compliance controls are associated with this Policy definition 'An activity log alert should exist for specific Policy operations' (c5447c04-a4d7-4ba8-a263-c9ee321a6858)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Canada_Federal_PBMM_3-1-2020 |
AC_2(4) |
Canada_Federal_PBMM_3-1-2020_AC_2(4) |
Canada Federal PBMM 3-1-2020 AC 2(4) |
Account Management |
Account Management | Automated Audit Actions |
Shared |
1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers.
2. Related controls: AU-2, AU-12. |
To ensure accountability and transparency within the information system. |
|
52 |
| Canada_Federal_PBMM_3-1-2020 |
AC_6(9) |
Canada_Federal_PBMM_3-1-2020_AC_6(9) |
Canada Federal PBMM 3-1-2020 AC 6(9) |
Least Privilege |
Least Privilege | Auditing Use of Privileged Functions |
Shared |
The information system audits the execution of privileged functions. |
To enhance oversight and detect potential security breaches or unauthorized activities.
|
|
15 |
| Canada_Federal_PBMM_3-1-2020 |
AU_1 |
Canada_Federal_PBMM_3-1-2020_AU_1 |
Canada Federal PBMM 3-1-2020 AU 1 |
Audit and Accountability Policy and Procedures |
Audit and Accountability Policy and Procedures |
Shared |
1. The organization develops, documents, and disseminates to personnel or roles with audit responsibilities;
a. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
2. The organization reviews and updates the current:
a. Audit and accountability policy at least every three years; and
b. Audit and accountability procedures at least annually. |
To ensure adherence to policies, alignment with regulatory requirements, and ongoing effectiveness of controls. |
|
5 |
| Canada_Federal_PBMM_3-1-2020 |
AU_12 |
Canada_Federal_PBMM_3-1-2020_AU_12 |
Canada Federal PBMM 3-1-2020 AU 12 |
Audit Generation |
Audit Generation |
Shared |
1. The information system provides audit record generation capability for the auditable events defined in AU-2 a. of all information system and network components where audit capability is deployed/available.
2. The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system.
3. The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
To support effective monitoring and logging of security events. |
|
5 |
| Canada_Federal_PBMM_3-1-2020 |
AU_2 |
Canada_Federal_PBMM_3-1-2020_AU_2 |
Canada Federal PBMM 3-1-2020 AU 2 |
Auditable Events |
Audit Events |
Shared |
1. The organization determines that the information system is capable of auditing the following events: Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes.
2. The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events.
3. The organization provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents.
4. The organization determines what organizationally-defined audited events (a subset of the auditable events defined in AU-2 a.) and the frequency of (or situation requiring) auditing for each identified event. |
To ensure comprehensive auditing capabilities to facilitate post-incident investigations and ensure alignment with organizational security objectives.
|
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
AU_2(3) |
Canada_Federal_PBMM_3-1-2020_AU_2(3) |
Canada Federal PBMM 3-1-2020 AU 2(3) |
Auditable Events |
Audit Events | Reviews and Updates |
Shared |
The organization reviews and updates the audited events annually or whenever there is a change in the threat environment. |
To maintain alignment with evolving security needs and ensure effective incident detection and response. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
AU_3 |
Canada_Federal_PBMM_3-1-2020_AU_3 |
Canada Federal PBMM 3-1-2020 AU 3 |
Content of Audit Records |
Content of Audit Records |
Shared |
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. |
To enable thorough event tracking and analysis for security purposes. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
AU_3(1) |
Canada_Federal_PBMM_3-1-2020_AU_3(1) |
Canada Federal PBMM 3-1-2020 AU 3(1) |
Content of Audit Records |
Content of Audit Records | Additional Audit Information |
Shared |
The information system generates audit records containing the following additional information: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon. |
To enhance event analysis and aid in identifying and diagnosing security-related activities. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
AU_6 |
Canada_Federal_PBMM_3-1-2020_AU_6 |
Canada Federal PBMM 3-1-2020 AU 6 |
Audit Review, Analysis, and Reporting |
Audit Review, Analysis, and Reporting |
Shared |
1. The organization reviews and analyses information system audit records at least every 7 days for indications of compromise identified in SI-4(5).
2. The organization reports findings to organization-defined personnel or roles. |
To ensure prompt response and mitigation of identified security threats or compromises. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
AU_6(1) |
Canada_Federal_PBMM_3-1-2020_AU_6(1) |
Canada Federal PBMM 3-1-2020 AU 6(1) |
Audit Review, Analysis, and Reporting |
Audit Review, Analysis, and Reporting | Process Integration |
Shared |
The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. |
To enhance organizational capabilities for investigating and responding to suspicious activities efficiently and effectively. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
AU_6(3) |
Canada_Federal_PBMM_3-1-2020_AU_6(3) |
Canada Federal PBMM 3-1-2020 AU 6(3) |
Audit Review, Analysis, and Reporting |
Audit Review, Analysis, and Reporting | Correlate Audit Repositories |
Shared |
The organization analyses and correlates audit records across different repositories to gain organization-wide situational awareness. |
To enable comprehensive understanding and detection of security-related events and trends.
|
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
AU_7 |
Canada_Federal_PBMM_3-1-2020_AU_7 |
Canada Federal PBMM 3-1-2020 AU 7 |
Audit Reduction and Report Generation |
Audit Reduction and Report Generation |
Shared |
1. The information system provides an audit reduction and report generation capability that supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents.
2. The information system provides an audit reduction and report generation capability that does not alter the original content or time ordering of audit records. |
To ensure accurate and reliable results. |
|
4 |
| Canada_Federal_PBMM_3-1-2020 |
CA_7 |
Canada_Federal_PBMM_3-1-2020_CA_7 |
Canada Federal PBMM 3-1-2020 CA 7 |
Continuous Monitoring |
Continuous Monitoring |
Shared |
1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored.
2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan.
3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy.
4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy.
5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring.
6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information.
7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency. |
To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements. |
|
124 |
| Canada_Federal_PBMM_3-1-2020 |
SI_4 |
Canada_Federal_PBMM_3-1-2020_SI_4 |
Canada Federal PBMM 3-1-2020 SI 4 |
Information System Monitoring |
Information System Monitoring |
Shared |
1. The organization monitors the information system to detect:
a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and
b. Unauthorized local, network, and remote connections;
2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods.
3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization.
4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.
5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information.
6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards.
7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency. |
To enhance overall security posture.
|
|
95 |
| Canada_Federal_PBMM_3-1-2020 |
SI_4(1) |
Canada_Federal_PBMM_3-1-2020_SI_4(1) |
Canada Federal PBMM 3-1-2020 SI 4(1) |
Information System Monitoring |
Information System Monitoring | System-Wide Intrusion Detection System |
Shared |
The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. |
To enhance overall security posture.
|
|
95 |
| Canada_Federal_PBMM_3-1-2020 |
SI_4(2) |
Canada_Federal_PBMM_3-1-2020_SI_4(2) |
Canada Federal PBMM 3-1-2020 SI 4(2) |
Information System Monitoring |
Information System Monitoring | Automated Tools for Real-Time Analysis |
Shared |
The organization employs automated tools to support near real-time analysis of events. |
To enhance overall security posture.
|
|
94 |
| CIS_Azure_1.1.0 |
5.2.1 |
CIS_Azure_1.1.0_5.2.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 |
5 Logging and Monitoring |
Ensure that Activity Log Alert exists for Create Policy Assignment |
Shared |
The customer is responsible for implementing this recommendation. |
Create an activity log alert for the Create Policy Assignment event. |
link |
4 |
| CIS_Azure_1.3.0 |
5.2.1 |
CIS_Azure_1.3.0_5.2.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 |
5 Logging and Monitoring |
Ensure that Activity Log Alert exists for Create Policy Assignment |
Shared |
The customer is responsible for implementing this recommendation. |
Create an activity log alert for the Create Policy Assignment event. |
link |
4 |
| CIS_Azure_1.3.0 |
5.2.2 |
CIS_Azure_1.3.0_5.2.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 |
5 Logging and Monitoring |
Ensure that Activity Log Alert exists for Delete Policy Assignment |
Shared |
The customer is responsible for implementing this recommendation. |
Create an activity log alert for the Delete Policy Assignment event. |
link |
4 |
| CIS_Azure_1.4.0 |
5.2.1 |
CIS_Azure_1.4.0_5.2.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 |
5 Logging and Monitoring |
Ensure that Activity Log Alert exists for Create Policy Assignment |
Shared |
The customer is responsible for implementing this recommendation. |
Create an activity log alert for the Create Policy Assignment event. |
link |
4 |
| CIS_Azure_1.4.0 |
5.2.2 |
CIS_Azure_1.4.0_5.2.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 |
5 Logging and Monitoring |
Ensure that Activity Log Alert exists for Delete Policy Assignment |
Shared |
The customer is responsible for implementing this recommendation. |
Create an activity log alert for the Delete Policy Assignment event. |
link |
4 |
| CIS_Azure_2.0.0 |
5.1.2 |
CIS_Azure_2.0.0_5.1.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 |
5.1 |
Ensure Diagnostic Setting captures appropriate categories |
Shared |
n/a |
**Prerequisite**: A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: "Ensure that a 'Diagnostic Setting' exists."
The diagnostic setting should be configured to log the appropriate activities from the control/management plane.
A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting. |
link |
8 |
| CIS_Azure_2.0.0 |
5.2.1 |
CIS_Azure_2.0.0_5.2.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 |
5.2 |
Ensure that Activity Log Alert exists for Create Policy Assignment |
Shared |
n/a |
Create an activity log alert for the Create Policy Assignment event.
Monitoring for create policy assignment events gives insight into changes done in "Azure policy - assignments" and can reduce the time it takes to detect unsolicited changes. |
link |
4 |
| CIS_Azure_2.0.0 |
5.2.2 |
CIS_Azure_2.0.0_5.2.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 |
5.2 |
Ensure that Activity Log Alert exists for Delete Policy Assignment |
Shared |
n/a |
Create an activity log alert for the Delete Policy Assignment event.
Monitoring for delete policy assignment events gives insight into changes done in "azure policy - assignments" and can reduce the time it takes to detect unsolicited changes. |
link |
4 |
| CIS_Azure_Foundations_v2.1.0 |
5.2.1 |
CIS_Azure_Foundations_v2.1.0_5.2.1 |
CIS Azure Foundations v2.1.0 5.2.1 |
Logging and Monitoring |
Ensure that Activity Log Alert exists for Create Policy Assignment |
Shared |
n/a |
Ensure that an activity log alert exists for the creation of policy assignments. |
|
2 |
| CIS_Azure_Foundations_v2.1.0 |
5.2.2 |
CIS_Azure_Foundations_v2.1.0_5.2.2 |
CIS Azure Foundations v2.1.0 5.2.2 |
Logging and Monitoring |
Ensure that Activity Log Alert exists for Delete Policy Assignment |
Shared |
n/a |
Ensure that an activity log alert exists for the deletion of policy assignments. |
|
1 |
| CIS_Azure_Foundations_v2.1.0 |
5.2.3 |
CIS_Azure_Foundations_v2.1.0_5.2.3 |
CIS Azure Foundations v2.1.0 5.2.3 |
Logging and Monitoring |
Ensure that Activity Log Alert exists for Create or Update Network Security Group |
Shared |
n/a |
Ensure that an activity log alert exists for the creation or update of network security groups. |
|
2 |
| CIS_Controls_v8.1 |
13.1 |
CIS_Controls_v8.1_13.1 |
CIS Controls v8.1 13.1 |
Network Monitoring and Defense |
Centralize security event alerting |
Shared |
1. Centralize security event alerting across enterprise assets for log correlation and analysis.
2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts.
3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard. |
To ensure that any security event is immediately alerted enterprise-wide. |
|
101 |
| CIS_Controls_v8.1 |
4.1 |
CIS_Controls_v8.1_4.1 |
CIS Controls v8.1 4.1 |
Secure Configuration of Enterprise Assets and Software |
Establish and maintain a secure configuration process. |
Shared |
1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications).
2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. |
To ensure data integrity and safety of enterprise assets. |
|
44 |
| CIS_Controls_v8.1 |
8.5 |
CIS_Controls_v8.1_8.5 |
CIS Controls v8.1 8.5 |
Audit Log Management |
Collect detailed audit logs. |
Shared |
1. Configure detailed audit logging for enterprise assets containing sensitive data.
2. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. |
To ensure that audit logs contain all pertinent information that might be required in a forensic investigation. |
|
34 |
| CIS_Controls_v8.1 |
9.3 |
CIS_Controls_v8.1_9.3 |
CIS Controls v8.1 9.3 |
Email and Web Browser Protections |
Maintain and enforce network-based URL filters |
Shared |
1. Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites.
2. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists.
3. Enforce filters for all enterprise assets. |
To prevent users from connecting to unsafe websites. |
|
9 |
| CMMC_L2_v1.9.0 |
AU.L2_3.3.1 |
CMMC_L2_v1.9.0_AU.L2_3.3.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.1 |
Audit and Accountability |
System Auditing |
Shared |
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. |
To enhance security and accountability measures. |
|
41 |
| CMMC_L2_v1.9.0 |
AU.L2_3.3.3 |
CMMC_L2_v1.9.0_AU.L2_3.3.3 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.3 |
Audit and Accountability |
Event Review |
Shared |
Review and update logged events. |
To enhance the effectiveness of security measures. |
|
35 |
| CMMC_L3 |
AU.2.041 |
CMMC_L3_AU.2.041 |
CMMC L3 AU.2.041 |
Audit and Accountability |
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). |
link |
15 |
| CMMC_L3 |
AU.2.042 |
CMMC_L3_AU.2.042 |
CMMC L3 AU.2.042 |
Audit and Accountability |
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance.
Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures.
Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred).
Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. |
link |
15 |
| CMMC_L3 |
AU.3.049 |
CMMC_L3_AU.3.049 |
CMMC L3 AU.3.049 |
Audit and Accountability |
Protect audit information and audit logging tools from unauthorized access, modification, and deletion. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements. |
link |
2 |
| CMMC_L3 |
CM.2.061 |
CMMC_L3_CM.2.061 |
CMMC L3 CM.2.061 |
Configuration Management |
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration
Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. |
link |
2 |
| CMMC_L3 |
CM.2.065 |
CMMC_L3_CM.2.065 |
CMMC L3 CM.2.065 |
Configuration Management |
Track, review, approve or disapprove, and log changes to organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled and unauthorized changes, and changes to remediate vulnerabilities.
Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes to systems. For new development systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards or Change Advisory Boards. Audit logs of changes include activities before and after changes are made to organizational systems and the activities required to implement such changes. |
link |
6 |
| CMMC_L3 |
SI.2.216 |
CMMC_L3_SI.2.216 |
CMMC L3 SI.2.216 |
System and Information Integrity |
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives.
System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.
Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. |
link |
23 |
| CMMC_L3 |
SI.2.217 |
CMMC_L3_SI.2.217 |
CMMC L3 SI.2.217 |
System and Information Integrity |
Identify unauthorized use of organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs.
Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. |
link |
11 |
| CSA_v4.0.12 |
IAM_01 |
CSA_v4.0.12_IAM_01 |
CSA Cloud Controls Matrix v4.0.12 IAM 01 |
Identity & Access Management |
Identity and Access Management Policy and Procedures |
Shared |
n/a |
Establish, document, approve, communicate, implement, apply, evaluate
and maintain policies and procedures for identity and access management. Review
and update the policies and procedures at least annually. |
|
24 |
| CSA_v4.0.12 |
IAM_02 |
CSA_v4.0.12_IAM_02 |
CSA Cloud Controls Matrix v4.0.12 IAM 02 |
Identity & Access Management |
Strong Password Policy and Procedures |
Shared |
n/a |
Establish, document, approve, communicate, implement, apply, evaluate
and maintain strong password policies and procedures. Review and update the
policies and procedures at least annually. |
|
52 |
| CSA_v4.0.12 |
IAM_04 |
CSA_v4.0.12_IAM_04 |
CSA Cloud Controls Matrix v4.0.12 IAM 04 |
Identity & Access Management |
Separation of Duties |
Shared |
n/a |
Employ the separation of duties principle when implementing information
system access. |
|
43 |
| CSA_v4.0.12 |
IAM_07 |
CSA_v4.0.12_IAM_07 |
CSA Cloud Controls Matrix v4.0.12 IAM 07 |
Identity & Access Management |
User Access Changes and Revocation |
Shared |
n/a |
De-provision or respectively modify access of movers / leavers or
system identity changes in a timely manner in order to effectively adopt and
communicate identity and access management policies. |
|
56 |
| CSA_v4.0.12 |
IAM_10 |
CSA_v4.0.12_IAM_10 |
CSA Cloud Controls Matrix v4.0.12 IAM 10 |
Identity & Access Management |
Management of Privileged Access Roles |
Shared |
n/a |
Define and implement an access process to ensure privileged access
roles and rights are granted for a time limited period, and implement procedures
to prevent the culmination of segregated privileged access. |
|
56 |
| CSA_v4.0.12 |
IAM_12 |
CSA_v4.0.12_IAM_12 |
CSA Cloud Controls Matrix v4.0.12 IAM 12 |
Identity & Access Management |
Safeguard Logs Integrity |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to ensure the logging infrastructure is read-only for all with write
access, including privileged access roles, and that the ability to disable it
is controlled through a procedure that ensures the segregation of duties and
break glass procedures. |
|
42 |
| CSA_v4.0.12 |
IAM_13 |
CSA_v4.0.12_IAM_13 |
CSA Cloud Controls Matrix v4.0.12 IAM 13 |
Identity & Access Management |
Uniquely Identifiable Users |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures that ensure users are identifiable through unique IDs or which can
associate individuals to the usage of user IDs. |
|
49 |
| CSA_v4.0.12 |
IAM_14 |
CSA_v4.0.12_IAM_14 |
CSA Cloud Controls Matrix v4.0.12 IAM 14 |
Identity & Access Management |
Strong Authentication |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures for authenticating access to systems, application and data assets,
including multifactor authentication for at least privileged user and sensitive
data access. Adopt digital certificates or alternatives which achieve an equivalent
level of security for system identities. |
|
32 |
| CSA_v4.0.12 |
IAM_15 |
CSA_v4.0.12_IAM_15 |
CSA Cloud Controls Matrix v4.0.12 IAM 15 |
Identity & Access Management |
Passwords Management |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures for the secure management of passwords. |
|
26 |
| CSA_v4.0.12 |
IAM_16 |
CSA_v4.0.12_IAM_16 |
CSA Cloud Controls Matrix v4.0.12 IAM 16 |
Identity & Access Management |
Authorization Mechanisms |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to verify access to data and system functions is authorized. |
|
46 |
| CSA_v4.0.12 |
LOG_05 |
CSA_v4.0.12_LOG_05 |
CSA Cloud Controls Matrix v4.0.12 LOG 05 |
Logging and Monitoring |
Audit Logs Monitoring and Response |
Shared |
n/a |
Monitor security audit logs to detect activity outside of typical
or expected patterns. Establish and follow a defined process to review and take
appropriate and timely actions on detected anomalies. |
|
9 |
| CSA_v4.0.12 |
LOG_07 |
CSA_v4.0.12_LOG_07 |
CSA Cloud Controls Matrix v4.0.12 LOG 07 |
Logging and Monitoring |
Logging Scope |
Shared |
n/a |
Establish, document and implement which information meta/data system
events should be logged. Review and update the scope at least annually or whenever
there is a change in the threat environment. |
|
35 |
| CSA_v4.0.12 |
LOG_08 |
CSA_v4.0.12_LOG_08 |
CSA Cloud Controls Matrix v4.0.12 LOG 08 |
Logging and Monitoring |
Log Records |
Shared |
n/a |
Generate audit records containing relevant security information. |
|
24 |
| CSA_v4.0.12 |
LOG_10 |
CSA_v4.0.12_LOG_10 |
CSA Cloud Controls Matrix v4.0.12 LOG 10 |
Logging and Monitoring |
Encryption Monitoring and Reporting |
Shared |
n/a |
Establish and maintain a monitoring and internal reporting capability
over the operations of cryptographic, encryption and key management policies,
processes, procedures, and controls. |
|
24 |
| CSA_v4.0.12 |
LOG_11 |
CSA_v4.0.12_LOG_11 |
CSA Cloud Controls Matrix v4.0.12 LOG 11 |
Logging and Monitoring |
Transaction/Activity Logging |
Shared |
n/a |
Log and monitor key lifecycle management events to enable auditing
and reporting on usage of cryptographic keys. |
|
24 |
| Cyber_Essentials_v3.1 |
2 |
Cyber_Essentials_v3.1_2 |
Cyber Essentials v3.1 2 |
Cyber Essentials |
Secure Configuration |
Shared |
n/a |
Aim: ensure that computers and network devices are properly configured to reduce vulnerabilities and provide only the services required to fulfill their role. |
|
61 |
| Cyber_Essentials_v3.1 |
4 |
Cyber_Essentials_v3.1_4 |
Cyber Essentials v3.1 4 |
Cyber Essentials |
User Access Control |
Shared |
n/a |
Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role. |
|
74 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
310 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.4 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.4 |
404 not found |
|
|
|
n/a |
n/a |
|
42 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.5 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 |
Policy and Implementation - Access Control |
Access Control |
Shared |
Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. |
Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. |
|
97 |
| FFIEC_CAT_2017 |
2.2.1 |
FFIEC_CAT_2017_2.2.1 |
FFIEC CAT 2017 2.2.1 |
Threat Intelligence and Collaboration |
Monitoring and Analyzing |
Shared |
n/a |
- Audit log records and other security event logs are reviewed and retained in a secure manner.
- Computer event logs are used for investigations once an event has occurred. |
|
23 |
| FFIEC_CAT_2017 |
3.2.2 |
FFIEC_CAT_2017_3.2.2 |
FFIEC CAT 2017 3.2.2 |
Cybersecurity Controls |
Anomalous Activity Detection |
Shared |
n/a |
- The institution is able to detect anomalous activities through monitoring across the environment.
- Customer transactions generating anomalous activity alerts are monitored and reviewed.
- Logs of physical and/or logical access are reviewed following events.
- Access to critical systems by third parties is monitored for unauthorized or unusual activity.
- Elevated privileges are monitored. |
|
27 |
| HITRUST_CSF_v11.3 |
09.aa |
HITRUST_CSF_v11.3_09.aa |
HITRUST CSF v11.3 09.aa |
Monitoring |
Ensure information security events are monitored and recorded to detect unauthorized information processing activities in compliance with all relevant legal requirements. |
Shared |
1. Retention policies for audit logs are to be specified and the audit logs are to be retained accordingly.
2. A secure audit record is to be created each time a user accesses, creates, updates, or deletes covered and/or confidential information via the system.
3. Audit logs are to be maintained for account management activities, security policy changes, configuration changes, modification to sensitive information, read access to sensitive information, and printing of sensitive information. |
Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring. |
|
39 |
| HITRUST_CSF_v11.3 |
09.ab |
HITRUST_CSF_v11.3_09.ab |
HITRUST CSF v11.3 09.ab |
Monitoring |
Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. |
Shared |
1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required.
2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with. |
Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. |
|
113 |
| HITRUST_CSF_v11.3 |
11.a |
HITRUST_CSF_v11.3_11.a |
HITRUST CSF v11.3 11.a |
Reporting Information Security Incidents and Weaknesses |
Ensure information security events and weaknesses associated with information systems are handled in a manner allowing timely corrective action to be taken. |
Shared |
A designated and widely known point of contact is to be established within the organization to promptly report information security events, ensuring availability and timely responses; additionally, a maintained list of third-party contacts, such as information security officers' email addresses, facilitates for the reporting of security incidents. |
Information security events shall be reported through appropriate communications channels as quickly as possible. All employees, contractors and third-party users shall be made aware of their responsibility to report any information security events as quickly as possible. |
|
11 |
| ISO_IEC_27001_2022 |
9.1 |
ISO_IEC_27001_2022_9.1 |
ISO IEC 27001 2022 9.1 |
Performance Evaluation |
Monitoring, measurement, analysis and evaluation |
Shared |
1. The organization shall determine:
a. what needs to be monitored and measured, including information security processes and controls;
b. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid;
c. when the monitoring and measuring shall be performed;
d. who shall monitor and measure;
e. when the results from monitoring and measurement shall be analysed and evaluated;
f. who shall analyse and evaluate these results.
2. Documented information shall be available as evidence of the results. |
Specifies that the organisation must evaluate information security performance and the effectiveness of the information security management system. |
|
44 |
| ISO_IEC_27002_2022 |
8.15 |
ISO_IEC_27002_2022_8.15 |
ISO IEC 27002 2022 8.15 |
Detection Control |
Logging |
Shared |
Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed.
|
To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations. |
|
30 |
| ISO_IEC_27017_2015 |
12.4.1 |
ISO_IEC_27017_2015_12.4.1 |
ISO IEC 27017 2015 12.4.1 |
Operations Security |
Event Logging |
Shared |
For Cloud Service Customer:
The cloud service customer should define its requirements for event logging and verify that the cloud service meets those requirements.
For Cloud Service Provider:
The cloud service provider should provide logging capabilities to the cloud service customer. |
To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations. |
|
25 |
| ISO_IEC_27017_2015 |
Annex_A:_CLD.6.3.1 |
ISO_IEC_27017_2015_Annex_A:_CLD.6.3.1 |
404 not found |
|
|
|
n/a |
n/a |
|
5 |
| NIST_CSF_v2.0 |
DE.AE_03 |
NIST_CSF_v2.0_DE.AE_03 |
NIST CSF v2.0 DE.AE 03 |
DETECT-Adverse Event Analysis |
Information is correlated from multiple sources. |
Shared |
n/a |
To identify and analyze the cybersecurity attacks and compromises. |
|
26 |
| NIST_SP_800-171_R3_3 |
.15.3 |
NIST_SP_800-171_R3_3.15.3 |
NIST 800-171 R3 3.15.3 |
Planning Control |
Rules of Behavior |
Shared |
Rules of behavior represent a type of access agreement for system users. Organizations consider rules of behavior for the handling of CUI based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. |
a. Establish and provide to individuals requiring access to the system, rules that describe their responsibilities and expected behavior for handling CUI and system usage.
b. Receive a documented acknowledgement from individuals indicating that they have read, understand, and agree to abide by the rules of behavior before authorizing access to CUI and the system.
c. Review and update the rules of behavior periodically. |
|
4 |
| NIST_SP_800-171_R3_3 |
.3.1 |
NIST_SP_800-171_R3_3.3.1 |
404 not found |
|
|
|
n/a |
n/a |
|
35 |
| NIST_SP_800-171_R3_3 |
.3.5 |
NIST_SP_800-171_R3_3.3.5 |
404 not found |
|
|
|
n/a |
n/a |
|
17 |
| NIST_SP_800-53_R5.1.1 |
AU.12 |
NIST_SP_800-53_R5.1.1_AU.12 |
NIST SP 800-53 R5.1.1 AU.12 |
Audit and Accountability Control |
Audit Record Generation |
Shared |
a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components];
b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and
c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3. |
Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records. |
|
21 |
| NIST_SP_800-53_R5.1.1 |
AU.2 |
NIST_SP_800-53_R5.1.1_AU.2 |
NIST SP 800-53 R5.1.1 AU.2 |
Audit and Accountability Control |
Event Logging |
Shared |
a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging];
b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];
d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and
e. Review and update the event types selected for logging [Assignment: organization-defined frequency]. |
An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.
To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.
Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-17(1), CM-3f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-7, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures. |
|
24 |
| NIST_SP_800-53_R5.1.1 |
AU.6 |
NIST_SP_800-53_R5.1.1_AU.6 |
NIST SP 800-53 R5.1.1 AU.6 |
Audit and Accountability Control |
Audit Record Review, Analysis, and Reporting |
Shared |
a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity;
b. Report findings to [Assignment: organization-defined personnel or roles]; and
c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. |
Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received. |
|
9 |
| NZISM_v3.7 |
19.1.10.C.01. |
NZISM_v3.7_19.1.10.C.01. |
NZISM v3.7 19.1.10.C.01. |
Gateways |
19.1.10.C.01. - ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks. |
Shared |
n/a |
When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection. |
|
50 |
| NZISM_v3.7 |
19.1.11.C.01. |
NZISM_v3.7_19.1.11.C.01. |
NZISM v3.7 19.1.11.C.01. |
Gateways |
19.1.11.C.01. - ensure network protection through gateway mechanisms. |
Shared |
n/a |
Agencies MUST ensure that:
1. all agency networks are protected from networks in other security domains by one or more gateways;
2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and
3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room. |
|
49 |
| NZISM_v3.7 |
19.1.11.C.02. |
NZISM_v3.7_19.1.11.C.02. |
NZISM v3.7 19.1.11.C.02. |
Gateways |
19.1.11.C.02. - maintain security and integrity across domains. |
Shared |
n/a |
For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party. |
|
48 |
| NZISM_v3.7 |
19.1.12.C.01. |
NZISM_v3.7_19.1.12.C.01. |
NZISM v3.7 19.1.12.C.01. |
Gateways |
19.1.12.C.01. - minimize security risks and ensure effective control over network communications |
Shared |
n/a |
Agencies MUST ensure that gateways:
1. are the only communications paths into and out of internal networks;
2. by default, deny all connections into and out of the network;
3. allow only explicitly authorised connections;
4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network);
5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and
6. provide real-time alerts. |
|
47 |
| NZISM_v3.7 |
19.1.14.C.01. |
NZISM_v3.7_19.1.14.C.01. |
NZISM v3.7 19.1.14.C.01. |
Gateways |
19.1.14.C.01. - enhance security by segregating resources from the internal network. |
Shared |
n/a |
Agencies MUST use demilitarised zones to house systems and information directly accessed externally. |
|
40 |
| NZISM_v3.7 |
19.1.14.C.02. |
NZISM_v3.7_19.1.14.C.02. |
NZISM v3.7 19.1.14.C.02. |
Gateways |
19.1.14.C.02. - enhance security by segregating resources from the internal network. |
Shared |
n/a |
Agencies SHOULD use demilitarised zones to house systems and information directly accessed externally. |
|
39 |
| NZISM_v3.7 |
19.1.19.C.01. |
NZISM_v3.7_19.1.19.C.01. |
NZISM v3.7 19.1.19.C.01. |
Gateways |
19.1.19.C.01. - enhance security posture. |
Shared |
n/a |
Agencies MUST limit access to gateway administration functions. |
|
34 |
| NZISM_v3.7 |
19.2.16.C.02. |
NZISM_v3.7_19.2.16.C.02. |
NZISM v3.7 19.2.16.C.02. |
Cross Domain Solutions (CDS) |
19.2.16.C.02. - maintain security and prevent unauthorized access or disclosure of sensitive information.
|
Shared |
n/a |
Agencies MUST NOT implement a gateway permitting data to flow directly from:
1. a TOP SECRET network to any network below SECRET;
2. a SECRET network to an UNCLASSIFIED network; or
3. a CONFIDENTIAL network to an UNCLASSIFIED network. |
|
34 |
| NZISM_v3.7 |
19.2.18.C.01. |
NZISM_v3.7_19.2.18.C.01. |
NZISM v3.7 19.2.18.C.01. |
Cross Domain Solutions (CDS) |
19.2.18.C.01. - enhance data security and prevent unauthorized access or leakage between classified networks and less classified networks. |
Shared |
n/a |
Agencies MUST ensure that all bi-directional gateways between TOP SECRET and SECRET networks, SECRET and less classified networks, and CONFIDENTIAL and less classified networks, have separate upward and downward paths which use a diode and physically separate infrastructure for each path. |
|
34 |
| NZISM_v3.7 |
19.2.19.C.01. |
NZISM_v3.7_19.2.19.C.01. |
NZISM v3.7 19.2.19.C.01. |
Cross Domain Solutions (CDS) |
19.2.19.C.01. - ensure the integrity and reliability of information accessed or received.
|
Shared |
n/a |
Trusted sources MUST be:
1. a strictly limited list derived from business requirements and the result of a security risk assessment;
2. where necessary an appropriate security clearance is held; and
3. approved by the Accreditation Authority. |
|
34 |
| NZISM_v3.7 |
19.2.19.C.02. |
NZISM_v3.7_19.2.19.C.02. |
NZISM v3.7 19.2.19.C.02. |
Cross Domain Solutions (CDS) |
19.2.19.C.02. - reduce the risk of unauthorized data transfers and potential breaches. |
Shared |
n/a |
Trusted sources MUST authorise all data to be exported from a security domain. |
|
29 |
| NZISM_v3.7 |
19.3.8.C.03. |
NZISM_v3.7_19.3.8.C.03. |
NZISM v3.7 19.3.8.C.03. |
Firewalls |
19.3.8.C.03. - minimise the risk of unauthorized access or data leakage between networks |
Shared |
n/a |
Agencies MUST use devices as shown in the following table for their gateway when connecting two networks of different classifications or two networks of the same classification but of different security domains.
Your network: Restricted and below
Their network: Unclassified
You require: EAL4 firewall
They require: N/A
Your network: Restricted and below
Their network: Restricted
You require: EAL2 or PP firewall
They require:EAL2 or PP firewall
Your network: Restricted and below
Their network: Confidential
You require: EAL2 or PP firewall
They require:EAL4 firewall
Your network: Restricted and below
Their network: Secret
You require: EAL2 or PP firewall
They require:EAL4 firewall
Your network: Restricted and below
Their network: Top Secret
You require: EAL2 or PP firewall
They require: Consultation with GCSB
Your network: Confidential
Their network: Unclassified
You require: Consultation with GCSB
They require: N/A
Your network: Confidential
Their network: Restricted
You require: EAL4 firewall
They require: EAL2 or PP firewall
Your network: Confidential
Their network: Confidential
You require: EAL2 or PP firewal
They require: EAL2 or PP firewall
Your network: Confidential
Their network: Secret
You require: EAL2 or PP firewal
They require: EAL4 firewall
Your network: Confidential
Their network: Top Secret
You require: EAL2 or PP firewall
They require: Consultation with GCSB
Your network: Secret
Their network: Unclassified
You require: Consultation with GCSB
They require: N/A
Your network: Secret
Their network: Restricted
You require: EAL4 firewall
They require: EAL2 or PP firewall
Your network: Secret
Their network: Confidential
You require: EAL4 firewall
They require: EAL2 or PP firewall
Your network: Secret
Their network: Secret
You require: EAL2 or PP firewall
They require: EAL2 or PP firewall
Your network: Secret
Their network: Top Secret
You require: EAL2 or PP firewall
They require: EAL4 firewall
Your network: Top Secret
Their network: Unclassified
You require: Consultation with GCSB
They require: N/A
Your network: Top Secret
Their network: Restricted
You require: Consultation with GCSB
They require: EAL2 or PP firewall
Your network: Top Secret
Their network: Confidential
You require: Consultation with GCSB
They require: EAL2 or PP firewall
Your network: Top Secret
Their network: Secret
You require: EAL4 firewall
They require: EAL2 or PP firewall
Your network: Top Secret
Their network: Top Secret
You require: EAL4 firewall
They require: EAL4 firewall
|
|
19 |
| NZISM_v3.7 |
19.3.8.C.04. |
NZISM_v3.7_19.3.8.C.04. |
NZISM v3.7 19.3.8.C.04. |
Firewalls |
19.3.8.C.04. - minimise the risk of unauthorized access or data leakage between networks |
Shared |
n/a |
1. The requirement to implement a firewall as part of gateway architecture MUST be met separately and independently by both parties (gateways) in both physical and virtual environments.
2. Shared equipment DOES NOT satisfy the requirements of this control. |
|
15 |
| NZISM_v3.7 |
19.3.9.C.01. |
NZISM_v3.7_19.3.9.C.01. |
NZISM v3.7 19.3.9.C.01. |
Firewalls |
19.3.9.C.01. - minimise the risk of unauthorized access or data leakage between networks |
Shared |
n/a |
Agencies MUST use a firewall of at least an EAL4 assurance level between an NZEO network and a foreign network in addition to the minimum assurance levels for firewalls between networks of different classifications or security domains. |
|
15 |
| NZISM_v3.7 |
19.3.9.C.02. |
NZISM_v3.7_19.3.9.C.02. |
NZISM v3.7 19.3.9.C.02. |
Firewalls |
19.3.9.C.02. - minimise the risk of unauthorized access or data leakage between networks |
Shared |
n/a |
In all other circumstances the table at 19.3.8.C.03 MUST apply. |
|
5 |
| NZISM_v3.7 |
19.3.9.C.03. |
NZISM_v3.7_19.3.9.C.03. |
NZISM v3.7 19.3.9.C.03. |
Firewalls |
19.3.9.C.03. - minimise the risk of unauthorized access or data leakage between networks |
Shared |
n/a |
Agencies SHOULD use a firewall of at least an EAL2 assurance level or a Protection Profile between an NZEO network and another New Zealand controlled network within a single security domain. |
|
4 |
| PCI_DSS_v4.0.1 |
10.2.1.2 |
PCI_DSS_v4.0.1_10.2.1.2 |
PCI DSS v4.0.1 10.2.1.2 |
Log and Monitor All Access to System Components and Cardholder Data |
Administrative Actions Logging |
Shared |
n/a |
Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts. |
|
25 |
| PCI_DSS_v4.0.1 |
10.4.1 |
PCI_DSS_v4.0.1_10.4.1 |
PCI DSS v4.0.1 10.4.1 |
Log and Monitor All Access to System Components and Cardholder Data |
Daily Audit Log Review |
Shared |
n/a |
The following audit logs are reviewed at least once daily:
• All security events.
• Logs of all system components that store, process, or transmit CHD and/or SAD.
• Logs of all critical system components.
• Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers). |
|
10 |
| PCI_DSS_v4.0.1 |
10.4.1.1 |
PCI_DSS_v4.0.1_10.4.1.1 |
PCI DSS v4.0.1 10.4.1.1 |
Log and Monitor All Access to System Components and Cardholder Data |
Automated Log Review Mechanisms |
Shared |
n/a |
Automated mechanisms are used to perform audit log reviews. |
|
10 |
| PCI_DSS_v4.0.1 |
10.4.2 |
PCI_DSS_v4.0.1_10.4.2 |
PCI DSS v4.0.1 10.4.2 |
Log and Monitor All Access to System Components and Cardholder Data |
Periodic Review of Other Logs |
Shared |
n/a |
Logs of all other system components (those not specified in Requirement 10.4.1) are reviewed periodically. |
|
10 |
| PCI_DSS_v4.0.1 |
10.4.2.1 |
PCI_DSS_v4.0.1_10.4.2.1 |
PCI DSS v4.0.1 10.4.2.1 |
Log and Monitor All Access to System Components and Cardholder Data |
Frequency of Log Reviews |
Shared |
n/a |
The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1 |
|
26 |
| PCI_DSS_v4.0.1 |
10.4.3 |
PCI_DSS_v4.0.1_10.4.3 |
PCI DSS v4.0.1 10.4.3 |
Log and Monitor All Access to System Components and Cardholder Data |
Addressing Log Anomalies |
Shared |
n/a |
Exceptions and anomalies identified during the review process are addressed. |
|
9 |
| PCI_DSS_v4.0.1 |
12.2.1 |
PCI_DSS_v4.0.1_12.2.1 |
PCI DSS v4.0.1 12.2.1 |
Support Information Security with Organizational Policies and Programs |
Documented Acceptable Use Policies |
Shared |
n/a |
Acceptable use policies for end-user technologies are documented and implemented, including:
• Explicit approval by authorized parties.
• Acceptable uses of the technology.
• List of products approved by the company for employee use, including hardware and software. |
|
6 |
| SOC_2 |
CC7.2 |
SOC_2_CC7.2 |
SOC 2 Type 2 CC7.2 |
System Operations |
Monitor system components for anomalous behavior |
Shared |
The customer is responsible for implementing this recommendation. |
• Implements Detection Policies, Procedures, and Tools — Detection policies and
procedures are defined and implemented and detection tools are implemented on infrastructure and software to identify anomalies in the operation or unusual activity
on systems. Procedures may include (1) a defined governance process for security
event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3)
logging of unusual system activities.
• Designs Detection Measures — Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers;
(2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software.
• Implements Filters to Analyze Anomalies — Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events.
• Monitors Detection Tools for Effective Operation — Management has implemented
processes to monitor the effectiveness of detection tools |
|
20 |
| SOC_2023 |
A1.1 |
SOC_2023_A1.1 |
SOC 2023 A1.1 |
Additional Criteria for Availability |
Effectively manage capacity demand and facilitate the implementation of additional capacity as needed. |
Shared |
n/a |
The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. |
|
111 |
| SOC_2023 |
CC.5.3 |
SOC_2023_CC.5.3 |
404 not found |
|
|
|
n/a |
n/a |
|
37 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
218 |
| SOC_2023 |
CC4.1 |
SOC_2023_CC4.1 |
SOC 2023 CC4.1 |
Monitoring Activities |
Enhance the ability to manage risks and achieve objectives. |
Shared |
n/a |
The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
|
38 |
| SOC_2023 |
CC4.2 |
SOC_2023_CC4.2 |
SOC 2023 CC4.2 |
Monitoring Activities |
Facilitate timely corrective actions and strengthen the ability to maintain effective control over its operations and achieve its objectives. |
Shared |
n/a |
The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors. |
|
37 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
229 |
| SOC_2023 |
CC6.1 |
SOC_2023_CC6.1 |
SOC 2023 CC6.1 |
Logical and Physical Access Controls |
Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. |
Shared |
n/a |
Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. |
|
128 |
| SOC_2023 |
CC6.2 |
SOC_2023_CC6.2 |
SOC 2023 CC6.2 |
Logical and Physical Access Controls |
Ensure effective access control and ensuring the security of the organization's systems and data. |
Shared |
n/a |
1. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity.
2. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
|
50 |
| SOC_2023 |
CC6.3 |
SOC_2023_CC6.3 |
404 not found |
|
|
|
n/a |
n/a |
|
56 |
| SOC_2023 |
CC6.7 |
SOC_2023_CC6.7 |
404 not found |
|
|
|
n/a |
n/a |
|
52 |
| SOC_2023 |
CC7.2 |
SOC_2023_CC7.2 |
SOC 2023 CC7.2 |
Systems Operations |
Maintain robust security measures and ensure operational resilience. |
Shared |
n/a |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. |
|
167 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
213 |
| SOC_2023 |
CC8.1 |
SOC_2023_CC8.1 |
SOC 2023 CC8.1 |
Change Management |
Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. |
Shared |
n/a |
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. |
|
147 |
| SWIFT_CSCF_2024 |
1.2 |
SWIFT_CSCF_2024_1.2 |
SWIFT Customer Security Controls Framework 2024 1.2 |
Privileged Account Control |
Operating System Privileged Account Control |
Shared |
Tightly protecting administrator-level accounts within the operating system reduces the opportunity for an attacker to use the privileges of the account as part of an attack (for example, executing commands or deleting evidence). |
To restrict and control the allocation and usage of administrator-level operating system accounts. |
|
53 |
| SWIFT_CSCF_2024 |
11.2 |
SWIFT_CSCF_2024_11.2 |
404 not found |
|
|
|
n/a |
n/a |
|
26 |
| SWIFT_CSCF_2024 |
5.1 |
SWIFT_CSCF_2024_5.1 |
SWIFT Customer Security Controls Framework 2024 5.1 |
Access Control |
Logical Access Control |
Shared |
1. Applying the security principles of (1) need-to-know, (2) least privilege, and (3) separation of duties is essential to restricting access to the user’s Swift infrastructure.
2. Effective management of operator accounts reduces the opportunities for a malicious person to use these accounts as part of an attack. |
To enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. |
|
26 |
| SWIFT_CSCF_2024 |
6.4 |
SWIFT_CSCF_2024_6.4 |
SWIFT Customer Security Controls Framework 2024 6.4 |
Access Control |
Logging and Monitoring |
Shared |
1. Developing a logging and monitoring plan is the basis for effectively detecting abnormal behaviour and potential attacks and support further investigations.
2. As the operational environment becomes more complex, so will the logging and monitoring capability needed to perform adequate detection. Simplifying the operational environment will enable simpler logging and monitoring. |
To record security events, detect and respond to anomalous actions and operations within the user’s Swift environment. |
|
42 |
| UK_NCSC_CAF_v3.2 |
B4.b |
UK_NCSC_CAF_v3.2_B4.b |
NCSC Cyber Assurance Framework (CAF) v3.2 B4.b |
System Security |
Secure Configuration |
Shared |
1. Identify, document and actively manage (e.g. maintain security configurations, patching, updating according to good practice) the assets that need to be carefully configured to maintain the security of the essential function.
2. All platforms conform to secure, defined baseline build, or the latest known good configuration version for that environment.
3. Closely and effectively manage changes in the environment, ensuring that network and system configurations are secure and documented.
4. Regularly review and validate that your network and information systems have the expected, secure settings and configuration.
5. Only permitted software can be installed and standard users cannot change settings that would impact security or the business operation.
6. If automated decision-making technologies are in use, their operation is well understood, and decisions can be replicated. |
Securely configure the network and information systems that support the operation of essential functions. |
|
36 |