Az Policy Advertizer

Azure_Security_Benchmark_v2.0

LT-4

Azure_Security_Benchmark_v2.0_LT-4

Azure Security Benchmark LT-4

Logging and Threat Detection

Enable logging for Azure resources

Shared

Enable logging for Azure resources to meet the requirements for compliance, threat detection, hunting, and incident investigation. You can use Azure Security Center and Azure Policy to enable resource logs and log data collecting on Azure resources for access to audit, security, and resource logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. Understand logging and different log types in Azure: https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview Understand Azure Security Center data collection: https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection Enable and configure antimalware monitoring: https://docs.microsoft.com/azure/security/fundamentals/antimalware#enable-and-configure-antimalware-monitoring-using-powershell-cmdlets

n/a

Azure_Security_Benchmark_v3.0

LT-3

Azure_Security_Benchmark_v3.0_LT-3

Microsoft cloud security benchmark LT-3

Logging and Threat Detection

Enable logging for security investigation

Shared

**Security Principle:** Enable logging for your cloud resources to meet the requirements for security incident investigations and security response and compliance purposes. **Azure Guidance:** Enable logging capability for resources at the different tiers, such as logs for Azure resources, operating systems and applications inside in your VMs and other log types. Be mindful about different type of logs for security, audit, and other operation logs at the management/control plane and data plane tiers. There are three types of the logs available at the Azure platform: - Azure resource log: Logging of operations that are performed within an Azure resource (the data plane). For example, getting a secret from a key vault or making a request to a database. The content of resource logs varies by the Azure service and resource type. - Azure activity log: Logging of operations on each Azure resource at the subscription layer, from the outside (the management plane). You can use the Activity Log to determine the what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. There is a single Activity log for each Azure subscription. - Microsoft Entra logs: Logs of the history of sign-in activity and audit trail of changes made in the Microsoft Entra ID for a particular tenant. You can also use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collecting on Azure resources. **Implementation and additional context:** Understand logging and different log types in Azure: https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview Understand Microsoft Defender for Cloud data collection: https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection Enable and configure antimalware monitoring: https://docs.microsoft.com/azure/security/fundamentals/antimalware#enable-and-configure-antimalware-monitoring-using-powershell-cmdlets Operating systems and application logs inside in your compute resources: https://docs.microsoft.com/azure/azure-monitor/agents/data-sources#operating-system-guest

n/a

Canada_Federal_PBMM_3-1-2020_AC_1

AC_1

Canada Federal PBMM 3-1-2020 AC 1

Access Control Policy and Procedures

Shared

1. The organization develops, documents, and disseminates to personnel or roles with access control responsibilities: a. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the access control policy and associated access controls. 2. The organization reviews and updates the current: a. Access control policy at least every 3 years; and b. Access control procedures at least annually.

To establish and maintain effective access control measures.

Canada_Federal_PBMM_3-1-2020_AC_17(100)

AC_17(100)

Canada Federal PBMM 3-1-2020 AC 17(100)

Remote Access

Remote Access | Remote Access to Privileged Accounts using Dedicated Management Console

Shared

Remote access to privileged accounts is performed on dedicated management consoles governed entirely by the system’s security policies and used exclusively for this purpose (e.g. Internet access not allowed).

To reduce the risk of unauthorized access or compromise of privileged accounts.

Canada_Federal_PBMM_3-1-2020_AC_2(4)

AC_2(4)

Canada Federal PBMM 3-1-2020 AC 2(4)

Account Management

Account Management | Automated Audit Actions

Shared

1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers. 2. Related controls: AU-2, AU-12.

To ensure accountability and transparency within the information system.

Canada_Federal_PBMM_3-1-2020_AC_2(7)

AC_2(7)

Canada Federal PBMM 3-1-2020 AC 2(7)

Account Management

Account Management | Role-Based Schemes

Shared

1. The organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; 2. The organization monitors privileged role assignments; and 3. The organization disables (or revokes) privileged user assignments within 24 hours or sooner when privileged role assignments are no longer appropriate.

To strengthen the security posture and safeguard sensitive data and critical resources.

