compliance controls are associated with this Policy definition 'Microsoft Defender for Azure Cosmos DB should be enabled' (adbe85b5-83e6-4350-ab58-bf3a4f736e5e)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
Canada_Federal_PBMM_3-1-2020 |
AC_2 |
Canada_Federal_PBMM_3-1-2020_AC_2 |
Canada Federal PBMM 3-1-2020 AC 2 |
Account Management |
Account Management |
Shared |
1. The organization identifies and selects which types of information system accounts support organizational missions/business functions.
2. The organization assigns account managers for information system accounts.
3. The organization establishes conditions for group and role membership.
4. The organization specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account.
5. The organization requires approvals by responsible managers for requests to create information system accounts.
6. The organization creates, enables, modifies, disables, and removes information system accounts in accordance with information system account management procedures.
7. The organization monitors the use of information system accounts.
8. The organization notifies account managers:
a. When accounts are no longer required;
b. When users are terminated or transferred; and
c. When individual information system usage or need-to-know changes.
9. The organization authorizes access to the information system based on:
a. A valid access authorization;
b. Intended system usage; and
c. Other attributes as required by the organization or associated missions/business functions.
10. The organization reviews accounts for compliance with account management requirements at least annually.
11. The organization establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
To ensure the security, integrity, and efficiency of the information systems.
|
|
24 |
Canada_Federal_PBMM_3-1-2020 |
AC_2(1) |
Canada_Federal_PBMM_3-1-2020_AC_2(1) |
Canada Federal PBMM 3-1-2020 AC 2(1) |
Account Management |
Account Management | Automated System Account Management |
Shared |
The organization employs automated mechanisms to support the management of information system accounts. |
To streamline and enhance information system account management processes. |
|
24 |
Canada_Federal_PBMM_3-1-2020 |
CA_2 |
Canada_Federal_PBMM_3-1-2020_CA_2 |
Canada Federal PBMM 3-1-2020 CA 2 |
Security Assessments |
Security Assessments |
Shared |
1. The organization develops a security assessment plan that describes the scope of the assessment including:
a. Security controls and control enhancements under assessment;
b. Assessment procedures to be used to determine security control effectiveness; and
c. Assessment environment, assessment team, and assessment roles and responsibilities.
2. The organization assesses the security controls in the information system and its environment of operation at least annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements.
3. The organization produces a security assessment report that documents the results of the assessment.
4. The organization provides the results of the security control assessment to organization-defined individuals or roles. |
To enhance the overall security posture of the organization. |
|
24 |
Canada_Federal_PBMM_3-1-2020 |
CA_3 |
Canada_Federal_PBMM_3-1-2020_CA_3 |
Canada Federal PBMM 3-1-2020 CA 3 |
Information System Connections |
System Interconnections |
Shared |
1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements.
2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated.
3. The organization reviews and updates Interconnection Security Agreements annually. |
To establish and maintain secure connections between information systems. |
|
77 |
Canada_Federal_PBMM_3-1-2020 |
CA_3(3) |
Canada_Federal_PBMM_3-1-2020_CA_3(3) |
Canada Federal PBMM 3-1-2020 CA 3(3) |
Information System Connections |
System Interconnections | Classified Non-National Security System Connections |
Shared |
The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner. |
To ensure the integrity and security of internal systems against external threats. |
|
77 |
Canada_Federal_PBMM_3-1-2020 |
CA_3(5) |
Canada_Federal_PBMM_3-1-2020_CA_3(5) |
Canada Federal PBMM 3-1-2020 CA 3(5) |
Information System Connections |
System Interconnections | Restrictions on External Network Connections |
Shared |
The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems. |
To enhance security posture against unauthorized access. |
|
77 |
Canada_Federal_PBMM_3-1-2020 |
CA_7 |
Canada_Federal_PBMM_3-1-2020_CA_7 |
Canada Federal PBMM 3-1-2020 CA 7 |
Continuous Monitoring |
Continuous Monitoring |
Shared |
1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored.
2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan.
3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy.
4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy.
5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring.
6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information.
7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency. |
To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements. |
|
125 |
Canada_Federal_PBMM_3-1-2020 |
CM_2 |
Canada_Federal_PBMM_3-1-2020_CM_2 |
Canada Federal PBMM 3-1-2020 CM 2 |
Baseline Configuration |
Baseline Configuration |
Shared |
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. |
To support effective management and security practices. |
|
24 |
Canada_Federal_PBMM_3-1-2020 |
CM_2(1) |
Canada_Federal_PBMM_3-1-2020_CM_2(1) |
Canada Federal PBMM 3-1-2020 CM 2(1) |
Baseline Configuration |
Baseline Configuration | Reviews and Updates |
Shared |
The organization reviews and updates the baseline configuration of the information system:
