compliance controls are associated with this Policy definition 'Activity log should be retained for at least one year' (b02aacc0-b073-424e-8298-42b22829ee0a)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Canada_Federal_PBMM_3-1-2020 |
AC_14 |
Canada_Federal_PBMM_3-1-2020_AC_14 |
Canada Federal PBMM 3-1-2020 AC 14 |
Permitted Actions Without Identification or Authentication |
Permitted Actions without Identification or Authentication |
Shared |
1. The organization identifies user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions.
2. The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication. |
To ensure transparency and accountability in the system's security measures. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
AC_2(4) |
Canada_Federal_PBMM_3-1-2020_AC_2(4) |
Canada Federal PBMM 3-1-2020 AC 2(4) |
Account Management |
Account Management | Automated Audit Actions |
Shared |
1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers.
2. Related controls: AU-2, AU-12. |
To ensure accountability and transparency within the information system. |
|
52 |
| Canada_Federal_PBMM_3-1-2020 |
AC_3 |
Canada_Federal_PBMM_3-1-2020_AC_3 |
Canada Federal PBMM 3-1-2020 AC 3 |
Access Enforcement |
Access Enforcement |
Shared |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
To mitigate the risk of unauthorized access. |
|
33 |
| Canada_Federal_PBMM_3-1-2020 |
IA_1 |
Canada_Federal_PBMM_3-1-2020_IA_1 |
Canada Federal PBMM 3-1-2020 IA 1 |
Identification and Authentication Policy and Procedures |
Identification and Authentication Policy and Procedures |
Shared |
1. The organization Develops, documents, and disseminates to all personnel:
a. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
2. The organization Reviews and updates the current:
a. Identification and authentication policy at least every 3 years; and
b. Identification and authentication procedures at least annually. |
To ensure secure access control and compliance with established standards. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
IA_2 |
Canada_Federal_PBMM_3-1-2020_IA_2 |
Canada Federal PBMM 3-1-2020 IA 2 |
Identification and Authentication (Organizational Users) |
Identification and Authentication (Organizational Users) |
Shared |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
To prevent unauthorized access and maintain system security. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
IA_4(2) |
Canada_Federal_PBMM_3-1-2020_IA_4(2) |
Canada Federal PBMM 3-1-2020 IA 4(2) |
Identifier Management |
Identifier Management | Supervisor Authorization |
Shared |
The organization requires that the registration process to receive an individual identifier includes supervisor authorization. |
To ensure accountability and authorization by requiring supervisor approval during the registration process for individual identifiers. |
|
18 |
| Canada_Federal_PBMM_3-1-2020 |
IA_4(3) |
Canada_Federal_PBMM_3-1-2020_IA_4(3) |
Canada Federal PBMM 3-1-2020 IA 4(3) |
Identifier Management |
Identifier Management | Multiple Forms of Certification |
Shared |
The organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority. |
To enhance the reliability and accuracy of individual identification. |
|
18 |
| Canada_Federal_PBMM_3-1-2020 |
IA_8 |
Canada_Federal_PBMM_3-1-2020_IA_8 |
Canada Federal PBMM 3-1-2020 IA 8 |
Identification and Authentication (Non-Organizational Users) |
Identification and Authentication (Non-Organizational Users) |
Shared |
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). |
To ensure secure access and accountability. |
|
16 |
| CIS_Azure_1.1.0 |
5.1.2 |
CIS_Azure_1.1.0_5.1.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 |
5 Logging and Monitoring |
Ensure that Activity Log Retention is set 365 days or greater |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure activity log retention is set for 365 days or greater. |
link |
4 |
| CIS_Controls_v8.1 |
10.7 |
CIS_Controls_v8.1_10.7 |
CIS Controls v8.1 10.7 |
Malware Defenses |
Use behaviour based anti-malware software |
Shared |
Use behaviour based anti-malware software |
To ensure that a generic anti-malware software is not used. |
|
99 |
| CIS_Controls_v8.1 |
13.1 |
CIS_Controls_v8.1_13.1 |
CIS Controls v8.1 13.1 |
Network Monitoring and Defense |
Centralize security event alerting |
Shared |
1. Centralize security event alerting across enterprise assets for log correlation and analysis.
2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts.