Canada_Federal_PBMM_3-1-2020_AC_2(9)

AC_2(9)

Canada Federal PBMM 3-1-2020 AC 2(9)

Account Management

Account Management | Restrictions on Use of Shared Groups / Accounts

Shared

The organization only permits the use of shared/group accounts that meet organization-defined conditions for establishing shared/group accounts.

To maintain security and accountability.

Canada_Federal_PBMM_3-1-2020_AC_3

AC_3

Canada Federal PBMM 3-1-2020 AC 3

Access Enforcement

Shared

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

To mitigate the risk of unauthorized access.

Canada_Federal_PBMM_3-1-2020_AC_6

AC_6

Canada Federal PBMM 3-1-2020 AC 6

Least Privilege

Shared

The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

To mitigate the risk of unauthorized access, data breaches, and system compromises.

Canada_Federal_PBMM_3-1-2020_AC_6(1)

AC_6(1)

Canada Federal PBMM 3-1-2020 AC 6(1)

Least Privilege

Least Privilege | Authorize Access to Security Functions

Shared

The organization explicitly authorizes access to all security functions not publicly accessible and all security-relevant information not publicly available.

To ensure appropriate oversight and control over critical security measures and information.

Canada_Federal_PBMM_3-1-2020_AC_6(10)

AC_6(10)

Canada Federal PBMM 3-1-2020 AC 6(10)

Least Privilege

Least Privilege | Prohibit Non-Privileged Users from Executing Privileged Functions

Shared

The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

To mitigate the risk of unauthorized access or malicious activities.

Canada_Federal_PBMM_3-1-2020_AC_6(2)

AC_6(2)

Canada Federal PBMM 3-1-2020 AC 6(2)

Least Privilege

Least Privilege | Non-Privileged Access for Non-Security Functions

Shared

The organization requires that users of information system accounts, or roles, with access to any security function, use non-privileged accounts or roles, when accessing non-security functions.

To enhance security measures and minimise the risk of unauthorized access or misuse of privileges.

Canada_Federal_PBMM_3-1-2020_AC_6(5)

AC_6(5)

Canada Federal PBMM 3-1-2020 AC 6(5)

Least Privilege

Least Privilege | Privileged Accounts

Shared

The organization restricts privileged accounts on the information system to the minimum number of personnel required to securely administer, manage, and protect the information systems.

To reduce the potential attack surface and enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_AC_6(9)

AC_6(9)

Canada Federal PBMM 3-1-2020 AC 6(9)

Least Privilege

Least Privilege | Auditing Use of Privileged Functions

Shared

The information system audits the execution of privileged functions.

To enhance oversight and detect potential security breaches or unauthorized activities.

Canada_Federal_PBMM_3-1-2020_CA_7

CA_7

Canada Federal PBMM 3-1-2020 CA 7

Continuous Monitoring

Shared

1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency.

To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements.

124

Canada_Federal_PBMM_3-1-2020_SI_4

SI_4

Canada Federal PBMM 3-1-2020 SI 4

Information System Monitoring

Shared

1. The organization monitors the information system to detect: a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and b. Unauthorized local, network, and remote connections; 2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods. 3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. 4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. 5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. 6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards. 7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_4(1)

SI_4(1)

Canada Federal PBMM 3-1-2020 SI 4(1)

Information System Monitoring

Information System Monitoring | System-Wide Intrusion Detection System

Shared

The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020_SI_4(2)

SI_4(2)

Canada Federal PBMM 3-1-2020 SI 4(2)

Information System Monitoring

Information System Monitoring | Automated Tools for Real-Time Analysis

Shared

The organization employs automated tools to support near real-time analysis of events.

To enhance overall security posture.

CCCS

AU-12

CCCS_AU-12

CCCS AU-12

Audit and Accountability

Audit Generation

n/a

(A) The information system provides audit record generation capability for the auditable events defined in AU-2 a. of all information system and network components where audit capability is deployed/available. (B) The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system. (C) The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

CCCS

AU-5

CCCS_AU-5

CCCS AU-5

Audit and Accountability

Response to Audit Processing Failures

n/a

(A) The information system alerts organization-defined personnel or roles in the event of an audit processing failure; and (B) The information system overwrites the oldest audit records.

