compliance controls are associated with this Policy definition 'A Microsoft Entra administrator should be provisioned for PostgreSQL servers' (b4dec045-250a-48c2-b5cc-e0c4eec8b5b4)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v3.0 |
IM-1 |
Azure_Security_Benchmark_v3.0_IM-1 |
Microsoft cloud security benchmark IM-1 |
Identity Management |
Use centralized identity and authentication system |
Shared |
**Security Principle:**
Use a centralized identity and authentication system to govern your organization's identities and authentications for cloud and non-cloud resources.
**Azure Guidance:**
Microsoft Entra ID is Azure's identity and authentication management service. You should standardize on Microsoft Entra ID to govern your organization's identity and authentication in:
- Microsoft cloud resources, such as the Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.
- Your organization's resources, such as applications on Azure, third-party applications running on your corporate network resources, and third-party SaaS applications.
- Your enterprise identities in Active Directory by synchronization to Microsoft Entra ID to ensure a consistent and centrally managed identity strategy.
Note: As soon as it is technically feasible, you should migrate on-premises Active Directory based applications to Microsoft Entra ID. This could be a Microsoft Entra Enterprise Directory, Business to Business configuration, or Business to consumer configuration.
**Implementation and additional context:**
Tenancy in Microsoft Entra ID:
https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps
How to create and configure a Microsoft Entra instance:
https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant
Define Microsoft Entra ID tenants:
https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/
Use external identity providers for an application:
https://docs.microsoft.com/azure/active-directory/b2b/identity-providers
|
n/a |
link |
15 |
| Canada_Federal_PBMM_3-1-2020 |
AC_14 |
Canada_Federal_PBMM_3-1-2020_AC_14 |
Canada Federal PBMM 3-1-2020 AC 14 |
Permitted Actions Without Identification or Authentication |
Permitted Actions without Identification or Authentication |
Shared |
1. The organization identifies user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions.
2. The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication. |
To ensure transparency and accountability in the system's security measures. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
AC_3 |
Canada_Federal_PBMM_3-1-2020_AC_3 |
Canada Federal PBMM 3-1-2020 AC 3 |
Access Enforcement |
Access Enforcement |
Shared |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
To mitigate the risk of unauthorized access. |
|
33 |
| Canada_Federal_PBMM_3-1-2020 |
IA_1 |
Canada_Federal_PBMM_3-1-2020_IA_1 |
Canada Federal PBMM 3-1-2020 IA 1 |
Identification and Authentication Policy and Procedures |
Identification and Authentication Policy and Procedures |
Shared |
1. The organization Develops, documents, and disseminates to all personnel:
a. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
2. The organization Reviews and updates the current:
a. Identification and authentication policy at least every 3 years; and
b. Identification and authentication procedures at least annually. |
To ensure secure access control and compliance with established standards. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
IA_2 |
Canada_Federal_PBMM_3-1-2020_IA_2 |
Canada Federal PBMM 3-1-2020 IA 2 |
Identification and Authentication (Organizational Users) |
Identification and Authentication (Organizational Users) |
Shared |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
To prevent unauthorized access and maintain system security. |
|
19 |
| Canada_Federal_PBMM_3-1-2020 |
IA_4(2) |
Canada_Federal_PBMM_3-1-2020_IA_4(2) |
Canada Federal PBMM 3-1-2020 IA 4(2) |
Identifier Management |
Identifier Management | Supervisor Authorization |
Shared |
The organization requires that the registration process to receive an individual identifier includes supervisor authorization. |
To ensure accountability and authorization by requiring supervisor approval during the registration process for individual identifiers. |
|
18 |
| Canada_Federal_PBMM_3-1-2020 |
IA_4(3) |
Canada_Federal_PBMM_3-1-2020_IA_4(3) |
Canada Federal PBMM 3-1-2020 IA 4(3) |
Identifier Management |
Identifier Management | Multiple Forms of Certification |
Shared |
The organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority. |
To enhance the reliability and accuracy of individual identification. |
|
18 |
| Canada_Federal_PBMM_3-1-2020 |
IA_8 |
Canada_Federal_PBMM_3-1-2020_IA_8 |
Canada Federal PBMM 3-1-2020 IA 8 |
Identification and Authentication (Non-Organizational Users) |
Identification and Authentication (Non-Organizational Users) |
Shared |
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). |
To ensure secure access and accountability. |
|
16 |
| CMMC_L2_v1.9.0 |
IA.L2_3.5.7 |
CMMC_L2_v1.9.0_IA.L2_3.5.7 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 IA.L2 3.5.7 |
Identification and Authentication |
Password Complexity |
Shared |
Enforce a minimum password complexity and change of characters when new passwords are created. |
To reduce the risk of unauthorized access through password guessing or brute force attacks. |
|
6 |
| CSA_v4.0.12 |
IAM_01 |
CSA_v4.0.12_IAM_01 |
CSA Cloud Controls Matrix v4.0.12 IAM 01 |
Identity & Access Management |
Identity and Access Management Policy and Procedures |
Shared |
n/a |
Establish, document, approve, communicate, implement, apply, evaluate
and maintain policies and procedures for identity and access management. Review
and update the policies and procedures at least annually. |
|
24 |
| CSA_v4.0.12 |
IAM_02 |
CSA_v4.0.12_IAM_02 |
CSA Cloud Controls Matrix v4.0.12 IAM 02 |
Identity & Access Management |
Strong Password Policy and Procedures |
Shared |
n/a |
Establish, document, approve, communicate, implement, apply, evaluate
and maintain strong password policies and procedures. Review and update the
policies and procedures at least annually. |
|
52 |
| CSA_v4.0.12 |
IAM_03 |
CSA_v4.0.12_IAM_03 |
CSA Cloud Controls Matrix v4.0.12 IAM 03 |
Identity & Access Management |
Identity Inventory |
Shared |
n/a |
Manage, store, and review the information of system identities, and
level of access. |
|
7 |
| CSA_v4.0.12 |
IAM_14 |
CSA_v4.0.12_IAM_14 |
CSA Cloud Controls Matrix v4.0.12 IAM 14 |
Identity & Access Management |
Strong Authentication |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures for authenticating access to systems, application and data assets,
including multifactor authentication for at least privileged user and sensitive
data access. Adopt digital certificates or alternatives which achieve an equivalent
level of security for system identities. |
|
32 |
| CSA_v4.0.12 |
IAM_15 |
CSA_v4.0.12_IAM_15 |
CSA Cloud Controls Matrix v4.0.12 IAM 15 |
Identity & Access Management |
Passwords Management |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures for the secure management of passwords. |
|
26 |
| Cyber_Essentials_v3.1 |
4 |
Cyber_Essentials_v3.1_4 |
Cyber Essentials v3.1 4 |
Cyber Essentials |
User Access Control |
Shared |
n/a |
Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role. |
|
74 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
193 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
310 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.6 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.6 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.6 |
Policy and Implementation - Identification And Authentication |
Identification And Authentication |
Shared |
Ensure and maintain the proper identification and authentications measures with appropriate security safeguards to avoid issues like identity theft. |
1. Identification is a unique, auditable representation of an identity within an information system usually in the form of a simple character string for each individual user, machine, software component, or any other entity.
2. Authentication refers to mechanisms or processes to verify the identity of a user, process, or device, as a prerequisite to allowing access to a system's resources. |
|
19 |
| HITRUST_CSF_v11.3 |
01.q |
HITRUST_CSF_v11.3_01.q |
HITRUST CSF v11.3 01.q |
Operating System Access Control |
Prevent unauthorized access to operating systems and implement authentication technique to verify user. |
Shared |
1. Each user ID in the information system to be assigned to a specific named individual to ensure accountability.
2. Multi-factor authentication to be implemented for network and local access to privileged accounts.
3. Users to be uniquely identified and authenticated for local access and remote access.
4. Biometric-based electronic signatures and multifactor authentication to be implemented to ensure exclusive ownership validation and enhanced security for both remote and local network access to privileged and non-privileged accounts. |
All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user. |
|
30 |
| ISO_IEC_27002_2022 |
5.17 |
ISO_IEC_27002_2022_5.17 |
ISO IEC 27002 2022 5.17 |
Protection,
Preventive Control |
Authentication information |
Shared |
Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information.
|
To ensure proper entity authentication and prevent failures of authentication processes. |
|
4 |
| ISO_IEC_27017_2015 |
9.2.4 |
ISO_IEC_27017_2015_9.2.4 |
ISO IEC 27017 2015 9.2.4 |
Access Control |
Management of secret authentication information of users |
Shared |
For Cloud Service Customer:
The cloud service customer should verify that the cloud service provider's management procedure for allocating secret authentication information, such as passwords, meets the cloud service customer's requirements.
