last sync: 2025-Feb-18 18:37:08 UTC

An activity log alert should exist for specific Administrative operations

Azure BuiltIn Policy definition

Source Azure Portal
Display name An activity log alert should exist for specific Administrative operations
Id b954148f-4c11-4c38-8221-be76711e194a
Version 1.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.0
Built-in Versioning [Preview]
Category Monitoring
Microsoft Learn
Description This policy audits specific Administrative operations with no activity log alerts configured.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.*.*'
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (4)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Insights/ActivityLogAlerts/condition.allOf[*] microsoft.insights activityLogAlerts properties.condition.allOf[*] True False
Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals microsoft.insights activityLogAlerts properties.condition.allOf[*].equals True False
Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field microsoft.insights activityLogAlerts properties.condition.allOf[*].field True False
Microsoft.Insights/ActivityLogAlerts/enabled microsoft.insights activityLogAlerts properties.enabled True False
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 170 compliance controls are associated with this Policy definition 'An activity log alert should exist for specific Administrative operations' (b954148f-4c11-4c38-8221-be76711e194a)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Canada_Federal_PBMM_3-1-2020 AC_14 Canada_Federal_PBMM_3-1-2020_AC_14 Canada Federal PBMM 3-1-2020 AC 14 Permitted Actions Without Identification or Authentication Permitted Actions without Identification or Authentication Shared 1. The organization identifies user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions. 2. The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication. To ensure transparency and accountability in the system's security measures. 19
Canada_Federal_PBMM_3-1-2020 AC_2(4) Canada_Federal_PBMM_3-1-2020_AC_2(4) Canada Federal PBMM 3-1-2020 AC 2(4) Account Management Account Management | Automated Audit Actions Shared 1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers. 2. Related controls: AU-2, AU-12. To ensure accountability and transparency within the information system. 53
Canada_Federal_PBMM_3-1-2020 AC_3 Canada_Federal_PBMM_3-1-2020_AC_3 Canada Federal PBMM 3-1-2020 AC 3 Access Enforcement Access Enforcement Shared The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. To mitigate the risk of unauthorized access. 33
Canada_Federal_PBMM_3-1-2020 AC_6(9) Canada_Federal_PBMM_3-1-2020_AC_6(9) Canada Federal PBMM 3-1-2020 AC 6(9) Least Privilege Least Privilege | Auditing Use of Privileged Functions Shared The information system audits the execution of privileged functions. To enhance oversight and detect potential security breaches or unauthorized activities. 15
Canada_Federal_PBMM_3-1-2020 AU_1 Canada_Federal_PBMM_3-1-2020_AU_1 Canada Federal PBMM 3-1-2020 AU 1 Audit and Accountability Policy and Procedures Audit and Accountability Policy and Procedures Shared 1. The organization develops, documents, and disseminates to personnel or roles with audit responsibilities; a. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. 2. The organization reviews and updates the current: a. Audit and accountability policy at least every three years; and b. Audit and accountability procedures at least annually. To ensure adherence to policies, alignment with regulatory requirements, and ongoing effectiveness of controls. 5
Canada_Federal_PBMM_3-1-2020 AU_12 Canada_Federal_PBMM_3-1-2020_AU_12 Canada Federal PBMM 3-1-2020 AU 12 Audit Generation Audit Generation Shared 1. The information system provides audit record generation capability for the auditable events defined in AU-2 a. of all information system and network components where audit capability is deployed/available. 2. The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system. 3. The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. To support effective monitoring and logging of security events. 5
Canada_Federal_PBMM_3-1-2020 CA_7 Canada_Federal_PBMM_3-1-2020_CA_7 Canada Federal PBMM 3-1-2020 CA 7 Continuous Monitoring Continuous Monitoring Shared 1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency. To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements. 125
Canada_Federal_PBMM_3-1-2020 IA_1 Canada_Federal_PBMM_3-1-2020_IA_1 Canada Federal PBMM 3-1-2020 IA 1 Identification and Authentication Policy and Procedures Identification and Authentication Policy and Procedures Shared 1. The organization Develops, documents, and disseminates to all personnel: a. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. 2. The organization Reviews and updates the current: a. Identification and authentication policy at least every 3 years; and b. Identification and authentication procedures at least annually. To ensure secure access control and compliance with established standards. 19
Canada_Federal_PBMM_3-1-2020 IA_2 Canada_Federal_PBMM_3-1-2020_IA_2 Canada Federal PBMM 3-1-2020 IA 2 Identification and Authentication (Organizational Users) Identification and Authentication (Organizational Users) Shared The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). To prevent unauthorized access and maintain system security. 19
Canada_Federal_PBMM_3-1-2020 IA_4(2) Canada_Federal_PBMM_3-1-2020_IA_4(2) Canada Federal PBMM 3-1-2020 IA 4(2) Identifier Management Identifier Management | Supervisor Authorization Shared The organization requires that the registration process to receive an individual identifier includes supervisor authorization. To ensure accountability and authorization by requiring supervisor approval during the registration process for individual identifiers. 18
Canada_Federal_PBMM_3-1-2020 IA_4(3) Canada_Federal_PBMM_3-1-2020_IA_4(3) Canada Federal PBMM 3-1-2020 IA 4(3) Identifier Management Identifier Management | Multiple Forms of Certification Shared The organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority. To enhance the reliability and accuracy of individual identification. 18
Canada_Federal_PBMM_3-1-2020 IA_5(3) Canada_Federal_PBMM_3-1-2020_IA_5(3) Canada Federal PBMM 3-1-2020 IA 5(3) Authenticator Management Authenticator Management | In-Person or Trusted Third-Party Registration Shared The organization requires that the registration process to receive be conducted in person before an organization-defined registration authority with authorization by organization-defined personnel or roles. To enhance security and accountability within the organization's registration procedures. 25
Canada_Federal_PBMM_3-1-2020 IA_8 Canada_Federal_PBMM_3-1-2020_IA_8 Canada Federal PBMM 3-1-2020 IA 8 Identification and Authentication (Non-Organizational Users) Identification and Authentication (Non-Organizational Users) Shared The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). To ensure secure access and accountability. 16
Canada_Federal_PBMM_3-1-2020 SI_4 Canada_Federal_PBMM_3-1-2020_SI_4 Canada Federal PBMM 3-1-2020 SI 4 Information System Monitoring Information System Monitoring Shared 1. The organization monitors the information system to detect: a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and b. Unauthorized local, network, and remote connections; 2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods. 3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. 4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. 5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. 6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards. 7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency. To enhance overall security posture. 95