3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard. |
To ensure that any security event is immediately alerted enterprise-wide. |
|
101 |
| CIS_Controls_v8.1 |
13.11 |
CIS_Controls_v8.1_13.11 |
CIS Controls v8.1 13.11 |
Network Monitoring and Defense |
Tune security event alerting thresholds |
Shared |
Tune security event alerting thresholds monthly, or more frequently.
|
To regularly adjust and optimize security event alerting thresholds, aiming to enhance effectiveness. |
|
50 |
| CIS_Controls_v8.1 |
13.3 |
CIS_Controls_v8.1_13.3 |
CIS Controls v8.1 13.3 |
Network Monitoring and Defense |
Deploy a network intrusion detection solution |
Shared |
1. Deploy a network intrusion detection solution on enterprise assets, where appropriate.
2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. |
To enhance the organization's cybersecurity. |
|
99 |
| CIS_Controls_v8.1 |
16.3 |
CIS_Controls_v8.1_16.3 |
CIS Controls v8.1 16.3 |
Application Software Security |
Perform root cause analysis on security vulnerabilities |
Shared |
1. Perform root cause analysis on security vulnerabilities.
2. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise. |
To enable development teams to identify and address systemic issues. |
|
1 |
| CIS_Controls_v8.1 |
18.4 |
CIS_Controls_v8.1_18.4 |
CIS Controls v8.1 18.4 |
Penetration Testing |
Validate security measures |
Shared |
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. |
To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise. |
|
93 |
| CIS_Controls_v8.1 |
3.13 |
CIS_Controls_v8.1_3.13 |
CIS Controls v8.1 3.13 |
Data Protection |
Deploy a data loss prevention solution |
Shared |
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise’s sensitive data inventory.
|
To facilitate effective data protection, compliance, and risk mitigation. |
|
1 |
| CIS_Controls_v8.1 |
3.14 |
CIS_Controls_v8.1_3.14 |
CIS Controls v8.1 3.14 |
Data Protection |
Log sensitive data access |
Shared |
Log sensitive data access, including modification and disposal.
|
To enhance accountability, traceability, and security measures within the enterprise. |
|
47 |
| CIS_Controls_v8.1 |
8.1 |
CIS_Controls_v8.1_8.1 |
CIS Controls v8.1 8.1 |
Audit Log Management |
Establish and maintain an audit log management process |
Shared |
1. Establish and maintain an audit log management process that defines the enterprise’s logging requirements.
2. At a minimum, address the collection, review, and retention of audit logs for enterprise assets.
3. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. |
To ensure appropriate management of audit log systems. |
|
31 |
| CIS_Controls_v8.1 |
8.11 |
CIS_Controls_v8.1_8.11 |
CIS Controls v8.1 8.11 |
Audit Log Management |
Conduct audit log reviews |
Shared |
1. Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat.
2. Conduct reviews on a weekly, or more frequent, basis.
|
To ensure the integrity of the data in audit logs. |
|
62 |
| CIS_Controls_v8.1 |
8.2 |
CIS_Controls_v8.1_8.2 |
CIS Controls v8.1 8.2 |
Audit Log Management |
Collect audit logs. |
Shared |
1. Collect audit logs.
2. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. |
To assist in troubleshooting of system issues and ensure integrity of data systems. |
|
32 |
| CIS_Controls_v8.1 |
8.5 |
CIS_Controls_v8.1_8.5 |
CIS Controls v8.1 8.5 |
Audit Log Management |
Collect detailed audit logs. |
Shared |
1. Configure detailed audit logging for enterprise assets containing sensitive data.
2. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. |
To ensure that audit logs contain all pertinent information that might be required in a forensic investigation. |
|
34 |
| CIS_Controls_v8.1 |
8.7 |
CIS_Controls_v8.1_8.7 |
CIS Controls v8.1 8.7 |
Audit Log Management |
Collect URL request audit logs |
Shared |
Collect URL request audit logs on enterprise assets, where appropriate and supported. |
To maintain an audit trail of all URL requests made.
|
|
31 |
| CIS_Controls_v8.1 |
8.8 |
CIS_Controls_v8.1_8.8 |
CIS Controls v8.1 8.8 |
Audit Log Management |
Collect command-line audit logs |
Shared |
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell, BASH, and remote administrative terminals. |
To ensure recording of the commands and arguments used by a process. |
|
31 |
| CIS_Controls_v8.1 |
8.9 |
CIS_Controls_v8.1_8.9 |
CIS Controls v8.1 8.9 |
Audit Log Management |
Centralize audit logs |
Shared |
Centralize, to the extent possible, audit log collection and retention across enterprise assets. |
To optimize and simply the process of audit log management. |
|
31 |
| CMMC_L3 |
AU.2.042 |
CMMC_L3_AU.2.042 |
CMMC L3 AU.2.042 |
Audit and Accountability |
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance.
Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures.
Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred).
Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. |
link |
15 |
| CMMC_L3 |
SI.2.217 |
CMMC_L3_SI.2.217 |
CMMC L3 SI.2.217 |
System and Information Integrity |
Identify unauthorized use of organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs.
Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. |
link |
11 |
| CSA_v4.0.12 |
DSP_16 |
CSA_v4.0.12_DSP_16 |
CSA Cloud Controls Matrix v4.0.12 DSP 16 |
Data Security and Privacy Lifecycle Management |
Data Retention and Deletion |
Shared |
n/a |
Data retention, archiving and deletion is managed in accordance with
business requirements, applicable laws and regulations. |
|
1 |
| CSA_v4.0.12 |
LOG_02 |
CSA_v4.0.12_LOG_02 |
CSA Cloud Controls Matrix v4.0.12 LOG 02 |
Logging and Monitoring |
Audit Logs Protection |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to ensure the security and retention of audit logs. |
|
1 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.4 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.4 |
404 not found |
|
|
|
n/a |
n/a |
|
42 |
| HITRUST_CSF_v11.3 |
09.aa |
HITRUST_CSF_v11.3_09.aa |
HITRUST CSF v11.3 09.aa |
Monitoring |
Ensure information security events are monitored and recorded to detect unauthorized information processing activities in compliance with all relevant legal requirements. |
Shared |
1. Retention policies for audit logs are to be specified and the audit logs are to be retained accordingly.
2. A secure audit record is to be created each time a user accesses, creates, updates, or deletes covered and/or confidential information via the system.
3. Audit logs are to be maintained for account management activities, security policy changes, configuration changes, modification to sensitive information, read access to sensitive information, and printing of sensitive information. |
Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring. |
|
39 |
| HITRUST_CSF_v11.3 |
09.h |
HITRUST_CSF_v11.3_09.h |
HITRUST CSF v11.3 09.h |
System Planning and Acceptance |
Ensure that systems meet the businesses current and projected needs to minimize failures. |
Shared |
Use of information systems resources is to be monitored. |
The availability of adequate capacity and resources shall be planned, prepared, and managed to deliver the required system performance. Projections of future capacity requirements shall be made to mitigate the risk of system overload. |
|
4 |
| ISO_IEC_27001_2022 |
10.2 |
ISO_IEC_27001_2022_10.2 |
ISO IEC 27001 2022 10.2 |
Improvement |
Nonconformity and corrective action |
Shared |
1. When a nonconformity occurs, the organization shall:
a. react to the nonconformity, and as applicable:
i. take action to control and correct it;
ii. deal with the consequences;
b. evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
i. reviewing the nonconformity;
ii. determining the causes of the nonconformity; and
iii. determining if similar nonconformities exist, or could potentially occur;
c. implement any action needed;
d. review the effectiveness of any corrective action taken; and
e. make changes to the information security management system, if necessary.
2. Corrective actions shall be appropriate to the effects of the nonconformities encountered.
3. Documented information shall be available as evidence of:
a. the nature of the nonconformities and any subsequent actions taken,
b. the results of any corrective action. |
Specifies the actions that the organisation shall take in cases of nonconformity. |
|
18 |
| ISO_IEC_27001_2022 |
6.1.2 |
ISO_IEC_27001_2022_6.1.2 |
ISO IEC 27001 2022 6.1.2 |
Planning |
Information security risk assessment |
Shared |
The organization shall define and apply an information security risk assessment process that:
(a) establishes and maintains information security risk criteria that include:
(1) the risk acceptance criteria; and
(2) criteria for performing information security risk assessments;
(b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
(c) identifies the information security risks:
(1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
(2) identify the risk owners;
(d) analyses the information security risks:
(1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
(2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
(3) determine the levels of risk;
(e) evaluates the information security risks:
(1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
(2) prioritize the analysed risks for risk treatment.
The organization shall retain documented information about the information security risk assessment process. |
Specifies that organisation must determine risks and opportunities that need to be addressed for the information security management system to achieve its intended outcome, prevent, or reduce, undesired effects; and achieve continual improvement |
|
1 |
| ISO_IEC_27001_2022 |
6.1.3 |
ISO_IEC_27001_2022_6.1.3 |
ISO IEC 27001 2022 6.1.3 |
Planning |
Information security risk treatment |
Shared |
The organization shall define and apply an information security risk treatment process to:
(a) select appropriate information security risk treatment options, taking account of the risk assessment results;
(b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
(c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;
(d) produce a Statement of Applicability that contains:
— the necessary controls (see 6.1.3 b) and c));
— justification for their inclusion;
— whether the necessary controls are implemented or not; and
— the justification for excluding any of the Annex A controls.
(e) formulate an information security risk treatment plan; and
(f) obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.
The organization shall retain documented information about the information security risk treatment process. |
Specifies that organisation must determine risks and opportunities that need to be addressed for the information security management system to achieve its intended outcome, prevent, or reduce, undesired effects; and achieve continual improvement |
|
1 |
| ISO_IEC_27001_2022 |
6.2 |
ISO_IEC_27001_2022_6.2 |
ISO IEC 27001 2022 6.2 |
Planning |
Information security objectives and planning to achieve them |
Shared |
1. The information security objectives shall:
a. be consistent with the information security policy;
b. be measurable (if practicable);
c. take into account applicable information security requirements, and results from risk assessment and risk treatment;
d. be monitored;
e. be communicated;
f. be updated as appropriate;
g. be available as documented information.
2. The organization shall retain documented information on the information security objectives.
3. When planning how to achieve its information security objectives, the organization shall determine:
a. what will be done;
b. what resources will be required;
c. who will be responsible;
d. when it will be completed; and
e. how the results will be evaluated. |
Specifies that organisation must establish information security objectives at relevant functions and levels. |
|
1 |
| ISO_IEC_27001_2022 |
8.2 |
ISO_IEC_27001_2022_8.2 |
ISO IEC 27001 2022 8.2 |
Operation |
Information security risk assessment |
Shared |
1. The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur.
2. The organization shall retain documented information of the results of the information security risk assessments. |
Specifies when information security risk assessments need to be undertaken and steps to be taken post assessment. |
|
1 |
| ISO_IEC_27001_2022 |
8.3 |
ISO_IEC_27001_2022_8.3 |
ISO IEC 27001 2022 8.3 |
Operation |
Information security risk treatment |
Shared |
1. The organization shall implement the information security risk treatment plan.
2. The organization shall retain documented information of the results of the information security risk treatment. |
Specifies the plan to be implemented regarding the treatment of information security risk and steps to be taken thereafter. |
|
1 |
| ISO_IEC_27001_2022 |
9.1 |
ISO_IEC_27001_2022_9.1 |
ISO IEC 27001 2022 9.1 |
Performance Evaluation |
Monitoring, measurement, analysis and evaluation |
Shared |
1. The organization shall determine:
a. what needs to be monitored and measured, including information security processes and controls;
b. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid;
c. when the monitoring and measuring shall be performed;
d. who shall monitor and measure;
e. when the results from monitoring and measurement shall be analysed and evaluated;
f. who shall analyse and evaluate these results.
2. Documented information shall be available as evidence of the results. |
Specifies that the organisation must evaluate information security performance and the effectiveness of the information security management system. |
|
44 |
| ISO_IEC_27001_2022 |
9.2.2 |
ISO_IEC_27001_2022_9.2.2 |
ISO IEC 27001 2022 9.2.2 |
Internal Audit |
Internal Audit Programme |
Shared |
1. The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.
2. When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits.
3. The organization shall:
a. define the audit criteria and scope for each audit;
b. select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
c. ensure that the results of the audits are reported to relevant management;
4. Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results. |
Specifies that the organization shall plan, establish, implement and maintain an audit programme. |
|
1 |
| ISO_IEC_27001_2022 |
9.3.3 |
ISO_IEC_27001_2022_9.3.3 |
ISO IEC 27001 2022 9.3.3 |
Internal Audit |
Management Review Results |
Shared |
The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. |
Specifies the considertions that the management review results shall include. |
|
16 |
| LGPD_2018_Art. |
16 |
LGPD_2018_Art._16 |
Brazilian General Data Protection Law (LGPD) 2018 Art. 16 |
Termination of Data Processing |
Art. 16. Personal data shall be deleted following the termination of their processing |
Shared |
n/a |
Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, but their storage is authorized for the following purposes: (1) compliance with a legal or regulatory obligation by the controller; (2) study by a research entity, ensuring, whenever possible, the anonymization of the personal data; (3) transfer to third parties, provided that the requirements for data processing as provided in this Law are obeyed; or (4) exclusive use of the controller, with access by third parties being prohibited, and provided the data has been anonymized. |
|
18 |
| NIST_SP_800-171_R3_3 |
.14.8 |
NIST_SP_800-171_R3_3.14.8 |
NIST 800-171 R3 3.14.8 |
System and Information Integrity Control |
Information Management and Retention |
Shared |
Federal agencies consider data retention requirements for nonfederal organizations. Retaining CUI on nonfederal systems after contracts or agreements have concluded increases the attack surface for those systems and the risk of the information being compromised. NARA provides federal policy and guidance on records retention and schedules. |
Manage and retain CUI within the system and CUI output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and operational requirements. |
|
1 |
| NIST_SP_800-171_R3_3 |
.3.3 |
NIST_SP_800-171_R3_3.3.3 |
404 not found |
|
|
|
n/a |
n/a |
|
1 |
| NIST_SP_800-53_R5.1.1 |
AU.11 |
NIST_SP_800-53_R5.1.1_AU.11 |
NIST SP 800-53 R5.1.1 AU.11 |
Audit and Accountability Control |
Audit Record Retention |
Shared |
Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. |
Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention. |
|
1 |
| NIST_SP_800-53_R5.1.1 |
AU.4 |
NIST_SP_800-53_R5.1.1_AU.4 |
NIST SP 800-53 R5.1.1 AU.4 |
Audit and Accountability Control |
Audit Log Storage Capacity |
Shared |
Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. |
Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability. |
|
1 |
| NZISM_v3.7 |
14.1.9.C.01. |
NZISM_v3.7_14.1.9.C.01. |
NZISM v3.7 14.1.9.C.01. |
Standard Operating Environments |
14.1.9.C.01. - maintain system reliability, protect sensitive information, and fulfill security requirements. |
Shared |
n/a |
Agencies MUST ensure that for all servers and workstations:
1. a technical specification is agreed for each platform with specified controls;
2. a standard configuration created and updated for each operating system type and version;
3. system users do not have the ability to install or disable software without approval; and
4. installed software and operating system patching is up to date. |
|
5 |
| NZISM_v3.7 |
16.6.10.C.01. |
NZISM_v3.7_16.6.10.C.01. |
NZISM v3.7 16.6.10.C.01. |
Event Logging and Auditing |
16.6.10.C.01. - enhance system security and accountability. |
Shared |
n/a |
Agencies SHOULD log the events listed in the table below for specific software components.
1. Database -
a. System user access to the database.
b. Attempted access that is denied
c. Changes to system user roles or database rights.
d. Addition of new system users, especially privileged users
e. Modifications to the data.
f. Modifications to the format or structure of the database
2. Network/operating system
a. Successful and failed attempts to logon and logoff.
b. Changes to system administrator and system user accounts.
c. Failed attempts to access data and system resources.
d. Attempts to use special privileges.
e. Use of special privileges.
f. System user or group management.
g. Changes to the security policy.
h. Service failures and restarts.
i.System startup and shutdown.
j. Changes to system configuration data.
k. Access to sensitive data and processes.
l. Data import/export operations.
