last sync: 2025-Mar-14 18:30:15 UTC

App Service apps should have remote debugging turned off

Azure BuiltIn Policy definition

Source Azure Portal
Display name App Service apps should have remote debugging turned off
Id cb510bfd-1cba-4d9f-a230-cb0976f4bb71
Version 2.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
2.0.0
Built-in Versioning [Preview]
Category App Service
Microsoft Learn
Description Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '2.*.*'
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Web/sites/config/web.remoteDebuggingEnabled Microsoft.Web sites/config properties.remoteDebuggingEnabled True False
Rule resource types IF (1)
Microsoft.Web/sites
Compliance
The following 87 compliance controls are associated with this Policy definition 'App Service apps should have remote debugging turned off' (cb510bfd-1cba-4d9f-a230-cb0976f4bb71)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
AU_ISM 1386 AU_ISM_1386 AU ISM 1386 Guidelines for System Management - System administration Restriction of management traffic flows - 1386 n/a Management traffic is only allowed to originate from network zones that are used to administer systems and applications. link 3
Azure_Security_Benchmark_v1.0 1.3 Azure_Security_Benchmark_v1.0_1.3 Azure Security Benchmark 1.3 Network Security Protect critical web applications Customer Deploy Azure Web Application Firewall (WAF) in front of critical web applications for additional inspection of incoming traffic. Enable Diagnostic Setting for WAF and ingest logs into a Storage Account, Event Hub, or Log Analytics Workspace. How to deploy Azure WAF: https://docs.microsoft.com/azure/web-application-firewall/ag/create-waf-policy-ag n/a link 5
Azure_Security_Benchmark_v2.0 PV-2 Azure_Security_Benchmark_v2.0_PV-2 Azure Security Benchmark PV-2 Posture and Vulnerability Management Sustain secure configurations for Azure services Customer Use Azure Security Center to monitor your configuration baseline and use Azure Policy [deny] and [deploy if not exist] rule to enforce secure configuration across Azure compute resources, including VMs, containers, and others. Understand Azure Policy effects: https://docs.microsoft.com/azure/governance/policy/concepts/effects Create and manage policies to enforce compliance: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage n/a link 19
Azure_Security_Benchmark_v3.0 PV-2 Azure_Security_Benchmark_v3.0_PV-2 Microsoft cloud security benchmark PV-2 Posture and Vulnerability Management Audit and enforce secure configurations Shared **Security Principle:** Continuously monitor and alert when there is a deviation from the defined configuration baseline. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploy a configuration. **Azure Guidance:** Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources. Use Azure Policy [deny] and [deploy if not exist] rule to enforce secure configuration across Azure resources. For resource configuration audit and enforcement not supported by Azure Policy, you may need to write your own scripts or use third-party tooling to implement the configuration audit and enforcement. **Implementation and additional context:** Understand Azure Policy effects: https://docs.microsoft.com/azure/governance/policy/concepts/effects Create and manage policies to enforce compliance: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage Get compliance data of Azure resources: https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data n/a link 27
C.04.7 - Evaluated C.04.7 - Evaluated 404 not found n/a n/a 39
CCCS AC-17(1) CCCS_AC-17(1) CCCS AC-17(1) Access Control Remote Access | Automated Monitoring / Control n/a The information system monitors and controls remote access methods. link 7
CMMC_2.0_L2 AC.L1-3.1.1 CMMC_2.0_L2_AC.L1-3.1.1 404 not found n/a n/a 54
CMMC_2.0_L2 AC.L1-3.1.2 CMMC_2.0_L2_AC.L1-3.1.2 404 not found n/a n/a 16
CMMC_2.0_L2 AC.L2-3.1.12 CMMC_2.0_L2_AC.L2-3.1.12 404 not found n/a n/a 35
CMMC_2.0_L2 CM.L2-3.4.1 CMMC_2.0_L2_CM.L2-3.4.1 404 not found n/a n/a 25
CMMC_2.0_L2 CM.L2-3.4.2 CMMC_2.0_L2_CM.L2-3.4.2 404 not found n/a n/a 27
CMMC_L2_v1.9.0 CM.L2_3.4.1 CMMC_L2_v1.9.0_CM.L2_3.4.1 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.1 Configuration Management System Baselining Shared Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. To ensure consistency, security, and compliance with organizational standards and requirements. 17
CMMC_L2_v1.9.0 CM.L2_3.4.2 CMMC_L2_v1.9.0_CM.L2_3.4.2 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.2 Configuration Management Security Configuration Enforcement Shared Establish and enforce security configuration settings for information technology products employed in organizational systems. To mitigate vulnerabilities and enhance overall security posture. 11
CMMC_L2_v1.9.0 CM.L2_3.4.6 CMMC_L2_v1.9.0_CM.L2_3.4.6 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.6 Configuration Management Least Functionality Shared Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. To reduce the risk of unauthorized access or exploitation of system vulnerabilities. 11
CMMC_L3 AC.1.001 CMMC_L3_AC.1.001 CMMC L3 AC.1.001 Access Control Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Shared Microsoft and the customer share responsibilities for implementing this requirement. Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement AC.1.002. link 31
CMMC_L3 AC.2.013 CMMC_L3_AC.2.013 CMMC L3 AC.2.013 Access Control Monitor and control remote access sessions. Shared Microsoft and the customer share responsibilities for implementing this requirement. Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). link 10
CMMC_L3 CM.3.068 CMMC_L3_CM.3.068 CMMC L3 CM.3.068 Configuration Management Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Shared Microsoft and the customer share responsibilities for implementing this requirement. Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling. link 21
CSA_v4.0.12 AIS_02 CSA_v4.0.12_AIS_02 CSA Cloud Controls Matrix v4.0.12 AIS 02 Application & Interface Security Application Security Baseline Requirements Shared n/a Establish, document and maintain baseline requirements for securing different applications. 11
CSA_v4.0.12 CCC_02 CSA_v4.0.12_CCC_02 CSA Cloud Controls Matrix v4.0.12 CCC 02 Change Control and Configuration Management Quality Testing Shared n/a Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards. 12
CSA_v4.0.12 CCC_03 CSA_v4.0.12_CCC_03 CSA Cloud Controls Matrix v4.0.12 CCC 03 Change Control and Configuration Management Change Management Technology Shared n/a Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). 31
CSA_v4.0.12 CCC_09 CSA_v4.0.12_CCC_09 CSA Cloud Controls Matrix v4.0.12 CCC 09 Change Control and Configuration Management Change Restoration Shared n/a Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns. 11
CSA_v4.0.12 CEK_03 CSA_v4.0.12_CEK_03 CSA Cloud Controls Matrix v4.0.12 CEK 03 Cryptography, Encryption & Key Management Data Encryption Shared n/a Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards. 58
CSA_v4.0.12 CEK_08 CSA_v4.0.12_CEK_08 CSA Cloud Controls Matrix v4.0.12 CEK 08 Cryptography, Encryption & Key Management CSC Key Management Capability Shared n/a CSPs must provide the capability for CSCs to manage their own data encryption keys. 6
CSA_v4.0.12 CEK_10 CSA_v4.0.12_CEK_10 CSA Cloud Controls Matrix v4.0.12 CEK 10 Cryptography, Encryption & Key Management Key Generation Shared n/a Generate Cryptographic keys using industry accepted cryptographic libraries specifying the algorithm strength and the random number generator used. 24
CSA_v4.0.12 CEK_11 CSA_v4.0.12_CEK_11 CSA Cloud Controls Matrix v4.0.12 CEK 11 Cryptography, Encryption & Key Management Key Purpose Shared n/a Manage cryptographic secret and private keys that are provisioned for a unique purpose. 24
CSA_v4.0.12 CEK_16 CSA_v4.0.12_CEK_16 CSA Cloud Controls Matrix v4.0.12 CEK 16 Cryptography, Encryption & Key Management Key Suspension Shared n/a Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements. 23
CSA_v4.0.12 CEK_19 CSA_v4.0.12_CEK_19 CSA Cloud Controls Matrix v4.0.12 CEK 19 Cryptography, Encryption & Key Management Key Compromise Shared n/a Define, implement and evaluate processes, procedures and technical measures to use compromised keys to encrypt information only in controlled circumstance, and thereafter exclusively for decrypting data and never for encrypting data, which include provisions for legal and regulatory requirements. 11
CSA_v4.0.12 CEK_21 CSA_v4.0.12_CEK_21 CSA Cloud Controls Matrix v4.0.12 CEK 21 Cryptography, Encryption & Key Management Key Inventory Management Shared n/a Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements. 12
CSA_v4.0.12 IAM_09 CSA_v4.0.12_IAM_09 CSA Cloud Controls Matrix v4.0.12 IAM 09 Identity & Access Management Segregation of Privileged Access Roles Shared n/a Define, implement and evaluate processes, procedures and technical measures for the segregation of privileged access roles such that administrative access to data, encryption and key management capabilities and logging capabilities are distinct and separated. 1
CSA_v4.0.12 UEM_03 CSA_v4.0.12_UEM_03 CSA Cloud Controls Matrix v4.0.12 UEM 03 Universal Endpoint Management Compatibility Shared n/a Define and implement a process for the validation of the endpoint device's compatibility with operating systems and applications. 11