For Cloud Service Provider:
The cloud service provider should provide information on procedures for the management of the secret authentication information of the cloud service customer, including the procedures for allocating such information and for user authentication.
|
To ensure proper entity authentication and prevent failures of authentication processes. |
|
6 |
| New_Zealand_ISM |
16.1.32.C.01 |
New_Zealand_ISM_16.1.32.C.01 |
New_Zealand_ISM_16.1.32.C.01 |
16. Access Control and Passwords |
16.1.32.C.01 System user identification |
|
n/a |
Agencies MUST ensure that all system users are: uniquely identifiable; and authenticated on each occasion that access is granted to a system. |
|
18 |
| NIST_CSF_v2.0 |
PR.AA_01 |
NIST_CSF_v2.0_PR.AA_01 |
NIST CSF v2.0 PR.AA 01 |
PROTECT- Identity Management, Authentication, and Access |
Identities and credentials for authorized users, services, and hardware are managed by the organization. |
Shared |
n/a |
To implement safeguards for managing organization’s cybersecurity risks. |
|
4 |
| NIST_SP_800-171_R3_3 |
.5.12 |
NIST_SP_800-171_R3_3.5.12 |
NIST 800-171 R3 3.5.12 |
Identification and Authentication Control |
Authenticator Management |
Shared |
Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. The initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, requirements for authenticator content contain specific characteristics. Authenticator management is supported by organization-defined settings and restrictions for various authenticator characteristics (e.g., password complexity and composition rules, validation time window for time synchronous one-time tokens, and the number of allowed rejections during the verification stage of biometric authentication).
The requirement to protect individual authenticators may be implemented by 03.15.03 for authenticators in the possession of individuals and by 03.01.01, 03.01.02, 03.01.05, and 03.13.08 for authenticators stored in organizational systems. This includes passwords stored in hashed or encrypted formats or files that contain encrypted or hashed passwords accessible with administrator privileges. Actions can be taken to protect authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well-known, easily discoverable, and present a significant risk. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed. The use of long passwords or passphrases may obviate the need to periodically change authenticators. |
a. Verify the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution.
b. Establish initial authenticator content for any authenticators issued by the organization.
c. Establish and implement administrative procedures for initial authenticator distribution, for lost, compromised, or damaged authenticators, and for revoking authenticators.
d. Change default authenticators at first use.
e. Change or refresh authenticators periodically or when the following events occur:[Assignment: organization-defined events].
f. Protect authenticator content from unauthorized disclosure and modification. |
|
6 |
| NIST_SP_800-171_R3_3 |
.5.7 |
NIST_SP_800-171_R3_3.5.7 |
404 not found |
|
|
|
n/a |
n/a |
|
6 |
| NIST_SP_800-53_R5.1.1 |
IA.5 |
NIST_SP_800-53_R5.1.1_IA.5 |
NIST SP 800-53 R5.1.1 IA.5 |
Identification and Authentication Control |
Authenticator Management |
Shared |
Manage system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
b. Establishing initial authenticator content for any authenticators issued by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
e. Changing default authenticators prior to first use;
f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;
g. Protecting authenticator content from unauthorized disclosure and modification;
h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
i. Changing authenticators for group or role accounts when membership to those accounts changes. |
Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.
Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed. |
|
4 |
| NZISM_v3.7 |
16.1.33.C.01. |
NZISM_v3.7_16.1.33.C.01. |
NZISM v3.7 16.1.33.C.01. |
Identification, Authentication and Passwords |
16.1.33.C.01. - promote security and accountability within the agency's systems. |
Shared |
n/a |
Agencies MUST NOT use shared credentials to access accounts. |
|
25 |
| NZISM_v3.7 |
16.1.33.C.02. |
NZISM_v3.7_16.1.33.C.02. |
NZISM v3.7 16.1.33.C.02. |
Identification, Authentication and Passwords |
16.1.33.C.02. - promote security and accountability within the agency's systems. |
Shared |
n/a |
Agencies SHOULD NOT use shared credentials to access accounts. |
|
25 |
| NZISM_v3.7 |
16.1.34.C.01. |
NZISM_v3.7_16.1.34.C.01. |
NZISM v3.7 16.1.34.C.01. |
Identification, Authentication and Passwords |
16.1.34.C.01. - promote security and accountability within the agency's systems. |
Shared |
n/a |
If agencies choose to allow shared, non user-specific accounts they MUST ensure that an independent means of determining the identification of the system user is implemented. |
|
25 |
| NZISM_v3.7 |
16.1.35.C.02. |
NZISM_v3.7_16.1.35.C.02. |
NZISM v3.7 16.1.35.C.02. |
Identification, Authentication and Passwords |
16.1.35.C.02. - implement additional authentication factors to enhance security.
