compliance controls are associated with this Policy definition 'Windows machines should meet requirements for 'Security Options - Microsoft Network Server'' (caf2d518-f029-4f6b-833b-d7081702f253)
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| Azure_Security_Benchmark_v1.0 | 1.11 | Azure_Security_Benchmark_v1.0_1.11 | Azure Security Benchmark 1.11 | Network Security | Use automated tools to monitor network resource configurations and detect changes | Customer | Use Azure Policy to validate (and/or remediate) configuration for network resources. How to configure and manage Azure Policy: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage Azure Policy samples for networking: https://docs.microsoft.com/azure/governance/policy/samples/#network | n/a | link | 7 |
| CMMC_L2_v1.9.0 | CM.L2_3.4.8 | CMMC_L2_v1.9.0_CM.L2_3.4.8 | Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.8 | Configuration Management | Application Execution Policy | Shared | Apply deny by exception (blacklisting) policy to prevent the use of unauthorized software or deny all, permit by exception (whitelisting) policy to allow the execution of authorized software. | To reduce the risk of malware infections or unauthorized access. | | 5 |
| EU_2555_(NIS2)_2022 | EU_2555_(NIS2)_2022_21 | EU_2555_(NIS2)_2022_21 | EU 2022/2555 (NIS2) 2022 21 | | Cybersecurity risk-management measures | Shared | n/a | Requires essential and important entities to take appropriate measures to manage cybersecurity risks. | | 193 |
| EU_GDPR_2016_679_Art. | 24 | EU_GDPR_2016_679_Art._24 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 | Chapter 4 - Controller and processor | Responsibility of the controller | Shared | n/a | n/a | | 310 |
| EU_GDPR_2016_679_Art. | 25 | EU_GDPR_2016_679_Art._25 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 | Chapter 4 - Controller and processor | Data protection by design and by default | Shared | n/a | n/a | | 310 |
| EU_GDPR_2016_679_Art. | 28 | EU_GDPR_2016_679_Art._28 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 | Chapter 4 - Controller and processor | Processor | Shared | n/a | n/a | | 310 |
| EU_GDPR_2016_679_Art. | 32 | EU_GDPR_2016_679_Art._32 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 | Chapter 4 - Controller and processor | Security of processing | Shared | n/a | n/a | | 310 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 | .7 | FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 | 404 not found | | | | n/a | n/a | | 95 |
| hipaa | 0709.10m1Organizational.1-10.m | hipaa-0709.10m1Organizational.1-10.m | 0709.10m1Organizational.1-10.m | 07 Vulnerability Management | 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management | Shared | n/a | Technical vulnerabilities are identified, evaluated for risk, and corrected in a timely manner. | | 10 |
| HITRUST_CSF_v11.3 | 10.h | HITRUST_CSF_v11.3_10.h | HITRUST CSF v11.3 10.h | Security of System Files | Ensure the security of system files, access to system files and program source code shall be controlled, and IT projects and support activities conducted in a secure manner. | Shared | The updating of operational software, applications, and program libraries is to be performed by authorized administrators. | There shall be procedures in place to control the installation of software on operational systems. | | 3 |
| NIST_SP_800-171_R3_3 | .4.8 | NIST_SP_800-171_R3_3.4.8 | 404 not found | | | | n/a | n/a | | 5 |
| NIST_SP_800-53_R5.1.1 | CM.7.2 | NIST_SP_800-53_R5.1.1_CM.7.2 | NIST SP 800-53 R5.1.1 CM.7.2 | Configuration Management Control | Least Functionality \| Prevent Program Execution | Shared | Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. | Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements that restrict software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features, restricting roles allowed to approve program execution, permitting or prohibiting specific software programs, or restricting the number of program instances executed at the same time. | | 2 |
| NZISM_v3.7 | 16.4.37.C.01. | NZISM_v3.7_16.4.37.C.01. | NZISM v3.7 16.4.37.C.01. | Privileged Access Management | 16.4.37.C.01. - enhance security and reduce the risk of unauthorized access or misuse. | Shared | n/a | Agencies MUST implement a Privileged Access Management (PAM) policy training module as part of the agency's overall user training and awareness requirement. | | 3 |
| NZISM_v3.7 | 16.4.37.R.02. | NZISM_v3.7_16.4.37.R.02. | 404 not found | | | | n/a | n/a | | 3 |
| NZISM_v3.7 | 19.5.29.C.01. | NZISM_v3.7_19.5.29.C.01. | NZISM v3.7 19.5.29.C.01. | Session Border Controllers | 19.5.29.C.01. - enhance security measures and protect agency assets. | Shared | n/a | Agencies MUST develop and implement user awareness and training programmes to support and enable safe use of VoIP and UC services. | | 3 |
| NZISM_v3.7 | 2.1.49.C.01. | NZISM_v3.7_2.1.49.C.01. | NZISM v3.7 2.1.49.C.01. | Overview of Key Agencies | 2.1.49.C.01. - facilitate collaboration and access to resources for effective security management and response. | Shared | n/a | Security personnel MUST familiarise themselves with the information security roles and services provided by New Zealand Government organisations. | | 4 |
| NZISM_v3.7 | 3.3.13.C.01. | NZISM_v3.7_3.3.13.C.01. | NZISM v3.7 3.3.13.C.01. | Information Technology Security Managers | 3.3.13.C.01. - foster a culture of security awareness and equip personnel with the knowledge and skills to effectively mitigate security risks. | Shared | n/a | ITSMs SHOULD provide or arrange for the provision of information security awareness and training for all agency personnel. | | 4 |
| NZISM_v3.7 | 5.1.12.C.02. | NZISM_v3.7_5.1.12.C.02. | NZISM v3.7 5.1.12.C.02. | Documentation Fundamentals | 5.1.12.C.02. - enhance the agency's ability to mitigate risks and minimize disruptions to operations. | Shared | n/a | Agency personnel MUST be trained in and periodically exercise the Incident Response Plan. | | 4 |
| NZISM_v3.7 | 5.7.4.C.01. | NZISM_v3.7_5.7.4.C.01. | NZISM v3.7 5.7.4.C.01. | Emergency Procedures | 5.7.4.C.01. - ensure the protection of classified information and systems. | Shared | n/a | Agencies MUST include in procedures for personnel evacuating a facility the requirement to secure classified information and systems prior to the evacuation. | | 4 |
| NZISM_v3.7 | 9.1.4.C.01. | NZISM_v3.7_9.1.4.C.01. | NZISM v3.7 9.1.4.C.01. | Information Security Awareness and Training | 9.1.4.C.01. - enhance the capability to safeguard sensitive information and mitigate security risks effectively. | Shared | n/a | Agency management MUST ensure that all personnel who have access to a system have sufficient training and ongoing information security awareness. | | 4 |
| NZISM_v3.7 | 9.1.5.C.01. | NZISM_v3.7_9.1.5.C.01. | NZISM v3.7 9.1.5.C.01. | Information Security Awareness and Training | 9.1.5.C.01. - enhance the understanding of and adherence to information security policies and procedures, thereby mitigating risks and ensuring compliance with regulations. | Shared | n/a | Agencies MUST provide ongoing information security awareness and a training programme for personnel on topics such as responsibilities, legislation and regulation, consequences of non-compliance with information security policies and procedures, and potential security risks and counter-measures. | | 1 |
| NZISM_v3.7 | 9.1.5.C.02. | NZISM_v3.7_9.1.5.C.02. | NZISM v3.7 9.1.5.C.02. | Information Security Awareness and Training | 9.1.5.C.02. - foster a culture of security awareness and compliance. | Shared | n/a | Agencies MUST provide information security awareness training as part of their employee induction programmes. | | 1 |
| NZISM_v3.7 | 9.1.6.C.01. | NZISM_v3.7_9.1.6.C.01. | NZISM v3.7 9.1.6.C.01. | Information Security Awareness and Training | 9.1.6.C.01. - enhance the ability to effectively safeguard information assets and mitigate security risks. | Shared | n/a | Agencies SHOULD align the detail, content and coverage of information security awareness and training programmes to system user responsibilities. | | 1 |
| NZISM_v3.7 | 9.1.6.C.02. | NZISM_v3.7_9.1.6.C.02. | NZISM v3.7 9.1.6.C.02. | Information Security Awareness and Training | 9.1.6.C.02. - ensure that information security awareness and training programs encompass comprehensive coverage of key topics. | Shared | n/a | Agencies SHOULD ensure that information security awareness and training includes information on: 1. the purpose of the training or awareness program; 2. any legislative or regulatory mandates and requirements; 3. any national or agency policy mandates and requirements; 4. agency security appointments and contacts; 5. the legitimate use of system accounts, software and classified information; 6. the security of accounts, including shared passwords; 7. authorisation requirements for applications, databases and data; 8. the security risks associated with non-agency systems, particularly the Internet; 9. reporting any suspected compromises or anomalies; 10. reporting requirements for information security incidents, suspected compromises or anomalies; 11. classifying, marking, controlling, storing and sanitising media; 12. protecting workstations from unauthorised access; 13. informing the support section when access to a system is no longer needed; 14. observing rules and regulations governing the secure operation and authorised use of systems; and 15. supporting documentation such as SOPs and user guides. | | 1 |
| NZISM_v3.7 | 9.1.6.C.03. | NZISM_v3.7_9.1.6.C.03. | NZISM v3.7 9.1.6.C.03. | Information Security Awareness and Training | 9.1.6.C.03. - promote adherence to security protocols and minimise the risk of security breaches or compromises. | Shared | n/a | Agencies SHOULD ensure that information security awareness and training includes advice to system users not to attempt to: 1. tamper with the system; 2. bypass, strain or test information security mechanisms; 3. introduce or use unauthorised IT equipment or software on a system; 4. replace items such as keyboards, pointing devices and other peripherals with personal equipment; 5. assume the roles and privileges of others; 6. attempt to gain access to classified information for which they have no authorisation; or 7. relocate equipment without proper authorisation. | | 1 |
| NZISM_v3.7 | 9.1.7.C.01. | NZISM_v3.7_9.1.7.C.01. | NZISM v3.7 9.1.7.C.01. | Information Security Awareness and Training | 9.1.7.C.01. - maintain a secure operating environment. | Shared | n/a | Agencies MUST provide all system users with familiarisation training on the information security policies and procedures and the secure operation of the system before being granted unsupervised access to the system. | | 1 |
| NZISM_v3.7 | 9.1.8.C.01. | NZISM_v3.7_9.1.8.C.01. | NZISM v3.7 9.1.8.C.01. | Information Security Awareness and Training | 9.1.8.C.01. - maintain confidentiality and integrity of agency assets. | Shared | n/a | Agencies SHOULD advise personnel attending courses along with non-government personnel not to disclose any details that could be used to compromise agency security. | | 1 |
| NZISM_v3.7 | 9.3.4.C.01. | NZISM_v3.7_9.3.4.C.01. | NZISM v3.7 9.3.4.C.01. | Using The Internet | 9.3.4.C.01. - safeguard agency systems and data from unauthorized access or compromise. | Shared | n/a | Agencies MUST ensure personnel are instructed to report any suspicious activity, questioning or contact when using the Internet, to an ITSM. | | 1 |
| SOC_2023 | CC2.3 | SOC_2023_CC2.3 | SOC 2023 CC2.3 | Information and Communication | Facilitate effective internal communication. | Shared | n/a | Entity to communicate with external parties regarding matters affecting the functioning of internal control. | | 218 |
| SOC_2023 | CC5.3 | SOC_2023_CC5.3 | SOC 2023 CC5.3 | Control Activities | Maintain alignment with organizational objectives and regulatory requirements. | Shared | n/a | Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management's Directives, Responsibility and Accountability for Executing Policies and Procedures, performing tasks in a timely manner, taking corrective actions, performing using competent personnel and reassessing policies and procedures. | | 229 |
| SOC_2023 | CC6.1 | SOC_2023_CC6.1 | SOC 2023 CC6.1 | Logical and Physical Access Controls | Mitigate security events and ensure the confidentiality, integrity, and availability of critical information assets. | Shared | n/a | Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, considering network segmentation, managing points of access, restricting access to information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protecting encryption keys. | | 128 |
| SOC_2023 | CC7.4 | SOC_2023_CC7.4 | SOC 2023 CC7.4 | Systems Operations | Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. | Shared | n/a | The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, ending threats posed by security incidents; d. Restoring operations; e. Developing and implementing communication protocols for security incidents; f. Obtaining an understanding of the nature of the incident and determining a containment strategy; g. Remediating identified vulnerabilities; h. Communicating remediation activities; and i. Evaluating the effectiveness of incident response and performing periodic incident evaluations. | | 213 |