CSA_v4.0.12 UEM_05 CSA_v4.0.12_UEM_05 CSA Cloud Controls Matrix v4.0.12 UEM 05 Universal Endpoint Management Endpoint Management Shared n/a Define, implement and evaluate processes, procedures and technical measures to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data. 11
CSA_v4.0.12 UEM_08 CSA_v4.0.12_UEM_08 CSA Cloud Controls Matrix v4.0.12 UEM 08 Universal Endpoint Management Storage Encryption Shared n/a Protect information from unauthorized disclosure on managed endpoint devices with storage encryption. 14
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 194
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 311
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 311
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 311
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 311
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .7 FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 404 not found n/a n/a 96
FedRAMP_High_R4 AC-17 FedRAMP_High_R4_AC-17 FedRAMP High AC-17 Access Control Remote Access Shared n/a The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections. Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. link 41
FedRAMP_High_R4 AC-17(1) FedRAMP_High_R4_AC-17(1) FedRAMP High AC-17 (1) Access Control Automated Monitoring / Control Shared n/a The information system monitors and controls remote access methods. Supplemental Guidance: Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. link 37
FedRAMP_High_R4 CM-6 FedRAMP_High_R4_CM-6 FedRAMP High CM-6 Configuration Management Configuration Settings Shared n/a The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. Supplemental Guidance: Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security- related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. References: OMB Memoranda 07-11, 07-18, 08-22; NIST Special Publications 800-70, 800-128; Web: http://nvd.nist.gov, http://checklists.nist.gov, http://www.nsa.gov. link 23
FedRAMP_Moderate_R4 AC-17 FedRAMP_Moderate_R4_AC-17 FedRAMP Moderate AC-17 Access Control Remote Access Shared n/a The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections. Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. link 41
FedRAMP_Moderate_R4 AC-17(1) FedRAMP_Moderate_R4_AC-17(1) FedRAMP Moderate AC-17 (1) Access Control Automated Monitoring / Control Shared n/a The information system monitors and controls remote access methods. Supplemental Guidance: Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. link 37
FedRAMP_Moderate_R4 CM-6 FedRAMP_Moderate_R4_CM-6 FedRAMP Moderate CM-6 Configuration Management Configuration Settings Shared n/a The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. Supplemental Guidance: Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security- related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. References: OMB Memoranda 07-11, 07-18, 08-22; NIST Special Publications 800-70, 800-128; Web: http://nvd.nist.gov, http://checklists.nist.gov, http://www.nsa.gov. link 23
hipaa 0912.09s1Organizational.4-09.s hipaa-0912.09s1Organizational.4-09.s 0912.09s1Organizational.4-09.s 09 Transmission Protection 0912.09s1Organizational.4-09.s 09.08 Exchange of Information Shared n/a Cryptography is used to protect the confidentiality and integrity of remote access sessions to the internal network and to external systems. 9
hipaa 1194.01l2Organizational.2-01.l hipaa-1194.01l2Organizational.2-01.l 1194.01l2Organizational.2-01.l 11 Access Control 1194.01l2Organizational.2-01.l 01.04 Network Access Control Shared n/a Ports, services, and similar applications installed on a computer or network systems, which are not specifically required for business functionality, are disabled or removed. 1
HITRUST_CSF_v11.3 10.k HITRUST_CSF_v11.3_10.k HITRUST CSF v11.3 10.k Security In Development and Support Processes To ensure the security of application system software and information through the development process, project and support environments shall be strictly controlled. Shared 1. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management is to be formally addressed. 2. Changes to mobile device operating systems, patch levels, and/or applications is to be managed through a formal change management process. 3. A baseline configuration of the information system is to be developed, documented, and maintained under configuration control. The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures. 34