Canada_Federal_PBMM_3-1-2020 SI_4(1) Canada_Federal_PBMM_3-1-2020_SI_4(1) Canada Federal PBMM 3-1-2020 SI 4(1) Information System Monitoring Information System Monitoring | System-Wide Intrusion Detection System Shared The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. To enhance overall security posture. 95
Canada_Federal_PBMM_3-1-2020 SI_4(2) Canada_Federal_PBMM_3-1-2020_SI_4(2) Canada Federal PBMM 3-1-2020 SI 4(2) Information System Monitoring Information System Monitoring | Automated Tools for Real-Time Analysis Shared The organization employs automated tools to support near real-time analysis of events. To enhance overall security posture. 94
CIS_Azure_1.1.0 5.2.2 CIS_Azure_1.1.0_5.2.2 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Shared The customer is responsible for implementing this recommendation. Create an Activity Log Alert for the "Create" or "Update Network Security Group" event. link 4
CIS_Azure_1.1.0 5.2.3 CIS_Azure_1.1.0_5.2.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Network Security Group Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group event. link 4
CIS_Azure_1.1.0 5.2.4 CIS_Azure_1.1.0_5.2.4 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update Network Security Group Rule event. link 4
CIS_Azure_1.1.0 5.2.5 CIS_Azure_1.1.0_5.2.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 5 Logging and Monitoring Ensure that activity log alert exists for the Delete Network Security Group Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group Rule event. link 4
CIS_Azure_1.1.0 5.2.8 CIS_Azure_1.1.0_5.2.8 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. link 4
CIS_Azure_1.3.0 5.2.3 CIS_Azure_1.3.0_5.2.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Shared The customer is responsible for implementing this recommendation. Create an Activity Log Alert for the "Create" or "Update Network Security Group" event. link 4
CIS_Azure_1.3.0 5.2.4 CIS_Azure_1.3.0_5.2.4 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Network Security Group Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group event. link 4
CIS_Azure_1.3.0 5.2.5 CIS_Azure_1.3.0_5.2.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update Network Security Group Rule event. link 4
CIS_Azure_1.3.0 5.2.6 CIS_Azure_1.3.0_5.2.6 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 5 Logging and Monitoring Ensure that activity log alert exists for the Delete Network Security Group Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group Rule event. link 4
CIS_Azure_1.3.0 5.2.9 CIS_Azure_1.3.0_5.2.9 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. link 4
CIS_Azure_1.4.0 5.2.3 CIS_Azure_1.4.0_5.2.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Shared The customer is responsible for implementing this recommendation. Create an Activity Log Alert for the "Create" or "Update Network Security Group" event. link 4
CIS_Azure_1.4.0 5.2.4 CIS_Azure_1.4.0_5.2.4 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Network Security Group Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group event. link 4
CIS_Azure_1.4.0 5.2.5 CIS_Azure_1.4.0_5.2.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update Network Security Group Rule event. link 4
CIS_Azure_1.4.0 5.2.6 CIS_Azure_1.4.0_5.2.6 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 5 Logging and Monitoring Ensure that activity log alert exists for the Delete Network Security Group Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group Rule event. link 4
CIS_Azure_1.4.0 5.2.9 CIS_Azure_1.4.0_5.2.9 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. link 4
CIS_Azure_2.0.0 5.1.2 CIS_Azure_2.0.0_5.1.2 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 5.1 Ensure Diagnostic Setting captures appropriate categories Shared n/a **Prerequisite**: A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: "Ensure that a 'Diagnostic Setting' exists." The diagnostic setting should be configured to log the appropriate activities from the control/management plane. A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting. link 8
CIS_Azure_2.0.0 5.2.3 CIS_Azure_2.0.0_5.2.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 5.2 Ensure that Activity Log Alert exists for Create or Update Network Security Group Shared n/a Create an Activity Log Alert for the Create or Update Network Security Group event. Monitoring for Create or Update Network Security Group events gives insight into network access changes and may reduce the time it takes to detect suspicious activity. link 4
CIS_Azure_2.0.0 5.2.4 CIS_Azure_2.0.0_5.2.4 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 5.2 Ensure that Activity Log Alert exists for Delete Network Security Group Shared n/a Create an activity log alert for the Delete Network Security Group event. Monitoring for "Delete Network Security Group" events gives insight into network access changes and may reduce the time it takes to detect suspicious activity. link 4
CIS_Azure_2.0.0 5.2.5 CIS_Azure_2.0.0_5.2.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 5.2 Ensure that Activity Log Alert exists for Create or Update Security Solution Shared n/a Create an activity log alert for the Create or Update Security Solution event. Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity. link 4
CIS_Azure_2.0.0 5.2.6 CIS_Azure_2.0.0_5.2.6 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 5.2 Ensure that Activity Log Alert exists for Delete Security Solution Shared n/a Create an activity log alert for the Delete Security Solution event. Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity. link 4
CIS_Azure_2.0.0 5.2.7 CIS_Azure_2.0.0_5.2.7 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 5.2 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule Shared There will be a substantial increase in log size if there are a large number of administrative actions on a server. Create an activity log alert for the Create or Update SQL Server Firewall Rule event. Monitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity. link 4
CIS_Azure_2.0.0 5.2.8 CIS_Azure_2.0.0_5.2.8 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 5.2 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule Shared There will be a substantial increase in log size if there are a large number of administrative actions on a server. Create an activity log alert for the "Delete SQL Server Firewall Rule." Monitoring for Delete SQL Server Firewall Rule events gives insight into SQL network access changes and may reduce the time it takes to detect suspicious activity. link 4
CIS_Azure_Foundations_v2.1.0 5.2.1 CIS_Azure_Foundations_v2.1.0_5.2.1 CIS Azure Foundations v2.1.0 5.2.1 Logging and Monitoring Ensure that Activity Log Alert exists for Create Policy Assignment Shared n/a Ensure that an activity log alert exists for the creation of policy assignments. 2
CIS_Azure_Foundations_v2.1.0 5.2.3 CIS_Azure_Foundations_v2.1.0_5.2.3 CIS Azure Foundations v2.1.0 5.2.3 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Shared n/a Ensure that an activity log alert exists for the creation or update of network security groups. 2
CIS_Azure_Foundations_v2.1.0 5.2.5 CIS_Azure_Foundations_v2.1.0_5.2.5 CIS Azure Foundations v2.1.0 5.2.5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Security Solution Shared n/a Ensure that an activity log alert exists for the creation or update of security solutions. 1
CIS_Azure_Foundations_v2.1.0 5.2.6 CIS_Azure_Foundations_v2.1.0_5.2.6 CIS Azure Foundations v2.1.0 5.2.6 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Security Solution Shared n/a Ensure that an activity log alert exists for the deletion of security solutions. 1
CIS_Azure_Foundations_v2.1.0 5.2.7 CIS_Azure_Foundations_v2.1.0_5.2.7 CIS Azure Foundations v2.1.0 5.2.7 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule Shared n/a Ensure that an activity log alert exists for the creation or update of SQL Server firewall rules. 1
CIS_Azure_Foundations_v2.1.0 5.2.8 CIS_Azure_Foundations_v2.1.0_5.2.8 CIS Azure Foundations v2.1.0 5.2.8 Logging and Monitoring Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule Shared n/a Ensure that an activity log alert exists for the deletion of SQL Server firewall rules. 1
CIS_Controls_v8.1 10.7 CIS_Controls_v8.1_10.7 CIS Controls v8.1 10.7 Malware Defenses Use behaviour based anti-malware software Shared Use behaviour based anti-malware software To ensure that a generic anti-malware software is not used. 100
CIS_Controls_v8.1 13.1 CIS_Controls_v8.1_13.1 CIS Controls v8.1 13.1 Network Monitoring and Defense Centralize security event alerting Shared 1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard. To ensure that any security event is immediately alerted enterprise-wide. 102
CIS_Controls_v8.1 13.3 CIS_Controls_v8.1_13.3 CIS Controls v8.1 13.3 Network Monitoring and Defense Deploy a network intrusion detection solution Shared 1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. To enhance the organization's cybersecurity. 100
CIS_Controls_v8.1 18.4 CIS_Controls_v8.1_18.4 CIS Controls v8.1 18.4 Penetration Testing Validate security measures Shared Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise. 94
CIS_Controls_v8.1 4.1 CIS_Controls_v8.1_4.1 CIS Controls v8.1 4.1 Secure Configuration of Enterprise Assets and Software Establish and maintain a secure configuration process. Shared 1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). 2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. To ensure data integrity and safety of enterprise assets. 44
CIS_Controls_v8.1 8.11 CIS_Controls_v8.1_8.11 CIS Controls v8.1 8.11 Audit Log Management Conduct audit log reviews Shared 1. Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. 2. Conduct reviews on a weekly, or more frequent, basis. To ensure the integrity of the data in audit logs. 62
CIS_Controls_v8.1 8.5 CIS_Controls_v8.1_8.5 CIS Controls v8.1 8.5 Audit Log Management Collect detailed audit logs. Shared 1. Configure detailed audit logging for enterprise assets containing sensitive data. 2. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. To ensure that audit logs contain all pertinent information that might be required in a forensic investigation. 34
CIS_Controls_v8.1 9.3 CIS_Controls_v8.1_9.3 CIS Controls v8.1 9.3 Email and Web Browser Protections Maintain and enforce network-based URL filters Shared 1. Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. 2. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. 3. Enforce filters for all enterprise assets. To prevent users from connecting to unsafe websites. 9
CMMC_L2_v1.9.0 AU.L2_3.3.1 CMMC_L2_v1.9.0_AU.L2_3.3.1 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.1 Audit and Accountability System Auditing Shared Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. To enhance security and accountability measures. 41
CMMC_L2_v1.9.0 AU.L2_3.3.3 CMMC_L2_v1.9.0_AU.L2_3.3.3 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.3 Audit and Accountability Event Review Shared Review and update logged events. To enhance the effectiveness of security measures. 35
CMMC_L2_v1.9.0 SI.L2_3.14.3 CMMC_L2_v1.9.0_SI.L2_3.14.3 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.3 System and Information Integrity Security Alerts & Advisories Shared Monitor system security alerts and advisories and take action in response. To proactively defend against emerging threats and minimize the risk of security incidents or breaches. 20
CMMC_L2_v1.9.0 SI.L2_3.14.6 CMMC_L2_v1.9.0_SI.L2_3.14.6 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.6 System and Information Integrity Monitor Communications for Attacks Shared Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. To protect systems and data from unauthorized access or compromise. 20
CMMC_L2_v1.9.0 SI.L2_3.14.7 CMMC_L2_v1.9.0_SI.L2_3.14.7 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.7 System and Information Integrity Identify Unauthorized Use Shared Identify unauthorized use of organizational systems. To enable the organization to take appropriate action, such as revoking access privileges, investigating security incidents, and implementing additional security controls to prevent future unauthorized access. 19
CMMC_L3 AC.3.018 CMMC_L3_AC.3.018 CMMC L3 AC.3.018 Access Control Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. Shared Microsoft and the customer share responsibilities for implementing this requirement. Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this requirement represents a condition to be achieved by the definition of authorized privileges in AC.1.002. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat. link 3
CMMC_L3 AC.3.021 CMMC_L3_AC.3.021 CMMC L3 AC.3.021 Access Control Authorize remote execution of privileged commands and remote access to security-relevant information. Shared Microsoft and the customer share responsibilities for implementing this requirement. A privileged command is a human-initiated (interactively or via a process operating on behalf of the human) command executed on a system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information. Securityrelevant information is any information within the system that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling such access from remote locations helps to ensure that unauthorized individuals are not able to execute such commands freely with the potential to do serious or catastrophic damage to organizational systems. Note that the ability to affect the integrity of the system is considered security-relevant as that could enable the means to by-pass security functions although not directly impacting the function itself. link 10
CMMC_L3 AU.2.041 CMMC_L3_AU.2.041 CMMC L3 AU.2.041 Audit and Accountability Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). link 15
CMMC_L3 AU.2.042 CMMC_L3_AU.2.042 CMMC L3 AU.2.042 Audit and Accountability Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Shared Microsoft and the customer share responsibilities for implementing this requirement. An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. link 15
CMMC_L3 CM.2.065 CMMC_L3_CM.2.065 CMMC L3 CM.2.065 Configuration Management Track, review, approve or disapprove, and log changes to organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled and unauthorized changes, and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes to systems. For new development systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards or Change Advisory Boards. Audit logs of changes include activities before and after changes are made to organizational systems and the activities required to implement such changes. link 6
CMMC_L3 SI.2.216 CMMC_L3_SI.2.216 CMMC L3 SI.2.216 System and Information Integrity Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Shared Microsoft and the customer share responsibilities for implementing this requirement. System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. link 23
CMMC_L3 SI.2.217 CMMC_L3_SI.2.217 CMMC L3 SI.2.217 System and Information Integrity Identify unauthorized use of organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. link 11
CSA_v4.0.12 CEK_03 CSA_v4.0.12_CEK_03 CSA Cloud Controls Matrix v4.0.12 CEK 03 Cryptography, Encryption & Key Management Data Encryption Shared n/a Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards. 58
CSA_v4.0.12 IAM_01 CSA_v4.0.12_IAM_01 CSA Cloud Controls Matrix v4.0.12 IAM 01 Identity & Access Management Identity and Access Management Policy and Procedures Shared n/a Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management. Review and update the policies and procedures at least annually. 24
CSA_v4.0.12 IAM_02 CSA_v4.0.12_IAM_02 CSA Cloud Controls Matrix v4.0.12 IAM 02 Identity & Access Management Strong Password Policy and Procedures Shared n/a Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually. 52
CSA_v4.0.12 IAM_04 CSA_v4.0.12_IAM_04 CSA Cloud Controls Matrix v4.0.12 IAM 04 Identity & Access Management Separation of Duties Shared n/a Employ the separation of duties principle when implementing information system access. 43
CSA_v4.0.12 IAM_07 CSA_v4.0.12_IAM_07 CSA Cloud Controls Matrix v4.0.12 IAM 07 Identity & Access Management User Access Changes and Revocation Shared n/a De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies. 56
CSA_v4.0.12 IAM_10 CSA_v4.0.12_IAM_10 CSA Cloud Controls Matrix v4.0.12 IAM 10 Identity & Access Management Management of Privileged Access Roles Shared n/a Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access. 56
CSA_v4.0.12 IAM_12 CSA_v4.0.12_IAM_12 CSA Cloud Controls Matrix v4.0.12 IAM 12 Identity & Access Management Safeguard Logs Integrity Shared n/a Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures. 42
CSA_v4.0.12 IAM_13 CSA_v4.0.12_IAM_13 CSA Cloud Controls Matrix v4.0.12 IAM 13 Identity & Access Management Uniquely Identifiable Users Shared n/a Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs. 49
CSA_v4.0.12 IAM_14 CSA_v4.0.12_IAM_14 CSA Cloud Controls Matrix v4.0.12 IAM 14 Identity & Access Management Strong Authentication Shared n/a Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities. 32
CSA_v4.0.12 IAM_15 CSA_v4.0.12_IAM_15 CSA Cloud Controls Matrix v4.0.12 IAM 15 Identity & Access Management Passwords Management Shared n/a Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords. 26
CSA_v4.0.12 IAM_16 CSA_v4.0.12_IAM_16 CSA Cloud Controls Matrix v4.0.12 IAM 16 Identity & Access Management Authorization Mechanisms Shared n/a Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized. 46
CSA_v4.0.12 LOG_05 CSA_v4.0.12_LOG_05 CSA Cloud Controls Matrix v4.0.12 LOG 05 Logging and Monitoring Audit Logs Monitoring and Response Shared n/a Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies. 9
CSA_v4.0.12 LOG_07 CSA_v4.0.12_LOG_07 CSA Cloud Controls Matrix v4.0.12 LOG 07 Logging and Monitoring Logging Scope Shared n/a Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment. 35
CSA_v4.0.12 LOG_08 CSA_v4.0.12_LOG_08 CSA Cloud Controls Matrix v4.0.12 LOG 08 Logging and Monitoring Log Records Shared n/a Generate audit records containing relevant security information. 24
CSA_v4.0.12 LOG_10 CSA_v4.0.12_LOG_10 CSA Cloud Controls Matrix v4.0.12 LOG 10 Logging and Monitoring Encryption Monitoring and Reporting Shared n/a Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls. 24
CSA_v4.0.12 LOG_11 CSA_v4.0.12_LOG_11 CSA Cloud Controls Matrix v4.0.12 LOG 11 Logging and Monitoring Transaction/Activity Logging Shared n/a Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys. 24
Cyber_Essentials_v3.1 2 Cyber_Essentials_v3.1_2 Cyber Essentials v3.1 2 Cyber Essentials Secure Configuration Shared n/a Aim: ensure that computers and network devices are properly configured to reduce vulnerabilities and provide only the services required to fulfill their role. 61
Cyber_Essentials_v3.1 4 Cyber_Essentials_v3.1_4 Cyber Essentials v3.1 4 Cyber Essentials User Access Control Shared n/a Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role. 74
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_11 EU_2555_(NIS2)_2022_11 EU 2022/2555 (NIS2) 2022 11 Requirements, technical capabilities and tasks of CSIRTs Shared n/a Outlines the requirements, technical capabilities, and tasks of CSIRTs. 69
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_12 EU_2555_(NIS2)_2022_12 EU 2022/2555 (NIS2) 2022 12 Coordinated vulnerability disclosure and a European vulnerability database Shared n/a Establishes a coordinated vulnerability disclosure process and a European vulnerability database. 67
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 194
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_29 EU_2555_(NIS2)_2022_29 EU 2022/2555 (NIS2) 2022 29 Cybersecurity information-sharing arrangements Shared n/a Allows entities to exchange relevant cybersecurity information on a voluntary basis. 67
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 311
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 311
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 311
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 311
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .11 FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 Policy and Implementation - Formal Audits Policy Area 11: Formal Audits Shared Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. 65
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .4 FBI_Criminal_Justice_Information_Services_v5.9.5_5.4 404 not found n/a n/a 42
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .5 FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 Policy and Implementation - Access Control Access Control Shared Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. 97
FFIEC_CAT_2017 2.2.1 FFIEC_CAT_2017_2.2.1 FFIEC CAT 2017 2.2.1 Threat Intelligence and Collaboration Monitoring and Analyzing Shared n/a - Audit log records and other security event logs are reviewed and retained in a secure manner. - Computer event logs are used for investigations once an event has occurred. 24
FFIEC_CAT_2017 3.2.2 FFIEC_CAT_2017_3.2.2 FFIEC CAT 2017 3.2.2 Cybersecurity Controls Anomalous Activity Detection Shared n/a - The institution is able to detect anomalous activities through monitoring across the environment. - Customer transactions generating anomalous activity alerts are monitored and reviewed. - Logs of physical and/or logical access are reviewed following events. - Access to critical systems by third parties is monitored for unauthorized or unusual activity. - Elevated privileges are monitored. 27
FFIEC_CAT_2017 3.2.3 FFIEC_CAT_2017_3.2.3 FFIEC CAT 2017 3.2.3 Cybersecurity Controls Event Detection Shared n/a - A normal network activity baseline is established. - Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks. - Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. - Responsibilities for monitoring and reporting suspicious systems activity have been assigned. - The physical environment is monitored to detect potential unauthorized access. 35
hipaa 1270.09ad1System.12-09.ad hipaa-1270.09ad1System.12-09.ad 1270.09ad1System.12-09.ad 12 Audit Logging & Monitoring 1270.09ad1System.12-09.ad 09.10 Monitoring Shared n/a The organization ensures proper logging is enabled in order to audit administrator activities; and reviews system administrator and operator logs on a regular basis. 18
hipaa 1271.09ad1System.1-09.ad hipaa-1271.09ad1System.1-09.ad 1271.09ad1System.1-09.ad 12 Audit Logging & Monitoring 1271.09ad1System.1-09.ad 09.10 Monitoring Shared n/a An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. 8
HITRUST_CSF_v11.3 09.aa HITRUST_CSF_v11.3_09.aa HITRUST CSF v11.3 09.aa Monitoring To ensure information security events are monitored and recorded to detect unauthorized information processing activities in compliance with all relevant legal requirements. Shared 1. Retention policies for audit logs are to be specified and the audit logs are to be retained accordingly. 2. A secure audit record is to be created each time a user accesses, creates, updates, or deletes covered and/or confidential information via the system. 3. Audit logs are to be maintained for account management activities, security policy changes, configuration changes, modification to sensitive information, read access to sensitive information, and printing of sensitive information. Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring. 39
HITRUST_CSF_v11.3 09.ab HITRUST_CSF_v11.3_09.ab HITRUST CSF v11.3 09.ab Monitoring To establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. Shared 1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with. Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. 114
HITRUST_CSF_v11.3 11.a HITRUST_CSF_v11.3_11.a HITRUST CSF v11.3 11.a Reporting Information Security Incidents and Weaknesses To ensure information security events and weaknesses associated with information systems are handled in a manner allowing timely corrective action to be taken. Shared A designated and widely known point of contact is to be established within the organization to promptly report information security events, ensuring availability and timely responses; additionally, a maintained list of third-party contacts, such as information security officers' email addresses, facilitates for the reporting of security incidents. Information security events shall be reported through appropriate communications channels as quickly as possible. All employees, contractors and third-party users shall be made aware of their responsibility to report any information security events as quickly as possible. 11
ISO_IEC_27001_2022 9.1 ISO_IEC_27001_2022_9.1 ISO IEC 27001 2022 9.1 Performance Evaluation Monitoring, measurement, analysis and evaluation Shared 1. The organization shall determine: a. what needs to be monitored and measured, including information security processes and controls; b. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid; c. when the monitoring and measuring shall be performed; d. who shall monitor and measure; e. when the results from monitoring and measurement shall be analysed and evaluated; f. who shall analyse and evaluate these results. 2. Documented information shall be available as evidence of the results. Specifies that the organisation must evaluate information security performance and the effectiveness of the information security management system. 44
ISO_IEC_27002_2022 8.15 ISO_IEC_27002_2022_8.15 ISO IEC 27002 2022 8.15 Detection Control Logging Shared Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations. 30
ISO_IEC_27002_2022 8.16 ISO_IEC_27002_2022_8.16 ISO IEC 27002 2022 8.16 Response, Detection, Corrective Control Monitoring activities Shared Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. To detect anomalous behaviour and potential information security incidents. 20
ISO_IEC_27017_2015 12.4.1 ISO_IEC_27017_2015_12.4.1 ISO IEC 27017 2015 12.4.1 Operations Security Event Logging Shared For Cloud Service Customer: The cloud service customer should define its requirements for event logging and verify that the cloud service meets those requirements. For Cloud Service Provider: The cloud service provider should provide logging capabilities to the cloud service customer. To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations. 25
ISO_IEC_27017_2015 Annex_A:_CLD.6.3.1 ISO_IEC_27017_2015_Annex_A:_CLD.6.3.1 404 not found n/a n/a 5
NIST_CSF_v2.0 DE.AE_03 NIST_CSF_v2.0_DE.AE_03 NIST CSF v2.0 DE.AE 03 DETECT-Adverse Event Analysis Information is correlated from multiple sources. Shared n/a To identify and analyze the cybersecurity attacks and compromises. 26
NIST_CSF_v2.0 DE.CM NIST_CSF_v2.0_DE.CM 404 not found n/a n/a 20
NIST_SP_800-171_R3_3 .14.6 NIST_SP_800-171_R3_3.14.6 NIST 800-171 R3 3.14.6 System and Information Integrity Control System Monitoring Shared System monitoring involves external and internal monitoring. External monitoring includes the observation of events that occur at the system boundary. Internal monitoring includes the observation of events that occur within the system. Organizations can monitor the system, for example, by observing audit record activities in real time or by observing other system aspects, such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. A system monitoring capability is achieved through a variety of tools and techniques (e.g., audit record monitoring software, intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms that support critical applications with such devices being employed at managed system interfaces. The granularity of monitoring the information collected is based on organizational monitoring objectives and the capability of the system to support such objectives. Systems connections can be network, remote, or local. A network connection is any connection with a device that communicates through a network (e.g., local area network, the internet). A remote connection is any connection with a device that communicates through an external network (e.g., the internet). Network, remote, and local connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in the system or propagating among system components, the unauthorized export of information, or signaling to external systems. Evidence of malicious code is used to identify a potentially compromised system. System monitoring requirements, including the need for types of system monitoring, may be referenced in other requirements. a. Monitor the system to detect: 1. Attacks and indicators of potential attacks; and 2. Unauthorized connections. b. Identify unauthorized use of the system. c. Monitor inbound and outbound communications traffic to detect unusual or unauthorized activities or conditions. 19
NIST_SP_800-171_R3_3 .15.3 NIST_SP_800-171_R3_3.15.3 NIST 800-171 R3 3.15.3 Planning Control Rules of Behavior Shared Rules of behavior represent a type of access agreement for system users. Organizations consider rules of behavior for the handling of CUI based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. a. Establish and provide to individuals requiring access to the system, rules that describe their responsibilities and expected behavior for handling CUI and system usage. b. Receive a documented acknowledgement from individuals indicating that they have read, understand, and agree to abide by the rules of behavior before authorizing access to CUI and the system. c. Review and update the rules of behavior periodically. 4
NIST_SP_800-171_R3_3 .3.1 NIST_SP_800-171_R3_3.3.1 404 not found n/a n/a 35
NIST_SP_800-171_R3_3 .3.5 NIST_SP_800-171_R3_3.3.5 404 not found n/a n/a 17
NIST_SP_800-53_R5.1.1 AC.2.4 NIST_SP_800-53_R5.1.1_AC.2.4 NIST SP 800-53 R5.1.1 AC.2.4 Access Control Account Management | Automated Audit Actions Shared Automatically audit account creation, modification, enabling, disabling, and removal actions. Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6. 5
NIST_SP_800-53_R5.1.1 AU.2 NIST_SP_800-53_R5.1.1_AU.2 NIST SP 800-53 R5.1.1 AU.2 Audit and Accountability Control Event Logging Shared a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency]. An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage. Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-17(1), CM-3f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-7, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures. 24