1. at least annually; or
2. When required due to significant changes as defined in NIST SP 800-37 rev1; and
3. As an integral part of information system component installations and upgrades.
|
To ensure alignment with current security standards and operational requirements. |
|
24 |
Canada_Federal_PBMM_3-1-2020 |
CM_2(2) |
Canada_Federal_PBMM_3-1-2020_CM_2(2) |
Canada Federal PBMM 3-1-2020 CM 2(2) |
Baseline Configuration |
Baseline Configuration | Automation Support for Accuracy / Currency |
Shared |
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. |
To ensure the information system maintains an up-to-date, complete, accurate, and readily available baseline configuration |
|
23 |
Canada_Federal_PBMM_3-1-2020 |
CM_8(3) |
Canada_Federal_PBMM_3-1-2020_CM_8(3) |
Canada Federal PBMM 3-1-2020 CM 8(3) |
Information System Component Inventory |
Information System Component Inventory | Automated Unauthorized Component Detection |
Shared |
1. The organization employs automated mechanisms continuously, using automated mechanisms with a maximum five-minute delay in detection to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
2. The organization takes the organization-defined actions when unauthorized components are detected such as disables network access by such components; isolates the components; notifies organization-defined personnel or roles. |
To employ automated mechanisms for timely detection of unauthorized hardware, software, and firmware components in the information system. |
|
17 |
Canada_Federal_PBMM_3-1-2020 |
CM_8(5) |
Canada_Federal_PBMM_3-1-2020_CM_8(5) |
Canada Federal PBMM 3-1-2020 CM 8(5) |
Information System Component Inventory |
Information System Component Inventory | No Duplicate Accounting of Components |
Shared |
The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories. |
To ensure that all components within the authorization boundary of the information system are uniquely identified and not duplicated in other information system component inventories. |
|
17 |
Canada_Federal_PBMM_3-1-2020 |
IA_5 |
Canada_Federal_PBMM_3-1-2020_IA_5 |
Canada Federal PBMM 3-1-2020 IA 5 |
Authenticator Management |
Authenticator Management |
Shared |
1. The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator.
2. The organization manages information system authenticators by establishing initial authenticator content for authenticators defined by the organization.
3. The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use.
4. The organization manages information system authenticators by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators.
5. The organization manages information system authenticators by changing the default content of authenticators prior to information system installation.
6. The organization manages information system authenticators by establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators.
7. The organization manages information system authenticators by changing/refreshing authenticators in accordance with CCCS’s ITSP.30.031.
8. The organization manages information system authenticators by protecting authenticator content from unauthorized disclosure and modification.
9. The organization manages information system authenticators by requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators.
10. The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes. |
To effectively manage information system authenticators through verification of recipient identity. |
|
21 |
Canada_Federal_PBMM_3-1-2020 |
IA_5(11) |
Canada_Federal_PBMM_3-1-2020_IA_5(11) |
Canada Federal PBMM 3-1-2020 IA 5(11) |
Authenticator Management |
Authenticator Management | Hardware Token-Based Authentication |
Shared |
The information system, for hardware token-based authentication, employs mechanisms that satisfy CCCS's ITSP.30.031 token quality requirements. |
To enhance overall security and compliance with CCCS guidelines. |
|
20 |
Canada_Federal_PBMM_3-1-2020 |
MP_1 |
Canada_Federal_PBMM_3-1-2020_MP_1 |
Canada Federal PBMM 3-1-2020 MP 1 |
Media Protection Policy and Procedures |
Media Protection Policy and Procedures |
Shared |
1. The organization develops, documents, and disseminates to all personnel:
a. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Procedures to facilitate the implementation of the media protection policy and associated media protection controls.
2. The organization reviews and updates the current:
a. Media protection policy at least every 3 years; and
b. Media protection procedures at least annually. |
To implement media protection policy and procedures. |
|
14 |
Canada_Federal_PBMM_3-1-2020 |
PL_1 |
Canada_Federal_PBMM_3-1-2020_PL_1 |
Canada Federal PBMM 3-1-2020 PL 1 |
Security Planning Policy and Procedures |
Security Planning Policy and Procedures |
Shared |
1. The organization develops, documents, and disseminates to personnel or roles with security planning responsibilities
a. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Procedures to facilitate the implementation of the security planning policy and associated security planning controls.
2. The organization reviews and updates the current:
a. Security planning policy at least every 3 years; and
b. Security planning procedures at least annually. |
To ensure safety of data and enhance security posture. |
|
14 |
CIS_Azure_2.0.0 |
2.1.3 |
CIS_Azure_2.0.0_2.1.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.3 |
2.1 |
Ensure That Microsoft Defender for Databases Is Set To 'On' |
Shared |
Running Defender on Infrastructure as a service (IaaS) may incur increased costs associated with running the service and the instance it is on. Similarly, you will need qualified personnel to maintain the operating system and software updates. If it is not maintained, security patches will not be applied and it may be open to vulnerabilities. |
Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Instead of being enabled on services like Platform as a Service (PaaS), this implementation will run within your instances as Infrastructure as a Service (IaaS) on the Operating Systems hosting your databases.
Enabling Microsoft Defender for Azure SQL Databases allows your organization more granular control of the infrastructure running your database software. Instead of waiting on Microsoft release updates or other similar processes, you can manage them yourself. Threat detection is provided by the Microsoft Security Response Center (MSRC). |
link |
4 |
CIS_Azure_2.0.0 |
2.1.9 |
CIS_Azure_2.0.0_2.1.9 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.9 |
2.1 |
Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' |
Shared |
Enabling Microsoft Defender for Azure Cosmos DB requires enabling Microsoft Defender for your subscription. Both will incur additional charges. |
Microsoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources.
In scanning Azure Cosmos DB requests within a subscription, requests are compared to a heuristic list of potential security threats. These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced. |
link |
1 |
CIS_Controls_v8.1 |
10.7 |
CIS_Controls_v8.1_10.7 |
CIS Controls v8.1 10.7 |
Malware Defenses |
Use behaviour based anti-malware software |
Shared |
Use behaviour based anti-malware software |
To ensure that a generic anti-malware software is not used. |
|
100 |
CIS_Controls_v8.1 |
12.1 |
CIS_Controls_v8.1_12.1 |
CIS Controls v8.1 12.1 |
Network Infrastructure Management |
Ensure network infrastructure is up to date |
Shared |
1. Ensure network infrastructure is kept up-to-date.
2. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings.