IRS_1075_9.3 .1.12 IRS_1075_9.3.1.12 IRS 1075 9.3.1.12 Access Control Remote Access (AC-17) n/a The agency must: a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed b. Authorize remote access to the information system prior to allowing such connections c. Authorize and document the execution of privileged commands and access to security-relevant information via remote access for compelling operational needs only (CE4) The information system must: a. Monitor and control remote access methods (CE1) b. Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions where FTI is transmitted over the remote connection and (CE2) c. Route all remote accesses through a limited number of managed network access control points (CE3) Remote access is defined as any access to an agency information system by a user communicating through an external network, for example, the Internet. Any remote access where FTI is accessed over the remote connection must be performed using multi-factor authentication. FTI cannot be accessed remotely by agency employees, agents, representatives, or contractors located offshore--outside of the United States territories, embassies, or military installations. Further, FTI may not be received, processed, stored, transmitted, or disposed of by IT systems located offshore. link 7
ISO_IEC_27002_2022 8.9 ISO_IEC_27002_2022_8.9 ISO IEC 27002 2022 8.9 Protection, Preventive Control Configuration management Shared Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes. 21
New_Zealand_ISM 14.1.8.C.01 New_Zealand_ISM_14.1.8.C.01 New_Zealand_ISM_14.1.8.C.01 14. Software security 14.1.8.C.01 Developing hardened SOEs n/a Agencies SHOULD develop a hardened SOE for workstations and servers, covering several requirements detailed here https://www.nzism.gcsb.govt.nz/ism-document#SubSection-15020 3
NIST_SP_800-171_R2_3 .1.1 NIST_SP_800-171_R2_3.1.1 NIST SP 800-171 R2 3.1.1 Access Control Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Shared Microsoft and the customer share responsibilities for implementing this requirement. Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2. link 52
NIST_SP_800-171_R2_3 .1.12 NIST_SP_800-171_R2_3.1.12 NIST SP 800-171 R2 3.1.12 Access Control Monitor and control remote access sessions. Shared Microsoft and the customer share responsibilities for implementing this requirement. Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). [SP 800-46], [SP 800-77], and [SP 800-113] provide guidance on secure remote access and virtual private networks. link 36
NIST_SP_800-171_R2_3 .1.2 NIST_SP_800-171_R2_3.1.2 NIST SP 800-171 R2 3.1.2 Access Control Limit system access to the types of transactions and functions that authorized users are permitted to execute. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). link 28
NIST_SP_800-171_R2_3 .4.1 NIST_SP_800-171_R2_3.4.1 NIST SP 800-171 R2 3.4.1 Configuration Management Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Shared Microsoft and the customer share responsibilities for implementing this requirement. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration. Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. [SP 800-128] provides guidance on security-focused configuration management. link 31
NIST_SP_800-171_R2_3 .4.2 NIST_SP_800-171_R2_3.4.2 NIST SP 800-171 R2 3.4.2 Configuration Management Establish and enforce security configuration settings for information technology products employed in organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. [SP 800-70] and [SP 800-128] provide guidance on security configuration settings. link 25
NIST_SP_800-171_R3_3 .15.2 NIST_SP_800-171_R3_3.15.2 NIST 800-171 R3 3.15.2 Planning Control System Security Plan Shared System security plans provide key characteristics of the system that is processing, storing, and transmitting CUI and how the system and information are protected. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and the subsequent determinations of risk if the plan is implemented as intended. System security plans can be a collection of documents, including documents that already exist. Effective system security plans make use of references to policies, procedures, and additional documents (e.g., design specifications) where detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security information in other established management or operational areas related to enterprise architecture, the system development life cycle, systems engineering, and acquisition. a. Develop a system security plan that: 1. Defines the constituent system components; 2. Describes the system operating environment; 3. Describes specific threats to the system that are of concern to the organization 4. Provides an overview of the security requirements for the system; 5. Identifies connections to other systems; 6. Identifies individuals that fulfill system roles and responsibilities; and 7. Includes other relevant information necessary for the protection of CUI. b. Review and update the system security plan periodically. c. Protect the system security plan from unauthorized disclosure. 3
NIST_SP_800-171_R3_3 .17.1 NIST_SP_800-171_R3_3.17.1 NIST 800-171 R3 3.17.1 Supply Chain Risk Control Supply Chain Risk Management Plan Shared Dependence on the products, systems, and services from external providers and the nature of the relationships with those providers present an increasing level of risk to an organization. Threat actions that may increase security risks include unauthorized production; the insertion or use of counterfeits; tampering; theft; the insertion of malicious software, firmware, and hardware; and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system, component, or service. Managing supply chain risks is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against the plans. The system-level SCRM plan is implementation-specific and provides policy implementation, requirements, constraints, and implications. It can either be stand-alone or incorporated into system security plans. The SCRM plan addresses the management, implementation, and monitoring of SCRM controls and the development or sustainment of systems across the system development life cycle to support mission and business functions. Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to individual program, organizational, and operational contexts. a. Develop a plan for managing supply chain risks associated with the research, development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the system, system components, or system services. b. Review and update the supply chain risk management plan periodically. c. Protect the supply chain risk management plan from unauthorized disclosure. 3
NIST_SP_800-171_R3_3 .4.1 NIST_SP_800-171_R3_3.4.1 404 not found n/a n/a 9
NIST_SP_800-171_R3_3 .4.2 NIST_SP_800-171_R3_3.4.2 404 not found n/a n/a 13
NIST_SP_800-171_R3_3 .6.5 NIST_SP_800-171_R3_3.6.5 404 not found n/a n/a 3
NIST_SP_800-53_R4 AC-17 NIST_SP_800-53_R4_AC-17 NIST SP 800-53 Rev. 4 AC-17 Access Control Remote Access Shared n/a The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections. Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. link 41
NIST_SP_800-53_R4 AC-17(1) NIST_SP_800-53_R4_AC-17(1) NIST SP 800-53 Rev. 4 AC-17 (1) Access Control Automated Monitoring / Control Shared n/a The information system monitors and controls remote access methods. Supplemental Guidance: Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. link 37
NIST_SP_800-53_R4 CM-6 NIST_SP_800-53_R4_CM-6 NIST SP 800-53 Rev. 4 CM-6 Configuration Management Configuration Settings Shared n/a The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. Supplemental Guidance: Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security- related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. References: OMB Memoranda 07-11, 07-18, 08-22; NIST Special Publications 800-70, 800-128; Web: http://nvd.nist.gov, http://checklists.nist.gov, http://www.nsa.gov. link 23
NIST_SP_800-53_R5.1.1 CM.2 NIST_SP_800-53_R5.1.1_CM.2 NIST SP 800-53 R5.1.1 CM.2 Configuration Management Control Baseline Configuration Shared a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: Assignment organization-defined circumstances]; and 3. When system components are installed or upgraded. Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture. 9
NIST_SP_800-53_R5.1.1 CM.9 NIST_SP_800-53_R5.1.1_CM.9 NIST SP 800-53 R5.1.1 CM.9 Configuration Management Control Configuration Management Plan Shared Develop, document, and implement a configuration management plan for the system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the system and places the configuration items under configuration management; d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and e. Protects the configuration management plan from unauthorized disclosure and modification. Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities. Configuration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents. Organizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control. 1
NIST_SP_800-53_R5 AC-17 NIST_SP_800-53_R5_AC-17 NIST SP 800-53 Rev. 5 AC-17 Access Control Remote Access Shared n/a a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections. link 41
NIST_SP_800-53_R5 AC-17(1) NIST_SP_800-53_R5_AC-17(1) NIST SP 800-53 Rev. 5 AC-17 (1) Access Control Monitoring and Control Shared n/a Employ automated mechanisms to monitor and control remote access methods. link 37
NIST_SP_800-53_R5 CM-6 NIST_SP_800-53_R5_CM-6 NIST SP 800-53 Rev. 5 CM-6 Configuration Management Configuration Settings Shared n/a a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. link 23
NL_BIO_Cloud_Theme C.04.7(2) NL_BIO_Cloud_Theme_C.04.7(2) NL_BIO_Cloud_Theme_C.04.7(2) C.04 Technical Vulnerability Management Evaluated n/a Evaluations of technical vulnerabilities are recorded and reported. 41
NZ_ISM_v3.5 SS-2 NZ_ISM_v3.5_SS-2 NZISM Security Benchmark SS-2 Software security 14.1.8 Developing hardened SOEs Customer n/a Antivirus and anti-malware software, while an important defensive measure, can be defeated by malicious code that has yet to be identified by antivirus vendors. This can include targeted attacks, where a new virus is engineered or an existing one modified to defeat the signature-based detection schemes. The use of antivirus and anti-malware software, while adding value to the defence of workstations, cannot be relied solely upon to protect the workstation. As such agencies still need to deploy appropriately hardened SOEs to assist with the protection of workstations against a broader range of security risks. link 3
NZISM_Security_Benchmark_v1.1 SS-2 NZISM_Security_Benchmark_v1.1_SS-2 NZISM Security Benchmark SS-2 Software security 14.1.8 Developing hardened SOEs Customer Agencies SHOULD develop a hardened SOE for workstations and servers, covering: removal of unneeded software and operating system components; removal or disabling of unneeded services, ports and BIOS settings; disabling of unused or undesired functionality in software and operating systems; implementation of access controls on relevant objects to limit system users and programs to the minimum access required; installation of antivirus and anti-malware software; installation of software-based firewalls limiting inbound and outbound network connections; configuration of either remote logging or the transfer of local event logs to a central server; and protection of audit and other logs through the use of a one way pipe to reduce likelihood of compromise key transaction records. Antivirus and anti-malware software, while an important defensive measure, can be defeated by malicious code that has yet to be identified by antivirus vendors. This can include targeted attacks, where a new virus is engineered or an existing one modified to defeat the signature-based detection schemes. The use of antivirus and anti-malware software, while adding value to the defence of workstations, cannot be relied solely upon to protect the workstation. As such agencies still need to deploy appropriately hardened SOEs to assist with the protection of workstations against a broader range of security risks. 7 3
PCI_DSS_v4.0.1 2.2.1 PCI_DSS_v4.0.1_2.2.1 PCI DSS v4.0.1 2.2.1 Apply Secure Configurations to All System Components Configuration standards are developed, implemented, and maintained to cover all system components, address all known security vulnerabilities, be consistent with industry-accepted system hardening standards or vendor hardening recommendations, be updated as new vulnerability issues are identified, and be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment Shared n/a Examine system configuration standards to verify they define processes that include all elements specified in this requirement. Examine policies and procedures and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. Examine configuration settings and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before or immediately after a system component is connected to a production environment 14
RBI_CSF_Banks_v2016 13.1 RBI_CSF_Banks_v2016_13.1 Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.1 n/a Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise. 21
RBI_CSF_Banks_v2016 4.3 RBI_CSF_Banks_v2016_4.3 Network Management And Security Network Device Configuration Management-4.3 n/a Ensure that all the network devices are configured appropriately and periodically assess whether the configurations are appropriate to the desired level of network security. 14
RBI_ITF_NBFC_v2017 3.1.b RBI_ITF_NBFC_v2017_3.1.b RBI IT Framework 3.1.b Information and Cyber Security Segregation of Functions-3.1 n/a The IS Policy must provide for a IS framework with the following basic tenets: Segregation of functions: There should be segregation of the duties of the Security Officer/Group (both physical security as well as cyber security) dealing exclusively with information systems security and the Information Technology division which actually implements the computer systems. The information security function should be adequately resourced in terms of the number of staff, level of skill and tools or techniques like risk assessment, security architecture, vulnerability assessment, forensic assessment, etc. Further, there should be a clear segregation of responsibilities relating to system administration, database administration and transaction processing. link 6