NIST_SP_800-53_R5.1.1 AU.6 NIST_SP_800-53_R5.1.1_AU.6 NIST SP 800-53 R5.1.1 AU.6 Audit and Accountability Control Audit Record Review, Analysis, and Reporting Shared a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received. 9
NIST_SP_800-53_R5.1.1 SI.4 NIST_SP_800-53_R5.1.1_SI.4 NIST SP 800-53 R5.1.1 SI.4 System and Information Integrity Control System Monitoring Shared a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency] ]. System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 18
NZISM_v3.7 19.1.10.C.01. NZISM_v3.7_19.1.10.C.01. NZISM v3.7 19.1.10.C.01. Gateways 19.1.10.C.01. - To ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks. Shared n/a When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection. 50
NZISM_v3.7 19.1.11.C.01. NZISM_v3.7_19.1.11.C.01. NZISM v3.7 19.1.11.C.01. Gateways 19.1.11.C.01. - To ensure network protection through gateway mechanisms. Shared n/a Agencies MUST ensure that: 1. all agency networks are protected from networks in other security domains by one or more gateways; 2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and 3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room. 49
NZISM_v3.7 19.1.11.C.02. NZISM_v3.7_19.1.11.C.02. NZISM v3.7 19.1.11.C.02. Gateways 19.1.11.C.02. - To maintain security and integrity across domains. Shared n/a For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party. 48
NZISM_v3.7 19.1.12.C.01. NZISM_v3.7_19.1.12.C.01. NZISM v3.7 19.1.12.C.01. Gateways 19.1.12.C.01. - To minimize security risks and ensure effective control over network communications Shared n/a Agencies MUST ensure that gateways: 1. are the only communications paths into and out of internal networks; 2. by default, deny all connections into and out of the network; 3. allow only explicitly authorised connections; 4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network); 5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and 6. provide real-time alerts. 47
NZISM_v3.7 19.1.14.C.01. NZISM_v3.7_19.1.14.C.01. NZISM v3.7 19.1.14.C.01. Gateways 19.1.14.C.01. - To enhance security by segregating resources from the internal network. Shared n/a Agencies MUST use demilitarised zones to house systems and information directly accessed externally. 40
NZISM_v3.7 19.1.14.C.02. NZISM_v3.7_19.1.14.C.02. NZISM v3.7 19.1.14.C.02. Gateways 19.1.14.C.02. - To enhance security by segregating resources from the internal network. Shared n/a Agencies SHOULD use demilitarised zones to house systems and information directly accessed externally. 39
NZISM_v3.7 19.1.19.C.01. NZISM_v3.7_19.1.19.C.01. NZISM v3.7 19.1.19.C.01. Gateways 19.1.19.C.01. - To enhance security posture. Shared n/a Agencies MUST limit access to gateway administration functions. 34
NZISM_v3.7 19.2.16.C.02. NZISM_v3.7_19.2.16.C.02. NZISM v3.7 19.2.16.C.02. Cross Domain Solutions (CDS) 19.2.16.C.02. - To maintain security and prevent unauthorized access or disclosure of sensitive information. Shared n/a Agencies MUST NOT implement a gateway permitting data to flow directly from: 1. a TOP SECRET network to any network below SECRET; 2. a SECRET network to an UNCLASSIFIED network; or 3. a CONFIDENTIAL network to an UNCLASSIFIED network. 34
NZISM_v3.7 19.2.18.C.01. NZISM_v3.7_19.2.18.C.01. NZISM v3.7 19.2.18.C.01. Cross Domain Solutions (CDS) 19.2.18.C.01. - To enhance data security and prevent unauthorized access or leakage between classified networks and less classified networks. Shared n/a Agencies MUST ensure that all bi-directional gateways between TOP SECRET and SECRET networks, SECRET and less classified networks, and CONFIDENTIAL and less classified networks, have separate upward and downward paths which use a diode and physically separate infrastructure for each path. 34
NZISM_v3.7 19.2.19.C.01. NZISM_v3.7_19.2.19.C.01. NZISM v3.7 19.2.19.C.01. Cross Domain Solutions (CDS) 19.2.19.C.01. - To ensure the integrity and reliability of information accessed or received. Shared n/a Trusted sources MUST be: 1. a strictly limited list derived from business requirements and the result of a security risk assessment; 2. where necessary an appropriate security clearance is held; and 3. approved by the Accreditation Authority. 34
NZISM_v3.7 19.2.19.C.02. NZISM_v3.7_19.2.19.C.02. NZISM v3.7 19.2.19.C.02. Cross Domain Solutions (CDS) 19.2.19.C.02. - To reduce the risk of unauthorized data transfers and potential breaches. Shared n/a Trusted sources MUST authorise all data to be exported from a security domain. 29
NZISM_v3.7 19.3.8.C.03. NZISM_v3.7_19.3.8.C.03. NZISM v3.7 19.3.8.C.03. Firewalls 19.3.8.C.03. - To minimise the risk of unauthorized access or data leakage between networks Shared n/a Agencies MUST use devices as shown in the following table for their gateway when connecting two networks of different classifications or two networks of the same classification but of different security domains. Your network: Restricted and below Their network: Unclassified You require: EAL4 firewall They require: N/A Your network: Restricted and below Their network: Restricted You require: EAL2 or PP firewall They require:EAL2 or PP firewall Your network: Restricted and below Their network: Confidential You require: EAL2 or PP firewall They require:EAL4 firewall Your network: Restricted and below Their network: Secret You require: EAL2 or PP firewall They require:EAL4 firewall Your network: Restricted and below Their network: Top Secret You require: EAL2 or PP firewall They require: Consultation with GCSB Your network: Confidential Their network: Unclassified You require: Consultation with GCSB They require: N/A Your network: Confidential Their network: Restricted You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Confidential Their network: Confidential You require: EAL2 or PP firewal They require: EAL2 or PP firewall Your network: Confidential Their network: Secret You require: EAL2 or PP firewal They require: EAL4 firewall Your network: Confidential Their network: Top Secret You require: EAL2 or PP firewall They require: Consultation with GCSB Your network: Secret Their network: Unclassified You require: Consultation with GCSB They require: N/A Your network: Secret Their network: Restricted You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Secret Their network: Confidential You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Secret Their network: Secret You require: EAL2 or PP firewall They require: EAL2 or PP firewall Your network: Secret Their network: Top Secret You require: EAL2 or PP firewall They require: EAL4 firewall Your network: Top Secret Their network: Unclassified You require: Consultation with GCSB They require: N/A Your network: Top Secret Their network: Restricted You require: Consultation with GCSB They require: EAL2 or PP firewall Your network: Top Secret Their network: Confidential You require: Consultation with GCSB They require: EAL2 or PP firewall Your network: Top Secret Their network: Secret You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Top Secret Their network: Top Secret You require: EAL4 firewall They require: EAL4 firewall 19
NZISM_v3.7 19.3.8.C.04. NZISM_v3.7_19.3.8.C.04. NZISM v3.7 19.3.8.C.04. Firewalls 19.3.8.C.04. - To minimise the risk of unauthorized access or data leakage between networks Shared n/a 1. The requirement to implement a firewall as part of gateway architecture MUST be met separately and independently by both parties (gateways) in both physical and virtual environments. 2. Shared equipment DOES NOT satisfy the requirements of this control. 15
NZISM_v3.7 19.3.9.C.01. NZISM_v3.7_19.3.9.C.01. NZISM v3.7 19.3.9.C.01. Firewalls 19.3.9.C.01. - To minimise the risk of unauthorized access or data leakage between networks Shared n/a Agencies MUST use a firewall of at least an EAL4 assurance level between an NZEO network and a foreign network in addition to the minimum assurance levels for firewalls between networks of different classifications or security domains. 15
NZISM_v3.7 19.3.9.C.02. NZISM_v3.7_19.3.9.C.02. NZISM v3.7 19.3.9.C.02. Firewalls 19.3.9.C.02. - To minimise the risk of unauthorized access or data leakage between networks Shared n/a In all other circumstances the table at 19.3.8.C.03 MUST apply. 5
NZISM_v3.7 19.3.9.C.03. NZISM_v3.7_19.3.9.C.03. NZISM v3.7 19.3.9.C.03. Firewalls 19.3.9.C.03. - To minimise the risk of unauthorized access or data leakage between networks Shared n/a Agencies SHOULD use a firewall of at least an EAL2 assurance level or a Protection Profile between an NZEO network and another New Zealand controlled network within a single security domain. 4
PCI_DSS_v4.0.1 10.2.1.5 PCI_DSS_v4.0.1_10.2.1.5 PCI DSS v4.0.1 10.2.1.5 Log and Monitor All Access to System Components and Cardholder Data Credential Changes Audit Logging Shared n/a Audit logs capture all changes to identification and authentication credentials including, but not limited to: • Creation of new accounts. • Elevation of privileges. • All changes, additions, or deletions to accounts with administrative access. 5
PCI_DSS_v4.0.1 10.3.4 PCI_DSS_v4.0.1_10.3.4 PCI DSS v4.0.1 10.3.4 Log and Monitor All Access to System Components and Cardholder Data Log Integrity Monitoring Shared n/a File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts. 29
PCI_DSS_v4.0.1 10.4.1 PCI_DSS_v4.0.1_10.4.1 PCI DSS v4.0.1 10.4.1 Log and Monitor All Access to System Components and Cardholder Data Daily Audit Log Review Shared n/a The following audit logs are reviewed at least once daily: • All security events. • Logs of all system components that store, process, or transmit CHD and/or SAD. • Logs of all critical system components. • Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers). 10
PCI_DSS_v4.0.1 10.4.1.1 PCI_DSS_v4.0.1_10.4.1.1 PCI DSS v4.0.1 10.4.1.1 Log and Monitor All Access to System Components and Cardholder Data Automated Log Review Mechanisms Shared n/a Automated mechanisms are used to perform audit log reviews. 10
PCI_DSS_v4.0.1 10.4.2 PCI_DSS_v4.0.1_10.4.2 PCI DSS v4.0.1 10.4.2 Log and Monitor All Access to System Components and Cardholder Data Periodic Review of Other Logs Shared n/a Logs of all other system components (those not specified in Requirement 10.4.1) are reviewed periodically. 10
PCI_DSS_v4.0.1 10.4.2.1 PCI_DSS_v4.0.1_10.4.2.1 PCI DSS v4.0.1 10.4.2.1 Log and Monitor All Access to System Components and Cardholder Data Frequency of Log Reviews Shared n/a The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1 26
PCI_DSS_v4.0.1 10.4.3 PCI_DSS_v4.0.1_10.4.3 PCI DSS v4.0.1 10.4.3 Log and Monitor All Access to System Components and Cardholder Data Addressing Log Anomalies Shared n/a Exceptions and anomalies identified during the review process are addressed. 9
PCI_DSS_v4.0.1 11.5.1 PCI_DSS_v4.0.1_11.5.1 PCI DSS v4.0.1 11.5.1 Test Security of Systems and Networks Regularly Intrusion Detection/Prevention Shared n/a Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network as follows: • All traffic is monitored at the perimeter of the CDE. • All traffic is monitored at critical points in the CDE. • Personnel are alerted to suspected compromises. • All intrusion-detection and prevention engines, baselines, and signatures are kept up to date 24
PCI_DSS_v4.0.1 11.5.1.1 PCI_DSS_v4.0.1_11.5.1.1 PCI DSS v4.0.1 11.5.1.1 Test Security of Systems and Networks Regularly Covert Malware Detection Shared n/a Additional requirement for service providers only: Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels. 22
PCI_DSS_v4.0.1 11.5.2 PCI_DSS_v4.0.1_11.5.2 PCI DSS v4.0.1 11.5.2 Test Security of Systems and Networks Regularly Change-Detection Mechanism Deployment Shared n/a A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows: • To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files. • To perform critical file comparisons at least once weekly. 32
PCI_DSS_v4.0.1 12.2.1 PCI_DSS_v4.0.1_12.2.1 PCI DSS v4.0.1 12.2.1 Support Information Security with Organizational Policies and Programs Documented Acceptable Use Policies Shared n/a Acceptable use policies for end-user technologies are documented and implemented, including: • Explicit approval by authorized parties. • Acceptable uses of the technology. • List of products approved by the company for employee use, including hardware and software. 6
SOC_2 CC7.2 SOC_2_CC7.2 SOC 2 Type 2 CC7.2 System Operations Monitor system components for anomalous behavior Shared The customer is responsible for implementing this recommendation. • Implements Detection Policies, Procedures, and Tools — Detection policies and procedures are defined and implemented and detection tools are implemented on infrastructure and software to identify anomalies in the operation or unusual activity on systems. Procedures may include (1) a defined governance process for security event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3) logging of unusual system activities. • Designs Detection Measures — Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software. • Implements Filters to Analyze Anomalies — Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events. • Monitors Detection Tools for Effective Operation — Management has implemented processes to monitor the effectiveness of detection tools 20
SOC_2023 A1.1 SOC_2023_A1.1 SOC 2023 A1.1 Additional Criteria for Availability To effectively manage capacity demand and facilitate the implementation of additional capacity as needed. Shared n/a The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. 112
SOC_2023 CC.5.3 SOC_2023_CC.5.3 404 not found n/a n/a 37
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 219
SOC_2023 CC4.1 SOC_2023_CC4.1 SOC 2023 CC4.1 Monitoring Activities To enhance the ability to manage risks and achieve objectives. Shared n/a The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 38
SOC_2023 CC4.2 SOC_2023_CC4.2 SOC 2023 CC4.2 Monitoring Activities To facilitate timely corrective actions and strengthen the ability to maintain effective control over its operations and achieve its objectives. Shared n/a The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors. 37
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 230
SOC_2023 CC6.1 SOC_2023_CC6.1 SOC 2023 CC6.1 Logical and Physical Access Controls To mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. Shared n/a Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. 129
SOC_2023 CC6.2 SOC_2023_CC6.2 SOC 2023 CC6.2 Logical and Physical Access Controls To ensure effective access control and ensuring the security of the organization's systems and data. Shared n/a 1. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. 2. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. 50
SOC_2023 CC6.3 SOC_2023_CC6.3 404 not found n/a n/a 56
SOC_2023 CC6.7 SOC_2023_CC6.7 404 not found n/a n/a 52
SOC_2023 CC7.2 SOC_2023_CC7.2 SOC 2023 CC7.2 Systems Operations To maintain robust security measures and ensure operational resilience. Shared n/a The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. 168
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 214
SOC_2023 CC8.1 SOC_2023_CC8.1 SOC 2023 CC8.1 Change Management To minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. Shared n/a The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. 148