CIS_Azure_1.1.0

2.14

CIS_Azure_1.1.0_2.14

CIS Microsoft Azure Foundations Benchmark recommendation 2.14

2 Security Center

Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled"

Shared

The customer is responsible for implementing this recommendation.

Enable SQL auditing recommendations.

CIS_Azure_1.1.0

4.1

CIS_Azure_1.1.0_4.1

CIS Microsoft Azure Foundations Benchmark recommendation 4.1

4 Database Services

Ensure that 'Auditing' is set to 'On'

Shared

The customer is responsible for implementing this recommendation.

Enable auditing on SQL Servers.

CIS_Azure_1.3.0

4.1.1

CIS_Azure_1.3.0_4.1.1

CIS Microsoft Azure Foundations Benchmark recommendation 4.1.1

4 Database Services

Ensure that 'Auditing' is set to 'On'

Shared

The customer is responsible for implementing this recommendation.

Enable auditing on SQL Servers.

CIS_Azure_1.4.0

4.1.1

CIS_Azure_1.4.0_4.1.1

CIS Microsoft Azure Foundations Benchmark recommendation 4.1.1

4 Database Services

Ensure that 'Auditing' is set to 'On'

Shared

The customer is responsible for implementing this recommendation.

Enable auditing on SQL Servers.

CIS_Azure_2.0.0

4.1.1

CIS_Azure_2.0.0_4.1.1

CIS Microsoft Azure Foundations Benchmark recommendation 4.1.1

4.1

Ensure that 'Auditing' is set to 'On'

Shared

n/a

Enable auditing on SQL Servers. The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.

CIS_Azure_Foundations_v2.1.0

4.1.1

CIS_Azure_Foundations_v2.1.0_4.1.1

CIS Azure Foundations v2.1.0 4.1.1

Database Services

Ensure that 'Auditing' is set to 'On'

Shared

n/a

Enable auditing on SQL Servers.

CIS_Controls_v8.1

4.1

CIS_Controls_v8.1_4.1

CIS Controls v8.1 4.1

Secure Configuration of Enterprise Assets and Software

Establish and maintain a secure configuration process.

Shared

1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). 2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard.

To ensure data integrity and safety of enterprise assets.

CIS_Controls_v8.1

8.5

CIS_Controls_v8.1_8.5

CIS Controls v8.1 8.5

Audit Log Management

Collect detailed audit logs.

Shared

1. Configure detailed audit logging for enterprise assets containing sensitive data. 2. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.

To ensure that audit logs contain all pertinent information that might be required in a forensic investigation.

CMMC_2.0_L2

AU.L2-3.3.1

CMMC_2.0_L2_AU.L2-3.3.1

404 not found

n/a

CMMC_2.0_L2

AU.L2-3.3.2

CMMC_2.0_L2_AU.L2-3.3.2

404 not found

n/a

CMMC_L2_v1.9.0_AU.L2_3.3.1

AU.L2_3.3.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.1

Audit and Accountability

System Auditing

Shared

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

To enhance security and accountability measures.

CMMC_L2_v1.9.0_AU.L2_3.3.2

AU.L2_3.3.2

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.2

Audit and Accountability

User Accountability

Shared

Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.

To ensure that the actions of individual system users can be uniquely traced back to them.

CMMC_L2_v1.9.0_AU.L2_3.3.3

AU.L2_3.3.3

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.3

Audit and Accountability

Event Review

Shared

Review and update logged events.

To enhance the effectiveness of security measures.

CMMC_L2_v1.9.0_AU.L2_3.3.7

AU.L2_3.3.7

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.7

Audit and Accountability

Authoritative Time Source

Shared

Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.

To ensure accurate time stamping of audit records for reliable monitoring, analysis, and reporting of system activity.

AU.2.041

CMMC_L3_AU.2.041

CMMC L3 AU.2.041

Audit and Accountability

Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP).

AU.2.042

CMMC_L3_AU.2.042

CMMC L3 AU.2.042

Audit and Accountability

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making.

AU.3.046

CMMC_L3_AU.3.046

CMMC L3 AU.3.046

Audit and Accountability

Alert in the event of an audit logging process failure.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both.

