compliance controls are associated with this Policy definition 'Security Center standard pricing tier should be selected' (a1181c5f-672a-477a-979a-7d58aa086233)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Canada_Federal_PBMM_3-1-2020 |
AC_1 |
Canada_Federal_PBMM_3-1-2020_AC_1 |
Canada Federal PBMM 3-1-2020 AC 1 |
Access Control Policy and Procedures |
Access Control Policy and Procedures |
Shared |
1. The organization develops, documents, and disseminates to personnel or roles with access control responsibilities:
a. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Procedures to facilitate the implementation of the access control policy and associated access controls.
2. The organization reviews and updates the current:
a. Access control policy at least every 3 years; and
b. Access control procedures at least annually. |
To establish and maintain effective access control measures. |
|
13 |
| Canada_Federal_PBMM_3-1-2020 |
AC_17(100) |
Canada_Federal_PBMM_3-1-2020_AC_17(100) |
Canada Federal PBMM 3-1-2020 AC 17(100) |
Remote Access |
Remote Access | Remote Access to Privileged Accounts using Dedicated Management Console |
Shared |
Remote access to privileged accounts is performed on dedicated management consoles governed entirely by the system’s security policies and used exclusively for this purpose (e.g. Internet access not allowed). |
To reduce the risk of unauthorized access or compromise of privileged accounts. |
|
13 |
| Canada_Federal_PBMM_3-1-2020 |
AC_2(7) |
Canada_Federal_PBMM_3-1-2020_AC_2(7) |
Canada Federal PBMM 3-1-2020 AC 2(7) |
Account Management |
Account Management | Role-Based Schemes |
Shared |
1. The organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
2. The organization monitors privileged role assignments; and
3. The organization disables (or revokes) privileged user assignments within 24 hours or sooner when privileged role assignments are no longer appropriate. |
To strengthen the security posture and safeguard sensitive data and critical resources.
|
|
16 |
| Canada_Federal_PBMM_3-1-2020 |
AC_2(9) |
Canada_Federal_PBMM_3-1-2020_AC_2(9) |
Canada Federal PBMM 3-1-2020 AC 2(9) |
Account Management |
Account Management | Restrictions on Use of Shared Groups / Accounts |
Shared |
The organization only permits the use of shared/group accounts that meet organization-defined conditions for establishing shared/group accounts. |
To maintain security and accountability. |
|
11 |
| Canada_Federal_PBMM_3-1-2020 |
AC_3 |
Canada_Federal_PBMM_3-1-2020_AC_3 |
Canada Federal PBMM 3-1-2020 AC 3 |
Access Enforcement |
Access Enforcement |
Shared |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
To mitigate the risk of unauthorized access. |
|
30 |
| Canada_Federal_PBMM_3-1-2020 |
AC_6 |
Canada_Federal_PBMM_3-1-2020_AC_6 |
Canada Federal PBMM 3-1-2020 AC 6 |
Least Privilege |
Least Privilege |
Shared |
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
To mitigate the risk of unauthorized access, data breaches, and system compromises. |
|
14 |
| Canada_Federal_PBMM_3-1-2020 |
AC_6(2) |
Canada_Federal_PBMM_3-1-2020_AC_6(2) |
Canada Federal PBMM 3-1-2020 AC 6(2) |
Least Privilege |
Least Privilege | Non-Privileged Access for Non-Security Functions |
Shared |
The organization requires that users of information system accounts, or roles, with access to any security function, use non-privileged accounts or roles, when accessing non-security functions. |
To enhance security measures and minimise the risk of unauthorized access or misuse of privileges. |
|
14 |
| Canada_Federal_PBMM_3-1-2020 |
AU_9(4) |
Canada_Federal_PBMM_3-1-2020_AU_9(4) |
Canada Federal PBMM 3-1-2020 AU 9(4) |
Protection of Audit Information |
Protection of Audit Information | Access by Subset of Privileged Users |
Shared |
The organization authorizes access to management of audit functionality to only an organization-defined subset of privileged users. |
To enhance security and maintain the integrity of audit processes. |
|
5 |
| Canada_Federal_PBMM_3-1-2020 |
CM_8(3) |
Canada_Federal_PBMM_3-1-2020_CM_8(3) |
Canada Federal PBMM 3-1-2020 CM 8(3) |
Information System Component Inventory |
Information System Component Inventory | Automated Unauthorized Component Detection |
Shared |
1. The organization employs automated mechanisms continuously, using automated mechanisms with a maximum five-minute delay in detection to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
2. The organization takes the organization-defined actions when unauthorized components are detected such as disables network access by such components; isolates the components; notifies organization-defined personnel or roles. |
To employ automated mechanisms for timely detection of unauthorized hardware, software, and firmware components in the information system. |
|
17 |
| Canada_Federal_PBMM_3-1-2020 |
CM_8(5) |
Canada_Federal_PBMM_3-1-2020_CM_8(5) |
Canada Federal PBMM 3-1-2020 CM 8(5) |
Information System Component Inventory |
Information System Component Inventory | No Duplicate Accounting of Components |
Shared |
The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories. |
To ensure that all components within the authorization boundary of the information system are uniquely identified and not duplicated in other information system component inventories. |
|
17 |
| Canada_Federal_PBMM_3-1-2020 |
RA_5(1) |
Canada_Federal_PBMM_3-1-2020_RA_5(1) |
Canada Federal PBMM 3-1-2020 RA 5(1) |
Vulnerability Scanning |
Vulnerability Scanning | Update Tool Capability |
Shared |
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned. |
To employ vulnerability scanning tools. |
|
20 |
| Canada_Federal_PBMM_3-1-2020 |
SI_3 |
Canada_Federal_PBMM_3-1-2020_SI_3 |
Canada Federal PBMM 3-1-2020 SI 3 |
Malicious Code Protection |
Malicious Code Protection |
Shared |
1. The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code.
2. The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
3. The organization configures malicious code protection mechanisms to:
a. Perform periodic scans of the information system at least weekly and real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and
b. Block and quarantine malicious code; send alert to the key role as defined in the system and information integrity policy in response to malicious code detection.
4. The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. |
To mitigate potential impacts on system availability. |
|
52 |
| Canada_Federal_PBMM_3-1-2020 |
SI_3(1) |
Canada_Federal_PBMM_3-1-2020_SI_3(1) |
Canada Federal PBMM 3-1-2020 SI 3(1) |
Malicious Code Protection |
Malicious Code Protection | Central Management |
Shared |
The organization centrally manages malicious code protection mechanisms. |
To centrally manage malicious code protection mechanisms. |
|
51 |
| Canada_Federal_PBMM_3-1-2020 |
SI_3(2) |
Canada_Federal_PBMM_3-1-2020_SI_3(2) |
Canada Federal PBMM 3-1-2020 SI 3(2) |
Malicious Code Protection |
Malicious Code Protection | Automatic Updates |
Shared |
The information system automatically updates malicious code protection mechanisms. |
To ensure automatic updates in malicious code protection mechanisms. |
|
51 |
| Canada_Federal_PBMM_3-1-2020 |
SI_3(7) |
Canada_Federal_PBMM_3-1-2020_SI_3(7) |
Canada Federal PBMM 3-1-2020 SI 3(7) |
Malicious Code Protection |
Malicious Code Protection | Non Signature-Based Detection |
Shared |
The information system implements non-signature-based malicious code detection mechanisms. |
To enhance overall security posture.