SWIFT_CSCF_2024 1.2 SWIFT_CSCF_2024_1.2 SWIFT Customer Security Controls Framework 2024 1.2 Privileged Account Control Operating System Privileged Account Control Shared Tightly protecting administrator-level accounts within the operating system reduces the opportunity for an attacker to use the privileges of the account as part of an attack (for example, executing commands or deleting evidence). To restrict and control the allocation and usage of administrator-level operating system accounts. 53
SWIFT_CSCF_2024 11.2 SWIFT_CSCF_2024_11.2 404 not found n/a n/a 26
SWIFT_CSCF_2024 2.9 SWIFT_CSCF_2024_2.9 SWIFT Customer Security Controls Framework 2024 2.9 Transaction Controls Transaction Business Controls Shared 1. Implementing business controls that restrict Swift transactions to the fullest extent possible reduces the opportunity for the sending (outbound) and, optionally, receiving (inbound) of fraudulent transactions. 2. These restrictions are best determined through an analysis of normal business activity. Parameters can then be set to restrict business to acceptable thresholds based on “normal” activity. To ensure outbound transaction activity within the expected bounds of normal business. 26
SWIFT_CSCF_2024 5.1 SWIFT_CSCF_2024_5.1 SWIFT Customer Security Controls Framework 2024 5.1 Access Control Logical Access Control Shared 1. Applying the security principles of (1) need-to-know, (2) least privilege, and (3) separation of duties is essential to restricting access to the user’s Swift infrastructure. 2. Effective management of operator accounts reduces the opportunities for a malicious person to use these accounts as part of an attack. To enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. 26
SWIFT_CSCF_2024 6.4 SWIFT_CSCF_2024_6.4 SWIFT Customer Security Controls Framework 2024 6.4 Access Control Logging and Monitoring Shared 1. Developing a logging and monitoring plan is the basis for effectively detecting abnormal behaviour and potential attacks and support further investigations. 2. As the operational environment becomes more complex, so will the logging and monitoring capability needed to perform adequate detection. Simplifying the operational environment will enable simpler logging and monitoring. To record security events, detect and respond to anomalous actions and operations within the user’s Swift environment. 43
SWIFT_CSCF_2024 6.5 SWIFT_CSCF_2024_6.5 404 not found n/a n/a 23
UK_NCSC_CAF_v3.2 B4.b UK_NCSC_CAF_v3.2_B4.b NCSC Cyber Assurance Framework (CAF) v3.2 B4.b System Security Secure Configuration Shared 1. Identify, document and actively manage (e.g. maintain security configurations, patching, updating according to good practice) the assets that need to be carefully configured to maintain the security of the essential function. 2. All platforms conform to secure, defined baseline build, or the latest known good configuration version for that environment. 3. Closely and effectively manage changes in the environment, ensuring that network and system configurations are secure and documented. 4. Regularly review and validate that your network and information systems have the expected, secure settings and configuration. 5. Only permitted software can be installed and standard users cannot change settings that would impact security or the business operation. 6. If automated decision-making technologies are in use, their operation is well understood, and decisions can be replicated. Securely configure the network and information systems that support the operation of essential functions. 37
UK_NCSC_CAF_v3.2 C UK_NCSC_CAF_v3.2_C 404 not found n/a n/a 19
UK_NCSC_CAF_v3.2 C1 UK_NCSC_CAF_v3.2_C1 404 not found n/a n/a 20
UK_NCSC_CAF_v3.2 C1.c UK_NCSC_CAF_v3.2_C1.c NCSC Cyber Assurance Framework (CAF) v3.2 C1.c Security Monitoring Generating Alerts Shared 1. Logging data is enriched with other network knowledge and data when investigating certain suspicious activity or alerts. 2. A wide range of signatures and indicators of compromise is used for investigations of suspicious activity and alerts. 3. Alerts can be easily resolved to network assets using knowledge of networks and systems. The resolution of these alerts is performed in almost real time. 4. Security alerts relating to all essential functions are prioritised and this information is used to support incident management. 5. Logs are reviewed almost continuously, in real time. 6. Alerts are tested to ensure that they are generated reliably and that it is possible to distinguish genuine security incidents from false alarms. Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts. 23
UK_NCSC_CAF_v3.2 C1.d UK_NCSC_CAF_v3.2_C1.d NCSC Cyber Assurance Framework (CAF) v3.2 C1.d Security Monitoring Identifying Security Incidents Shared 1. Select threat intelligence sources or services using risk-based and threat-informed decisions based on the business needs and sector (e.g. vendor reporting and patching, strong anti-virus providers, sector and community-based info share, special interest groups). 2. Apply all new signatures and IoCs within a reasonable (risk-based) time of receiving them. 3. Receive signature updates for all the protective technologies (e.g. AV, IDS). 4. Track the effectiveness of the intelligence feeds and actively share feedback on the usefulness of IoCs and any other indicators with the threat community (e.g. sector partners, threat intelligence providers, government agencies). Contextualise alerts with knowledge of the threat and the systems, to identify those security incidents that require some form of response. 22
UK_NCSC_CAF_v3.2 C2 UK_NCSC_CAF_v3.2_C2 404 not found n/a n/a 20
UK_NCSC_CAF_v3.2 C2.b UK_NCSC_CAF_v3.2_C2.b NCSC Cyber Assurance Framework (CAF) v3.2 C2.b Proactive Security Event Discovery Proactive Attack Discovery Shared 1. Routinely search for system abnormalities indicative of malicious activity on the networks and information systems supporting the operation of your essential function, generating alerts based on the results of such searches. 2. Have justified confidence in the effectiveness of the searches for system abnormalities indicative of malicious activity. Use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity. 20
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CIS Azure Foundations v2.1.0 fe7782e4-6ff3-4e39-8d8a-64b6f7b82c85 Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn true
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn true
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn true
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn true
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn true
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cyber Essentials v3.1 b2f588d7-1ed5-47c7-977d-b93dff520c4c Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
FFIEC CAT 2017 1d5dbdd5-6f93-43ce-a939-b19df3753cf7 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27001 2022 5e4ff661-23bf-42fa-8e3a-309a55091cc7 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27017 2015 f48ecfa6-581c-43f9-8141-cd4adc72cf26 Regulatory Compliance GA BuiltIn unknown
NCSC Cyber Assurance Framework (CAF) v3.2 6d220abf-cf6f-4b17-8f7e-0644c4cc84b4 Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST CSF v2.0 184a0e05-7b06-4a68-bbbe-13b8353bc613 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn true
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2020-01-29 21:53:30 add b954148f-4c11-4c38-8221-be76711e194a
JSON compare n/a
JSON
api-version=2021-06-01
EPAC