last sync: 2024-Oct-11 17:51:27 UTC

Develop and establish a system security plan | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Develop and establish a system security plan
Id b2ea1058-8998-3dd1-84f1-82132ad482fd
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0151 - Develop and establish a system security plan
Additional metadata Name/Id: CMA_0151 / CMA_0151
Category: Operational
Title: Develop and establish a system security plan
Ownership: Customer
Description: Microsoft recommends that your organization develop a security plan for the information system that: - Is consistent with the organization's enterprise architecture - Defines explicitly the authorization boundary for the system - Describes the operational context of the information system in terms of missions and business processes - Provides the security categorization of the information system including supporting rationale - Describes the operational environment for the information system and relationships with or connections to other information systems - Provides an overview of the security requirements for the system - Identifies any relevant overlays, if applicable - Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions and - Is reviewed and approved by the authorizing official or designated representative prior to plan implementation. Microsoft recommends that your organization should: - Distribute copies of the security plan and communicates subsequent changes to the plan to organization-defined personnel or role - Review the security plan for the information system at organization-defined frequency - Update the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments and - Protect the security plan from unauthorized disclosure and modification. It is recommended that your organization plan and coordinate security-related activities affecting the information system with organization-defined individuals or groups before conducting such activities in order to reduce the impact on other organizational entities. Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e. Planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 46 compliance controls are associated with this Policy definition 'Develop and establish a system security plan' (b2ea1058-8998-3dd1-84f1-82132ad482fd)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 PL-2 FedRAMP_High_R4_PL-2 FedRAMP High PL-2 Planning System Security Plan Shared n/a The organization: a. Develops a security plan for the information system that: 1. Is consistent with the organization’s enterprise architecture; 2. Explicitly defines the authorization boundary for the system; 3. Describes the operational context of the information system in terms of missions and business processes; 4. Provides the security categorization of the information system including supporting rationale; 5. Describes the operational environment for the information system and relationships with or connections to other information systems; 6. Provides an overview of the security requirements for the system; 7. Identifies any relevant overlays, if applicable; 8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and 9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; c. Reviews the security plan for the information system [Assignment: organization-defined frequency]; d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and e. Protects the security plan from unauthorized disclosure and modification. Supplemental Guidance: Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. References: NIST Special Publication 800-18. link 6
FedRAMP_High_R4 PL-2(3) FedRAMP_High_R4_PL-2(3) FedRAMP High PL-2 (3) Planning Plan / Coordinate With Other Organizational Entities Shared n/a The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. Supplemental Guidance: Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate. Related controls: CP-4, IR-4. link 3
FedRAMP_Moderate_R4 PL-2 FedRAMP_Moderate_R4_PL-2 FedRAMP Moderate PL-2 Planning System Security Plan Shared n/a The organization: a. Develops a security plan for the information system that: 1. Is consistent with the organization’s enterprise architecture; 2. Explicitly defines the authorization boundary for the system; 3. Describes the operational context of the information system in terms of missions and business processes; 4. Provides the security categorization of the information system including supporting rationale; 5. Describes the operational environment for the information system and relationships with or connections to other information systems; 6. Provides an overview of the security requirements for the system; 7. Identifies any relevant overlays, if applicable; 8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and 9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; c. Reviews the security plan for the information system [Assignment: organization-defined frequency]; d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and e. Protects the security plan from unauthorized disclosure and modification. Supplemental Guidance: Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. References: NIST Special Publication 800-18. link 6
FedRAMP_Moderate_R4 PL-2(3) FedRAMP_Moderate_R4_PL-2(3) FedRAMP Moderate PL-2 (3) Planning Plan / Coordinate With Other Organizational Entities Shared n/a The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. Supplemental Guidance: Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate. Related controls: CP-4, IR-4. link 3