|
Shared |
n/a |
Agencies SHOULD ensure that they combine the use of multiple methods when identifying and authenticating system users. |
|
25 |
| NZISM_v3.7 |
16.1.36.C.01. |
NZISM_v3.7_16.1.36.C.01. |
NZISM v3.7 16.1.36.C.01. |
Identification, Authentication and Passwords |
16.1.36.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies MUST NOT allow storage of unprotected authentication information that grants system access, or decrypts an encrypted device, to be located on, or with the system or device, to which the authentication information grants access. |
|
17 |
| NZISM_v3.7 |
16.1.37.C.01. |
NZISM_v3.7_16.1.37.C.01. |
NZISM v3.7 16.1.37.C.01. |
Identification, Authentication and Passwords |
16.1.37.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies MUST ensure that system authentication data is protected when in transit on agency networks or All-of-Government systems. |
|
17 |
| NZISM_v3.7 |
16.1.38.C.01. |
NZISM_v3.7_16.1.38.C.01. |
NZISM v3.7 16.1.38.C.01. |
Identification, Authentication and Passwords |
16.1.38.C.01. - enhance overall security posture. |
Shared |
n/a |
Password and other authentication data SHOULD be hashed before storage using an approved cryptographic protocol and algorithm. |
|
2 |
| NZISM_v3.7 |
16.1.39.C.01. |
NZISM_v3.7_16.1.39.C.01. |
NZISM v3.7 16.1.39.C.01. |
Identification, Authentication and Passwords |
16.1.39.C.01. - enhance overall security posture. |
Shared |
n/a |
Where systems contain NZEO or other nationalities releasability marked or protectively marked information, agencies MUST provide a mechanism that allows system users and processes to identify users who are foreign nationals, including seconded foreign nationals. |
|
17 |
| NZISM_v3.7 |
16.1.39.C.02. |
NZISM_v3.7_16.1.39.C.02. |
NZISM v3.7 16.1.39.C.02. |
Identification, Authentication and Passwords |
16.1.39.C.02. - enhance overall security posture. |
Shared |
n/a |
Agencies using NZEO systems SHOULD ensure that identification includes specific nationality for all foreign nationals, including seconded foreign nationals. |
|
17 |
| NZISM_v3.7 |
16.1.41.C.01. |
NZISM_v3.7_16.1.41.C.01. |
NZISM v3.7 16.1.41.C.01. |
Identification, Authentication and Passwords |
16.1.41.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies MUST:
1. ensure that passwords are changed at least every 90 days;
2. prevent system users from changing their password more than once a day;
3. check passwords for compliance with their password selection policy where the system cannot be configured to enforce complexity requirements; and
4. force the system user to change an expired password on initial logon or if reset. |
|
2 |
| NZISM_v3.7 |
16.1.41.C.02. |
NZISM_v3.7_16.1.41.C.02. |
NZISM v3.7 16.1.41.C.02. |
Identification, Authentication and Passwords |
16.1.41.C.02. - enhance overall security posture. |
Shared |
n/a |
Agencies MUST NOT:
1. allow predictable reset passwords;
2. reuse passwords when resetting multiple accounts;
3. store passwords in the clear on the system;
4. allow passwords to be reused within eight password changes; and
5. allow system users to use sequential passwords. |
|
17 |
| NZISM_v3.7 |
16.1.41.C.03. |
NZISM_v3.7_16.1.41.C.03. |
NZISM v3.7 16.1.41.C.03. |
Identification, Authentication and Passwords |
16.1.41.C.03. - enhance overall security posture. |
Shared |
n/a |
Agencies SHOULD:
1. ensure that passwords are changed at least every 90 days;
2. prevent system users from changing their password more than once a day;
3. check passwords for compliance with their password selection policy where the system cannot be configured to enforce complexity requirements; and
4. force the system user to change an expired password on initial logon or if the password is reset. |
|
2 |
| NZISM_v3.7 |
16.1.41.C.04. |
NZISM_v3.7_16.1.41.C.04. |
NZISM v3.7 16.1.41.C.04. |
Identification, Authentication and Passwords |
16.1.41.C.04. - enhance overall security posture. |
Shared |
n/a |
Agencies SHOULD NOT:
1. allow predictable reset passwords;
2. reuse passwords when resetting multiple accounts;
3. store passwords in the clear on the system;
4. allow passwords to be reused within eight password changes; and
5. allow system users to use sequential passwords. |
|
2 |
| NZISM_v3.7 |
16.1.42.C.01. |
NZISM_v3.7_16.1.42.C.01. |
NZISM v3.7 16.1.42.C.01. |
Identification, Authentication and Passwords |
16.1.42.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies MUST ensure system users provide sufficient evidence to verify their identity when requesting a password reset for their system account. |
|
2 |
| NZISM_v3.7 |
16.1.43.C.01. |
NZISM_v3.7_16.1.43.C.01. |
NZISM v3.7 16.1.43.C.01. |
Identification, Authentication and Passwords |
16.1.43.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies SHOULD disable LAN Manager for password authentication on workstations and servers. |
|
17 |
| NZISM_v3.7 |
16.1.48.C.02. |
NZISM_v3.7_16.1.48.C.02. |
NZISM v3.7 16.1.48.C.02. |
Identification, Authentication and Passwords |
16.1.48.C.02. - enhance overall security posture. |
Shared |
n/a |
Agencies SHOULD seek legal advice on the exact wording of logon banners. |
|
16 |
| PCI_DSS_v4.0.1 |
2.2.2 |
PCI_DSS_v4.0.1_2.2.2 |
PCI DSS v4.0.1 2.2.2 |
Apply Secure Configurations to All System Components |
Vendor default accounts are managed as follows: If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6. If the vendor default account(s) will not be used, the account is removed or disabled |
Shared |
n/a |
Examine system configuration standards to verify they include managing vendor default accounts in accordance with all elements specified in this requirement. Examine vendor documentation and observe a system administrator logging on using vendor default accounts to verify accounts are implemented in accordance with all elements specified in this requirement. Examine configuration files and interview personnel to verify that all vendor default accounts that will not be used are removed or disabled |
|
4 |
| PCI_DSS_v4.0.1 |
2.3.1 |
PCI_DSS_v4.0.1_2.3.1 |
PCI DSS v4.0.1 2.3.1 |
Apply Secure Configurations to All System Components |
For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to: Default wireless encryption keys. Passwords on wireless access points. SNMP defaults. Any other security-related wireless vendor defaults |
Shared |
n/a |
Examine policies and procedures and interview responsible personnel to verify that processes are defined for wireless vendor defaults to either change them upon installation or to confirm them to be secure in accordance with all elements of this requirement. Examine vendor documentation and observe a system administrator logging into wireless devices to verify: SNMP defaults are not used. Default passwords/passphrases on wireless access points are not used. Examine vendor documentation and wireless configuration settings to verify other security-related wireless vendor defaults were changed, if applicable |
|
4 |
| PCI_DSS_v4.0.1 |
3.2.1 |
PCI_DSS_v4.0.1_3.2.1 |
PCI DSS v4.0.1 3.2.1 |
Protect Stored Account Data |
Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: coverage for all locations of stored account data, coverage for any sensitive authentication data (SAD) stored prior to completion of authorization, limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements, specific retention requirements for stored account data that defines length of retention period and includes a documented business justification, processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy, a process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable |
Shared |
n/a |
Examine the data retention and disposal policies, procedures, and processes and interview personnel to verify processes are defined to include all elements specified in this requirement. Examine files and system records on system components where account data is stored to verify that the data storage amount and retention time does not exceed the requirements defined in the data retention policy. Observe the mechanisms used to render account data unrecoverable to verify data cannot be recovered |
|
4 |
| PCI_DSS_v4.0.1 |
3.3.3 |
PCI_DSS_v4.0.1_3.3.3 |
PCI DSS v4.0.1 3.3.3 |
Protect Stored Account Data |
Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is limited to that which is needed for a legitimate issuing business need and is secured. Encrypted using strong cryptography |
Shared |
n/a |
Additional testing procedure for issuers and companies that support issuing services and store sensitive authentication data: Examine documented policies and interview personnel to verify there is a documented business justification for the storage of sensitive authentication data. Examine data stores and system configurations to verify that the sensitive authentication data is stored securely |
|
6 |
| Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes Oxley Act 2022 1 |
PUBLIC LAW |
Sarbanes Oxley Act 2022 (SOX) |
Shared |
n/a |
n/a |
|
92 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
218 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
229 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
213 |
| SWIFT_CSCF_2024 |
4.1 |
SWIFT_CSCF_2024_4.1 |
SWIFT Customer Security Controls Framework 2024 4.1 |
Password Management |
Password Policy |
Shared |
1. Implementing a password policy that protects against common password attacks (for example, guessing and brute force) is effective for protecting against account compromise. Attackers often use the privileges of a compromised account to move laterally within an environment and progress the attack.