CA.2.158

CMMC_L3_CA.2.158

CMMC L3 CA.2.158

Security Assessment

Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating as intended. Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Organizations can choose to use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of systems during the system life cycle.

CA.3.161

CMMC_L3_CA.3.161

CMMC L3 CA.3.161

Security Assessment

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions. Automation supports more frequent updates to hardware, software, firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Monitoring requirements, including the need for specific monitoring, may also be referenced in other requirements.

LOG_07

CSA_v4.0.12_LOG_07

CSA Cloud Controls Matrix v4.0.12 LOG 07

Logging and Monitoring

Logging Scope

Shared

n/a

Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment.

LOG_08

CSA_v4.0.12_LOG_08

CSA Cloud Controls Matrix v4.0.12 LOG 08

Logging and Monitoring

Log Records

Shared

n/a

Generate audit records containing relevant security information.

LOG_10

CSA_v4.0.12_LOG_10

CSA Cloud Controls Matrix v4.0.12 LOG 10

Logging and Monitoring

Encryption Monitoring and Reporting

Shared

n/a

Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls.

LOG_11

CSA_v4.0.12_LOG_11

CSA Cloud Controls Matrix v4.0.12 LOG 11

Logging and Monitoring

Transaction/Activity Logging

Shared

n/a

Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

310

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

310

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5.4

404 not found

n/a

AU-12

FedRAMP_High_R4_AU-12

FedRAMP High AU-12

Audit And Accountability

Audit Generation

Shared

n/a

The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3. Supplemental Guidance: Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7. References: None.

AU-12(1)

FedRAMP_High_R4_AU-12(1)

FedRAMP High AU-12 (1)

Audit And Accountability

System-Wide / Time-Correlated Audit Trail

Shared

n/a

The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time- correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail]. Supplemental Guidance: Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. Related controls: AU-8, AU-12.

AU-6(4)

FedRAMP_High_R4_AU-6(4)

FedRAMP High AU-6 (4)

Audit And Accountability

Central Review And Analysis

Shared

n/a

The information system provides the capability to centrally review and analyze audit records from multiple components within the system. Supplemental Guidance: Automated mechanisms for centralized reviews and analyses include, for example, Security Information Management products. Related controls: AU-2, AU-12.

AU-6(5)

FedRAMP_High_R4_AU-6(5)

FedRAMP High AU-6 (5)

Audit And Accountability

Integration / Scanning And Monitoring Capabilities

Shared

n/a

The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. Supplemental Guidance: This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Event and Information Management System tools can facilitate audit record aggregation/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations. Related controls: AU-12, IR-4, RA-5.

FedRAMP_Moderate_R4_AU-12

FedRAMP_Moderate_R4

AU-12

FedRAMP Moderate AU-12

Audit And Accountability

Audit Generation

Shared

n/a

hipaa-1211.09aa3System.4-09.aa

hipaa

1211.09aa3System.4-09.aa

1211.09aa3System.4-09.aa

12 Audit Logging & Monitoring

1211.09aa3System.4-09.aa 09.10 Monitoring

Shared

n/a

The organization verifies every 90 days for each extract of covered information recorded that the data is erased or its use is still required.

HITRUST_CSF_v11.3

09.aa

HITRUST_CSF_v11.3_09.aa

HITRUST CSF v11.3 09.aa

Monitoring

Ensure information security events are monitored and recorded to detect unauthorized information processing activities in compliance with all relevant legal requirements.

Shared

1. Retention policies for audit logs are to be specified and the audit logs are to be retained accordingly. 2. A secure audit record is to be created each time a user accesses, creates, updates, or deletes covered and/or confidential information via the system. 3. Audit logs are to be maintained for account management activities, security policy changes, configuration changes, modification to sensitive information, read access to sensitive information, and printing of sensitive information.

Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.

HITRUST_CSF_v11.3

09.ab

HITRUST_CSF_v11.3_09.ab

HITRUST CSF v11.3 09.ab

Monitoring

Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls.

Shared

1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with.

Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly.

113

IRS_1075_9.3

.3.11

IRS_1075_9.3.3.11

IRS 1075 9.3.3.11

Awareness and Training

Audit Generation (AU-12)

n/a

The information system must: a. Provide audit record generation capability for the auditable events defined in Section 9.3.3.2, Audit Events (AU-2) b. Allow designated agency officials to select which auditable events are to be audited by specific components of the information system c. Generate audit records for the events with the content defined in Section 9.3.3.4, Content of Audit Records (AU-3).

IRS_1075_9.3

.3.5

IRS_1075_9.3.3.5

IRS 1075 9.3.3.5

Awareness and Training

Response to Audit Processing Failures (AU-5)

n/a

The information system must: a. Alert designated agency officials in the event of an audit processing failure b. Monitor system operational status using operating system or system audit logs and verify functions and performance of the system. Logs shall be able to identify where system process failures have taken place and provide information relative to corrective actions to be taken by the system administrator c. Provide a warning when allocated audit record storage volume reaches a maximum audit record storage capacity (CE1)

ISO_IEC_27017_2015_12.4.1

ISO_IEC_27001_2022

9.1

ISO_IEC_27001_2022_9.1

ISO IEC 27001 2022 9.1

Performance Evaluation

Monitoring, measurement, analysis and evaluation

Shared

1. The organization shall determine: a. what needs to be monitored and measured, including information security processes and controls; b. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid; c. when the monitoring and measuring shall be performed; d. who shall monitor and measure; e. when the results from monitoring and measurement shall be analysed and evaluated; f. who shall analyse and evaluate these results. 2. Documented information shall be available as evidence of the results.

Specifies that the organisation must evaluate information security performance and the effectiveness of the information security management system.

ISO_IEC_27002_2022

8.15

ISO_IEC_27002_2022_8.15

ISO IEC 27002 2022 8.15

Detection Control

Logging

Shared

Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed.

To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations.

ISO_IEC_27017_2015

12.4.1

ISO IEC 27017 2015 12.4.1

Operations Security

Event Logging

Shared

For Cloud Service Customer: The cloud service customer should define its requirements for event logging and verify that the cloud service meets those requirements. For Cloud Service Provider: The cloud service provider should provide logging capabilities to the cloud service customer.

ISO27001-2013

A.12.4.1

ISO27001-2013_A.12.4.1

ISO 27001:2013 A.12.4.1

Operations Security

Event Logging

Shared

n/a

Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

ISO27001-2013

A.12.4.3

ISO27001-2013_A.12.4.3

ISO 27001:2013 A.12.4.3

Operations Security

Administrator and operator logs

Shared

n/a

System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

ISO27001-2013

A.12.4.4

ISO27001-2013_A.12.4.4

ISO 27001:2013 A.12.4.4

Operations Security

Clock Synchronization

Shared

n/a

The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.

New_Zealand_ISM_23.5.11.C.01

New_Zealand_ISM

23.5.11.C.01

23. Public Cloud Security

23.5.11.C.01 Logging requirements

n/a

Agencies MUST ensure that logs associated with public cloud services are collected, protected, and that their integrity can be confirmed in accordance with the agency’s documented logging requirements.

NIST_CSF_v2.0

DE.AE_03

NIST_CSF_v2.0_DE.AE_03

NIST CSF v2.0 DE.AE 03

DETECT-Adverse Event Analysis

Information is correlated from multiple sources.

Shared

n/a

To identify and analyze the cybersecurity attacks and compromises.

NIST_SP_800-171_R2_3

.3.1

NIST_SP_800-171_R2_3.3.1

NIST SP 800-171 R2 3.3.1

Audit and Accountability

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloud-based architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. [SP 800-92] provides guidance on security log management.

NIST_SP_800-171_R2_3

.3.2

NIST_SP_800-171_R2_3.3.2

NIST SP 800-171 R2 3.3.2

Audit and Accountability

Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

NIST_SP_800-171_R3_3

.3.1

NIST_SP_800-171_R3_3.3.1

404 not found

n/a

NIST_SP_800-171_R3_3

.3.2

NIST_SP_800-171_R3_3.3.2

404 not found

n/a

NIST_SP_800-171_R3_3

.3.7

NIST_SP_800-171_R3_3.3.7

404 not found

n/a

AU-12

NIST_SP_800-53_R4_AU-12

NIST SP 800-53 Rev. 4 AU-12

Audit And Accountability

Audit Generation

Shared

n/a

NIST_SP_800-53_R4_AU-12(1)

