2020 CA 3 |
Information System Connections |
System Interconnections |
Shared |
1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements.
2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated.
3. The organization reviews and updates Interconnection Security Agreements annually. |
To establish and maintain secure connections between information systems. |
|
77 |
Canada_Federal_PBMM_3-1-2020 |
CA_3(3) |
Canada_Federal_PBMM_3-1-2020_CA_3(3) |
Canada Federal PBMM 3-1-2020 CA 3(3) |
Information System Connections |
System Interconnections | Classified Non-National Security System Connections |
Shared |
The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner. |
To ensure the integrity and security of internal systems against external threats. |
|
77 |
Canada_Federal_PBMM_3-1-2020 |
CA_3(5) |
Canada_Federal_PBMM_3-1-2020_CA_3(5) |
Canada Federal PBMM 3-1-2020 CA 3(5) |
Information System Connections |
System Interconnections | Restrictions on External Network Connections |
Shared |
The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems. |
To enhance security posture against unauthorized access. |
|
77 |
Canada_Federal_PBMM_3-1-2020 |
CA_7 |
Canada_Federal_PBMM_3-1-2020_CA_7 |
Canada Federal PBMM 3-1-2020 CA 7 |
Continuous Monitoring |
Continuous Monitoring |
Shared |
1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored.
2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan.
3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy.
4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy.
5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring.
6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information.
7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency. |
To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements. |
|
125 |
Canada_Federal_PBMM_3-1-2020 |
SI_3 |
Canada_Federal_PBMM_3-1-2020_SI_3 |
Canada Federal PBMM 3-1-2020 SI 3 |
Malicious Code Protection |
Malicious Code Protection |
Shared |
1. The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code.
2. The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
3. The organization configures malicious code protection mechanisms to:
a. Perform periodic scans of the information system at least weekly and real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and
b. Block and quarantine malicious code; send alert to the key role as defined in the system and information integrity policy in response to malicious code detection.
4. The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. |
To mitigate potential impacts on system availability. |
|
52 |
Canada_Federal_PBMM_3-1-2020 |
SI_3(1) |
Canada_Federal_PBMM_3-1-2020_SI_3(1) |
Canada Federal PBMM 3-1-2020 SI 3(1) |
Malicious Code Protection |
Malicious Code Protection | Central Management |
Shared |
The organization centrally manages malicious code protection mechanisms. |
To centrally manage malicious code protection mechanisms. |
|
51 |
Canada_Federal_PBMM_3-1-2020 |
SI_3(2) |
Canada_Federal_PBMM_3-1-2020_SI_3(2) |
Canada Federal PBMM 3-1-2020 SI 3(2) |
Malicious Code Protection |
Malicious Code Protection | Automatic Updates |
Shared |
The information system automatically updates malicious code protection mechanisms. |
To ensure automatic updates in malicious code protection mechanisms. |
|
51 |
Canada_Federal_PBMM_3-1-2020 |
SI_3(7) |
Canada_Federal_PBMM_3-1-2020_SI_3(7) |
Canada Federal PBMM 3-1-2020 SI 3(7) |
Malicious Code Protection |
Malicious Code Protection | Non Signature-Based Detection |
Shared |
The information system implements non-signature-based malicious code detection mechanisms. |
To enhance overall security posture.
|
|
51 |
Canada_Federal_PBMM_3-1-2020 |
SI_4 |
Canada_Federal_PBMM_3-1-2020_SI_4 |
Canada Federal PBMM 3-1-2020 SI 4 |
Information System Monitoring |
Information System Monitoring |
Shared |
1. The organization monitors the information system to detect:
a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and
b. Unauthorized local, network, and remote connections;
2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods.
3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization.
4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.
5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information.
6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards.
7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency. |
To enhance overall security posture.
|
|
95 |
Canada_Federal_PBMM_3-1-2020 |
SI_4(1) |
Canada_Federal_PBMM_3-1-2020_SI_4(1) |
Canada Federal PBMM 3-1-2020 SI 4(1) |
Information System Monitoring |
Information System Monitoring | System-Wide Intrusion Detection System |
Shared |
The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. |
To enhance overall security posture.
|
|
95 |
Canada_Federal_PBMM_3-1-2020 |
SI_4(2) |
Canada_Federal_PBMM_3-1-2020_SI_4(2) |
Canada Federal PBMM 3-1-2020 SI 4(2) |
Information System Monitoring |
Information System Monitoring | Automated Tools for Real-Time Analysis |
Shared |
The organization employs automated tools to support near real-time analysis of events. |
To enhance overall security posture.
|
|
94 |
Canada_Federal_PBMM_3-1-2020 |
SI_8(1) |
Canada_Federal_PBMM_3-1-2020_SI_8(1) |
Canada Federal PBMM 3-1-2020 SI 8(1) |
Spam Protection |
Spam Protection | Central Management of Protection Mechanisms |
Shared |
The organization centrally manages spam protection mechanisms. |
To enhance overall security posture. |
|
88 |
CIS_Controls_v8.1 |
10.7 |
CIS_Controls_v8.1_10.7 |
CIS Controls v8.1 10.7 |
Malware Defenses |
Use behaviour based anti-malware software |
Shared |
Use behaviour based anti-malware software |
To ensure that a generic anti-malware software is not used. |
|
100 |
CIS_Controls_v8.1 |
13.1 |
CIS_Controls_v8.1_13.1 |
CIS Controls v8.1 13.1 |
Network Monitoring and Defense |
Centralize security event alerting |
Shared |
1. Centralize security event alerting across enterprise assets for log correlation and analysis.
2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts.
3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard. |
To ensure that any security event is immediately alerted enterprise-wide. |
|
102 |
CIS_Controls_v8.1 |
13.3 |
CIS_Controls_v8.1_13.3 |
CIS Controls v8.1 13.3 |
Network Monitoring and Defense |
Deploy a network intrusion detection solution |
Shared |
1. Deploy a network intrusion detection solution on enterprise assets, where appropriate.
2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. |
To enhance the organization's cybersecurity. |
|
100 |
CIS_Controls_v8.1 |
18.4 |
CIS_Controls_v8.1_18.4 |
CIS Controls v8.1 18.4 |
Penetration Testing |
Validate security measures |
Shared |
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. |
To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise. |
|
94 |
CIS_Controls_v8.1 |
5.1 |
CIS_Controls_v8.1_5.1 |
CIS Controls v8.1 5.1 |
Account Management |
Establish and maintain an inventory of accounts |
Shared |
1. Establish and maintain an inventory of all accounts managed in the enterprise.
2. The inventory must include both user and administrator accounts.
3. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department.
4. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
|
To ensure accurate tracking and management of accounts. |
|
35 |
CIS_Controls_v8.1 |
6.8 |
CIS_Controls_v8.1_6.8 |
CIS Controls v8.1 6.8 |
Access Control Management |
Define and maintain role-based access control. |
Shared |
1. Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties.
2. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. |
To implement a system of role-based access control. |
|
30 |
CIS_Controls_v8.1 |
8.11 |
CIS_Controls_v8.1_8.11 |
CIS Controls v8.1 8.11 |
Audit Log Management |
Conduct audit log reviews |
Shared |
1. Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat.
2. Conduct reviews on a weekly, or more frequent, basis.
|
To ensure the integrity of the data in audit logs. |
|
62 |
CMMC_L2_v1.9.0 |
AC.L2_3.1.3 |
CMMC_L2_v1.9.0_AC.L2_3.1.3 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.3 |
Access Control |
Control CUI Flow |
Shared |
Control the flow of CUI in accordance with approved authorizations. |
To regulate the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations |
|
46 |
CMMC_L2_v1.9.0 |
CM.L2_3.4.1 |
CMMC_L2_v1.9.0_CM.L2_3.4.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.1 |
Configuration Management |
System Baselining |
Shared |
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. |
To ensure consistency, security, and compliance with organizational standards and requirements. |
|
17 |
CMMC_L2_v1.9.0 |
CM.L2_3.4.2 |
CMMC_L2_v1.9.0_CM.L2_3.4.2 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.2 |
Configuration Management |
Security Configuration Enforcement |
Shared |
Establish and enforce security configuration settings for information technology products employed in organizational systems. |
To mitigate vulnerabilities and enhance overall security posture. |
|
11 |
CMMC_L2_v1.9.0 |
CM.L2_3.4.6 |
CMMC_L2_v1.9.0_CM.L2_3.4.6 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.6 |
Configuration Management |
Least Functionality |
Shared |
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. |
To reduce the risk of unauthorized access or exploitation of system vulnerabilities. |
|
11 |
CMMC_L2_v1.9.0 |
SC.L1_3.13.1 |
CMMC_L2_v1.9.0_SC.L1_3.13.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.1 |
System and Communications Protection |
Boundary Protection |
Shared |
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. |
To protect information assets from external attacks and insider threats. |
|
43 |
CMMC_L2_v1.9.0 |
SC.L1_3.13.5 |
CMMC_L2_v1.9.0_SC.L1_3.13.5 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.5 |
System and Communications Protection |
Public Access System Separation |
Shared |
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. |
To control access, monitor traffic, and mitigate the risk of unauthorized access or exploitation of internal resources. |
|
43 |
CSA_v4.0.12 |
AIS_02 |
CSA_v4.0.12_AIS_02 |
CSA Cloud Controls Matrix v4.0.12 AIS 02 |
Application & Interface Security |
Application Security Baseline Requirements |
Shared |
n/a |
Establish, document and maintain baseline requirements for securing
different applications. |
|
11 |
CSA_v4.0.12 |
CCC_02 |
CSA_v4.0.12_CCC_02 |
CSA Cloud Controls Matrix v4.0.12 CCC 02 |
Change Control and Configuration Management |
Quality Testing |
Shared |
n/a |
Follow a defined quality change control, approval and testing process
with established baselines, testing, and release standards. |
|
12 |
CSA_v4.0.12 |
CCC_03 |
CSA_v4.0.12_CCC_03 |
CSA Cloud Controls Matrix v4.0.12 CCC 03 |
Change Control and Configuration Management |
Change Management Technology |
Shared |
n/a |
Manage the risks associated with applying changes to organization
assets, including application, systems, infrastructure, configuration, etc.,
regardless of whether the assets are managed internally or externally (i.e.,
outsourced). |
|
31 |
CSA_v4.0.12 |
CCC_04 |
CSA_v4.0.12_CCC_04 |
CSA Cloud Controls Matrix v4.0.12 CCC 04 |
Change Control and Configuration Management |
Unauthorized Change Protection |
Shared |
n/a |
Restrict the unauthorized addition, removal, update, and management
of organization assets. |
|
25 |
CSA_v4.0.12 |
CCC_09 |
CSA_v4.0.12_CCC_09 |
CSA Cloud Controls Matrix v4.0.12 CCC 09 |
Change Control and Configuration Management |
Change Restoration |
Shared |
n/a |
Define and implement a process to proactively roll back changes to
a previous known good state in case of errors or security concerns. |
|
11 |
CSA_v4.0.12 |
DCS_02 |
CSA_v4.0.12_DCS_02 |
CSA Cloud Controls Matrix v4.0.12 DCS 02 |
Datacenter Security |
Off-Site Transfer Authorization Policy and Procedures |
Shared |
n/a |
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the relocation or transfer of hardware, software,
or data/information to an offsite or alternate location. The relocation or transfer
request requires the written or cryptographically verifiable authorization.
Review and update the policies and procedures at least annually. |
|
45 |
CSA_v4.0.12 |
DSP_05 |
CSA_v4.0.12_DSP_05 |
CSA Cloud Controls Matrix v4.0.12 DSP 05 |
Data Security and Privacy Lifecycle Management |
Data Flow Documentation |
Shared |
n/a |
Create data flow documentation to identify what data is processed,
stored or transmitted where. Review data flow documentation at defined intervals,
at least annually, and after any change. |
|
57 |
CSA_v4.0.12 |
IAM_02 |
CSA_v4.0.12_IAM_02 |
CSA Cloud Controls Matrix v4.0.12 IAM 02 |
Identity & Access Management |
Strong Password Policy and Procedures |
Shared |
n/a |
Establish, document, approve, communicate, implement, apply, evaluate
and maintain strong password policies and procedures. Review and update the
policies and procedures at least annually. |
|
52 |
CSA_v4.0.12 |
IAM_04 |
CSA_v4.0.12_IAM_04 |
CSA Cloud Controls Matrix v4.0.12 IAM 04 |
Identity & Access Management |
Separation of Duties |
Shared |
n/a |
Employ the separation of duties principle when implementing information
system access. |
|
43 |
CSA_v4.0.12 |
IAM_06 |
CSA_v4.0.12_IAM_06 |
CSA Cloud Controls Matrix v4.0.12 IAM 06 |
Identity & Access Management |
User Access Provisioning |
Shared |
n/a |
Define and implement a user access provisioning process which authorizes,
records, and communicates access changes to data and assets. |
|
24 |
CSA_v4.0.12 |
IAM_07 |
CSA_v4.0.12_IAM_07 |
CSA Cloud Controls Matrix v4.0.12 IAM 07 |
Identity & Access Management |
User Access Changes and Revocation |
Shared |
n/a |
De-provision or respectively modify access of movers / leavers or
system identity changes in a timely manner in order to effectively adopt and
communicate identity and access management policies. |
|
56 |
CSA_v4.0.12 |
IAM_10 |
CSA_v4.0.12_IAM_10 |
CSA Cloud Controls Matrix v4.0.12 IAM 10 |
Identity & Access Management |
Management of Privileged Access Roles |
Shared |
n/a |
Define and implement an access process to ensure privileged access
roles and rights are granted for a time limited period, and implement procedures
to prevent the culmination of segregated privileged access. |
|
56 |
CSA_v4.0.12 |
IAM_13 |
CSA_v4.0.12_IAM_13 |
CSA Cloud Controls Matrix v4.0.12 IAM 13 |
Identity & Access Management |
Uniquely Identifiable Users |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures that ensure users are identifiable through unique IDs or which can
associate individuals to the usage of user IDs. |
|
49 |
CSA_v4.0.12 |
IAM_16 |
CSA_v4.0.12_IAM_16 |
CSA Cloud Controls Matrix v4.0.12 IAM 16 |
Identity & Access Management |
Authorization Mechanisms |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to verify access to data and system functions is authorized. |
|
46 |
CSA_v4.0.12 |
UEM_03 |
CSA_v4.0.12_UEM_03 |
CSA Cloud Controls Matrix v4.0.12 UEM 03 |
Universal Endpoint Management |
Compatibility |
Shared |
n/a |
Define and implement a process for the validation of the endpoint
device's compatibility with operating systems and applications. |
|
11 |
CSA_v4.0.12 |
UEM_05 |
CSA_v4.0.12_UEM_05 |
CSA Cloud Controls Matrix v4.0.12 UEM 05 |
Universal Endpoint Management |
Endpoint Management |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to enforce policies and controls for all endpoints permitted to access
systems and/or store, transmit, or process organizational data. |
|
11 |
Cyber_Essentials_v3.1 |
1 |
Cyber_Essentials_v3.1_1 |
Cyber Essentials v3.1 1 |
Cyber Essentials |
Firewalls |
Shared |
n/a |
Aim: to make sure that only secure and necessary network services can be accessed from the internet. |
|
37 |
Cyber_Essentials_v3.1 |
2 |
Cyber_Essentials_v3.1_2 |
Cyber Essentials v3.1 2 |
Cyber Essentials |
Secure Configuration |
Shared |
n/a |
Aim: ensure that computers and network devices are properly configured to reduce vulnerabilities and provide only the services required to fulfill their role. |
|
61 |
Cyber_Essentials_v3.1 |
3 |
Cyber_Essentials_v3.1_3 |
Cyber Essentials v3.1 3 |
Cyber Essentials |
Security Update Management |
Shared |
n/a |
Aim: ensure that devices and software are not vulnerable to known security issues for which fixes are available. |
|
38 |
Cyber_Essentials_v3.1 |
5 |
Cyber_Essentials_v3.1_5 |
Cyber Essentials v3.1 5 |
Cyber Essentials |
Malware protection |
Shared |
n/a |
Aim: to restrict execution of known malware and untrusted software, from causing damage or accessing data. |
|
60 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
194 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.1 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 |
Policy and Implementation - Systems And Communications Protection |
Systems And Communications Protection |
Shared |
In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. |
Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. |
|
111 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.5 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 |
Policy and Implementation - Access Control |
Access Control |
Shared |
Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. |
Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. |
|
97 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.7 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 |
404 not found |
|
|
|
n/a |
n/a |
|
96 |
FFIEC_CAT_2017 |
3.1.1 |
FFIEC_CAT_2017_3.1.1 |
FFIEC CAT 2017 3.1.1 |
Cybersecurity Controls |
Infrastructure Management |
Shared |
n/a |
- Network perimeter defense tools (e.g., border router and firewall) are used.
- Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices.
- All ports are monitored.
- Up to date antivirus and anti-malware tools are used.
- Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced.
- Ports, functions, protocols and services are prohibited if no longer needed for business purposes.
- Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.
- Programs that can override system, object, network, virtual machine, and application controls are restricted.
- System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met.
- Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.) |
|
72 |
FFIEC_CAT_2017 |
4.1.1 |
FFIEC_CAT_2017_4.1.1 |
FFIEC CAT 2017 4.1.1 |
External Dependency Management |
Connections |
Shared |
n/a |
- The critical business processes that are dependent on external connectivity have been identified.
- The institution ensures that third-party connections are authorized.
- A network diagram is in place and identifies all external connections.
- Data flow diagrams are in place and document information flow to external parties. |
|
43 |
HITRUST_CSF_v11.3 |
01.c |
HITRUST_CSF_v11.3_01.c |
HITRUST CSF v11.3 01.c |
Authorized Access to Information Systems |
To control privileged access to information systems and services. |
Shared |
1. Privileged role assignments to be automatically tracked and monitored.
2. Role-based access controls to be implemented and should be capable of mapping each user to one or more roles, and each role to one or more system functions.
3. Critical security functions to be executable only after granting of explicit authorization. |
The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls. |
|
44 |
HITRUST_CSF_v11.3 |
01.l |
HITRUST_CSF_v11.3_01.l |
HITRUST CSF v11.3 01.l |
Network Access Control |
To prevent unauthorized access to networked services. |
Shared |
Ports, services, and applications installed on a computer or network systems, which are not specifically required for business functionality, to be disabled or removed. |
Physical and logical access to diagnostic and configuration ports shall be controlled. |
|
26 |
HITRUST_CSF_v11.3 |
01.m |
HITRUST_CSF_v11.3_01.m |
HITRUST CSF v11.3 01.m |
Network Access Control |
To ensure segregation in networks. |
Shared |
Security gateways, internal network perimeters, wireless network segregation, firewalls, and logical network domains with controlled data flows to be implemented to enhance network security. |
Groups of information services, users, and information systems should be segregated on networks. |
|
48 |
HITRUST_CSF_v11.3 |
01.n |
HITRUST_CSF_v11.3_01.n |
HITRUST CSF v11.3 01.n |
Network Access Control |
To prevent unauthorised access to shared networks. |
Shared |
Default deny policy at managed interfaces, restricted user connections through network gateways, comprehensive access controls, time-based restrictions, and encryption of sensitive information transmitted over public networks for is to be implemented for enhanced security. |
For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications. |
|
55 |
HITRUST_CSF_v11.3 |
09.ab |
HITRUST_CSF_v11.3_09.ab |
HITRUST CSF v11.3 09.ab |
Monitoring |
To establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. |
Shared |
1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required.
2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with. |
Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. |
|
114 |
HITRUST_CSF_v11.3 |
09.j |
HITRUST_CSF_v11.3_09.j |
HITRUST CSF v11.3 09.j |
Protection Against Malicious and Mobile Code |
To ensure that integrity of information and software is protected from malicious or unauthorized code |
Shared |
1. Technologies are to be implemented for timely installation, upgrade and renewal of anti-malware protective measures.
2. Automatic periodic scans of information systems is to be implemented.
3. Anti-malware software that offers a centralized infrastructure that compiles information on file reputations is to be implemented.
4. Post-malicious code update, signature deployment, scanning files, email, and web traffic is to be verified by automated systems, while BYOD users require anti-malware, network-based malware detection is to be used on servers without host-based solutions use.
5. Anti-malware audit logs checks to be performed.
6. Protection against malicious code is to be based on malicious code detection and repair software, security awareness, appropriate system access, and change management controls. |
Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided. |
|
37 |
HITRUST_CSF_v11.3 |
09.m |
HITRUST_CSF_v11.3_09.m |
HITRUST CSF v11.3 09.m |
Network Security Management |
To ensure the protection of information in networks and protection of the supporting network infrastructure. |
Shared |
1. Vendor default encryption keys, default SNMP community strings on wireless devices, default passwords/passphrases on access points, and other security-related wireless vendor defaults is to be changed prior to authorization of implementation of wireless access points.
2. Wireless encryption keys to be changed when anyone with knowledge of the keys leaves or changes.
3. All authorized and unauthorized wireless access to the information system is to be monitored and installation of wireless access points (WAP) is to be prohibited unless explicitly authorized. |
Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
|
24 |
HITRUST_CSF_v11.3 |
09.w |
HITRUST_CSF_v11.3_09.w |
HITRUST CSF v11.3 09.w |
Exchange of Information |
To develop and implement policies and procedures, to protect information associated with the interconnection of business information systems. |
Shared |
1. A security baseline is to be documented and implemented for interconnected systems.
2. Other requirements and controls linked to interconnected business systems are to include the separation of operational systems from interconnected system, retention and back-up of information held on the system, and fallback requirements and arrangements. |
Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems. |
|
45 |
HITRUST_CSF_v11.3 |
10.k |
HITRUST_CSF_v11.3_10.k |
HITRUST CSF v11.3 10.k |
Security In Development and Support Processes |
To ensure the security of application system software and information through the development process, project and support environments shall be strictly controlled. |
Shared |
1. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management is to be formally addressed.
2. Changes to mobile device operating systems, patch levels, and/or applications is to be managed through a formal change management process.
3. A baseline configuration of the information system is to be developed, documented, and maintained under configuration control. |
The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures. |
|
34 |
HITRUST_CSF_v11.3 |
10.m |
HITRUST_CSF_v11.3_10.m |
HITRUST CSF v11.3 10.m |
Technical Vulnerability Management |
To reduce the risks resulting from exploitation of published technical vulnerabilities, technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness. |
Shared |
1. The necessary secure services, protocols required for the function of the system are to be enabled.
2. Security features to be implemented for any required services that are considered to be insecure.
3. Laptops, workstations, and servers to be configured so they will not auto-run content from removable media.
4. Configuration standards to be consistent with industry-accepted system hardening standards.
5. An enterprise security posture review within every 365 days is to be conducted.
6. Vulnerability scanning tools to be regularly updated with all relevant information system vulnerabilities. |
Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk. |
|
47 |
ISO_IEC_27002_2022 |
5.14 |
ISO_IEC_27002_2022_5.14 |
ISO IEC 27002 2022 5.14 |
Protection,
Preventive Control |
Information transfer |
Shared |
To maintain the security of information transferred within an organization and with any external interested party. |
Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. |
|
46 |
ISO_IEC_27002_2022 |
8.9 |
ISO_IEC_27002_2022_8.9 |
ISO IEC 27002 2022 8.9 |
Protection,
Preventive Control |
Configuration management |
Shared |
Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.
|
To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes. |
|
21 |
New_Zealand_ISM |
14.1.9.C.01 |
New_Zealand_ISM_14.1.9.C.01 |
New_Zealand_ISM_14.1.9.C.01 |
14. Software security |
14.1.9.C.01 Maintaining hardened SOEs |
|
n/a |
Agencies MUST ensure that for all servers and workstations: a technical specification is agreed for each platform with specified controls; a standard configuration created and updated for each operating system type and version; system users do not have the ability to install or disable software without approval; and installed software and operating system patching is up to date. |
|
16 |
NIST_SP_800-171_R3_3 |
.1.2 |
NIST_SP_800-171_R3_3.1.2 |
NIST 800-171 R3 3.1.2 |
Access Control |
Access Enforcement |
Shared |
Access control policies control access between active entities or subjects (i.e., users or system processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. Types of system access include remote access and access to systems that communicate through external networks, such as the internet. Access enforcement mechanisms can also be employed at the application and service levels to provide increased protection for CUI. This recognizes that the system can host many applications and services in support of mission and business functions. |
Enforce approved authorizations for logical access to CUI and system resources. |
|
38 |
NIST_SP_800-171_R3_3 |
.1.3 |
NIST_SP_800-171_R3_3.1.3 |
NIST 800-171 R3 3.1.3 |
Access Control |
Information Flow Enforcement |
Shared |
Information flow control regulates where CUI can transit within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include keeping CUI from being transmitted in the clear to the internet, blocking outside traffic that claims to be from within the organization, restricting requests to the internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content.
Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of CUI between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., encrypted tunnels, routers, gateways, and firewalls) that use rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also
consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and
software components) that are critical to information flow enforcement.
Transferring information between systems that represent different security domains with different security policies introduces the risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes prohibiting information transfers between interconnected systems (i.e., allowing information access only), employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. |
Enforce approved authorizations for controlling the flow of CUI within the system and between connected systems. |
|
46 |
NIST_SP_800-171_R3_3 |
.13.1 |
NIST_SP_800-171_R3_3.13.1 |
NIST 800-171 R3 3.13.1 |
System and Communications Protection Control |
Boundary Protection |
Shared |
Managed interfaces include gateways, routers, firewalls, network-based malicious code analysis, virtualization systems, and encrypted tunnels implemented within a security architecture. Subnetworks that are either physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. |
a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system.
b. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
c. Connect to external systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. |
|
43 |
NIST_SP_800-171_R3_3 |
.4.1 |
NIST_SP_800-171_R3_3.4.1 |
404 not found |
|
|
|
n/a |
n/a |
|
10 |
NIST_SP_800-171_R3_3 |
.4.2 |
NIST_SP_800-171_R3_3.4.2 |
404 not found |
|
|
|
n/a |
n/a |
|
14 |
NIST_SP_800-171_R3_3 |
.4.6 |
NIST_SP_800-171_R3_3.4.6 |
404 not found |
|
|
|
n/a |
n/a |
|
24 |
NIST_SP_800-171_R3_3 |
.5.5 |
NIST_SP_800-171_R3_3.5.5 |
404 not found |
|
|
|
n/a |
n/a |
|
43 |
NIST_SP_800-53_R5.1.1 |
AC.3 |
NIST_SP_800-53_R5.1.1_AC.3 |
NIST SP 800-53 R5.1.1 AC.3 |
Access Control |
Access Enforcement |
Shared |
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family. |
|
22 |
NIST_SP_800-53_R5.1.1 |
AC.4 |
NIST_SP_800-53_R5.1.1_AC.4 |
NIST SP 800-53 R5.1.1 AC.4 |
Access Control |
Information Flow Enforcement |
Shared |
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. |
Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS). |
|
44 |
NIST_SP_800-53_R5.1.1 |
CM.2 |
NIST_SP_800-53_R5.1.1_CM.2 |
NIST SP 800-53 R5.1.1 CM.2 |
Configuration Management Control |
Baseline Configuration |
Shared |
a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
b. Review and update the baseline configuration of the system:
1. [Assignment: organization-defined frequency];
2. When required due to [Assignment: Assignment organization-defined circumstances]; and
3. When system components are installed or upgraded. |
Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture. |
|
10 |
NIST_SP_800-53_R5.1.1 |
CM.6 |
NIST_SP_800-53_R5.1.1_CM.6 |
NIST SP 800-53 R5.1.1 CM.6 |
Configuration Management Control |
Configuration Settings |
Shared |
a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];
b. Implement the configuration settings;
c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. |
Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.
Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.
Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings. |
|
12 |
NIST_SP_800-53_R5.1.1 |
CM.7 |
NIST_SP_800-53_R5.1.1_CM.7 |
NIST SP 800-53 R5.1.1 CM.7 |
Configuration Management Control |
Least Functionality |
Shared |
a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]. |
Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3). |
|
17 |
NIST_SP_800-53_R5.1.1 |
SC.7 |
NIST_SP_800-53_R5.1.1_SC.7 |
NIST SP 800-53 R5.1.1 SC.7 |
System and Communications Protection |
Boundary Protection |
Shared |
a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. |
Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary). |
|
43 |
NL_BIO_Cloud_Theme |
C.04.7(2) |
NL_BIO_Cloud_Theme_C.04.7(2) |
NL_BIO_Cloud_Theme_C.04.7(2) |
C.04 Technical Vulnerability Management |
Evaluated |
|
n/a |
Evaluations of technical vulnerabilities are recorded and reported. |
|
41 |
NZ_ISM_v3.5 |
SS-3 |
NZ_ISM_v3.5_SS-3 |
NZISM Security Benchmark SS-3 |
Software security |
14.1.9 Maintaining hardened SOEs |
Customer |
n/a |
Whilst a SOE can be sufficiently hardened when it is deployed, its security will progressively degrade over time. Agencies can address the degradation of the security of a SOE by ensuring that patches are continually applied, system users are not able to disable or bypass security functionality and antivirus and other security software is appropriately maintained with the latest signatures and updates.
End Point Agents monitor traffic and apply security policies on applications, storage interfaces and data in real-time. Administrators actively block or monitor and log policy breaches. The End Point Agent can also create forensic monitoring to facilitate incident investigation.
End Point Agents can monitor user activity, such as the cut, copy, paste, print, print screen operations and copying data to external drives and other devices. The Agent can then apply policies to limit such activity. |
link |
15 |
NZISM_v3.7 |
14.1.10.C.01. |
NZISM_v3.7_14.1.10.C.01. |
NZISM v3.7 14.1.10.C.01. |
Standard Operating Environments |
14.1.10.C.01. - To reduce potential vulnerabilities. |
Shared |
n/a |
Agencies MUST reduce potential vulnerabilities in their SOEs by:
1. removing unused accounts;
2. renaming or deleting default accounts; and
3. replacing default passwords before or during the installation process. |
|
39 |
NZISM_v3.7 |
14.1.10.C.02. |
NZISM_v3.7_14.1.10.C.02. |
NZISM v3.7 14.1.10.C.02. |
Standard Operating Environments |
14.1.10.C.02. - To reduce potential vulnerabilities. |
Shared |
n/a |
Agencies SHOULD reduce potential vulnerabilities in their SOEs by:
1. removing unused accounts;
2. renaming or deleting default accounts; and
3. replacing default passwords, before or during the installation process. |
|
39 |
NZISM_v3.7 |
14.1.8.C.01. |
NZISM_v3.7_14.1.8.C.01. |
NZISM v3.7 14.1.8.C.01. |
Standard Operating Environments |
14.1.8.C.01. - To minimise vulnerabilities and enhance system security |
Shared |
n/a |
Agencies SHOULD develop a hardened SOE for workstations and servers, covering:
1. removal of unneeded software and operating system components;
2. removal or disabling of unneeded services, ports and BIOS settings;
3. disabling of unused or undesired functionality in software and operating systems;
4. implementation of access controls on relevant objects to limit system users and programs to the minimum access required;
5. installation of antivirus and anti-malware software;
6. installation of software-based firewalls limiting inbound and outbound network connections;
7. configuration of either remote logging or the transfer of local event logs to a central server; and
8. protection of audit and other logs through the use of a one way pipe to reduce likelihood of compromise key transaction records. |
|
31 |
NZISM_v3.7 |
14.3.12.C.01. |
NZISM_v3.7_14.3.12.C.01. |
NZISM v3.7 14.3.12.C.01. |
Web Applications |
14.3.12.C.01. - To strengthening the overall security posture of the agency's network environment. |
Shared |
n/a |
Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations. |
|
82 |
NZISM_v3.7 |
16.1.47.C.01. |
NZISM_v3.7_16.1.47.C.01. |
NZISM v3.7 16.1.47.C.01. |
Identification, Authentication and Passwords |
16.1.47.C.01. - To enhance overall security posture. |
Shared |
n/a |
Agencies SHOULD ensure that repeated account lockouts are investigated before reauthorising access. |
|
39 |
NZISM_v3.7 |
17.5.7.C.01. |
NZISM_v3.7_17.5.7.C.01. |
NZISM v3.7 17.5.7.C.01. |
Secure Shell |
17.5.7.C.01. - To enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies SHOULD use public key-based authentication before using password-based authentication. |
|
37 |
NZISM_v3.7 |
17.5.7.C.02. |
NZISM_v3.7_17.5.7.C.02. |
NZISM v3.7 17.5.7.C.02. |
Secure Shell |
17.5.7.C.02. - To enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies that allow password authentication SHOULD use techniques to block brute force attacks against the password. |
|
43 |
NZISM_v3.7 |
17.8.10.C.02. |
NZISM_v3.7_17.8.10.C.02. |
NZISM v3.7 17.8.10.C.02. |
Internet Protocol Security (IPSec) |
17.8.10.C.02. - To enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies choosing to use transport mode SHOULD additionally use an IP tunnel for IPSec connections. |
|
35 |
NZISM_v3.7 |
20.4.4.C.01. |
NZISM_v3.7_20.4.4.C.01. |
NZISM v3.7 20.4.4.C.01. |
Databases |
20.4.4.C.01. - To enhance data security and integrity. |
Shared |
n/a |
Agencies MUST protect database files from access that bypasses the database's normal access controls. |
|
23 |
NZISM_v3.7 |
20.4.4.C.02. |
NZISM_v3.7_20.4.4.C.02. |
NZISM v3.7 20.4.4.C.02. |
Databases |
20.4.4.C.02. - To enhance data security and integrity. |
Shared |
n/a |
Agencies SHOULD protect database files from access that bypass normal access controls. |
|
23 |
NZISM_v3.7 |
20.4.5.C.01. |
NZISM_v3.7_20.4.5.C.01. |
NZISM v3.7 20.4.5.C.01. |
Databases |
20.4.5.C.01. - To enhance data security and integrity. |
Shared |
n/a |
Agencies MUST enable logging and auditing of system users' actions. |
|
22 |
NZISM_v3.7 |
20.4.5.C.02. |
NZISM_v3.7_20.4.5.C.02. |
NZISM v3.7 20.4.5.C.02. |
Databases |
20.4.5.C.02. - To bolster data security and compliance measures. |
Shared |
n/a |
Agencies SHOULD ensure that databases provide functionality to allow for auditing of system users' actions. |
|
22 |
NZISM_v3.7 |
20.4.6.C.01. |
NZISM_v3.7_20.4.6.C.01. |
NZISM v3.7 20.4.6.C.01. |
Databases |
20.4.6.C.01. - To mitigate the risk of unauthorized access to sensitive information and ensuring compliance with security clearance requirements. |
Shared |
n/a |
If results from database queries cannot be appropriately filtered, agencies MUST ensure that all query results are appropriately sanitised to meet the minimum security clearances of system users. |
|
22 |
NZISM_v3.7 |
20.4.6.C.02. |
NZISM_v3.7_20.4.6.C.02. |
NZISM v3.7 20.4.6.C.02. |
Databases |
20.4.6.C.02. - To enhance data security. |
Shared |
n/a |
Agencies SHOULD ensure that system users who do not have sufficient security clearances to view database contents cannot see or interrogate associated metadata in a list of results from a search engine query. |
|
22 |
NZISM_v3.7 |
22.3.11.C.01. |
NZISM_v3.7_22.3.11.C.01. |
NZISM v3.7 22.3.11.C.01. |
Virtual Local Area Networks |
22.3.11.C.01. - To ensure data security and integrity. |
Shared |
n/a |
Unused ports on the switches MUST be disabled. |
|
18 |
NZISM_v3.7 |
22.3.11.C.02. |
NZISM_v3.7_22.3.11.C.02. |
NZISM v3.7 22.3.11.C.02. |
Virtual Local Area Networks |
22.3.11.C.02. - To ensure data security and integrity. |
Shared |
n/a |
Unused ports on the switches SHOULD be disabled. |
|
18 |
PCI_DSS_v4.0.1 |
1.2.5 |
PCI_DSS_v4.0.1_1.2.5 |
PCI DSS v4.0.1 1.2.5 |
Install and Maintain Network Security Controls |
All services, protocols, and ports allowed are identified, approved, and have a defined business need |
Shared |
n/a |
Examine documentation to verify that a list exists of all allowed services, protocols, and ports, including business justification and approval for each. Examine configuration settings for NSCs to verify that only approved services, protocols, and ports are in use |
|
19 |
PCI_DSS_v4.0.1 |
1.4.4 |
PCI_DSS_v4.0.1_1.4.4 |
PCI DSS v4.0.1 1.4.4 |
Install and Maintain Network Security Controls |
System components that store cardholder data are not directly accessible from untrusted networks |
Shared |
n/a |
Examine the data-flow diagram and network diagram to verify that it is documented that system components storing cardholder data are not directly accessible from the untrusted networks. Examine configurations of NSCs to verify that controls are implemented such that system components storing cardholder data are not directly accessible from untrusted networks |
|
43 |
PCI_DSS_v4.0.1 |
2.2.1 |
PCI_DSS_v4.0.1_2.2.1 |
PCI DSS v4.0.1 2.2.1 |
Apply Secure Configurations to All System Components |
Configuration standards are developed, implemented, and maintained to cover all system components, address all known security vulnerabilities, be consistent with industry-accepted system hardening standards or vendor hardening recommendations, be updated as new vulnerability issues are identified, and be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment |
Shared |
n/a |
Examine system configuration standards to verify they define processes that include all elements specified in this requirement. Examine policies and procedures and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. Examine configuration settings and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before or immediately after a system component is connected to a production environment |
|
15 |
PCI_DSS_v4.0.1 |
2.2.4 |
PCI_DSS_v4.0.1_2.2.4 |
PCI DSS v4.0.1 2.2.4 |
Apply Secure Configurations to All System Components |
Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled |
Shared |
n/a |
Examine system configuration standards to verify necessary services, protocols, daemons, and functions are identified and documented. Examine system configurations to verify the following: All unnecessary functionality is removed or disabled. Only required functionality, as documented in the configuration standards, is enabled |
|
25 |
PCI_DSS_v4.0.1 |
7.2.3 |
PCI_DSS_v4.0.1_7.2.3 |
PCI DSS v4.0.1 7.2.3 |
Restrict Access to System Components and Cardholder Data by Business Need to Know |
Required privileges are approved by authorized personnel |
Shared |
n/a |
Examine policies and procedures to verify they define processes for approval of all privileges by authorized personnel. Examine user IDs and assigned privileges, and compare with documented approvals to verify that: Documented approval exists for the assigned privileges. The approval was by authorized personnel. Specified privileges match the roles assigned to the individual |
|
38 |
PCI_DSS_v4.0.1 |
7.2.4 |
PCI_DSS_v4.0.1_7.2.4 |
PCI DSS v4.0.1 7.2.4 |
Restrict Access to System Components and Cardholder Data by Business Need to Know |
All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: At least once every six months. To ensure user accounts and access remain appropriate based on job function. Any inappropriate access is addressed. Management acknowledges that access remains appropriate |
Shared |
n/a |
Examine policies and procedures to verify they define processes to review all user accounts and related access privileges, including third-party/vendor accounts, in accordance with all elements specified in this requirement. Interview responsible personnel and examine documented results of periodic reviews of user accounts to verify that all the results are in accordance with all elements specified in this requirement |
|
40 |
PCI_DSS_v4.0.1 |
7.2.5.1 |
PCI_DSS_v4.0.1_7.2.5.1 |
PCI DSS v4.0.1 7.2.5.1 |
Restrict Access to System Components and Cardholder Data by Business Need to Know |
All access by application and system accounts and related access privileges are reviewed as follows: Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1). The application/system access remains appropriate for the function being performed. Any inappropriate access is addressed. Management acknowledges that access remains appropriate |
Shared |
n/a |
Examine policies and procedures to verify they define processes to review all application and system accounts and related access privileges in accordance with all elements specified in this requirement. Examine the entity’s targeted risk analysis for the frequency of periodic reviews of application and system accounts and related access privileges to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1. Interview responsible personnel and examine documented results of periodic reviews of system and application accounts and related privileges to verify that the reviews occur in accordance with all elements specified in this requirement |
|
39 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes Oxley Act 2022 1 |
PUBLIC LAW |
Sarbanes Oxley Act 2022 (SOX) |
Shared |
n/a |
n/a |
|
92 |
SOC_2 |
CC6.8 |
SOC_2_CC6.8 |
SOC 2 Type 2 CC6.8 |
Logical and Physical Access Controls |
Prevent or detect against unauthorized or malicious software |
Shared |
The customer is responsible for implementing this recommendation. |
Restricts Application and Software Installation — The ability to install applications
and software is restricted to authorized individuals.
• Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that
may be indicative of unauthorized or malicious software.
• Uses a Defined Change Control Process — A management-defined change control
process is used for the implementation of software.
• Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software
is implemented and maintained to provide for the interception or detection and remediation of malware.
• Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been
transferred or returned to the entity’s custody for malware and other unauthorized
software and to remove any items detected prior to its implementation on the network. |
|
47 |
SOC_2 |
CC8.1 |
SOC_2_CC8.1 |
SOC 2 Type 2 CC8.1 |
Change Management |
Changes to infrastructure, data, and software |
Shared |
The customer is responsible for implementing this recommendation. |
Manages Changes Throughout the System Life Cycle — A process for managing
system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and
processing integrity.
• Authorizes Changes — A process is in place to authorize system changes prior to
development.
• Designs and Develops Changes — A process is in place to design and develop system changes.
• Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing
their responsibilities.
• Tracks System Changes — A process is in place to track system changes prior to
implementation.
• Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software.
• Tests System Changes — A process is in place to test system changes prior to implementation.
• Approves System Changes — A process is in place to approve system changes prior
to implementation.
• Deploys System Changes — A process is in place to implement system changes.
• Identifies and Evaluates System Changes — Objectives affected by system changes
are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle.
• Identifies Changes in Infrastructure, Data, Software, and Procedures Required to
Remediate Incidents — Changes in infrastructure, data, software, and procedures
required to remediate incidents to continue to meet objectives are identified and the
change process is initiated upon identification.
• Creates Baseline Configuration of IT Technology — A baseline configuration of IT
and control systems is created and maintained.
• Provides for Changes Necessary in Emergency Situations — A process is in place
for authorizing, designing, testing, approving, and implementing changes necessary
in emergency situations (that is, changes that need to be implemented in an urgent
time frame).
Additional points of focus that apply only in an engagement using the trust services criteria for
confidentiality:
• Protects Confidential Information — The entity protects confidential information
during system design, development, testing, implementation, and change processes
to meet the entity’s objectives related to confidentiality.
Additional points of focus that apply only in an engagement using the trust services criteria for
privacy:
• Protects Personal Information — The entity protects personal information during
system design, development, testing, implementation, and change processes to meet
the entity’s objectives related to privacy. |
|
52 |
SWIFT_CSCF_2024 |
1.1 |
SWIFT_CSCF_2024_1.1 |
SWIFT Customer Security Controls Framework 2024 1.1 |
Physical and Environmental Security |
Swift Environment Protection |
Shared |
1. Segmentation between the user's Swift infrastructure and the larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve a compromise of the general enterprise IT environment.
2. Effective segmentation includes network-level separation, access restrictions, and connectivity restrictions. |
To ensure the protection of the user’s Swift infrastructure from potentially compromised elements of the general IT environment and external environment. |
|
69 |
SWIFT_CSCF_2024 |
1.5 |
SWIFT_CSCF_2024_1.5 |
SWIFT Customer Security Controls Framework 2024 1.5 |
Physical and Environmental Security |
Customer Environment Protection |
Shared |
1. Segmentation between the customer’s connectivity infrastructure and its larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve compromise of the general enterprise IT environment.
2. Effective segmentation will include network-level separation, access restrictions, and connectivity restrictions. |
To ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. |
|
57 |
SWIFT_CSCF_2024 |
9.1 |
SWIFT_CSCF_2024_9.1 |
404 not found |
|
|
|
n/a |
n/a |
|
57 |
SWIFT_CSCF_2024 |
9.2 |
SWIFT_CSCF_2024_9.2 |
404 not found |
|
|
|
n/a |
n/a |
|
16 |
UK_NCSC_CAF_v3.2 |
B4.b |
UK_NCSC_CAF_v3.2_B4.b |
NCSC Cyber Assurance Framework (CAF) v3.2 B4.b |
System Security |
Secure Configuration |
Shared |
1. Identify, document and actively manage (e.g. maintain security configurations, patching, updating according to good practice) the assets that need to be carefully configured to maintain the security of the essential function.
2. All platforms conform to secure, defined baseline build, or the latest known good configuration version for that environment.
3. Closely and effectively manage changes in the environment, ensuring that network and system configurations are secure and documented.
4. Regularly review and validate that your network and information systems have the expected, secure settings and configuration.
5. Only permitted software can be installed and standard users cannot change settings that would impact security or the business operation.
6. If automated decision-making technologies are in use, their operation is well understood, and decisions can be replicated. |
Securely configure the network and information systems that support the operation of essential functions. |
|
37 |