|
|
51 |
| Canada_Federal_PBMM_3-1-2020 |
SI_8(1) |
Canada_Federal_PBMM_3-1-2020_SI_8(1) |
Canada Federal PBMM 3-1-2020 SI 8(1) |
Spam Protection |
Spam Protection | Central Management of Protection Mechanisms |
Shared |
The organization centrally manages spam protection mechanisms. |
To enhance overall security posture. |
|
87 |
| CIS_Controls_v8.1 |
10.7 |
CIS_Controls_v8.1_10.7 |
CIS Controls v8.1 10.7 |
Malware Defenses |
Use behaviour based anti-malware software |
Shared |
Use behaviour based anti-malware software |
To ensure that a generic anti-malware software is not used. |
|
95 |
| CIS_Controls_v8.1 |
13.1 |
CIS_Controls_v8.1_13.1 |
CIS Controls v8.1 13.1 |
Network Monitoring and Defense |
Centralize security event alerting |
Shared |
1. Centralize security event alerting across enterprise assets for log correlation and analysis.
2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts.
3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard. |
To ensure that any security event is immediately alerted enterprise-wide. |
|
97 |
| CIS_Controls_v8.1 |
13.3 |
CIS_Controls_v8.1_13.3 |
CIS Controls v8.1 13.3 |
Network Monitoring and Defense |
Deploy a network intrusion detection solution |
Shared |
1. Deploy a network intrusion detection solution on enterprise assets, where appropriate.
2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. |
To enhance the organization's cybersecurity. |
|
95 |
| CIS_Controls_v8.1 |
18.4 |
CIS_Controls_v8.1_18.4 |
CIS Controls v8.1 18.4 |
Penetration Testing |
Validate security measures |
Shared |
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. |
To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise. |
|
89 |
| CIS_Controls_v8.1 |
4.7 |
CIS_Controls_v8.1_4.7 |
CIS Controls v8.1 4.7 |
Secure Configuration of Enterprise Assets and Software |
Manage default accounts on enterprise assets and software |
Shared |
1. Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts.
2. Example implementations can include: disabling default accounts or making them unusable. |
To ensure access to default accounts is restricted. |
|
22 |
| CIS_Controls_v8.1 |
5.3 |
CIS_Controls_v8.1_5.3 |
CIS Controls v8.1 5.3 |
Account Management |
Disable dormant accounts |
Shared |
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported. |
To implement time based expiry of access to systems. |
|
21 |
| CIS_Controls_v8.1 |
6.1 |
CIS_Controls_v8.1_6.1 |
CIS Controls v8.1 6.1 |
Access Control Management |
Establish an access granting process |
Shared |
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.
|
To implement role based access controls. |
|
20 |
| CIS_Controls_v8.1 |
6.2 |
CIS_Controls_v8.1_6.2 |
CIS Controls v8.1 6.2 |
Access Control Management |
Establish an access revoking process |
Shared |
1. Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user.
2. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails. |
To restrict access to enterprise assets. |
|
21 |
| CIS_Controls_v8.1 |
8.11 |
CIS_Controls_v8.1_8.11 |
CIS Controls v8.1 8.11 |
Audit Log Management |
Conduct audit log reviews |
Shared |
1. Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat.
2. Conduct reviews on a weekly, or more frequent, basis.
|
To ensure the integrity of the data in audit logs. |
|
59 |
| CIS_Controls_v8.1 |
9.3 |
CIS_Controls_v8.1_9.3 |
CIS Controls v8.1 9.3 |
Email and Web Browser Protections |
Maintain and enforce network-based URL filters |
Shared |
1. Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites.
2. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists.
3. Enforce filters for all enterprise assets. |
To prevent users from connecting to unsafe websites. |
|
7 |
| CMMC_L2_v1.9.0 |
AU.L2_3.3.1 |
CMMC_L2_v1.9.0_AU.L2_3.3.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.1 |
Audit and Accountability |
System Auditing |
Shared |
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. |
To enhance security and accountability measures. |
|
40 |
| CMMC_L2_v1.9.0 |
CA.L2_3.12.2 |
CMMC_L2_v1.9.0_CA.L2_3.12.2 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CA.L2 3.12.2 |
Security Assessment |
Plan of Action |
Shared |
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. |
To enhance the resilience to cyber threats and protect systems and data from potential exploitation or compromise. |
|
17 |
| CMMC_L2_v1.9.0 |
RA.L2_3.11.2 |
CMMC_L2_v1.9.0_RA.L2_3.11.2 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 RA.L2 3.11.2 |
Risk Assessment |
Vulnerability Scan |
Shared |
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. |
To enhance the overall security posture of the organization. |
|
14 |
| CMMC_L2_v1.9.0 |
RA.L2_3.11.3 |
CMMC_L2_v1.9.0_RA.L2_3.11.3 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 RA.L2 3.11.3 |
Risk Assessment |
Vulnerability Remediation |
Shared |
Remediate vulnerabilities in accordance with risk assessments. |
To reduce the likelihood of security breaches and minimize potential impacts on operations and assets. |
|
14 |
| CMMC_L2_v1.9.0 |
SI.L1_3.14.2 |
CMMC_L2_v1.9.0_SI.L1_3.14.2 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.2 |
System and Information Integrity |
Malicious Code Protection |
Shared |
Provide protection from malicious code at appropriate locations within organizational information systems. |
To the integrity, confidentiality, and availability of information assets. |
|
19 |
| CMMC_L2_v1.9.0 |
SI.L1_3.14.4 |
CMMC_L2_v1.9.0_SI.L1_3.14.4 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.4 |
System and Information Integrity |
Update Malicious Code Protection |
Shared |
Update malicious code protection mechanisms when new releases are available. |
To effectively defend against new and evolving malware threats, minimize the risk of infections, and maintain the security of their information systems and data. |
|
19 |
| CMMC_L2_v1.9.0 |
SI.L1_3.14.5 |
CMMC_L2_v1.9.0_SI.L1_3.14.5 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.5 |
System and Information Integrity |
System & File Scanning |
Shared |
Perform periodic scans of the information system and real time scans of files from external sources as files are downloaded, opened, or executed. |
To identify and mitigate security risks, prevent malware infections and minimise the impact of security breaches. |
|
19 |
| CMMC_L2_v1.9.0 |
SI.L2_3.14.3 |
CMMC_L2_v1.9.0_SI.L2_3.14.3 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.3 |
System and Information Integrity |
Security Alerts & Advisories |
Shared |
Monitor system security alerts and advisories and take action in response. |
To proactively defend against emerging threats and minimize the risk of security incidents or breaches. |
|
15 |
| CMMC_L2_v1.9.0 |
SI.L2_3.14.6 |
CMMC_L2_v1.9.0_SI.L2_3.14.6 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.6 |
System and Information Integrity |
Monitor Communications for Attacks |
Shared |
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. |
To protect systems and data from unauthorized access or compromise. |
|
15 |
| CMMC_L2_v1.9.0 |
SI.L2_3.14.7 |
CMMC_L2_v1.9.0_SI.L2_3.14.7 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.7 |
System and Information Integrity |
Identify Unauthorized Use |
Shared |
Identify unauthorized use of organizational systems. |
To enable the organization to take appropriate action, such as revoking access privileges, investigating security incidents, and implementing additional security controls to prevent future unauthorized access. |
|
14 |
| CMMC_L3 |
CA.2.158 |
CMMC_L3_CA.2.158 |
CMMC L3 CA.2.158 |
Security Assessment |
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating as intended. Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans.
Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted.
Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Organizations can choose to use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of systems during the system life cycle. |
link |
6 |
| CMMC_L3 |
CA.3.161 |
CMMC_L3_CA.3.161 |
CMMC L3 CA.3.161 |
Security Assessment |
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions.
Automation supports more frequent updates to hardware, software, firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Monitoring requirements, including the need for specific monitoring, may also be referenced in other requirements. |
link |
6 |
| CMMC_L3 |
CM.2.063 |
CMMC_L3_CM.2.063 |
CMMC L3 CM.2.063 |
Configuration Management |
Control and monitor user-installed software. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both. |
link |
2 |
| CMMC_L3 |
RM.2.141 |
CMMC_L3_RM.2.141 |
CMMC L3 RM.2.141 |
Risk Assessment |
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Clearly defined system boundaries are a prerequisite for effective risk assessments. Such risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations, organizational assets, and individuals based on the operation and use of organizational systems. Risk assessments also consider risk from external parties (e.g., service providers, contractors operating systems on behalf of the organization, individuals accessing organizational systems, outsourcing entities). Risk assessments, either formal or informal, can be conducted at the organization level, the mission or business process level, or the system level, and at any phase in the system development life cycle. |
link |
13 |
| CMMC_L3 |
RM.2.142 |
CMMC_L3_RM.2.142 |
CMMC L3 RM.2.142 |
Risk Assessment |
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms.
To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD).
Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning. |
link |
13 |
| CMMC_L3 |
RM.2.143 |
CMMC_L3_RM.2.143 |
CMMC L3 RM.2.143 |
Risk Assessment |
Remediate vulnerabilities in accordance with risk assessments. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Vulnerabilities discovered, for example, via the scanning conducted in response to RM.2.142, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities. |
link |
15 |
| CMMC_L3 |
RM.3.144 |
CMMC_L3_RM.3.144 |
CMMC L3 RM.3.144 |
Risk Management |
Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. |
Shared |
Microsoft and the customer share responsibility for implementing this requirement. |
Organizations must evaluate potential cybersecurity risks to operations, assets, and individuals. |
link |
8 |
| CPS_234_(APRA)_2019 |
CPS_234_(APRA)_2019_27 |
CPS_234_(APRA)_2019_27 |
APRA CPS 234 2019 27 |
Testing control effectiveness |
Ensure that an APRA-regulated entity systematically tests the effectiveness of its information security controls. |
Shared |
n/a |
An APRA-regulated entity must test the effectiveness of its information security controls through a systematic testing program. The nature and frequency of the systematic testing must be commensurate with:
1. the rate at which the vulnerabilities and threats change;
2. the criticality and sensitivity of the information asset;
3. the consequences of an information security incident;
4. the risks associated with exposure to environments where the APRA-regulated entity is unable to enforce its information security policies;
5. the materiality and frequency of change to information assets. |
|
17 |
| CSA_v4.0.12 |
CEK_03 |
CSA_v4.0.12_CEK_03 |
CSA Cloud Controls Matrix v4.0.12 CEK 03 |
Cryptography, Encryption & Key Management |
Data Encryption |
Shared |
n/a |
Provide cryptographic protection to data at-rest and in-transit,
using cryptographic libraries certified to approved standards. |
|
54 |
| CSA_v4.0.12 |
HRS_06 |
CSA_v4.0.12_HRS_06 |
CSA Cloud Controls Matrix v4.0.12 HRS 06 |
Human Resources |
Employment Termination |
Shared |
n/a |
Establish, document, and communicate to all personnel the procedures
outlining the roles and responsibilities concerning changes in employment. |
|
13 |
| CSA_v4.0.12 |
IAM_12 |
CSA_v4.0.12_IAM_12 |
CSA Cloud Controls Matrix v4.0.12 IAM 12 |
Identity & Access Management |
Safeguard Logs Integrity |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to ensure the logging infrastructure is read-only for all with write
access, including privileged access roles, and that the ability to disable it
is controlled through a procedure that ensures the segregation of duties and
break glass procedures. |
|
38 |
| CSA_v4.0.12 |
TVM_04 |
CSA_v4.0.12_TVM_04 |
CSA Cloud Controls Matrix v4.0.12 TVM 04 |
Threat & Vulnerability Management |
Detection Updates |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to update detection tools, threat signatures, and indicators of compromise
on a weekly, or more frequent basis. |
|
46 |
| Cyber_Essentials_v3.1 |
3 |
Cyber_Essentials_v3.1_3 |
Cyber Essentials v3.1 3 |
Cyber Essentials |
Security Update Management |
Shared |
n/a |
Aim: ensure that devices and software are not vulnerable to known security issues for which fixes are available. |
|
38 |
| Cyber_Essentials_v3.1 |
5 |
Cyber_Essentials_v3.1_5 |
Cyber Essentials v3.1 5 |
Cyber Essentials |
Malware protection |
Shared |
n/a |
Aim: to restrict execution of known malware and untrusted software, from causing damage or accessing data. |
|
60 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_11 |
EU_2555_(NIS2)_2022_11 |
EU 2022/2555 (NIS2) 2022 11 |
|
Requirements, technical capabilities and tasks of CSIRTs |
Shared |
n/a |
Outlines the requirements, technical capabilities, and tasks of CSIRTs. |
|
64 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_12 |
EU_2555_(NIS2)_2022_12 |
EU 2022/2555 (NIS2) 2022 12 |
|
Coordinated vulnerability disclosure and a European vulnerability database |
Shared |
n/a |
Establishes a coordinated vulnerability disclosure process and a European vulnerability database. |
|
62 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
189 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_29 |
EU_2555_(NIS2)_2022_29 |
EU 2022/2555 (NIS2) 2022 29 |
|
Cybersecurity information-sharing arrangements |
Shared |
n/a |
Allows entities to exchange relevant cybersecurity information on a voluntary basis. |
|
62 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_7 |
EU_2555_(NIS2)_2022_7 |
EU 2022/2555 (NIS2) 2022 7 |
|
National cybersecurity strategy |
Shared |
n/a |
Requires Member States to adopt a national cybersecurity strategy. |
|
16 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.1 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 |
Policy and Implementation - Systems And Communications Protection |
Systems And Communications Protection |
Shared |
In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. |
Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. |
|
110 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.11 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 |
Policy and Implementation - Formal Audits |
Policy Area 11: Formal Audits |
Shared |
Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. |
Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. |
|
60 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.7 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
| FFIEC_CAT_2017 |
2.2.1 |
FFIEC_CAT_2017_2.2.1 |
FFIEC CAT 2017 2.2.1 |
Threat Intelligence and Collaboration |
Monitoring and Analyzing |
Shared |
n/a |
- Audit log records and other security event logs are reviewed and retained in a secure manner.