AU-12(1)

NIST SP 800-53 Rev. 4 AU-12 (1)

Audit And Accountability

System-Wide / Time-Correlated Audit Trail

Shared

n/a

NIST_SP_800-53_R4_AU-6(4)

AU-6(4)

NIST SP 800-53 Rev. 4 AU-6 (4)

Audit And Accountability

Central Review And Analysis

Shared

n/a

NIST_SP_800-53_R4_AU-6(5)

AU-6(5)

NIST SP 800-53 Rev. 4 AU-6 (5)

Audit And Accountability

Integration / Scanning And Monitoring Capabilities

Shared

n/a

NIST_SP_800-53_R5.1.1_AU.2

NIST_SP_800-53_R5.1.1

AU.2

NIST SP 800-53 R5.1.1 AU.2

Audit and Accountability Control

Event Logging

Shared

a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency].

An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage. Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-17(1), CM-3f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-7, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.

NIST_SP_800-53_R5.1.1

AU.3

NIST_SP_800-53_R5.1.1_AU.3

NIST SP 800-53 R5.1.1 AU.3

Audit and Accountability Control

Content of Audit Records

Shared

Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event.

Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage.

AU-12

NIST_SP_800-53_R5_AU-12

NIST SP 800-53 Rev. 5 AU-12

Audit and Accountability

Audit Record Generation

Shared

n/a

a. Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3).

NIST_SP_800-53_R5_AU-12(1)

AU-12(1)

NIST SP 800-53 Rev. 5 AU-12 (1)

Audit and Accountability

System-wide and Time-correlated Audit Trail

Shared

n/a

Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].

NIST_SP_800-53_R5_AU-6(4)

AU-6(4)

NIST SP 800-53 Rev. 5 AU-6 (4)

Audit and Accountability

Central Review and Analysis

Shared

n/a

Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.

NIST_SP_800-53_R5_AU-6(5)

AU-6(5)

NIST SP 800-53 Rev. 5 AU-6 (5)

Audit and Accountability

Integrated Analysis of Audit Records

Shared

n/a

Integrate analysis of audit records with analysis of [Selection (OneOrMore): vulnerability scanning information;performance data;system monitoring information; [Assignment: organization-defined data/information collected from other sources] ] to further enhance the ability to identify inappropriate or unusual activity.

NZ_ISM_v3.5

AC-18

NZ_ISM_v3.5_AC-18

NZISM Security Benchmark AC-18

Access Control and Passwords

16.6.9 Events to be logged

Customer

n/a

The events to be logged are key elements in the monitoring of the security posture of systems and contributing to reviews, audits, investigations and incident management.

NZISM_Security_Benchmark_v1.1

AC-17

NZISM_Security_Benchmark_v1.1_AC-17

NZISM Security Benchmark AC-17

Access Control and Passwords

16.6.9 Events to be logged

Customer

Agencies MUST log, at minimum, the following events for all software components: logons; failed logon attempts; logoffs; date and time; all privileged operations; failed attempts to elevate privileges; security related system alerts and failures; system user and group additions, deletions and modification to permissions; and unauthorised or failed access attempts to systems and files identified as critical to the agency.

The events to be logged are key elements in the monitoring of the security posture of systems and contributing to reviews, audits, investigations and incident management.

14.3.12.C.01.

NZISM_v3.7_14.3.12.C.01.

NZISM v3.7 14.3.12.C.01.

Web Applications

14.3.12.C.01. - strengthening the overall security posture of the agency's network environment.

Shared

n/a

Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations.

16.6.10.C.01.

NZISM_v3.7_16.6.10.C.01.

NZISM v3.7 16.6.10.C.01.

Event Logging and Auditing

16.6.10.C.01. - enhance system security and accountability.

Shared

n/a

Agencies SHOULD log the events listed in the table below for specific software components. 1. Database - a. System user access to the database. b. Attempted access that is denied c. Changes to system user roles or database rights. d. Addition of new system users, especially privileged users e. Modifications to the data. f. Modifications to the format or structure of the database 2. Network/operating system a. Successful and failed attempts to logon and logoff. b. Changes to system administrator and system user accounts. c. Failed attempts to access data and system resources. d. Attempts to use special privileges. e. Use of special privileges. f. System user or group management. g. Changes to the security policy. h. Service failures and restarts. i.System startup and shutdown. j. Changes to system configuration data. k. Access to sensitive data and processes. l. Data import/export operations. 3. Web application a. System user access to the Web application. b. Attempted access that is denied. c. System user access to the Web documents. d. Search engine queries initiated by system users.

16.6.10.C.02.

NZISM_v3.7_16.6.10.C.02.

NZISM v3.7 16.6.10.C.02.

Event Logging and Auditing

16.6.10.C.02. - enhance system security and accountability.

Shared

n/a

Agencies SHOULD log, at minimum, the following events for all software components: 1. user login; 2. all privileged operations; 3. failed attempts to elevate privileges; 4. security related system alerts and failures; 5. system user and group additions, deletions and modification to permissions; and 6. unauthorised or failed access attempts to systems and files identified as critical to the agency.

16.6.11.C.01.

NZISM_v3.7_16.6.11.C.01.

NZISM v3.7 16.6.11.C.01.

Event Logging and Auditing

16.6.11.C.01. - enhance system security and accountability.

Shared

n/a

For each event identified as needing to be logged, agencies MUST ensure that the log facility records at least the following details, where applicable: 1. date and time of the event; 2. relevant system user(s) or processes; 3. event description; 4. success or failure of the event; 5. event source (e.g. application name); and 6. IT equipment location/identification.

16.6.12.C.01.

NZISM_v3.7_16.6.12.C.01.

NZISM v3.7 16.6.12.C.01.

Event Logging and Auditing

16.6.12.C.01. - maintain integrity of the data.

Shared

n/a

Event logs MUST be protected from: 1. modification and unauthorised access; and 2. whole or partial loss within the defined retention period.

16.6.6.C.01.

NZISM_v3.7_16.6.6.C.01.

NZISM v3.7 16.6.6.C.01.

Event Logging and Auditing

16.6.6.C.01. - enhance security and reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies MUST maintain system management logs for the life of a system.

16.6.7.C.01.

NZISM_v3.7_16.6.7.C.01.

NZISM v3.7 16.6.7.C.01.

Event Logging and Auditing

16.6.7.C.01. - facilitate effective monitoring, troubleshooting, and auditability of system operations.

Shared

n/a

A system management log SHOULD record the following minimum information: 1. all system start-up and shutdown; 2. service, application, component or system failures; 3. maintenance activities; 4. backup and archival activities; 5. system recovery activities; and 6. special or out of hours activities.

16.6.9.C.01.

NZISM_v3.7_16.6.9.C.01.

NZISM v3.7 16.6.9.C.01.

Event Logging and Auditing

16.6.9.C.01. - enhance system security and accountability.

Shared

n/a

Agencies MUST log, at minimum, the following events for all software components: 1. logons; 2. failed logon attempts; 3. logoffs; 4 .date and time; 5. all privileged operations; 6. failed attempts to elevate privileges; 7. security related system alerts and failures; 8. system user and group additions, deletions and modification to permissions; and 9. unauthorised or failed access attempts to systems and files identified as critical to the agency.

op.exp.8 Recording of the activity

404 not found

n/a

PCI_DSS_V3.2.1

10.3

PCI_DSS_V3.2.1_10.3

404 not found

n/a

PCI_DSS_V3.2.1

10.5.4

PCI_DSS_v3.2.1_10.5.4

PCI DSS v3.2.1 10.5.4

Requirement 10

PCI DSS requirement 10.5.4

shared

n/a

PCI_DSS_v4.0.1

10.2.2

PCI_DSS_v4.0.1_10.2.2

PCI DSS v4.0.1 10.2.2

Log and Monitor All Access to System Components and Cardholder Data

Details for Auditable Events

Shared

n/a

Audit logs record the following details for each auditable event: • User identification. • Type of event. • Date and time. • Success and failure indication. • Origination of event. • Identity or name of affected data, system component, resource, or service (for example, name and protocol).

PCI_DSS_v4.0.1

10.4.2.1

PCI_DSS_v4.0.1_10.4.2.1

PCI DSS v4.0.1 10.4.2.1

Log and Monitor All Access to System Components and Cardholder Data

Frequency of Log Reviews

Shared

n/a

The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1

PCI_DSS_v4.0

10.2.2

PCI_DSS_v4.0_10.2.2

PCI DSS v4.0 10.2.2

Requirement 10: Log and Monitor All Access to System Components and Cardholder Data

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

Shared

n/a

PCI_DSS_v4.0

10.3.3

PCI_DSS_v4.0_10.3.3

PCI DSS v4.0 10.3.3

Requirement 10: Log and Monitor All Access to System Components and Cardholder Data

Audit logs are protected from destruction and unauthorized modifications

Shared

n/a

Audit log files, including those for externalfacing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.

RMiT_v1.0

11.18

RMiT_v1.0_11.18

RMiT 11.18

Security Operations Centre (SOC)

Security Operations Centre (SOC) - 11.18

Shared

n/a

The SOC must be able to perform the following functions: (a) log collection and the implementation of an event correlation engine with parameter-driven use cases such as Security Information and Event Management (SIEM); (b) incident coordination and response; (c) vulnerability management; (d) threat hunting; (e) remediation functions including the ability to perform forensic artifact handling, malware and implant analysis; and (f) provision of situational awareness to detect adversaries and threats including threat intelligence analysis and operations, and monitoring indicators of compromise (IOC). This includes advanced behavioural analysis to detect signature-less and file-less malware and to identify anomalies that may pose security threats including at endpoints and network layers.

A1.1

SOC_2023_A1.1

SOC 2023 A1.1

Additional Criteria for Availability

Effectively manage capacity demand and facilitate the implementation of additional capacity as needed.

Shared

n/a

The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

111

CC.5.3

SOC_2023_CC.5.3

404 not found

n/a

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

218

CC4.1

SOC_2023_CC4.1

SOC 2023 CC4.1

Monitoring Activities

Enhance the ability to manage risks and achieve objectives.

Shared

n/a

The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

CC4.2

SOC_2023_CC4.2

SOC 2023 CC4.2

Monitoring Activities

Facilitate timely corrective actions and strengthen the ability to maintain effective control over its operations and achieve its objectives.

Shared

n/a

The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors.

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

229

CC7.2

SOC_2023_CC7.2

SOC 2023 CC7.2

Systems Operations

Maintain robust security measures and ensure operational resilience.

Shared

n/a

The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events.

167

CC7.4

SOC_2023_CC7.4

SOC 2023 CC7.4

Systems Operations

Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation.

Shared

n/a

The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations.

213

CC8.1

SOC_2023_CC8.1

SOC 2023 CC8.1

Change Management

Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change.

Shared

n/a

The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations.

147

SWIFT_CSCF_2024

6.4

SWIFT_CSCF_2024_6.4

SWIFT Customer Security Controls Framework 2024 6.4

Access Control

Logging and Monitoring

Shared

1. Developing a logging and monitoring plan is the basis for effectively detecting abnormal behaviour and potential attacks and support further investigations. 2. As the operational environment becomes more complex, so will the logging and monitoring capability needed to perform adequate detection. Simplifying the operational environment will enable simpler logging and monitoring.

To record security events, detect and respond to anomalous actions and operations within the user’s Swift environment.

SWIFT_CSCF_v2021

6.3

SWIFT_CSCF_v2021_6.3

SWIFT CSCF v2021 6.3

Detect Anomalous Activity to Systems or Transaction Records

Database Integrity

n/a

Ensure the integrity of the database records for the SWIFT messaging interface and act upon results

SWIFT_CSCF_v2021

6.4

SWIFT_CSCF_v2021_6.4

SWIFT CSCF v2021 6.4

Detect Anomalous Activity to Systems or Transaction Records

Logging and Monitoring

n/a

Record security events and detect anomalous actions and operations within the local SWIFT environment.

U.15.1 - Events Logged

404 not found

n/a

U.15.3 - Events Logged

U.15.3 - Events logged

404 not found

n/a

UK_NCSC_CSP

UK_NCSC_CSP_13

UK NCSC CSP 13

Audit information for users

Shared

n/a

You should be provided with the audit records needed to monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales.