Az Policy Advertizer

Canada_Federal_PBMM_3-1-2020_AC_2

AC_2

Canada Federal PBMM 3-1-2020 AC 2

Account Management

Shared

1. The organization identifies and selects which types of information system accounts support organizational missions/business functions. 2. The organization assigns account managers for information system accounts. 3. The organization establishes conditions for group and role membership. 4. The organization specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account. 5. The organization requires approvals by responsible managers for requests to create information system accounts. 6. The organization creates, enables, modifies, disables, and removes information system accounts in accordance with information system account management procedures. 7. The organization monitors the use of information system accounts. 8. The organization notifies account managers: a. When accounts are no longer required; b. When users are terminated or transferred; and c. When individual information system usage or need-to-know changes. 9. The organization authorizes access to the information system based on: a. A valid access authorization; b. Intended system usage; and c. Other attributes as required by the organization or associated missions/business functions. 10. The organization reviews accounts for compliance with account management requirements at least annually. 11. The organization establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

To ensure the security, integrity, and efficiency of the information systems.

Canada_Federal_PBMM_3-1-2020_AC_2(1)

AC_2(1)

Canada Federal PBMM 3-1-2020 AC 2(1)

Account Management

Account Management | Automated System Account Management

Shared

The organization employs automated mechanisms to support the management of information system accounts.

To streamline and enhance information system account management processes.

Canada_Federal_PBMM_3-1-2020_CA_2

CA_2

Canada Federal PBMM 3-1-2020 CA 2

Security Assessments

Shared

1. The organization develops a security assessment plan that describes the scope of the assessment including: a. Security controls and control enhancements under assessment; b. Assessment procedures to be used to determine security control effectiveness; and c. Assessment environment, assessment team, and assessment roles and responsibilities. 2. The organization assesses the security controls in the information system and its environment of operation at least annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements. 3. The organization produces a security assessment report that documents the results of the assessment. 4. The organization provides the results of the security control assessment to organization-defined individuals or roles.

To enhance the overall security posture of the organization.

Canada_Federal_PBMM_3-1-2020_CA_3

CA_3

Canada Federal PBMM 3-1-2020 CA 3

Information System Connections

System Interconnections

Shared

1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements. 2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated. 3. The organization reviews and updates Interconnection Security Agreements annually.

To establish and maintain secure connections between information systems.

Canada_Federal_PBMM_3-1-2020_CA_3(3)

CA_3(3)

Canada Federal PBMM 3-1-2020 CA 3(3)

Information System Connections

System Interconnections | Classified Non-National Security System Connections

Shared

The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner.

To ensure the integrity and security of internal systems against external threats.

Canada_Federal_PBMM_3-1-2020_CA_3(5)

CA_3(5)

Canada Federal PBMM 3-1-2020 CA 3(5)

Information System Connections

System Interconnections | Restrictions on External Network Connections

Shared

The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems.

To enhance security posture against unauthorized access.

Canada_Federal_PBMM_3-1-2020_CA_7

CA_7

Canada Federal PBMM 3-1-2020 CA 7

Continuous Monitoring

Shared

1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency.

To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements.

120

Canada_Federal_PBMM_3-1-2020_CM_2

CM_2

Canada Federal PBMM 3-1-2020 CM 2

Baseline Configuration

Shared

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

To support effective management and security practices.

Canada_Federal_PBMM_3-1-2020_CM_2(1)

CM_2(1)

Canada Federal PBMM 3-1-2020 CM 2(1)

Baseline Configuration

Baseline Configuration | Reviews and Updates

Shared

The organization reviews and updates the baseline configuration of the information system: 1. at least annually; or 2. When required due to significant changes as defined in NIST SP 800-37 rev1; and 3. As an integral part of information system component installations and upgrades.

To ensure alignment with current security standards and operational requirements.

Canada_Federal_PBMM_3-1-2020_CM_2(2)

CM_2(2)

Canada Federal PBMM 3-1-2020 CM 2(2)

Baseline Configuration

Baseline Configuration | Automation Support for Accuracy / Currency

Shared

The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

To ensure the information system maintains an up-to-date, complete, accurate, and readily available baseline configuration

Canada_Federal_PBMM_3-1-2020_IA_5

IA_5

Canada Federal PBMM 3-1-2020 IA 5

Authenticator Management

Shared

1. The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. 2. The organization manages information system authenticators by establishing initial authenticator content for authenticators defined by the organization. 3. The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use. 4. The organization manages information system authenticators by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators. 5. The organization manages information system authenticators by changing the default content of authenticators prior to information system installation. 6. The organization manages information system authenticators by establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators. 7. The organization manages information system authenticators by changing/refreshing authenticators in accordance with CCCS’s ITSP.30.031. 8. The organization manages information system authenticators by protecting authenticator content from unauthorized disclosure and modification. 9. The organization manages information system authenticators by requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators. 10. The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes.

To effectively manage information system authenticators through verification of recipient identity.

Canada_Federal_PBMM_3-1-2020_IA_5(11)

IA_5(11)

Canada Federal PBMM 3-1-2020 IA 5(11)

Authenticator Management

Authenticator Management | Hardware Token-Based Authentication

Shared

The information system, for hardware token-based authentication, employs mechanisms that satisfy CCCS's ITSP.30.031 token quality requirements.

To enhance overall security and compliance with CCCS guidelines.

Canada_Federal_PBMM_3-1-2020_MP_1

MP_1

Canada Federal PBMM 3-1-2020 MP 1

Media Protection Policy and Procedures

Shared

1. The organization develops, documents, and disseminates to all personnel: a. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the media protection policy and associated media protection controls. 2. The organization reviews and updates the current: a. Media protection policy at least every 3 years; and b. Media protection procedures at least annually.

To implement media protection policy and procedures.

Canada_Federal_PBMM_3-1-2020_PL_1

PL_1

Canada Federal PBMM 3-1-2020 PL 1

Security Planning Policy and Procedures

Shared

1. The organization develops, documents, and disseminates to personnel or roles with security planning responsibilities a. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the security planning policy and associated security planning controls. 2. The organization reviews and updates the current: a. Security planning policy at least every 3 years; and b. Security planning procedures at least annually.

To ensure safety of data and enhance security posture.

Canada_Federal_PBMM_3-1-2020_PL_2

PL_2

Canada Federal PBMM 3-1-2020 PL 2

System Security Plan

Shared

1. The organization develops a security plan for the information system that: a. Is consistent with the organization’s enterprise architecture; b. Explicitly defines the authorization boundary for the system; c. Describes the operational context of the information system in terms of missions and business processes; d. Provides the security categorization of the information system including supporting rationale; e. Describes the operational environment for the information system and relationships with or connections to other information systems; f. Provides an overview of the security requirements for the system; g. Identifies any relevant overlays, if applicable; h. Describes the security controls in place or planned for meeting those requirements including a rationale for tailoring decisions; and i. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation. 2. The organization distributes copies of the security plan and communicates subsequent changes to the plan to personnel or roles with security planning responsibilities. 3. The organization reviews the security plan for the information system at least annually. 4. The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments. 5. The organization protects the security plan from unauthorized disclosure and modification.

To ensure safety of data and enhance security posture.

Canada_Federal_PBMM_3-1-2020_RA_5(1)

RA_5(1)

Canada Federal PBMM 3-1-2020 RA 5(1)

Vulnerability Scanning

Vulnerability Scanning | Update Tool Capability

Shared

The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

To employ vulnerability scanning tools.

CIS_Azure_2.0.0

2.1.13

CIS_Azure_2.0.0_2.1.13

CIS Microsoft Azure Foundations Benchmark recommendation 2.1.13

2.1

Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'

Shared

Running Microsoft Defender for Cloud incurs additional charges for each resource monitored. Please see attached reference for exact charges per hour.

Ensure that the latest OS patches for all virtual machines are applied. Windows and Linux virtual machines should be kept updated to: - Address a specific bug or flaw - Improve an OS or application’s general stability - Fix a security vulnerability The Azure Security Center retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The security center also checks for the latest updates in Linux systems. If a VM is missing a system update, the security center will recommend system updates be applied.

link

CIS_Azure_Foundations_v2.1.0

2.1.12

CIS_Azure_Foundations_v2.1.0_2.1.12

CIS Azure Foundations v2.1.0 2.1.12

Security Monitoring

Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'

Shared

n/a

Ensure that the recommendation for applying system updates is marked as completed.

10.7

CIS_Controls_v8.1_10.7

CIS Controls v8.1 10.7

Malware Defenses

Use behaviour based anti-malware software

Shared

Use behaviour based anti-malware software

To ensure that a generic anti-malware software is not used.

13.1

CIS_Controls_v8.1_13.1

CIS Controls v8.1 13.1

Network Monitoring and Defense

Centralize security event alerting

Shared

1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard.

To ensure that any security event is immediately alerted enterprise-wide.

13.3

CIS_Controls_v8.1_13.3

CIS Controls v8.1 13.3

Network Monitoring and Defense

Deploy a network intrusion detection solution

Shared

1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

To enhance the organization's cybersecurity.

18.4

CIS_Controls_v8.1_18.4

CIS Controls v8.1 18.4

Penetration Testing

Validate security measures

Shared

Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.

To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise.

4.1

CIS_Controls_v8.1_4.1

CIS Controls v8.1 4.1

Secure Configuration of Enterprise Assets and Software

Establish and maintain a secure configuration process.

Shared

1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). 2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard.

To ensure data integrity and safety of enterprise assets.

7.3

CIS_Controls_v8.1_7.3

CIS Controls v8.1 7.3

Continuous Vulnerability Management

Perform automated operating system patch management

Shared

Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

To close security vulnerabilities and optimize performance of operating systems.

CMMC_L2_v1.9.0_SI.L1_3.14.1

8.11

CIS_Controls_v8.1_8.11

CIS Controls v8.1 8.11

Audit Log Management

Conduct audit log reviews

Shared

1. Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. 2. Conduct reviews on a weekly, or more frequent, basis.

To ensure the integrity of the data in audit logs.

CMMC_L2_v1.9.0

SI.L1_3.14.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.1

System and Information Integrity

Flaw Remediation

Shared

Identify, report, and correct information and information system flaws in a timely manner.

To safeguard assets and maintain operational continuity.

AIS_07

CSA_v4.0.12_AIS_07

CSA Cloud Controls Matrix v4.0.12 AIS 07

Application & Interface Security

Application Vulnerability Remediation

Shared

n/a

Define and implement a process to remediate application security vulnerabilities, automating remediation when possible.

CCC_07

CSA_v4.0.12_CCC_07

CSA Cloud Controls Matrix v4.0.12 CCC 07

Change Control and Configuration Management

Detection of Baseline Deviation

Shared

n/a

Implement detection measures with proactive notification in case of changes deviating from the established baseline.

TVM_04

CSA_v4.0.12_TVM_04

CSA Cloud Controls Matrix v4.0.12 TVM 04

Threat & Vulnerability Management

Detection Updates

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis.

TVM_08

CSA_v4.0.12_TVM_08

CSA Cloud Controls Matrix v4.0.12 TVM 08

Threat & Vulnerability Management

Vulnerability Prioritization

Shared

n/a

Use a risk-based model for effective prioritization of vulnerability remediation using an industry recognized framework.

DORA_2022_2554

9.3c

DORA_2022_2554_9.3c

DORA 2022 2554 9.3c

Prevent Data Availability and Integrity Issues in ICT Systems

Shared

n/a

Implement measures in information and communication technology (ICT) to prevent issues related to data availability, authenticity, integrity, confidentiality breaches, and data loss.

EU_2555_(NIS2)_2022_11

EU 2022/2555 (NIS2) 2022 11

Requirements, technical capabilities and tasks of CSIRTs

Shared

n/a

Outlines the requirements, technical capabilities, and tasks of CSIRTs.

EU_2555_(NIS2)_2022_12

EU 2022/2555 (NIS2) 2022 12

Coordinated vulnerability disclosure and a European vulnerability database

Shared

n/a

Establishes a coordinated vulnerability disclosure process and a European vulnerability database.

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

189

EU_2555_(NIS2)_2022_29

EU 2022/2555 (NIS2) 2022 29

Cybersecurity information-sharing arrangements

Shared

n/a

Allows entities to exchange relevant cybersecurity information on a voluntary basis.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

306

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

306

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

306

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

306

.11

FBI_Criminal_Justice_Information_Services_v5.9.5_5.11

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11

Policy and Implementation - Formal Audits

Policy Area 11: Formal Audits

Shared

Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit.

Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies.

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.7

404 not found

n/a

FFIEC_CAT_2017

3.3.1

FFIEC_CAT_2017_3.3.1

FFIEC CAT 2017 3.3.1

Cybersecurity Controls

Patch Management

Shared

n/a

- A patch management program is implemented and ensures that software and firmware patches are applied in a timely manner. - Patches are tested before being applied to systems and/or software. - Patch management reports are reviewed and reflect missing security patches.

HITRUST_CSF_v11.3

10.c

HITRUST_CSF_v11.3_10.c

HITRUST CSF v11.3 10.c

Correct Processing in Applications

Incorporate validation checks into applications to detect any corruption of information through processing errors or deliberate acts.

Shared

Data integrity controls which manage changes, prevent sequencing errors, ensure recovery from failures, and protect against buffer overrun attacks are to be implemented.

Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.

HITRUST_CSF_v11.3

10.m

HITRUST_CSF_v11.3_10.m

HITRUST CSF v11.3 10.m

Technical Vulnerability Management

Reduce the risks resulting from exploitation of published technical vulnerabilities, technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness.

Shared

1. The necessary secure services, protocols required for the function of the system are to be enabled. 2. Security features to be implemented for any required services that are considered to be insecure. 3. Laptops, workstations, and servers to be configured so they will not auto-run content from removable media. 4. Configuration standards to be consistent with industry-accepted system hardening standards. 5. An enterprise security posture review within every 365 days is to be conducted. 6. Vulnerability scanning tools to be regularly updated with all relevant information system vulnerabilities.

Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.

2.10.1

K_ISMS_P_2018_2.10.1

K ISMS P 2018 2.10.1

2.10

Establish Procedures for Managing the Security of System Operations

Shared

n/a

Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions.

455

2.10.2

K_ISMS_P_2018_2.10.2

K ISMS P 2018 2.10.2

2.10

Establish Protective Measures for Administrator Privileges and Security Configurations

Shared

n/a

Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations.

431

2.10.8

K_ISMS_P_2018_2.10.8

K ISMS P 2018 2.10.8

2.10

Apply the Latest Patches to Software and Hardware

Shared

n/a

Apply the latest patches to software and hardware to prevent vulnerabilities in operating systems and security systems. If the latest patch cannot be applied, supplemental protective measures must be implemented such as exception approval.

New_Zealand_ISM_12.4.4.C.02

2.11.2

K_ISMS_P_2018_2.11.2

K ISMS P 2018 2.11.2

2.11

Perform Periodic Inspections of the Information System to Identify and Address Vulnerabilities

Shared

n/a

Perform periodic inspections of the information system to identify and address vulnerabilities in a timely manner. Continuous monitoring for new security vulnerabilities with analysis of its potential impacts to the information system must also be performed.

New_Zealand_ISM

12.4.4.C.02

12. Product Security

12.4.4.C.02 Patching vulnerabilities in products

n/a

Agencies MUST implement a patch management strategy, including an evaluation or testing process.

NIST_CSF_v2.0

DE.CM_09

NIST_CSF_v2.0_DE.CM_09

NIST CSF v2.0 DE.CM 09

DETECT- Continuous Monitoring

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

Shared

n/a

To identify and analyze the cybersecurity attacks and compromises.

NIST_SP_800-171_R3_3

.14.1

NIST_SP_800-171_R3_3.14.1

NIST 800-171 R3 3.14.1

System and Information Integrity Control

Flaw Remediation

Shared

Organizations identify systems that are affected by announced software and firmware flaws, including potential vulnerabilities that result from those flaws, and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address the flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources, such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases, in remediating the flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors, including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.

a. Identify, report, and correct system flaws. b. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates.

NIST_SP_800-53_R5.1.1

SI.2

NIST_SP_800-53_R5.1.1_SI.2

NIST SP 800-53 R5.1.1 SI.2

System and Information Integrity Control

Flaw Remediation

Shared

a. Identify, report, and correct system flaws; b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d. Incorporate flaw remediation into the organizational configuration management process.

The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

NIST_SP_800-53_R5.1.1

SI.2.4

NIST_SP_800-53_R5.1.1_SI.2.4

NIST SP 800-53 R5.1.1 SI.2.4

System and Information Integrity Control

Flaw Remediation | Automated Patch Management Tools

Shared

Employ automated patch management tools to facilitate flaw remediation to the following system components: [Assignment: organization-defined system components].

Using automated tools to support patch management helps to ensure the timeliness and completeness of system patching operations.

12.4.4.C.01.

NZISM_v3.7_12.4.4.C.01.

NZISM v3.7 12.4.4.C.01.

Product Patching and Updating

12.4.4.C.01. - mitigate the risk of exploitation by malicious actors and to ensure the ongoing security and integrity of the agency's IT systems and data.

Shared

n/a

Agencies MUST apply all critical security patches as soon as possible and within two (2) days of the release of the patch or update.

12.4.4.C.02.

NZISM_v3.7_12.4.4.C.02.

NZISM v3.7 12.4.4.C.02.

Product Patching and Updating

12.4.4.C.02. - minimise the risk of disruptions or vulnerabilities introduced by the patches.

Shared

n/a

Agencies MUST implement a patch management strategy, including an evaluation or testing process.

12.4.4.C.04.

NZISM_v3.7_12.4.4.C.04.

NZISM v3.7 12.4.4.C.04.

Product Patching and Updating

12.4.4.C.04. - mitigate the risk of exploitation by malicious actors and to ensure the ongoing security and integrity of the agency's IT systems and data.

Shared

n/a

Agencies SHOULD apply all critical security patches as soon as possible and preferably within two (2) days of the release of the patch or update.

12.4.4.C.05.

NZISM_v3.7_12.4.4.C.05.

NZISM v3.7 12.4.4.C.05.

Product Patching and Updating

12.4.4.C.05. - reduce the potential attack surface for malicious actors.

Shared

n/a

Agencies SHOULD apply all non-critical security patches as soon as possible.

12.4.4.C.06.

NZISM_v3.7_12.4.4.C.06.

NZISM v3.7 12.4.4.C.06.

Product Patching and Updating

12.4.4.C.06. - maintain the integrity and effectiveness of the patching process.

Shared

n/a

Agencies SHOULD ensure that security patches are applied through a vendor recommended patch or upgrade process.