3. Web application
a. System user access to the Web application.
b. Attempted access that is denied.
c. System user access to the Web documents.
d. Search engine queries initiated by system users. |
|
33 |
| NZISM_v3.7 |
16.6.10.C.02. |
NZISM_v3.7_16.6.10.C.02. |
NZISM v3.7 16.6.10.C.02. |
Event Logging and Auditing |
16.6.10.C.02. - enhance system security and accountability. |
Shared |
n/a |
Agencies SHOULD log, at minimum, the following events for all software components:
1. user login;
2. all privileged operations;
3. failed attempts to elevate privileges;
4. security related system alerts and failures;
5. system user and group additions, deletions and modification to permissions; and
6. unauthorised or failed access attempts to systems and files identified as critical to the agency. |
|
50 |
| NZISM_v3.7 |
16.6.11.C.01. |
NZISM_v3.7_16.6.11.C.01. |
NZISM v3.7 16.6.11.C.01. |
Event Logging and Auditing |
16.6.11.C.01. - enhance system security and accountability. |
Shared |
n/a |
For each event identified as needing to be logged, agencies MUST ensure that the log facility records at least the following details, where applicable:
1. date and time of the event;
2. relevant system user(s) or processes;
3. event description;
4. success or failure of the event;
5. event source (e.g. application name); and
6. IT equipment location/identification. |
|
50 |
| NZISM_v3.7 |
16.6.12.C.01. |
NZISM_v3.7_16.6.12.C.01. |
NZISM v3.7 16.6.12.C.01. |
Event Logging and Auditing |
16.6.12.C.01. - maintain integrity of the data. |
Shared |
n/a |
Event logs MUST be protected from:
1. modification and unauthorised access; and
2. whole or partial loss within the defined retention period. |
|
50 |
| NZISM_v3.7 |
16.6.6.C.01. |
NZISM_v3.7_16.6.6.C.01. |
NZISM v3.7 16.6.6.C.01. |
Event Logging and Auditing |
16.6.6.C.01. - enhance security and reduce the risk of unauthorized access or misuse. |
Shared |
n/a |
Agencies MUST maintain system management logs for the life of a system. |
|
50 |
| NZISM_v3.7 |
16.6.7.C.01. |
NZISM_v3.7_16.6.7.C.01. |
NZISM v3.7 16.6.7.C.01. |
Event Logging and Auditing |
16.6.7.C.01. - facilitate effective monitoring, troubleshooting, and auditability of system operations. |
Shared |
n/a |
A system management log SHOULD record the following minimum information:
1. all system start-up and shutdown;
2. service, application, component or system failures;
3. maintenance activities;
4. backup and archival activities;
5. system recovery activities; and
6. special or out of hours activities. |
|
50 |
| NZISM_v3.7 |
16.6.9.C.01. |
NZISM_v3.7_16.6.9.C.01. |
NZISM v3.7 16.6.9.C.01. |
Event Logging and Auditing |
16.6.9.C.01. - enhance system security and accountability. |
Shared |
n/a |
Agencies MUST log, at minimum, the following events for all software components:
1. logons;
2. failed logon attempts;
3. logoffs;
4 .date and time;
5. all privileged operations;
6. failed attempts to elevate privileges;
7. security related system alerts and failures;
8. system user and group additions, deletions and modification to permissions; and
9. unauthorised or failed access attempts to systems and files identified as critical to the agency. |
|
48 |
| NZISM_v3.7 |
17.1.58.C.02. |
NZISM_v3.7_17.1.58.C.02. |
NZISM v3.7 17.1.58.C.02. |
Cryptographic Fundamentals |
17.1.58.C.02. - enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies SHOULD use risk assessment techniques and guidance to establish cryptoperiods. |
|
24 |
| NZISM_v3.7 |
17.5.7.C.02. |
NZISM_v3.7_17.5.7.C.02. |
NZISM v3.7 17.5.7.C.02. |
Secure Shell |
17.5.7.C.02. - enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies that allow password authentication SHOULD use techniques to block brute force attacks against the password. |
|
42 |
| NZISM_v3.7 |
22.1.24.C.02. |
NZISM_v3.7_22.1.24.C.02. |
NZISM v3.7 22.1.24.C.02. |
Cloud Computing |
22.1.24.C.02. - enhance security posture. |
Shared |
n/a |
Agencies intending to adopt cloud technologies or services SHOULD apply separation and access controls to protect data and systems where support is provided by offshore technical staff. |
|
5 |
| NZISM_v3.7 |
23.1.56.C.01. |
NZISM_v3.7_23.1.56.C.01. |
NZISM v3.7 23.1.56.C.01. |
Public Cloud Security Concepts |
23.1.56.C.01. - reduce manual errors and ensure adherence to security standards. |
Shared |
n/a |
Agencies SHOULD deploy and manage their cloud infrastructure using automation, version control, and infrastructure as code techniques where these are available. |
|
5 |
| NZISM_v3.7 |
23.2.20.C.01. |
NZISM_v3.7_23.2.20.C.01. |
NZISM v3.7 23.2.20.C.01. |
Governance, Risk Assessment & Assurance |
23.2.20.C.01. - enhance confidence in the security and reliability of cloud services and mitigate risks associated with potential vulnerabilities or non-compliance with security standards. |
Shared |
n/a |
Agencies MUST obtain assurance that technical protections exist to adequately isolate tenants. |
|
5 |
| PCI_DSS_v4.0.1 |
5.3.4 |
PCI_DSS_v4.0.1_5.3.4 |
PCI DSS v4.0.1 5.3.4 |
Protect All Systems and Networks from Malicious Software |
Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1 |
Shared |
n/a |
Examine anti-malware solution(s) configurations to verify logs are enabled and retained in accordance with Requirement 10.5.1 |
|
1 |
| RBI_ITF_NBFC_v2017 |
3.1.g |
RBI_ITF_NBFC_v2017_3.1.g |
RBI IT Framework 3.1.g |
Information and Cyber Security |
Trails-3.1 |
|
n/a |
The IS Policy must provide for a IS framework with the following basic tenets:
Trails- NBFCs shall ensure that audit trails exist for IT assets satisfying its business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail. |
link |
36 |
| RMiT_v1.0 |
10.66 |
RMiT_v1.0_10.66 |
RMiT 10.66 |
Security of Digital Services |
Security of Digital Services - 10.66 |
Shared |
n/a |
A financial institution must implement robust technology security controls in providing digital services which assure the following:
(a) confidentiality and integrity of customer and counterparty information and transactions;
(b) reliability of services delivered via channels and devices with minimum disruption to services;
(c) proper authentication of users or devices and authorisation of transactions;
(d) sufficient audit trail and monitoring of anomalous transactions;
(e) ability to identify and revert to the recovery point prior to incident or service disruption; and
(f) strong physical control and logical control measures |
link |
31 |
| SOC_2023 |
CC.5.3 |
SOC_2023_CC.5.3 |
404 not found |
|
|
|
n/a |
n/a |
|
37 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
218 |
| SOC_2023 |
CC4.1 |
SOC_2023_CC4.1 |
SOC 2023 CC4.1 |
Monitoring Activities |
Enhance the ability to manage risks and achieve objectives. |
Shared |
n/a |
The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
|
38 |
| SOC_2023 |
CC4.2 |
SOC_2023_CC4.2 |
SOC 2023 CC4.2 |
Monitoring Activities |
Facilitate timely corrective actions and strengthen the ability to maintain effective control over its operations and achieve its objectives. |
Shared |
n/a |
The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors. |
|
37 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
229 |
| SOC_2023 |
CC7.2 |
SOC_2023_CC7.2 |
SOC 2023 CC7.2 |
Systems Operations |
Maintain robust security measures and ensure operational resilience. |
Shared |
n/a |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. |
|
167 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
213 |
| SWIFT_CSCF_v2021 |
6.4 |
SWIFT_CSCF_v2021_6.4 |
SWIFT CSCF v2021 6.4 |
Detect Anomalous Activity to Systems or Transaction Records |
Logging and Monitoring |
|
n/a |
Record security events and detect anomalous actions and operations within the local SWIFT environment. |
link |
32 |
| SWIFT_CSCF_v2022 |
6.4 |
SWIFT_CSCF_v2022_6.4 |
SWIFT CSCF v2022 6.4 |
6. Detect Anomalous Activity to Systems or Transaction Records |
Record security events and detect anomalous actions and operations within the local SWIFT environment. |
Shared |
n/a |
Capabilities to detect anomalous activity are implemented, and a process or tool is in place to keep and review logs. |
link |
50 |