- Computer event logs are used for investigations once an event has occurred. |
|
22 |
| FFIEC_CAT_2017 |
3.1.1 |
FFIEC_CAT_2017_3.1.1 |
FFIEC CAT 2017 3.1.1 |
Cybersecurity Controls |
Infrastructure Management |
Shared |
n/a |
- Network perimeter defense tools (e.g., border router and firewall) are used.
- Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices.
- All ports are monitored.
- Up to date antivirus and anti-malware tools are used.
- Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced.
- Ports, functions, protocols and services are prohibited if no longer needed for business purposes.
- Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.
- Programs that can override system, object, network, virtual machine, and application controls are restricted.
- System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met.
- Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.) |
|
71 |
| FFIEC_CAT_2017 |
3.2.2 |
FFIEC_CAT_2017_3.2.2 |
FFIEC CAT 2017 3.2.2 |
Cybersecurity Controls |
Anomalous Activity Detection |
Shared |
n/a |
- The institution is able to detect anomalous activities through monitoring across the environment.
- Customer transactions generating anomalous activity alerts are monitored and reviewed.
- Logs of physical and/or logical access are reviewed following events.
- Access to critical systems by third parties is monitored for unauthorized or unusual activity.
- Elevated privileges are monitored. |
|
26 |
| FFIEC_CAT_2017 |
3.2.3 |
FFIEC_CAT_2017_3.2.3 |
FFIEC CAT 2017 3.2.3 |
Cybersecurity Controls |
Event Detection |
Shared |
n/a |
- A normal network activity baseline is established.
- Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks.
- Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software.
- Responsibilities for monitoring and reporting suspicious systems activity have been assigned.
- The physical environment is monitored to detect potential unauthorized access. |
|
30 |
| HITRUST_CSF_v11.3 |
09.ab |
HITRUST_CSF_v11.3_09.ab |
HITRUST CSF v11.3 09.ab |
Monitoring |
Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. |
Shared |
1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required.
2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with. |
Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. |
|
109 |
| HITRUST_CSF_v11.3 |
09.j |
HITRUST_CSF_v11.3_09.j |
HITRUST CSF v11.3 09.j |
Protection Against Malicious and Mobile Code |
Ensure that integrity of information and software is protected from malicious or unauthorized code |
Shared |
1. Technologies are to be implemented for timely installation, upgrade and renewal of anti-malware protective measures.
2. Automatic periodic scans of information systems is to be implemented.
3. Anti-malware software that offers a centralized infrastructure that compiles information on file reputations is to be implemented.
4. Post-malicious code update, signature deployment, scanning files, email, and web traffic is to be verified by automated systems, while BYOD users require anti-malware, network-based malware detection is to be used on servers without host-based solutions use.
5. Anti-malware audit logs checks to be performed.
6. Protection against malicious code is to be based on malicious code detection and repair software, security awareness, appropriate system access, and change management controls. |
Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided. |
|
37 |
| HITRUST_CSF_v11.3 |
10.k |
HITRUST_CSF_v11.3_10.k |
HITRUST CSF v11.3 10.k |
Security In Development and Support Processes |
Ensure the security of application system software and information through the development process, project and support environments shall be strictly controlled. |
Shared |
1. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management is to be formally addressed.
2. Changes to mobile device operating systems, patch levels, and/or applications is to be managed through a formal change management process.
3. A baseline configuration of the information system is to be developed, documented, and maintained under configuration control. |
The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures. |
|
33 |
| HITRUST_CSF_v11.3 |
10.m |
HITRUST_CSF_v11.3_10.m |
HITRUST CSF v11.3 10.m |
Technical Vulnerability Management |
Reduce the risks resulting from exploitation of published technical vulnerabilities, technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness. |
Shared |
1. The necessary secure services, protocols required for the function of the system are to be enabled.
2. Security features to be implemented for any required services that are considered to be insecure.
3. Laptops, workstations, and servers to be configured so they will not auto-run content from removable media.
4. Configuration standards to be consistent with industry-accepted system hardening standards.
5. An enterprise security posture review within every 365 days is to be conducted.
6. Vulnerability scanning tools to be regularly updated with all relevant information system vulnerabilities. |
Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk. |
|
46 |
| ISO_IEC_27001_2022 |
10.2 |
ISO_IEC_27001_2022_10.2 |
ISO IEC 27001 2022 10.2 |
Improvement |
Nonconformity and corrective action |
Shared |
1. When a nonconformity occurs, the organization shall:
a. react to the nonconformity, and as applicable:
i. take action to control and correct it;
ii. deal with the consequences;
b. evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
i. reviewing the nonconformity;
ii. determining the causes of the nonconformity; and
iii. determining if similar nonconformities exist, or could potentially occur;
c. implement any action needed;
d. review the effectiveness of any corrective action taken; and
e. make changes to the information security management system, if necessary.
2. Corrective actions shall be appropriate to the effects of the nonconformities encountered.
3. Documented information shall be available as evidence of:
a. the nature of the nonconformities and any subsequent actions taken,
b. the results of any corrective action. |
Specifies the actions that the organisation shall take in cases of nonconformity. |
|
18 |
| ISO_IEC_27001_2022 |
9.1 |
ISO_IEC_27001_2022_9.1 |
ISO IEC 27001 2022 9.1 |
Performance Evaluation |
Monitoring, measurement, analysis and evaluation |
Shared |
1. The organization shall determine:
a. what needs to be monitored and measured, including information security processes and controls;
b. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid;
c. when the monitoring and measuring shall be performed;
d. who shall monitor and measure;
e. when the results from monitoring and measurement shall be analysed and evaluated;
f. who shall analyse and evaluate these results.
2. Documented information shall be available as evidence of the results. |
Specifies that the organisation must evaluate information security performance and the effectiveness of the information security management system. |
|
43 |
| ISO_IEC_27002_2022 |
5.5 |
ISO_IEC_27002_2022_5.5 |
ISO IEC 27002 2022 5.5 |
Identifying,
Protection,
Response,
Recovery,
Preventive,
Corrective Control |
Contact with authorities |
Shared |
The organization should establish and maintain contact with relevant authorities.
|
To ensure appropriate flow of information takes place with respect to information security between
the organization and relevant legal, regulatory and supervisory authorities. |
|
13 |
| ISO_IEC_27002_2022 |
8.16 |
ISO_IEC_27002_2022_8.16 |
ISO IEC 27002 2022 8.16 |
Response,
Detection,
Corrective Control |
Monitoring activities |
Shared |
Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
|
To detect anomalous behaviour and potential information security incidents. |
|
15 |
| ISO_IEC_27002_2022 |
8.7 |
ISO_IEC_27002_2022_8.7 |
ISO IEC 27002 2022 8.7 |
Identifying,
Protection,
Preventive Control |
Protection against malware |
Shared |
Protection against malware should be implemented and supported by appropriate user awareness.
|
To ensure information and other associated assets are protected against malware. |
|
19 |
| ISO_IEC_27002_2022 |
8.8 |
ISO_IEC_27002_2022_8.8 |
ISO IEC 27002 2022 8.8 |
Identifying,
Protection,
Preventive Control |
Management of technical vulnerabilities |
Shared |
Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.
|
To prevent exploitation of technical vulnerabilities. |
|
14 |
| NIST_CSF_v2.0 |
DE.CM |
NIST_CSF_v2.0_DE.CM |
404 not found |
|
|
|
n/a |
n/a |
|
15 |
| NIST_CSF_v2.0 |
GV.SC_07 |
NIST_CSF_v2.0_GV.SC_07 |
NIST CSF v2.0 GV.SC 07 |
GOVERN-Cybersecurity Supply Chain Risk Management |
The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship. |
Shared |
n/a |
To establish, communicate, and monitor the risk management strategy, expectations, and policy. |
|
17 |
| NIST_SP_800-171_R3_3 |
.11.2 |
NIST_SP_800-171_R3_3.11.2 |
NIST 800-171 R3 3.11.2 |
Risk Assessment Control |
Vulnerability Monitoring and Scanning |
Shared |
Organizations determine the required vulnerability scanning for system components and ensure that potential sources of vulnerabilities (e.g., networked printers, scanners, and copiers) are not overlooked. Vulnerability analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, or binary analysis. Organizations can use these approaches in source code reviews and tools (e.g., static analysis tools, web-based application scanners, binary analyzers). Vulnerability scanning includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating flow control mechanisms.
To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated and that employ the Extensible Configuration Checklist Description Format (XCCDF). Organizations also consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL). Sources for vulnerability information also include the Common Weakness Enumeration (CWE) listing, the National Vulnerability Database (NVD), and the Common Vulnerability Scoring System (CVSS). |
a. Monitor and scan for vulnerabilities in the system periodically and when new vulnerabilities affecting the system are identified.
b. Remediate system vulnerabilities within [Assignment: organization-defined response times].
c. Update system vulnerabilities to be scanned periodically and when new vulnerabilities are identified and reported. |
|
15 |
| NIST_SP_800-171_R3_3 |
.12.3 |
NIST_SP_800-171_R3_3.12.3 |
NIST 800-171 R3 3.12.3 |
Security Assessment Control |
Continuous Monitoring |
Shared |
Continuous monitoring at the system level facilitates ongoing awareness of the system security posture to support risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their systems at a frequency that is sufficient to support risk based decisions. Different types of security requirements may require different monitoring frequencies. |
Continuous monitoring at the system level facilitates ongoing awareness of the system security posture to support risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their systems at a frequency that is sufficient to support risk based decisions. Different types of security requirements may require different monitoring frequencies. |
|
17 |
| NIST_SP_800-171_R3_3 |
.14.2 |
NIST_SP_800-171_R3_3.14.2 |
NIST 800-171 R3 3.14.2 |
System and Information Integrity Control |
Malicious Code Protection |
Shared |
Malicious code insertions occur through the exploitation of system vulnerabilities. Periodic scans of the system and real-time scans of files from external sources as files are downloaded, opened, or executed can detect malicious code. Malicious code can be inserted into the system in many ways, including by email, the Internet, and portable storage devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats, contained in compressed or hidden files, or hidden in files using techniques such as steganography. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software and custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.
If malicious code cannot be detected by detection methods or technologies, organizations can rely on secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that the software only performs intended functions. Organizations may determine that different actions are warranted in response to the detection of malicious code. For example, organizations can define actions to be taken in response to malicious code detection during scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files. |
a. Implement malicious code protection mechanisms at designated locations within the system to detect and eradicate malicious code.
b. Update malicious code protection mechanisms as new releases are available in accordance with configuration management policy and procedures.
c. Configure malicious code protection mechanisms to:
1. Perform scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at endpoints or network entry and exit points as the files are downloaded, opened, or executed; and
2. Block malicious code, quarantine malicious code, or take other actions in response to malicious code detection. |
|
19 |
| NIST_SP_800-171_R3_3 |
.14.6 |
NIST_SP_800-171_R3_3.14.6 |
NIST 800-171 R3 3.14.6 |
System and Information Integrity Control |
System Monitoring |
Shared |
System monitoring involves external and internal monitoring. External monitoring includes the observation of events that occur at the system boundary. Internal monitoring includes the observation of events that occur within the system. Organizations can monitor the system, for example, by observing audit record activities in real time or by observing other system aspects, such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events.
A system monitoring capability is achieved through a variety of tools and techniques (e.g., audit record monitoring software, intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms that support critical applications with such devices being employed at managed system interfaces.
The granularity of monitoring the information collected is based on organizational monitoring objectives and the capability of the system to support such objectives.
Systems connections can be network, remote, or local. A network connection is any connection with a device that communicates through a network (e.g., local area network, the internet). A remote connection is any connection with a device that communicates through an external network (e.g., the internet). Network, remote, and local connections can be either wired or wireless.
Unusual or unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in the system or propagating among system components, the unauthorized export of information, or signaling to external systems. Evidence of malicious code is used to identify a potentially compromised system. System monitoring requirements, including the need for types of system monitoring, may be referenced in other requirements. |
a. Monitor the system to detect:
1. Attacks and indicators of potential attacks; and
2. Unauthorized connections.
b. Identify unauthorized use of the system.
c. Monitor inbound and outbound communications traffic to detect unusual or unauthorized activities or conditions. |
|
14 |
| NIST_SP_800-53_R5.1.1 |
CA.7 |
NIST_SP_800-53_R5.1.1_CA.7 |
NIST SP 800-53 R5.1.1 CA.7 |
Assessment, Authorization and Monitoring Control |
Continuous Monitoring |
Shared |
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:
a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics];
b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;
c. Ongoing control assessments in accordance with the continuous monitoring strategy;
d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
e. Correlation and analysis of information generated by control assessments and monitoring;
f. Response actions to address results of the analysis of control assessment and monitoring information; and
g. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles]
[Assignment: organization-defined frequency]. |
Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms “continuous” and “ongoing” imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.
Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, and SI-4. |
|
17 |
| NIST_SP_800-53_R5.1.1 |
RA.5 |
NIST_SP_800-53_R5.1.1_RA.5 |
NIST SP 800-53 R5.1.1 RA.5 |
Risk Assessment Control |
Vulnerability Monitoring and Scanning |
Shared |
a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;
b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyze vulnerability scan reports and results from vulnerability monitoring;
d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk;
e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and
f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. |
Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.
Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).
Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.
Organizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points. |
|
13 |
| NIST_SP_800-53_R5.1.1 |
SI.3 |
NIST_SP_800-53_R5.1.1_SI.3 |
NIST SP 800-53 R5.1.1 SI.3 |
System and Information Integrity Control |
Malicious Code Protection |
Shared |
a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
c. Configure malicious code protection mechanisms to:
1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]
]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and
d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. |
System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.
Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.
In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files. |
|
19 |
| NIST_SP_800-53_R5.1.1 |
SI.4 |
NIST_SP_800-53_R5.1.1_SI.4 |
NIST SP 800-53 R5.1.1 SI.4 |
System and Information Integrity Control |
System Monitoring |
Shared |
a. Monitor the system to detect:
1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods];
c. Invoke internal monitoring capabilities or deploy monitoring devices:
1. Strategically within the system to collect organization-determined essential information; and
2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Analyze detected events and anomalies;
e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
f. Obtain legal opinion regarding system monitoring activities; and
g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles]
[Selection (one or more): as needed;
[Assignment: organization-defined frequency]
]. |
System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.
Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. |
|
13 |
| NZISM_v3.7 |
14.1.8.C.01. |
NZISM_v3.7_14.1.8.C.01. |
NZISM v3.7 14.1.8.C.01. |
Standard Operating Environments |
14.1.8.C.01. - minimise vulnerabilities and enhance system security |
Shared |
n/a |
Agencies SHOULD develop a hardened SOE for workstations and servers, covering:
1. removal of unneeded software and operating system components;
2. removal or disabling of unneeded services, ports and BIOS settings;
3. disabling of unused or undesired functionality in software and operating systems;
4. implementation of access controls on relevant objects to limit system users and programs to the minimum access required;
5. installation of antivirus and anti-malware software;
6. installation of software-based firewalls limiting inbound and outbound network connections;
7. configuration of either remote logging or the transfer of local event logs to a central server; and
8. protection of audit and other logs through the use of a one way pipe to reduce likelihood of compromise key transaction records. |
|
30 |
| NZISM_v3.7 |
14.2.4.C.01. |
NZISM_v3.7_14.2.4.C.01. |
NZISM v3.7 14.2.4.C.01. |
Application Allow listing |
14.2.4.C.01. - mitigate security risks, and ensure compliance with security policies and standards. |
Shared |
n/a |
Agencies SHOULD implement application allow listing as part of the SOE for workstations, servers and any other network device. |
|
25 |
| NZISM_v3.7 |
14.3.12.C.01. |
NZISM_v3.7_14.3.12.C.01. |
NZISM v3.7 14.3.12.C.01. |
Web Applications |
14.3.12.C.01. - strengthening the overall security posture of the agency's network environment. |
Shared |
n/a |
Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations. |
|
77 |
| NZISM_v3.7 |
16.1.31.C.01. |
NZISM_v3.7_16.1.31.C.01. |
NZISM v3.7 16.1.31.C.01. |
Identification, Authentication and Passwords |
16.1.31.C.01. - promote security and accountability within the agency's systems.
|
Shared |
n/a |
Agencies MUST:
1. develop, implement and maintain a set of policies and procedures covering all system users:
a. identification;
b. authentication;
c. authorisation;
d. privileged access identification and management; and
2. make their system users aware of the agency's policies and procedures. |
|
22 |
| NZISM_v3.7 |
16.1.32.C.01. |
NZISM_v3.7_16.1.32.C.01. |
NZISM v3.7 16.1.32.C.01. |
Identification, Authentication and Passwords |
16.1.32.C.01. - promote security and accountability within the agency's systems. |
Shared |
n/a |
Agencies MUST ensure that all system users are:
1. uniquely identifiable; and
2. authenticated on each occasion that access is granted to a system. |
|
21 |
| NZISM_v3.7 |
18.4.10.C.01. |
NZISM_v3.7_18.4.10.C.01. |
NZISM v3.7 18.4.10.C.01. |
Intrusion Detection and Prevention |
18.4.10.C.01. - ensure user awareness of the policies, and handling outbreaks according to established procedures. |
Shared |
n/a |
Agencies MUST:
1. develop and maintain a set of policies and procedures covering how to:
a.minimise the likelihood of malicious code being introduced into a system;
b. prevent all unauthorised code from executing on an agency network;
c. detect any malicious code installed on a system;
d. make their system users aware of the agency's policies and procedures; and
e. ensure that all instances of detected malicious code outbreaks are handled according to established procedures. |
|
16 |
| NZISM_v3.7 |
19.1.10.C.01. |
NZISM_v3.7_19.1.10.C.01. |
NZISM v3.7 19.1.10.C.01. |
Gateways |
19.1.10.C.01. - ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks. |
Shared |
n/a |
When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection. |
|
46 |
| NZISM_v3.7 |
19.1.11.C.01. |
NZISM_v3.7_19.1.11.C.01. |
NZISM v3.7 19.1.11.C.01. |
Gateways |
19.1.11.C.01. - ensure network protection through gateway mechanisms. |
Shared |
n/a |
Agencies MUST ensure that:
1. all agency networks are protected from networks in other security domains by one or more gateways;
2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and
3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room. |
|
45 |
| NZISM_v3.7 |
6.1.9.C.01. |
NZISM_v3.7_6.1.9.C.01. |
NZISM v3.7 6.1.9.C.01. |
Information Security Reviews |
6.1.9.C.01. - ensure alignment with the vulnerability disclosure policy, and implement adjustments and changes consistent with the findings of vulnerability analysis |
Shared |
n/a |
Agencies SHOULD review the components detailed below. Agencies SHOULD also ensure that any adjustments and changes as a result of any vulnerability analysis are consistent with the vulnerability disclosure policy.
1. Information security documentation - The SecPol, Systems Architecture, SRMPs, SSPs, SitePlan, SOPs, the VDP, the IRP, and any third party assurance reports.
2. Dispensations - Prior to the identified expiry date.
3. Operating environment - When an identified threat emerges or changes, an agency gains or loses a function or the operation of functions are moved to a new physical environment.
4. Procedures - After an information security incident or test exercise.
5. System security - Items that could affect the security of the system on a regular basis.
6. Threats - Changes in threat environment and risk profile.
7. NZISM - Changes to baseline or other controls, any new controls and guidance. |
|
16 |
|
op.mon.3 Monitoring |
op.mon.3 Monitoring |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
| PCI_DSS_v4.0.1 |
10.3.4 |
PCI_DSS_v4.0.1_10.3.4 |
PCI DSS v4.0.1 10.3.4 |
Log and Monitor All Access to System Components and Cardholder Data |
Log Integrity Monitoring |
Shared |
n/a |
File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts. |
|
24 |
| PCI_DSS_v4.0.1 |
11.3.1 |
PCI_DSS_v4.0.1_11.3.1 |
PCI DSS v4.0.1 11.3.1 |
Test Security of Systems and Networks Regularly |
Internal Vulnerability Scans |
Shared |
n/a |
Internal vulnerability scans are performed as follows:
• At least once every three months.
• Vulnerabilities that are either high-risk or critical (according to the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
• Rescans are performed that confirm all high-risk and all critical vulnerabilities (as noted above) have been resolved.
• Scan tool is kept up to date with latest vulnerability information.
• Scans are performed by qualified personnel and organizational independence of the tester exists. |
|
15 |
| PCI_DSS_v4.0.1 |
11.3.1.1 |
PCI_DSS_v4.0.1_11.3.1.1 |
PCI DSS v4.0.1 11.3.1.1 |
Test Security of Systems and Networks Regularly |
Management of Other Vulnerabilities |
Shared |
n/a |
All other applicable vulnerabilities (those not ranked as high-risk vulnerabilities or critical vulnerabilities according to the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are managed as follows:
• Addressed based on the risk defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
• Rescans are conducted as needed. |
|
14 |
| PCI_DSS_v4.0.1 |
11.4.4 |
PCI_DSS_v4.0.1_11.4.4 |
PCI DSS v4.0.1 11.4.4 |
Test Security of Systems and Networks Regularly |
Addressing Penetration Testing Findings |
Shared |
n/a |
Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows:
• In accordance with the entity’s assessment of the risk posed by the security issue as defined in Requirement 6.3.1.
• Penetration testing is repeated to verify the corrections. |
|
14 |
| PCI_DSS_v4.0.1 |
11.5.1 |
PCI_DSS_v4.0.1_11.5.1 |
PCI DSS v4.0.1 11.5.1 |
Test Security of Systems and Networks Regularly |
Intrusion Detection/Prevention |
Shared |
n/a |
Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network as follows:
• All traffic is monitored at the perimeter of the CDE.
• All traffic is monitored at critical points in the CDE.
• Personnel are alerted to suspected compromises.
• All intrusion-detection and prevention engines, baselines, and signatures are kept up to date |
|
19 |
| PCI_DSS_v4.0.1 |
11.5.1.1 |
PCI_DSS_v4.0.1_11.5.1.1 |
PCI DSS v4.0.1 11.5.1.1 |
Test Security of Systems and Networks Regularly |
Covert Malware Detection |
Shared |
n/a |
Additional requirement for service providers only: Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels. |
|
17 |
| PCI_DSS_v4.0.1 |
11.5.2 |
PCI_DSS_v4.0.1_11.5.2 |
PCI DSS v4.0.1 11.5.2 |
Test Security of Systems and Networks Regularly |
Change-Detection Mechanism Deployment |
Shared |
n/a |
A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows:
• To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files.
• To perform critical file comparisons at least once weekly. |
|
27 |
| PCI_DSS_v4.0.1 |
12.4.1 |
PCI_DSS_v4.0.1_12.4.1 |
PCI DSS v4.0.1 12.4.1 |
Support Information Security with Organizational Policies and Programs |
Executive Management Responsibility for PCI DSS |
Shared |
n/a |
Additional requirement for service providers only: Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program to include:
• Overall accountability for maintaining PCI DSS compliance.
• Defining a charter for a PCI DSS compliance program and communication to executive management. |
|
17 |
| PCI_DSS_v4.0.1 |
5.2.1 |
PCI_DSS_v4.0.1_5.2.1 |
PCI DSS v4.0.1 5.2.1 |
Protect All Systems and Networks from Malicious Software |
An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware |
Shared |
n/a |
Examine system components to verify that an anti-malware solution(s) is deployed on all system components, except for those determined to not be at risk from malware based on periodic evaluations per Requirement 5.2.3. For any system components without an anti-malware solution, examine the periodic evaluations to verify the component was evaluated and the evaluation concludes that the component is not at risk from malware |
|
19 |
| PCI_DSS_v4.0.1 |
5.2.2 |
PCI_DSS_v4.0.1_5.2.2 |
PCI DSS v4.0.1 5.2.2 |
Protect All Systems and Networks from Malicious Software |
The deployed anti-malware solution(s) detects all known types of malware and removes, blocks, or contains all known types of malware |
Shared |
n/a |
Examine vendor documentation and configurations of the anti-malware solution(s) to verify that the solution detects all known types of malware and removes, blocks, or contains all known types of malware |
|
19 |
| PCI_DSS_v4.0.1 |
5.2.3 |
PCI_DSS_v4.0.1_5.2.3 |
PCI DSS v4.0.1 5.2.3 |
Protect All Systems and Networks from Malicious Software |
Any system components that are not at risk for malware are evaluated periodically to include the following: a documented list of all system components not at risk for malware, identification and evaluation of evolving malware threats for those system components, confirmation whether such system components continue to not require anti-malware protection |
Shared |
n/a |
Examine documented policies and procedures to verify that a process is defined for periodic evaluations of any system components that are not at risk for malware that includes all elements specified in this requirement. Interview personnel to verify that the evaluations include all elements specified in this requirement. Examine the list of system components identified as not at risk of malware and compare to the system components without an anti-malware solution deployed per Requirement 5.2.1 to verify that the system components match for both requirements |
|
19 |
| PCI_DSS_v4.0.1 |
5.3.1 |
PCI_DSS_v4.0.1_5.3.1 |
PCI DSS v4.0.1 5.3.1 |
Protect All Systems and Networks from Malicious Software |
The anti-malware solution(s) is kept current via automatic updates |
Shared |
n/a |
Examine anti-malware solution(s) configurations, including any master installation of the software, to verify the solution is configured to perform automatic updates. Examine system components and logs, to verify that the anti-malware solution(s) and definitions are current and have been promptly deployed |
|
19 |
| PCI_DSS_v4.0.1 |
5.3.2 |
PCI_DSS_v4.0.1_5.3.2 |
PCI DSS v4.0.1 5.3.2 |
Protect All Systems and Networks from Malicious Software |
The anti-malware solution(s) performs periodic scans and active or real-time scans, or performs continuous behavioral analysis of systems or processes |
Shared |
n/a |
Examine anti-malware solution(s) configurations, including any master installation of the software, to verify the solution(s) is configured to perform at least one of the elements specified in this requirement. Examine system components, including all operating system types identified as at risk for malware, to verify the solution(s) is enabled in accordance with at least one of the elements specified in this requirement. Examine logs and scan results to verify that the solution(s) is enabled in accordance with at least one of the elements specified in this requirement |
|
19 |
| PCI_DSS_v4.0.1 |
5.3.3 |
PCI_DSS_v4.0.1_5.3.3 |
PCI DSS v4.0.1 5.3.3 |
Protect All Systems and Networks from Malicious Software |
For removable electronic media, the anti-malware solution(s) performs automatic scans of when the media is inserted, connected, or logically mounted, or performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted |
Shared |
n/a |
Examine anti-malware solution(s) configurations to verify that, for removable electronic media, the solution is configured to perform at least one of the elements specified in this requirement. Examine system components with removable electronic media connected to verify that the solution(s) is enabled in accordance with at least one of the elements as specified in this requirement. Examine logs and scan results to verify that the solution(s) is enabled in accordance with at least one of the elements specified in this requirement |
|
19 |
| PCI_DSS_v4.0.1 |
6.4.1 |
PCI_DSS_v4.0.1_6.4.1 |
PCI DSS v4.0.1 6.4.1 |
Develop and Maintain Secure Systems and Software |
For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows: At least once every 12 months and after significant changes. By an entity that specializes in application security. Including, at a minimum, all common software attacks in Requirement 6.2.4. All vulnerabilities are ranked in accordance with requirement 6.3.1. All vulnerabilities are corrected. The application is re-evaluated after the corrections. OR Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows: Installed in front of public-facing web applications to detect and prevent web-based attacks. Actively running and up to date as applicable. Generating audit logs. Configured to either block web-based attacks or generate an alert that is immediately investigated |
Shared |
n/a |
For public-facing web applications, ensure that either one of the required methods is in place as follows: If manual or automated vulnerability security assessment tools or methods are in use, examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed in accordance with all elements of this requirement specific to the tool/method. OR If an automated technical solution(s) is installed that continually detects and prevents web-based attacks, examine the system configuration settings and audit logs, and interview responsible personnel to verify that the automated technical solution(s) is installed in accordance with all elements of this requirement specific to the solution(s) |
|
15 |
| Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes Oxley Act 2022 1 |
PUBLIC LAW |
Sarbanes Oxley Act 2022 (SOX) |
Shared |
n/a |
n/a |
|
92 |
| SOC_2023 |
A1.1 |
SOC_2023_A1.1 |
SOC 2023 A1.1 |
Additional Criteria for Availability |
Effectively manage capacity demand and facilitate the implementation of additional capacity as needed. |
Shared |
n/a |
The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. |
|
107 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
214 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
225 |
| SOC_2023 |
CC6.1 |
SOC_2023_CC6.1 |
SOC 2023 CC6.1 |
Logical and Physical Access Controls |
Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. |
Shared |
n/a |
Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. |
|
127 |
| SOC_2023 |
CC6.8 |
SOC_2023_CC6.8 |
SOC 2023 CC6.8 |
Logical and Physical Access Controls |
Mitigate the risk of cybersecurity threats, safeguard critical systems and data, and maintain operational continuity and integrity. |
Shared |
n/a |
Entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
|
33 |
| SOC_2023 |
CC7.2 |
SOC_2023_CC7.2 |
SOC 2023 CC7.2 |
Systems Operations |
Maintain robust security measures and ensure operational resilience. |
Shared |
n/a |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. |
|
163 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
209 |
| SOC_2023 |
CC8.1 |
SOC_2023_CC8.1 |
SOC 2023 CC8.1 |
Change Management |
Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. |
Shared |
n/a |
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. |
|
143 |
| SOC_2023 |
CC9.2 |
SOC_2023_CC9.2 |
SOC 2023 CC9.2 |
Risk Mitigation |
Ensure effective risk management throughout the supply chain and business ecosystem. |
Shared |
n/a |
Entity assesses and manages risks associated with vendors and business partners. |
|
43 |
| SWIFT_CSCF_2024 |
2.7 |
SWIFT_CSCF_2024_2.7 |
SWIFT Customer Security Controls Framework 2024 2.7 |
Risk Management |
Vulnerability Scanning |
Shared |
1. The detection of known vulnerabilities allows vulnerabilities to be analysed, treated, and mitigated. The mitigation of vulnerabilities reduces the number of pathways that a malicious actor can use during an attack.
2. A vulnerability scanning process that is comprehensive, repeatable, and performed in a timely manner is necessary to continuously detect known vulnerabilities and to allow for further action. |
To identify known vulnerabilities within the user’s Swift environment by implementing a regular vulnerability scanning process and act upon results. |
|
16 |
| SWIFT_CSCF_2024 |
2.9 |
SWIFT_CSCF_2024_2.9 |
SWIFT Customer Security Controls Framework 2024 2.9 |
Transaction Controls |
Transaction Business Controls |
Shared |
1. Implementing business controls that restrict Swift transactions to the fullest extent possible reduces the opportunity for the sending (outbound) and, optionally, receiving (inbound) of fraudulent transactions.
2. These restrictions are best determined through an analysis of normal business activity. Parameters can then be set to restrict business to acceptable thresholds based on “normal” activity. |
To ensure outbound transaction activity within the expected bounds of normal business. |
|
21 |
| SWIFT_CSCF_2024 |
6.1 |
SWIFT_CSCF_2024_6.1 |
SWIFT Customer Security Controls Framework 2024 6.1 |
Risk Management |
Malware Protection |
Shared |
1. Malware is a general term that includes many types of intrusive and unwanted software, including viruses.
2. Anti-malware technology (a broader term for anti-virus) is effective in protecting against malicious code that has a known digital or behaviour profile |
To ensure that the user’s Swift infrastructure is protected against malware and act upon results. |
|
19 |
| SWIFT_CSCF_2024 |
6.4 |
SWIFT_CSCF_2024_6.4 |
SWIFT Customer Security Controls Framework 2024 6.4 |
Access Control |
Logging and Monitoring |
Shared |
1. Developing a logging and monitoring plan is the basis for effectively detecting abnormal behaviour and potential attacks and support further investigations.
2. As the operational environment becomes more complex, so will the logging and monitoring capability needed to perform adequate detection. Simplifying the operational environment will enable simpler logging and monitoring. |
To record security events, detect and respond to anomalous actions and operations within the user’s Swift environment. |
|
38 |
| SWIFT_CSCF_2024 |
6.5 |
SWIFT_CSCF_2024_6.5 |
404 not found |
|
|
|
n/a |
n/a |
|
18 |
| SWIFT_CSCF_2024 |
8.1 |
SWIFT_CSCF_2024_8.1 |
404 not found |
|
|
|
n/a |
n/a |
|
17 |
| UK_NCSC_CAF_v3.2 |
C |
UK_NCSC_CAF_v3.2_C |
404 not found |
|
|
|
n/a |
n/a |
|
14 |
| UK_NCSC_CAF_v3.2 |
C1 |
UK_NCSC_CAF_v3.2_C1 |
404 not found |
|
|
|
n/a |
n/a |
|
15 |
| UK_NCSC_CAF_v3.2 |
C1.c |
UK_NCSC_CAF_v3.2_C1.c |
NCSC Cyber Assurance Framework (CAF) v3.2 C1.c |
Security Monitoring |
Generating Alerts |
Shared |
1. Logging data is enriched with other network knowledge and data when investigating certain suspicious activity or alerts.
2. A wide range of signatures and indicators of compromise is used for investigations of suspicious activity and alerts.
3. Alerts can be easily resolved to network assets using knowledge of networks and systems. The resolution of these alerts is performed in almost real time.
4. Security alerts relating to all essential functions are prioritised and this information is used to support incident management.
5. Logs are reviewed almost continuously, in real time.
6. Alerts are tested to ensure that they are generated reliably and that it is possible to distinguish genuine security incidents from false alarms. |
Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts. |
|
18 |
| UK_NCSC_CAF_v3.2 |
C1.d |
UK_NCSC_CAF_v3.2_C1.d |
NCSC Cyber Assurance Framework (CAF) v3.2 C1.d |
Security Monitoring |
Identifying Security Incidents |
Shared |
1. Select threat intelligence sources or services using risk-based and threat-informed decisions based on the business needs and sector (e.g. vendor reporting and patching, strong anti-virus providers, sector and community-based info share, special interest groups).
2. Apply all new signatures and IoCs within a reasonable (risk-based) time of receiving them.
3. Receive signature updates for all the protective technologies (e.g. AV, IDS).
4. Track the effectiveness of the intelligence feeds and actively share feedback on the usefulness of IoCs and any other indicators with the threat community (e.g.
sector partners, threat intelligence providers, government agencies). |
Contextualise alerts with knowledge of the threat and the systems, to identify those security incidents that require some form of response. |
|
17 |
| UK_NCSC_CAF_v3.2 |
C2 |
UK_NCSC_CAF_v3.2_C2 |
404 not found |
|
|
|
n/a |
n/a |
|
15 |
| UK_NCSC_CAF_v3.2 |
C2.b |
UK_NCSC_CAF_v3.2_C2.b |
NCSC Cyber Assurance Framework (CAF) v3.2 C2.b |
Proactive Security Event Discovery |
Proactive Attack Discovery |
Shared |
1. Routinely search for system abnormalities indicative of malicious activity on the networks and information systems supporting the operation of your essential function, generating alerts based on the results of such searches.
2. Have justified confidence in the effectiveness of the searches for system abnormalities indicative of malicious activity. |
Use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity. |
|
15 |