hipaa 0103.00a3Organizational.1234567-00.a hipaa-0103.00a3Organizational.1234567-00.a 0103.00a3Organizational.1234567-00.a 01 Information Protection Program 0103.00a3Organizational.1234567-00.a 0.01 Information Security Management Program Shared n/a Independent audits are conducted at least annually to determine whether the information protection program is approved by executive management, communicated to stakeholders, adequately resourced, conforms to relevant legislation or regulations and other business requirements, and adjusted as needed to ensure the program continues to meet defined objectives. 3
hipaa 0118.05a1Organizational.2-05.a hipaa-0118.05a1Organizational.2-05.a 0118.05a1Organizational.2-05.a 01 Information Protection Program 0118.05a1Organizational.2-05.a 05.01 Internal Organization Shared n/a Senior management assigns an individual or group to ensure the effectiveness of the information protection program through program oversight; establish and communicate the organization's priorities for organizational mission, objectives, and activities; review and update of the organization's security plan; ensure compliance with the security plan by the workforce; and evaluate and accept security risks on behalf of the organization. 8
hipaa 0119.05a1Organizational.3-05.a hipaa-0119.05a1Organizational.3-05.a 0119.05a1Organizational.3-05.a 01 Information Protection Program 0119.05a1Organizational.3-05.a 05.01 Internal Organization Shared n/a Security contacts are appointed by name for each major organizational area or business unit. 6
hipaa 0162.04b1Organizational.2-04.b hipaa-0162.04b1Organizational.2-04.b 0162.04b1Organizational.2-04.b 01 Information Protection Program 0162.04b1Organizational.2-04.b 04.01 Information Security Policy Shared n/a The organization ensures individuals may make complaints concerning the information security policies, procedures, or the organization's compliance with its policies and procedures; documents the complaints and requests for changes; and records their disposition, if applicable. 4
hipaa 0641.10k2Organizational.11-10.k hipaa-0641.10k2Organizational.11-10.k 0641.10k2Organizational.11-10.k 06 Configuration Management 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes Shared n/a The organization does not use automated updates on critical systems. 13
hipaa 0863.09m2Organizational.910-09.m hipaa-0863.09m2Organizational.910-09.m 0863.09m2Organizational.910-09.m 08 Network Protection 0863.09m2Organizational.910-09.m 09.06 Network Security Management Shared n/a The organization builds a firewall configuration that restricts connections between untrusted networks and any system components in the covered information environment; and any changes to the firewall configuration are updated in the network diagram. 25
hipaa 0866.09m3Organizational.1516-09.m hipaa-0866.09m3Organizational.1516-09.m 0866.09m3Organizational.1516-09.m 08 Network Protection 0866.09m3Organizational.1516-09.m 09.06 Network Security Management Shared n/a The organization describes the groups, roles, and responsibilities for the logical management of network components, and ensures coordination of and consistency in the elements of the network infrastructure. 11
hipaa 1782.10a1Organizational.4-10.a hipaa-1782.10a1Organizational.4-10.a 1782.10a1Organizational.4-10.a 17 Risk Management 1782.10a1Organizational.4-10.a 10.01 Security Requirements of Information Systems Shared n/a Security requirements and controls reflect the business value of the information assets involved, and the potential business damage that might result from a failure or absence of security. 6
hipaa 1793.10a2Organizational.91011-10.a hipaa-1793.10a2Organizational.91011-10.a 1793.10a2Organizational.91011-10.a 17 Risk Management 1793.10a2Organizational.91011-10.a 10.01 Security Requirements of Information Systems Shared n/a The requirement definition phase includes (i) consideration of system requirements for information security and the processes for implementing security, and (ii) data classification and risk to information assets are assigned and approved (signed-off) by management to ensure appropriate controls are considered and the correct project team members are involved. 6
hipaa 19134.05j1Organizational.5-05.j hipaa-19134.05j1Organizational.5-05.j 19134.05j1Organizational.5-05.j 19 Data Protection & Privacy 19134.05j1Organizational.5-05.j 05.02 External Parties Shared n/a The public has access to information about the organization's security and privacy activities and is able to communicate with its senior security official and senior privacy official. 12
ISO27001-2013 A.12.1.1 ISO27001-2013_A.12.1.1 ISO 27001:2013 A.12.1.1 Operations Security Documented operating procedures Shared n/a Operating procedures shall be documented and made available to all users who need them. link 31
ISO27001-2013 A.14.1.1 ISO27001-2013_A.14.1.1 ISO 27001:2013 A.14.1.1 System Acquisition, Development And Maintenance Information security requirements analysis and specification Shared n/a The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. link 24
ISO27001-2013 A.18.1.1 ISO27001-2013_A.18.1.1 ISO 27001:2013 A.18.1.1 Compliance Identification applicable legislation and contractual requirements Shared n/a All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. link 30
ISO27001-2013 A.18.2.2 ISO27001-2013_A.18.2.2 ISO 27001:2013 A.18.2.2 Compliance Compliance with security policies and standards Shared n/a Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. link 36
ISO27001-2013 A.5.1.1 ISO27001-2013_A.5.1.1 ISO 27001:2013 A.5.1.1 Information Security Policies Policies for information security Shared n/a A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. link 42
ISO27001-2013 A.5.1.2 ISO27001-2013_A.5.1.2 ISO 27001:2013 A.5.1.2 Information Security Policies Review of the policies for information security Shared n/a The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. link 29
ISO27001-2013 A.6.1.1 ISO27001-2013_A.6.1.1 ISO 27001:2013 A.6.1.1 Organization of Information Security Information security roles and responsibilities Shared n/a All information security responsibilities shall be clearly defined and allocated. link 73
ISO27001-2013 C.7.4.a ISO27001-2013_C.7.4.a ISO 27001:2013 C.7.4.a Support Communication Shared n/a The organization shall determine the need for internal and external communications relevant to the information security management system including: a) on what to communicate. link 4
ISO27001-2013 C.7.4.b ISO27001-2013_C.7.4.b ISO 27001:2013 C.7.4.b Support Communication Shared n/a The organization shall determine the need for internal and external communications relevant to the information security management system including: b) when to communicate. link 4
ISO27001-2013 C.7.4.c ISO27001-2013_C.7.4.c ISO 27001:2013 C.7.4.c Support Communication Shared n/a The organization shall determine the need for internal and external communications relevant to the information security management system including: c) with whom to communicate. link 4
ISO27001-2013 C.7.4.d ISO27001-2013_C.7.4.d ISO 27001:2013 C.7.4.d Support Communication Shared n/a The organization shall determine the need for internal and external communications relevant to the information security management system including: d) who shall communicate. link 4
ISO27001-2013 C.7.4.e ISO27001-2013_C.7.4.e ISO 27001:2013 C.7.4.e Support Communication Shared n/a The organization shall determine the need for internal and external communications relevant to the information security management system including: e) the processes by which communication shall be effected. link 4
ISO27001-2013 C.7.5.3.b ISO27001-2013_C.7.5.3.b ISO 27001:2013 C.7.5.3.b Support Control of documented information Shared n/a Documented information required by the information security management system and by this International Standard shall be controlled to ensure: b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). link 3
ISO27001-2013 C.7.5.3.d ISO27001-2013_C.7.5.3.d ISO 27001:2013 C.7.5.3.d Support Control of documented information Shared n/a For the control of documented information, the organization shall address the following activities, as applicable: d) storage and preservation, including the preservation of legibility. Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled. NOTE Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc. link 3
ISO27001-2013 C.7.5.3.e ISO27001-2013_C.7.5.3.e ISO 27001:2013 C.7.5.3.e Support Control of documented information Shared n/a For the control of documented information, the organization shall address the following activities, as applicable: e) control of changes (e.g. version control); and Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled. NOTE Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc. link 3
ISO27001-2013 C.7.5.3.f ISO27001-2013_C.7.5.3.f ISO 27001:2013 C.7.5.3.f Support Control of documented information Shared n/a For the control of documented information, the organization shall address the following activities, as applicable: f) retention and disposition. Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled. NOTE Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc. link 7
mp.info.1 Personal data mp.info.1 Personal data 404 not found n/a n/a 33
mp.info.6 Backups mp.info.6 Backups 404 not found n/a n/a 65
mp.s.2 Protection of web services and applications mp.s.2 Protection of web services and applications 404 not found n/a n/a 102
NIST_SP_800-171_R2_3 .12.4 NIST_SP_800-171_R2_3.12.4 NIST SP 800-171 R2 3.12.4 Security Assessment Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [SP 800-18] provides guidance on developing security plans. [NIST CUI] provides supplemental material for Special Publication 800-171 including templates for system security plans. link 8
NIST_SP_800-53_R4 PL-2 NIST_SP_800-53_R4_PL-2 NIST SP 800-53 Rev. 4 PL-2 Planning System Security Plan Shared n/a The organization: a. Develops a security plan for the information system that: 1. Is consistent with the organization’s enterprise architecture; 2. Explicitly defines the authorization boundary for the system; 3. Describes the operational context of the information system in terms of missions and business processes; 4. Provides the security categorization of the information system including supporting rationale; 5. Describes the operational environment for the information system and relationships with or connections to other information systems; 6. Provides an overview of the security requirements for the system; 7. Identifies any relevant overlays, if applicable; 8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and 9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; c. Reviews the security plan for the information system [Assignment: organization-defined frequency]; d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and e. Protects the security plan from unauthorized disclosure and modification. Supplemental Guidance: Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. References: NIST Special Publication 800-18. link 6
NIST_SP_800-53_R4 PL-2(3) NIST_SP_800-53_R4_PL-2(3) NIST SP 800-53 Rev. 4 PL-2 (3) Planning Plan / Coordinate With Other Organizational Entities Shared n/a The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. Supplemental Guidance: Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate. Related controls: CP-4, IR-4. link 3
NIST_SP_800-53_R5 PL-2 NIST_SP_800-53_R5_PL-2 NIST SP 800-53 Rev. 5 PL-2 Planning System Security and Privacy Plans Shared n/a a. Develop security and privacy plans for the system that: 1. Are consistent with the organization???s enterprise architecture; 2. Explicitly define the constituent system components; 3. Describe the operational context of the system in terms of mission and business processes; 4. Identify the individuals that fulfill system roles and responsibilities; 5. Identify the information types processed, stored, and transmitted by the system; 6. Provide the security categorization of the system, including supporting rationale; 7. Describe any specific threats to the system that are of concern to the organization; 8. Provide the results of a privacy risk assessment for systems processing personally identifiable information; 9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components; 10. Provide an overview of the security and privacy requirements for the system; 11. Identify any relevant control baselines or overlays, if applicable; 12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; 13. Include risk determinations for security and privacy architecture and design decisions; 14. Include security- and privacy-related activities affecting the system that require planning and coordination with [Assignment: organization-defined individuals or groups]; and 15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation. b. Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-defined personnel or roles]; c. Review the plans [Assignment: organization-defined frequency]; d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and e. Protect the plans from unauthorized disclosure and modification. link 6
op.pl.3 Acquisition of new components op.pl.3 Acquisition of new components 404 not found n/a n/a 61
org.1 Security policy org.1 Security policy 404 not found n/a n/a 94
org.2 Security regulations org.2 Security regulations 404 not found n/a n/a 100
org.3 Security procedures org.3 Security procedures 404 not found n/a n/a 83
org.4 Authorization process org.4 Authorization process 404 not found n/a n/a 126
SOC_2 CC1.2 SOC_2_CC1.2 SOC 2 Type 2 CC1.2 Control Environment COSO Principle 2 Shared The customer is responsible for implementing this recommendation. • Establishes Oversight Responsibilities — The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations. • Applies Relevant Expertise — The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action. • Operates Independently — The board of directors has sufficient members who are independent from management and objective in evaluations and decision making. 5
SOC_2 CC1.3 SOC_2_CC1.3 SOC 2 Type 2 CC1.3 Control Environment COSO Principle 3 Shared The customer is responsible for implementing this recommendation. Considers All Structures of the Entity — Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives. • Establishes Reporting Lines — Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity. • Defines, Assigns, and Limits Authorities and Responsibilities — Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization • Addresses Specific Requirements When Defining Authorities and Responsibilities — Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities. • Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities — Management and the board of directors consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities 5
SOC_2 CC2.3 SOC_2_CC2.3 SOC 2 Type 2 CC2.3 Communication and Information COSO Principle 15 Shared The customer is responsible for implementing this recommendation. Communicates to External Parties — Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties. • Enables Inbound Communications — Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information. • Communicates With the Board of Directors — Relevant information resulting from assessments conducted by external parties is communicated to the board of directors. • Provides Separate Communication Lines — Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. • Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations. Additional point of focus that applies only to an engagement using the trust services criteria for confidentiality: • Communicates Objectives Related to Confidentiality and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality.Page 20 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS Additional point of focus that applies only to an engagement using the trust services criteria for privacy: • Communicates Objectives Related to Privacy and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives related to privacy and changes to those objectives. Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level: • Communicates Information About System Operation and Boundaries — The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation. • Communicates System Objectives — The entity communicates its system objectives to appropriate external users. • Communicates System Responsibilities — External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities. • Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters — External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel. 14
SWIFT_CSCF_v2022 1.2 SWIFT_CSCF_v2022_1.2 SWIFT CSCF v2022 1.2 1. Restrict Internet Access & Protect Critical Systems from General IT Environment Restrict and control the allocation and usage of administrator-level operating system accounts. Shared n/a Access to administrator-level operating system accounts is restricted to the maximum extent possible. Usage is controlled, monitored, and only permitted for relevant activities such as software installation and configuration, maintenance, and emergency activities. At all other times, an account with the least privilege access is used. link 22
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add b2ea1058-8998-3dd1-84f1-82132ad482fd
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC