Az Policy Advertizer

Canada_Federal_PBMM_3-1-2020_CM_3

CM_3

Canada Federal PBMM 3-1-2020 CM 3

Configuration Change Control

Shared

1. The organization determines the types of changes to the information system that are configuration-controlled. 2. The organization reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses. 3. The organization documents configuration change decisions associated with the information system. 4. The organization implements approved configuration-controlled changes to the information system. 5. The organization retains records of configuration-controlled changes to the information system for at least 90 days. 6. The organization audits and reviews activities associated with configuration-controlled changes to the information system. 7. The organization coordinates and provides oversight for configuration change control activities through a central communication process that includes organizational governance bodies that convenes at least annually.

To ensure systematic control and oversight of configuration changes to the information system, mitigating risks and maintaining system integrity.

Canada_Federal_PBMM_3-1-2020_CM_6

CM_6

Canada Federal PBMM 3-1-2020 CM 6

Configuration Settings

Shared

1. The organization establishes and documents configuration settings for information technology products employed within the information system using checklists from one or more of the following: a. Center for Internet Security (CIS), National Institute of Standards and Technology (NIST), Defense Information Systems Agency (DISA) that reflect the most restrictive mode consistent with operational requirements. 2. The organization implements the configuration settings. 3. The organization identifies, documents, and approves any deviations from established configuration settings for any configurable information system components. 4. The organization monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

To ensure systematic configuration management of information technology products.

Canada_Federal_PBMM_3-1-2020_CM_6(1)

CM_6(1)

Canada Federal PBMM 3-1-2020 CM 6(1)

Configuration Settings

Configuration Settings | Automated Central Management / Application / Verification

Shared

The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for organization-defined information system components.

To enhance efficiency, consistency, and security in configuration management processes.

Canada_Federal_PBMM_3-1-2020_CM_6(2)

CM_6(2)

Canada Federal PBMM 3-1-2020 CM 6(2)

Configuration Settings

Configuration Settings | Respond to Unauthorized Changes

Shared

The organization employs organization-defined security safeguards to respond to unauthorized changes to organization-defined configuration settings.

To ensure prompt detection, mitigation, and resolution of potential security risks.

Canada_Federal_PBMM_3-1-2020_CM_7

CM_7

Canada Federal PBMM 3-1-2020 CM 7

Least Functionality

Shared

1. The organization configures the information system to provide only essential capabilities. 2. The organization prohibits or restricts the use of identified functions, ports, protocols, and/or services following one or more standards from Center for Internet Security (CIS), National Institute of Standards and Technology (NIST), or Defense Information Systems Agency (DISA).

To minimise the attack surface of the information system.

Canada_Federal_PBMM_3-1-2020_CM_7(1)

CM_7(1)

Canada Federal PBMM 3-1-2020 CM 7(1)

Least Functionality

Least Functionality | Periodic Review

Shared

1. The organization reviews the information system at least annually to identify unnecessary and/or non-secure functions, ports, protocols, and services; and 2. The organization disables all functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.

To strengthen overall cybersecurity posture.

Canada_Federal_PBMM_3-1-2020_CM_9

CM_9

Canada Federal PBMM 3-1-2020 CM 9

Configuration Management Plan

Shared

1. The organization develops, documents, and implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. 2. The organization develops, documents, and implements a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items. 3. The organization develops, documents, and implements a configuration management plan for the information system that defines the configuration items for the information system and places the configuration items under configuration management; and 4. The organization develops, documents, and implements a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification.

To protect configuration items throughout their lifecycle while safeguarding the integrity of the configuration management plan.

Canada_Federal_PBMM_3-1-2020_SA_10

SA_10

Canada Federal PBMM 3-1-2020 SA 10

Developer Configuration Management

Shared

1. The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service development, implementation, and operation. 2. The organization requires the developer of the information system, system component, or information system service to document, manage, and control the integrity of changes to all items under configuration management; 3. The organization requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service; 4. The organization requires the developer of the information system, system component, or information system service to document approved changes to the system, component, or service and the potential security impacts of such changes; and 5. The organization requires the developer of the information system, system component, or information system service to track security flaws and flaw resolution within the system, component, or service and report findings to the Chief Information Officer or delegate.

To ensure systematic management of system integrity and security throughout the development lifecycle.

Canada_Federal_PBMM_3-1-2020_SA_4(9)

SA_4(9)

Canada Federal PBMM 3-1-2020 SA 4(9)

Acquisition Process

Acquisition Process | Functions / Ports / Protocols / Services in Use

Shared

The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

To facilitate early identification and assessment of potential security risks.

Canada_Federal_PBMM_3-1-2020_SA_9(2)

SA_9(2)

Canada Federal PBMM 3-1-2020 SA 9(2)

External Information System Services

External Information System Services | Identification of Functions / Ports / Protocols / Services

Shared

The organization requires providers of all external information systems and services to identify the functions, ports, protocols, and other services required for the use of such services.

To manage security risks and ensure the secure and efficient operation of external systems and services.

EU_2555_(NIS2)_2022_11

EU 2022/2555 (NIS2) 2022 11

Requirements, technical capabilities and tasks of CSIRTs

Shared

n/a

Outlines the requirements, technical capabilities, and tasks of CSIRTs.

EU_2555_(NIS2)_2022_12

EU 2022/2555 (NIS2) 2022 12

Coordinated vulnerability disclosure and a European vulnerability database

Shared

n/a

Establishes a coordinated vulnerability disclosure process and a European vulnerability database.

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

193

EU_2555_(NIS2)_2022_29

EU 2022/2555 (NIS2) 2022 29

Cybersecurity information-sharing arrangements

Shared

n/a

Allows entities to exchange relevant cybersecurity information on a voluntary basis.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

310

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

310

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5.7

404 not found

n/a

hipaa

0894.01m2Organizational.7-01.m

hipaa-0894.01m2Organizational.7-01.m

0894.01m2Organizational.7-01.m

08 Network Protection

0894.01m2Organizational.7-01.m 01.04 Network Access Control

Shared

n/a

Networks are segregated from production-level networks when migrating physical servers, applications, or data to virtualized servers.

HITRUST_CSF_v11.3

01.l

HITRUST_CSF_v11.3_01.l

HITRUST CSF v11.3 01.l

Network Access Control

Prevent unauthorized access to networked services.

Shared

Ports, services, and applications installed on a computer or network systems, which are not specifically required for business functionality, to be disabled or removed.

Physical and logical access to diagnostic and configuration ports shall be controlled.

HITRUST_CSF_v11.3

10.k

HITRUST_CSF_v11.3_10.k

HITRUST CSF v11.3 10.k

Security In Development and Support Processes

Ensure the security of application system software and information through the development process, project and support environments shall be strictly controlled.

Shared

1. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management is to be formally addressed. 2. Changes to mobile device operating systems, patch levels, and/or applications is to be managed through a formal change management process. 3. A baseline configuration of the information system is to be developed, documented, and maintained under configuration control.

The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures.

NIST_SP_800-171_R3_3

.4.6

NIST_SP_800-171_R3_3.4.6

404 not found

n/a

NIST_SP_800-53_R5.1.1

CM.7.1

NIST_SP_800-53_R5.1.1_CM.7.1

NIST SP 800-53 R5.1.1 CM.7.1

Configuration Management Control

Least Functionality | Periodic Review

Shared

(a) Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and (b) Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure].

Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking.

NIST_SP_800-53_R5.1.1

SI.14

NIST_SP_800-53_R5.1.1_SI.14

NIST SP 800-53 R5.1.1 SI.14

System and Information Integrity Control

Non-persistence

Shared

Implement non-persistent [Assignment: organization-defined system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization-defined frequency] ].

Implementation of non-persistent components and services mitigates risk from advanced persistent threats (APTs) by reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. By implementing the concept of non-persistence for selected system components, organizations can provide a trusted, known state computing resource for a specific time period that does not give adversaries sufficient time to exploit vulnerabilities in organizational systems or operating environments. Since the APT is a high-end, sophisticated threat with regard to capability, intent, and targeting, organizations assume that over an extended period, a percentage of attacks will be successful. Non-persistent system components and services are activated as required using protected information and terminated periodically or at the end of sessions. Non-persistence increases the work factor of adversaries attempting to compromise or breach organizational systems. Non-persistence can be achieved by refreshing system components, periodically reimaging components, or using a variety of common virtualization techniques. Non-persistent services can be implemented by using virtualization techniques as part of virtual machines or as new instances of processes on physical machines (either persistent or non-persistent). The benefit of periodic refreshes of system components and services is that it does not require organizations to first determine whether compromises of components or services have occurred (something that may often be difficult to determine). The refresh of selected system components and services occurs with sufficient frequency to prevent the spread or intended impact of attacks, but not with such frequency that it makes the system unstable. Refreshes of critical components and services may be done periodically to hinder the ability of adversaries to exploit optimum windows of vulnerabilities.

NZISM_v3.7

22.3.11.C.01.

NZISM_v3.7_22.3.11.C.01.

NZISM v3.7 22.3.11.C.01.

Virtual Local Area Networks

22.3.11.C.01. - ensure data security and integrity.

Shared

n/a

Unused ports on the switches MUST be disabled.

NZISM_v3.7

22.3.11.C.02.

NZISM_v3.7_22.3.11.C.02.

NZISM v3.7 22.3.11.C.02.

Virtual Local Area Networks

22.3.11.C.02. - ensure data security and integrity.

Shared

n/a

Unused ports on the switches SHOULD be disabled.

PCI_DSS_v4.0.1

2.2.4

PCI_DSS_v4.0.1_2.2.4

PCI DSS v4.0.1 2.2.4

Apply Secure Configurations to All System Components

Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled

Shared

n/a

Examine system configuration standards to verify necessary services, protocols, daemons, and functions are identified and documented. Examine system configurations to verify the following: All unnecessary functionality is removed or disabled. Only required functionality, as documented in the configuration standards, is enabled

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

218

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

229

CC7.4

SOC_2023_CC7.4

SOC 2023 CC7.4

Systems Operations

Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation.

Shared

n/a

The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations.

213