2. Another risk is the compromise of local authentication keys to tamper with the integrity of transactions. However, it is important to recognise that passwords alone are generally not sufficient in the current cyber-threat landscape. Users should consider this control in close relationship with the multi-factor authentication requirement. |
To ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. |
|
7 |
| SWIFT_CSCF_2024 |
5.2 |
SWIFT_CSCF_2024_5.2 |
SWIFT Customer Security Controls Framework 2024 5.2 |
Access Control |
Token Management |
Shared |
1. The protection of connected and disconnected hardware authentication, personal tokens or software tokens is essential to safeguard the related operator or system account.
2. It also reinforces good security practice by providing an additional layer of protection from attackers. |
To ensure the proper management, tracking, and use of connected and disconnected hardware authentication or personal and software tokens (when tokens are used). |
|
7 |
| SWIFT_CSCF_2024 |
5.4 |
SWIFT_CSCF_2024_5.4 |
SWIFT Customer Security Controls Framework 2024 5.4 |
Password Management |
Password Repository Protection |
Shared |
1. The secure storage of recorded passwords (repository) makes sure that passwords are not easily accessible to others, thereby protecting against simple password theft.
2. Common unsecure methods include, but are not limited to: recording passwords in a spreadsheet or a text document saved in cleartext on a desktop, or in a shared directory, or a server, saved on a mobile phone, written/printed on a post-it or a leaflet.
3. This control covers the storage of emergency, privileged or any other account passwords.
4. All accounts have to be considered because (i) combination of compromised, not-privileged, accounts, such as transaction creator account and approver account can be damageable, and (ii) even monitoring accounts provide valuable information during the reconnaissance time. |
To protect physically and logically the repository of recorded passwords. |
|
7 |
|
U.10.5 - Competent |
U.10.5 - Competent |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
| UK_NCSC_CAF_v3.2 |
B2.a |
UK_NCSC_CAF_v3.2_B2.a |
NCSC Cyber Assurance Framework (CAF) v3.2 B2.a |
Identity and Access Control |
Identity Verification, Authentication and Authorisation |
Shared |
1. The process of initial identity verification is robust enough to provide a high level of confidence of a user’s identity profile before allowing an authorised user access to networks and information systems that support the essential function.
2. Only authorised and individually authenticated users can physically access and logically connect to the networks or information systems on which that essential function depends.
3. The number of authorised users and systems that have access to all the networks and information systems supporting the essential function is limited to the minimum necessary.
4. Use additional authentication mechanisms, such as multi-factor (MFA), for privileged access to all systems that operate or support the essential function.
5. Use additional authentication mechanisms, such as multi-factor (MFA), when there is individual authentication and authorisation of all remote user access to all the networks and information systems that support the essential function.
6. The list of users and systems with access to networks and systems supporting and delivering the essential functions reviewed on a regular basis, at least every six months. |
The organisation understands, documents and manages access to networks and information systems supporting the operation of essential functions. Users (or automated functions) that can access data or systems are appropriately verified, authenticated and authorised. Robustly verify, authenticate and authorise access to the networks and information systems supporting the essential function. |
|
32 |
| UK_NCSC_CAF_v3.2 |
B4.b |
UK_NCSC_CAF_v3.2_B4.b |
NCSC Cyber Assurance Framework (CAF) v3.2 B4.b |
System Security |
Secure Configuration |
Shared |
1. Identify, document and actively manage (e.g. maintain security configurations, patching, updating according to good practice) the assets that need to be carefully configured to maintain the security of the essential function.
2. All platforms conform to secure, defined baseline build, or the latest known good configuration version for that environment.
3. Closely and effectively manage changes in the environment, ensuring that network and system configurations are secure and documented.
4. Regularly review and validate that your network and information systems have the expected, secure settings and configuration.
5. Only permitted software can be installed and standard users cannot change settings that would impact security or the business operation.
6. If automated decision-making technologies are in use, their operation is well understood, and decisions can be replicated. |
Securely configure the network and information systems that support the operation of essential functions. |
|
36 |