3. Review software versions monthly, or more frequently, to verify software support. |
To prevent any unauthorized or malicious activity on network systems. |
|
23 |
CIS_Controls_v8.1 |
12.3 |
CIS_Controls_v8.1_12.3 |
CIS Controls v8.1 12.3 |
Network Infrastructure Management |
Securely manage network infrastructure |
Shared |
1. Securely manage network infrastructure.
2. Example implementations include version-controlled-infrastructure-ascode, and the use of secure network protocols, such as SSH and HTTPS. |
To ensure proper management of network infrastructure. |
|
39 |
CIS_Controls_v8.1 |
13.1 |
CIS_Controls_v8.1_13.1 |
CIS Controls v8.1 13.1 |
Network Monitoring and Defense |
Centralize security event alerting |
Shared |
1. Centralize security event alerting across enterprise assets for log correlation and analysis.
2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts.
3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard. |
To ensure that any security event is immediately alerted enterprise-wide. |
|
102 |
CIS_Controls_v8.1 |
13.3 |
CIS_Controls_v8.1_13.3 |
CIS Controls v8.1 13.3 |
Network Monitoring and Defense |
Deploy a network intrusion detection solution |
Shared |
1. Deploy a network intrusion detection solution on enterprise assets, where appropriate.
2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. |
To enhance the organization's cybersecurity. |
|
100 |
CIS_Controls_v8.1 |
16.12 |
CIS_Controls_v8.1_16.12 |
CIS Controls v8.1 16.12 |
Application Software Security |
Implement code-level security checks |
Shared |
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed. |
To help identify and address potential security issues early in the development process, enhancing the overall security posture of the application.
|
|
23 |
CIS_Controls_v8.1 |
16.13 |
CIS_Controls_v8.1_16.13 |
CIS Controls v8.1 16.13 |
Application Software Security |
Conduct application penetration testing |
Shared |
1. Conduct application penetration testing.
2. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing.
3. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user. |
To identify potential security weaknesses and assess the overall security posture of the application. |
|
23 |
CIS_Controls_v8.1 |
16.2 |
CIS_Controls_v8.1_16.2 |
CIS Controls v8.1 16.2 |
Application Software Security |
Establish and maintain a process to accept and address software vulnerabilities |
Shared |
1. Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report.
2. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing.
3. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities.
4. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard.
5. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders. |
To serve as an externally-facing document that establishes expectations for external stakeholders regarding vulnerability reporting and remediation procedures. |
|
23 |
CIS_Controls_v8.1 |
16.5 |
CIS_Controls_v8.1_16.5 |
CIS Controls v8.1 16.5 |
Application Software Security |
Use up-to-date and trusted third-party software components |
Shared |
1. Use up-to-date and trusted third-party software components.
2. When possible, choose established and proven frameworks and libraries that provide adequate security.
3. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. |
To utilize up-to-date and trusted third-party software components in application development. |
|
18 |
CIS_Controls_v8.1 |
16.6 |
CIS_Controls_v8.1_16.6 |
CIS Controls v8.1 16.6 |
Application Software Security |
Establish and maintain a severity rating system and process for application vulnerabilities |
Shared |
1. Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed.
2. This process includes setting a minimum level of security acceptability for releasing code or applications.
3. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first.
4. Review and update the system and process annually. |
To establish and maintain a severity rating system and corresponding process for addressing application vulnerabilities, enabling prioritization of fixes based on severity levels, adapt to evolving threat landscapes and maintain effectiveness in mitigating risks. |
|
18 |
CIS_Controls_v8.1 |
16.7 |
CIS_Controls_v8.1_16.7 |
CIS Controls v8.1 16.7 |
Application Software Security |
Use standard hardening configuration templates for application infrastructure |
Shared |
1. Use standard, industry-recommended hardening configuration templates for application infrastructure components.
2. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components.
3. Do not allow in-house developed software to weaken configuration hardening. |
To ensure that in-house developed software does not compromise the established configuration hardening standards. |
|
18 |
CIS_Controls_v8.1 |
18.1 |
CIS_Controls_v8.1_18.1 |
CIS Controls v8.1 18.1 |
Penetration Testing |
Establish and maintain a penetration testing program |
Shared |
1. Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise.
2. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. |
To establish and maintain a penetration testing program tailored to the size, complexity, and maturity of the enterprise. |
|
18 |
CIS_Controls_v8.1 |
18.2 |
CIS_Controls_v8.1_18.2 |
CIS Controls v8.1 18.2 |
Penetration Testing |
Perform periodic external penetration tests |
Shared |
1. Perform periodic external penetration tests based on program requirements, no less than annually.
2. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information.
3. Penetration testing requires specialized skills and experience and must be conducted through a qualified party.
4. The testing may be clear box or opaque box.
|
To ensure thorough assessment and mitigation of potential vulnerabilities. |
|
17 |
CIS_Controls_v8.1 |
18.3 |
CIS_Controls_v8.1_18.3 |
CIS Controls v8.1 18.3 |
Penetration Testing |
Remediate penetration test findings |
Shared |
Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization. |
To mitigate security risks effectively. |
|
17 |
CIS_Controls_v8.1 |
18.4 |
CIS_Controls_v8.1_18.4 |
CIS Controls v8.1 18.4 |
Penetration Testing |
Validate security measures |
Shared |
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. |
To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise. |
|
94 |
CIS_Controls_v8.1 |
18.5 |
CIS_Controls_v8.1_18.5 |
404 not found |
|
|
|
n/a |
n/a |
|
17 |
CMMC_L2_v1.9.0 |
AU.L2_3.3.1 |
CMMC_L2_v1.9.0_AU.L2_3.3.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.1 |
Audit and Accountability |
System Auditing |
Shared |
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. |
To enhance security and accountability measures. |
|
41 |
CMMC_L2_v1.9.0 |
CA.L2_3.12.2 |
CMMC_L2_v1.9.0_CA.L2_3.12.2 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CA.L2 3.12.2 |
Security Assessment |
Plan of Action |
Shared |
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. |
To enhance the resilience to cyber threats and protect systems and data from potential exploitation or compromise. |
|
17 |
CMMC_L2_v1.9.0 |
CM.L2_3.4.3 |
CMMC_L2_v1.9.0_CM.L2_3.4.3 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.3 |
Configuration Management |
System Change Management |
Shared |
Track, review, approve or disapprove, and log changes to organizational systems. |
To ensure accountability, transparency, and compliance with established procedures and security requirements. |
|
15 |
CMMC_L2_v1.9.0 |
SI.L1_3.14.1 |
CMMC_L2_v1.9.0_SI.L1_3.14.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.1 |
System and Information Integrity |
Flaw Remediation |
Shared |
Identify, report, and correct information and information system flaws in a timely manner. |
To safeguard assets and maintain operational continuity. |
|
24 |
CPS_234_(APRA)_2019 |
CPS_234_(APRA)_2019_27 |
CPS_234_(APRA)_2019_27 |
APRA CPS 234 2019 27 |
Testing control effectiveness |
To ensure that an APRA-regulated entity systematically tests the effectiveness of its information security controls. |
Shared |
n/a |
An APRA-regulated entity must test the effectiveness of its information security controls through a systematic testing program. The nature and frequency of the systematic testing must be commensurate with:
1. the rate at which the vulnerabilities and threats change;
2. the criticality and sensitivity of the information asset;
3. the consequences of an information security incident;
4. the risks associated with exposure to environments where the APRA-regulated entity is unable to enforce its information security policies;
5. the materiality and frequency of change to information assets. |
|
17 |
CSA_v4.0.12 |
AIS_07 |
CSA_v4.0.12_AIS_07 |
CSA Cloud Controls Matrix v4.0.12 AIS 07 |
Application & Interface Security |
Application Vulnerability Remediation |
Shared |
n/a |
Define and implement a process to remediate application security
vulnerabilities, automating remediation when possible. |
|
22 |
CSA_v4.0.12 |
CCC_07 |
CSA_v4.0.12_CCC_07 |
CSA Cloud Controls Matrix v4.0.12 CCC 07 |
Change Control and Configuration Management |
Detection of Baseline Deviation |
Shared |
n/a |
Implement detection measures with proactive notification in case
of changes deviating from the established baseline. |
|
22 |
CSA_v4.0.12 |
TVM_04 |
CSA_v4.0.12_TVM_04 |
CSA Cloud Controls Matrix v4.0.12 TVM 04 |
Threat & Vulnerability Management |
Detection Updates |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to update detection tools, threat signatures, and indicators of compromise
on a weekly, or more frequent basis. |
|
50 |
CSA_v4.0.12 |
TVM_08 |
CSA_v4.0.12_TVM_08 |
CSA Cloud Controls Matrix v4.0.12 TVM 08 |
Threat & Vulnerability Management |
Vulnerability Prioritization |
Shared |
n/a |
Use a risk-based model for effective prioritization of vulnerability
remediation using an industry recognized framework. |
|
22 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_11 |
EU_2555_(NIS2)_2022_11 |
EU 2022/2555 (NIS2) 2022 11 |
|
Requirements, technical capabilities and tasks of CSIRTs |
Shared |
n/a |
Outlines the requirements, technical capabilities, and tasks of CSIRTs. |
|
69 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_12 |
EU_2555_(NIS2)_2022_12 |
EU 2022/2555 (NIS2) 2022 12 |
|
Coordinated vulnerability disclosure and a European vulnerability database |
Shared |
n/a |
Establishes a coordinated vulnerability disclosure process and a European vulnerability database. |
|
67 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
194 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_29 |
EU_2555_(NIS2)_2022_29 |
EU 2022/2555 (NIS2) 2022 29 |
|
Cybersecurity information-sharing arrangements |
Shared |
n/a |
Allows entities to exchange relevant cybersecurity information on a voluntary basis. |
|
67 |
EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
311 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.1 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 |
Policy and Implementation - Systems And Communications Protection |
Systems And Communications Protection |
Shared |
In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. |
Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. |
|
111 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.11 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 |
Policy and Implementation - Formal Audits |
Policy Area 11: Formal Audits |
Shared |
Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. |
Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. |
|
65 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.7 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 |
404 not found |
|
|
|
n/a |
n/a |
|
96 |
FFIEC_CAT_2017 |
1.2.3 |
FFIEC_CAT_2017_1.2.3 |
FFIEC CAT 2017 1.2.3 |
Cyber Risk Management and Oversight |
Audit |
Shared |
n/a |
- Independent audit or review evaluates policies, procedures, and controls across the institution for significant risks and control issues associated with the institution's operations, including risks in new products, emerging technologies, and information systems.
- The independent audit function validates controls related to the storage or transmission of confidential data.
- Logging practices are independently reviewed periodically to ensure appropriate log management (e.g., access controls, retention, and maintenance).
- Issues and corrective actions from internal audits and independent testing/assessments are formally tracked to ensure procedures and control lapses are resolved in a timely manner. |
|
13 |
FFIEC_CAT_2017 |
3.2.2 |
FFIEC_CAT_2017_3.2.2 |
FFIEC CAT 2017 3.2.2 |
Cybersecurity Controls |
Anomalous Activity Detection |
Shared |
n/a |
- The institution is able to detect anomalous activities through monitoring across the environment.
- Customer transactions generating anomalous activity alerts are monitored and reviewed.
- Logs of physical and/or logical access are reviewed following events.
- Access to critical systems by third parties is monitored for unauthorized or unusual activity.
- Elevated privileges are monitored. |
|
27 |
HITRUST_CSF_v11.3 |
09.ab |
HITRUST_CSF_v11.3_09.ab |
HITRUST CSF v11.3 09.ab |
Monitoring |
To establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. |
Shared |
1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required.
2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with. |
Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. |
|
114 |
HITRUST_CSF_v11.3 |
10.c |
HITRUST_CSF_v11.3_10.c |
HITRUST CSF v11.3 10.c |
Correct Processing in Applications |
To incorporate validation checks into applications to detect any corruption of information through processing errors or deliberate acts. |
Shared |
Data integrity controls which manage changes, prevent sequencing errors, ensure recovery from failures, and protect against buffer overrun attacks are to be implemented. |
Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts. |
|
36 |
HITRUST_CSF_v11.3 |
10.m |
HITRUST_CSF_v11.3_10.m |
HITRUST CSF v11.3 10.m |
Technical Vulnerability Management |
To reduce the risks resulting from exploitation of published technical vulnerabilities, technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness. |
Shared |
1. The necessary secure services, protocols required for the function of the system are to be enabled.
2. Security features to be implemented for any required services that are considered to be insecure.
3. Laptops, workstations, and servers to be configured so they will not auto-run content from removable media.
4. Configuration standards to be consistent with industry-accepted system hardening standards.
5. An enterprise security posture review within every 365 days is to be conducted.
6. Vulnerability scanning tools to be regularly updated with all relevant information system vulnerabilities. |
Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk. |
|
47 |
ISO_IEC_27001_2022 |
10.2 |
ISO_IEC_27001_2022_10.2 |
ISO IEC 27001 2022 10.2 |
Improvement |
Nonconformity and corrective action |
Shared |
1. When a nonconformity occurs, the organization shall:
a. react to the nonconformity, and as applicable:
i. take action to control and correct it;
ii. deal with the consequences;
b. evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
i. reviewing the nonconformity;
ii. determining the causes of the nonconformity; and
iii. determining if similar nonconformities exist, or could potentially occur;
c. implement any action needed;
d. review the effectiveness of any corrective action taken; and
e. make changes to the information security management system, if necessary.
2. Corrective actions shall be appropriate to the effects of the nonconformities encountered.
3. Documented information shall be available as evidence of:
a. the nature of the nonconformities and any subsequent actions taken,
b. the results of any corrective action. |
Specifies the actions that the organisation shall take in cases of nonconformity. |
|
18 |
ISO_IEC_27001_2022 |
7.5.3 |
ISO_IEC_27001_2022_7.5.3 |
ISO IEC 27001 2022 7.5.3 |
Support |
Control of documented information |
Shared |
1. Documented information required by the information security management system and by this document shall be controlled to ensure:
a. it is available and suitable for use, where and when it is needed; and
b. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
2. For the control of documented information, the organization shall address the following activities, as applicable:
a. distribution, access, retrieval and use;
b. storage and preservation, including the preservation of legibility;
c. control of changes (e.g. version control); and
d. retention and disposition. |
Specifies that the documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled |
|
32 |
ISO_IEC_27001_2022 |
9.1 |
ISO_IEC_27001_2022_9.1 |
ISO IEC 27001 2022 9.1 |
Performance Evaluation |
Monitoring, measurement, analysis and evaluation |
Shared |
1. The organization shall determine:
a. what needs to be monitored and measured, including information security processes and controls;
b. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid;
c. when the monitoring and measuring shall be performed;
d. who shall monitor and measure;
e. when the results from monitoring and measurement shall be analysed and evaluated;
f. who shall analyse and evaluate these results.
2. Documented information shall be available as evidence of the results. |
Specifies that the organisation must evaluate information security performance and the effectiveness of the information security management system. |
|
44 |
ISO_IEC_27001_2022 |
9.3.3 |
ISO_IEC_27001_2022_9.3.3 |
ISO IEC 27001 2022 9.3.3 |
Internal Audit |
Management Review Results |
Shared |
The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. |
Specifies the considertions that the management review results shall include. |
|
16 |
ISO_IEC_27002_2022 |
8.6 |
ISO_IEC_27002_2022_8.6 |
ISO IEC 27002 2022 8.6 |
Identifying,
Protection,
Detection,
Preventive Control |
Capacity management |
Shared |
The use of resources should be monitored and adjusted in line with current and expected capacity requirements.
|
To ensure the required capacity of information processing facilities, human resources, offices and other facilities. |
|
3 |
New_Zealand_ISM |
07.1.7.C.02 |
New_Zealand_ISM_07.1.7.C.02 |
New_Zealand_ISM_07.1.7.C.02 |
07. Information Security Incidents |
07.1.7.C.02 Preventing and detecting information security incidents |
|
n/a |
Agencies SHOULD develop, implement and maintain tools and procedures covering the detection of potential information security incidents, incorporating: user awareness and training; counter-measures against malicious code, known attack methods and types; intrusion detection strategies; data egress monitoring & control; access control anomalies; audit analysis; system integrity checking; and vulnerability assessments. |
|
16 |
NIST_CSF_v2.0 |
DE.CM_09 |
NIST_CSF_v2.0_DE.CM_09 |
NIST CSF v2.0 DE.CM 09 |
DETECT- Continuous Monitoring |
Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events. |
Shared |
n/a |
To identify and analyze the cybersecurity attacks and compromises. |
|
25 |
NIST_CSF_v2.0 |
GV.SC_07 |
NIST_CSF_v2.0_GV.SC_07 |
NIST CSF v2.0 GV.SC 07 |
GOVERN-Cybersecurity Supply Chain Risk Management |
The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship. |
Shared |
n/a |
To establish, communicate, and monitor the risk management strategy, expectations, and policy. |
|
17 |
NIST_SP_800-171_R3_3 |
.12.3 |
NIST_SP_800-171_R3_3.12.3 |
NIST 800-171 R3 3.12.3 |
Security Assessment Control |
Continuous Monitoring |
Shared |
Continuous monitoring at the system level facilitates ongoing awareness of the system security posture to support risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their systems at a frequency that is sufficient to support risk based decisions. Different types of security requirements may require different monitoring frequencies. |
Continuous monitoring at the system level facilitates ongoing awareness of the system security posture to support risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their systems at a frequency that is sufficient to support risk based decisions. Different types of security requirements may require different monitoring frequencies. |
|
17 |
NIST_SP_800-171_R3_3 |
.14.1 |
NIST_SP_800-171_R3_3.14.1 |
NIST 800-171 R3 3.14.1 |
System and Information Integrity Control |
Flaw Remediation |
Shared |
Organizations identify systems that are affected by announced software and firmware flaws, including potential vulnerabilities that result from those flaws, and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address the flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources, such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases, in remediating the flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors, including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation. |
a. Identify, report, and correct system flaws.
b. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates. |
|
24 |
NIST_SP_800-171_R3_3 |
.4.3 |
NIST_SP_800-171_R3_3.4.3 |
404 not found |
|
|
|
n/a |
n/a |
|
16 |
NIST_SP_800-53_R5.1.1 |
CA.7 |
NIST_SP_800-53_R5.1.1_CA.7 |
NIST SP 800-53 R5.1.1 CA.7 |
Assessment, Authorization and Monitoring Control |
Continuous Monitoring |
Shared |
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:
a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics];
b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;
c. Ongoing control assessments in accordance with the continuous monitoring strategy;
d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
e. Correlation and analysis of information generated by control assessments and monitoring;
f. Response actions to address results of the analysis of control assessment and monitoring information; and
g. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles]
[Assignment: organization-defined frequency]. |
Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms “continuous” and “ongoing” imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.
Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, and SI-4. |
|
17 |
NIST_SP_800-53_R5.1.1 |
CA.7.4 |
NIST_SP_800-53_R5.1.1_CA.7.4 |
NIST SP 800-53 R5.1.1 CA.7.4 |
Assessment, Authorization and Monitoring Control |
Continuous Monitoring | Risk Monitoring |
Shared |
Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:
(a) Effectiveness monitoring;
(b) Compliance monitoring; and
(c) Change monitoring. |
Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk. |
|
14 |
NIST_SP_800-53_R5.1.1 |
SC.5.3 |
NIST_SP_800-53_R5.1.1_SC.5.3 |
NIST SP 800-53 R5.1.1 SC.5.3 |
System and Communications Protection |
Denial-of-service Protection | Detection and Monitoring |
Shared |
(a) Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]; and
(b) Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources]. |
Organizations consider the utilization and capacity of system resources when managing risk associated with a denial of service due to malicious attacks. Denial-of-service attacks can originate from external or internal sources. System resources that are sensitive to denial of service include physical disk storage, memory, and CPU cycles. Techniques used to prevent denial-of-service attacks related to storage utilization and capacity include instituting disk quotas, configuring systems to automatically alert administrators when specific storage capacity thresholds are reached, using file compression technologies to maximize available storage space, and imposing separate partitions for system and user data. |
|
3 |
NIST_SP_800-53_R5.1.1 |
SI.2 |
NIST_SP_800-53_R5.1.1_SI.2 |
NIST SP 800-53 R5.1.1 SI.2 |
System and Information Integrity Control |
Flaw Remediation |
Shared |
a. Identify, report, and correct system flaws;
b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d. Incorporate flaw remediation into the organizational configuration management process. |
The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.
Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. |
|
24 |
NZISM_v3.7 |
12.4.4.C.01. |
NZISM_v3.7_12.4.4.C.01. |
NZISM v3.7 12.4.4.C.01. |
Product Patching and Updating |
12.4.4.C.01. - To mitigate the risk of exploitation by malicious actors and to ensure the ongoing security and integrity of the agency's IT systems and data. |
Shared |
n/a |
Agencies MUST apply all critical security patches as soon as possible and within two (2) days of the release of the patch or update. |
|
25 |
NZISM_v3.7 |
12.4.4.C.02. |
NZISM_v3.7_12.4.4.C.02. |
NZISM v3.7 12.4.4.C.02. |
Product Patching and Updating |
12.4.4.C.02. - To minimise the risk of disruptions or vulnerabilities introduced by the patches. |
Shared |
n/a |
Agencies MUST implement a patch management strategy, including an evaluation or testing process. |
|
29 |
NZISM_v3.7 |
12.4.4.C.04. |
NZISM_v3.7_12.4.4.C.04. |
NZISM v3.7 12.4.4.C.04. |
Product Patching and Updating |
12.4.4.C.04. - To mitigate the risk of exploitation by malicious actors and to ensure the ongoing security and integrity of the agency's IT systems and data. |
Shared |
n/a |
Agencies SHOULD apply all critical security patches as soon as possible and preferably within two (2) days of the release of the patch or update. |
|
29 |
NZISM_v3.7 |
14.2.4.C.01. |
NZISM_v3.7_14.2.4.C.01. |
NZISM v3.7 14.2.4.C.01. |
Application Allow listing |
14.2.4.C.01. - To mitigate security risks, and ensure compliance with security policies and standards. |
Shared |
n/a |
Agencies SHOULD implement application allow listing as part of the SOE for workstations, servers and any other network device. |
|
25 |
NZISM_v3.7 |
14.2.5.C.01. |
NZISM_v3.7_14.2.5.C.01. |
NZISM v3.7 14.2.5.C.01. |
Application Allow listing |
14.2.5.C.01. - To mitigate security risks, and ensure compliance with security policies and standards. |
Shared |
n/a |
Agencies MUST ensure that a system user cannot disable the application allow listing mechanism. |
|
16 |
NZISM_v3.7 |
14.2.5.C.02. |
NZISM_v3.7_14.2.5.C.02. |
NZISM v3.7 14.2.5.C.02. |
Application Allow listing |
14.2.5.C.02. - To mitigate security risks, and ensure compliance with security policies and standards. |
Shared |
n/a |
Agencies SHOULD prevent a system user from running arbitrary executables. |
|
16 |
NZISM_v3.7 |
14.2.5.C.03. |
NZISM_v3.7_14.2.5.C.03. |
NZISM v3.7 14.2.5.C.03. |
Application Allow listing |
14.2.5.C.03. - To mitigate security risks, and ensure compliance with security policies and standards. |
Shared |
n/a |
Agencies SHOULD restrict a system user's rights in order to permit them to only execute a specific set of predefined executables as required for them to complete their duties. |
|
16 |
NZISM_v3.7 |
14.2.5.C.04. |
NZISM_v3.7_14.2.5.C.04. |
NZISM v3.7 14.2.5.C.04. |
Application Allow listing |
14.2.5.C.04. - To mitigate security risks, and ensure compliance with security policies and standards. |
Shared |
n/a |
Agencies SHOULD ensure that application allow listing does not replace the antivirus and anti-malware software within a system. |
|
16 |
NZISM_v3.7 |
14.2.6.C.01. |
NZISM_v3.7_14.2.6.C.01. |
NZISM v3.7 14.2.6.C.01. |
Application Allow listing |
14.2.6.C.01. - To mitigate security risks, and ensure compliance with security policies and standards. |
Shared |
n/a |
Agencies SHOULD ensure that system administrators are not automatically exempt from application allow list policy. |
|
16 |
NZISM_v3.7 |
14.2.7.C.01. |
NZISM_v3.7_14.2.7.C.01. |
NZISM v3.7 14.2.7.C.01. |
Application Allow listing |
14.2.7.C.01. - To mitigate security risks, and ensure compliance with security policies and standards. |
Shared |
n/a |
Agencies SHOULD ensure that the default policy is to deny the execution of software. |
|
16 |
NZISM_v3.7 |
14.2.7.C.02. |
NZISM_v3.7_14.2.7.C.02. |
NZISM v3.7 14.2.7.C.02. |
Application Allow listing |
14.2.7.C.02. - To mitigate security risks, and ensure compliance with security policies and standards. |
Shared |
n/a |
Agencies SHOULD ensure that application allow listing is used in addition to a strong access control list model and the use of limited privilege accounts. |
|
16 |
NZISM_v3.7 |
14.3.12.C.01. |
NZISM_v3.7_14.3.12.C.01. |
NZISM v3.7 14.3.12.C.01. |
Web Applications |
14.3.12.C.01. - To strengthening the overall security posture of the agency's network environment. |
Shared |
n/a |
Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations. |
|
82 |
NZISM_v3.7 |
17.8.10.C.01. |
NZISM_v3.7_17.8.10.C.01. |
NZISM v3.7 17.8.10.C.01. |
Internet Protocol Security (IPSec) |
17.8.10.C.01. - To enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies SHOULD use tunnel mode for IPSec connections. |
|
22 |
NZISM_v3.7 |
17.8.10.C.02. |
NZISM_v3.7_17.8.10.C.02. |
NZISM v3.7 17.8.10.C.02. |
Internet Protocol Security (IPSec) |
17.8.10.C.02. - To enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies choosing to use transport mode SHOULD additionally use an IP tunnel for IPSec connections. |
|
35 |
NZISM_v3.7 |
18.4.10.C.01. |
NZISM_v3.7_18.4.10.C.01. |
NZISM v3.7 18.4.10.C.01. |
Intrusion Detection and Prevention |
18.4.10.C.01. - To ensure user awareness of the policies, and handling outbreaks according to established procedures. |
Shared |
n/a |
Agencies MUST:
1. develop and maintain a set of policies and procedures covering how to:
a.minimise the likelihood of malicious code being introduced into a system;
b. prevent all unauthorised code from executing on an agency network;
c. detect any malicious code installed on a system;
d. make their system users aware of the agency's policies and procedures; and
e. ensure that all instances of detected malicious code outbreaks are handled according to established procedures. |
|
16 |
NZISM_v3.7 |
6.1.9.C.01. |
NZISM_v3.7_6.1.9.C.01. |
NZISM v3.7 6.1.9.C.01. |
Information Security Reviews |
6.1.9.C.01. - To ensure alignment with the vulnerability disclosure policy, and implement adjustments and changes consistent with the findings of vulnerability analysis |
Shared |
n/a |
Agencies SHOULD review the components detailed below. Agencies SHOULD also ensure that any adjustments and changes as a result of any vulnerability analysis are consistent with the vulnerability disclosure policy.
1. Information security documentation - The SecPol, Systems Architecture, SRMPs, SSPs, SitePlan, SOPs, the VDP, the IRP, and any third party assurance reports.
2. Dispensations - Prior to the identified expiry date.
3. Operating environment - When an identified threat emerges or changes, an agency gains or loses a function or the operation of functions are moved to a new physical environment.
4. Procedures - After an information security incident or test exercise.
5. System security - Items that could affect the security of the system on a regular basis.
6. Threats - Changes in threat environment and risk profile.
7. NZISM - Changes to baseline or other controls, any new controls and guidance. |
|
16 |
|
op.exp.6 Protection against harmful code |
op.exp.6 Protection against harmful code |
404 not found |
|
|
|
n/a |
n/a |
|
63 |
|
op.mon.3 Monitoring |
op.mon.3 Monitoring |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
PCI_DSS_v4.0.1 |
11.5.1 |
PCI_DSS_v4.0.1_11.5.1 |
PCI DSS v4.0.1 11.5.1 |
Test Security of Systems and Networks Regularly |
Intrusion Detection/Prevention |
Shared |
n/a |
Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network as follows:
• All traffic is monitored at the perimeter of the CDE.
• All traffic is monitored at critical points in the CDE.
• Personnel are alerted to suspected compromises.
• All intrusion-detection and prevention engines, baselines, and signatures are kept up to date |
|
24 |
PCI_DSS_v4.0.1 |
12.4.1 |
PCI_DSS_v4.0.1_12.4.1 |
PCI DSS v4.0.1 12.4.1 |
Support Information Security with Organizational Policies and Programs |
Executive Management Responsibility for PCI DSS |
Shared |
n/a |
Additional requirement for service providers only: Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program to include:
• Overall accountability for maintaining PCI DSS compliance.
• Defining a charter for a PCI DSS compliance program and communication to executive management. |
|
17 |
PCI_DSS_v4.0.1 |
6.3.3 |
PCI_DSS_v4.0.1_6.3.3 |
PCI DSS v4.0.1 6.3.3 |
Develop and Maintain Secure Systems and Software |
All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: Patches/updates for critical vulnerabilities (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release. All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity’s assessment of the criticality of the risk to the environment as identified according to the risk ranking process at Requirement 6.3.1 |
Shared |
n/a |
Examine policies and procedures to verify processes are defined for addressing vulnerabilities by installing applicable security patches/updates in accordance with all elements specified in this requirement. Examine system components and related software and compare the list of installed security patches/updates to the most recent security patch/update information to verify vulnerabilities are addressed in accordance with all elements specified in this requirement |
|
24 |
RBI_CSF_Banks_v2016 |
5.1 |
RBI_CSF_Banks_v2016_5.1 |
|
Secure Configuration |
Secure Configuration-5.1 |
|
n/a |
Document and apply baseline security requirements/configurations to all
categories of devices (end-points/workstations, mobile devices, operating systems,
databases, applications, network devices, security devices, security systems, etc.),
throughout the lifecycle (from conception to deployment) and carry out reviews
periodically. |
|
8 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes Oxley Act 2022 1 |
PUBLIC LAW |
Sarbanes Oxley Act 2022 (SOX) |
Shared |
n/a |
n/a |
|
92 |
SOC_2023 |
A1.1 |
SOC_2023_A1.1 |
SOC 2023 A1.1 |
Additional Criteria for Availability |
To effectively manage capacity demand and facilitate the implementation of additional capacity as needed. |
Shared |
n/a |
The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. |
|
112 |
SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
To facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
219 |
SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
To maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
230 |
SOC_2023 |
CC6.1 |
SOC_2023_CC6.1 |
SOC 2023 CC6.1 |
Logical and Physical Access Controls |
To mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. |
Shared |
n/a |
Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. |
|
129 |
SOC_2023 |
CC7.2 |
SOC_2023_CC7.2 |
SOC 2023 CC7.2 |
Systems Operations |
To maintain robust security measures and ensure operational resilience. |
Shared |
n/a |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. |
|
168 |
SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
214 |
SOC_2023 |
CC8.1 |
SOC_2023_CC8.1 |
SOC 2023 CC8.1 |
Change Management |
To minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. |
Shared |
n/a |
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. |
|
148 |
SOC_2023 |
CC9.2 |
SOC_2023_CC9.2 |
SOC 2023 CC9.2 |
Risk Mitigation |
To ensure effective risk management throughout the supply chain and business ecosystem. |
Shared |
n/a |
Entity assesses and manages risks associated with vendors and business partners. |
|
43 |
SWIFT_CSCF_2024 |
1.3 |
SWIFT_CSCF_2024_1.3 |
SWIFT Customer Security Controls Framework 2024 1.3 |
Cloud Platform Protection |
Virtualisation or Cloud Platform Protection |
Shared |
1. Security controls that apply to non-virtualised (physical) systems are equally applicable to virtual systems.
2. The additional virtualisation layer needs extra attention from a security perspective. The uncontrolled proliferation of VMs could lead to unaccounted machines with the risk of unmanaged, unpatched systems open to unauthorised access to data.
3. If appropriate controls have been implemented to this underlying layer, then Swift does not limit the use of virtual technology for any component of the user’s Swift infrastructure or the associated supporting infrastructure (for example, virtual firewalls). |
To secure the virtualisation or cloud platform and virtual machines (VMs) that host Swift-related components to the same level as physical systems. |
|
7 |
SWIFT_CSCF_2024 |
2.2 |
SWIFT_CSCF_2024_2.2 |
SWIFT Customer Security Controls Framework 2024 2.2 |
Risk Management |
Security Updates |
Shared |
1. The closure of known security vulnerabilities is effective in reducing the various pathways that an attacker may use during an attack.
2. A security update process that is comprehensive, repeatable, and implemented in a timely manner is necessary to continuously close these known vulnerabilities when security updates are available. |
To minimise the occurrence of known technical vulnerabilities on operator PCs and within the user’s Swift infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. |
|
24 |
SWIFT_CSCF_2024 |
8.1 |
SWIFT_CSCF_2024_8.1 |
404 not found |
|
|
|
n/a |
n/a |
|
17 |