RMiT_v1.0 Appendix_5.7 RMiT_v1.0_Appendix_5.7 RMiT Appendix 5.7 Control Measures on Cybersecurity Control Measures on Cybersecurity - Appendix 5.7 Customer n/a Ensure overall network security controls are implemented including the following: (a) dedicated firewalls at all segments. All external-facing firewalls must be deployed on High Availability (HA) configuration and “fail-close” mode activated. Deploy different brand name/model for two firewalls located in sequence within the same network path; (b) IPS at all critical network segments with the capability to inspect and monitor encrypted network traffic; (c) web and email filtering systems such as web-proxy, spam filter and anti-spoofing controls; (d) endpoint protection solution to detect and remove security threats including viruses and malicious software; (e) solution to mitigate advanced persistent threats including zero-day and signatureless malware; and (f) capture the full network packets to rebuild relevant network sessions to aid forensics in the event of incidents. link 21
SOC_2 CC6.8 SOC_2_CC6.8 SOC 2 Type 2 CC6.8 Logical and Physical Access Controls Prevent or detect against unauthorized or malicious software Shared The customer is responsible for implementing this recommendation. Restricts Application and Software Installation — The ability to install applications and software is restricted to authorized individuals. • Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. • Uses a Defined Change Control Process — A management-defined change control process is used for the implementation of software. • Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. • Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network. 47
SOC_2 CC8.1 SOC_2_CC8.1 SOC 2 Type 2 CC8.1 Change Management Changes to infrastructure, data, and software Shared The customer is responsible for implementing this recommendation. Manages Changes Throughout the System Life Cycle — A process for managing system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and processing integrity. • Authorizes Changes — A process is in place to authorize system changes prior to development. • Designs and Develops Changes — A process is in place to design and develop system changes. • Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. • Tracks System Changes — A process is in place to track system changes prior to implementation. • Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software. • Tests System Changes — A process is in place to test system changes prior to implementation. • Approves System Changes — A process is in place to approve system changes prior to implementation. • Deploys System Changes — A process is in place to implement system changes. • Identifies and Evaluates System Changes — Objectives affected by system changes are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle. • Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents — Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified and the change process is initiated upon identification. • Creates Baseline Configuration of IT Technology — A baseline configuration of IT and control systems is created and maintained. • Provides for Changes Necessary in Emergency Situations — A process is in place for authorizing, designing, testing, approving, and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent time frame). Additional points of focus that apply only in an engagement using the trust services criteria for confidentiality: • Protects Confidential Information — The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality. Additional points of focus that apply only in an engagement using the trust services criteria for privacy: • Protects Personal Information — The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy. 52
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 218
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 229
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 213
SOC_2023 CC8.1 SOC_2023_CC8.1 SOC 2023 CC8.1 Change Management To minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. Shared n/a The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. 147
SWIFT_CSCF_v2021 1.1 SWIFT_CSCF_v2021_1.1 SWIFT CSCF v2021 1.1 SWIFT Environment Protection SWIFT Environment Protection n/a Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. link 28
SWIFT_CSCF_v2021 1.2 SWIFT_CSCF_v2021_1.2 SWIFT CSCF v2021 1.2 SWIFT Environment Protection Operating System Privileged Account Control n/a Restrict and control the allocation and usage of administrator-level operating system accounts. link 12
SWIFT_CSCF_v2021 6.2 SWIFT_CSCF_v2021_6.2 SWIFT CSCF v2021 6.2 Detect Anomalous Activity to Systems or Transaction Records Software Integrity n/a Ensure the software integrity of the SWIFT-related applications. link 3
SWIFT_CSCF_v2021 6.5A SWIFT_CSCF_v2021_6.5A SWIFT CSCF v2021 6.5A Detect Anomalous Activity to Systems or Transaction Records Intrusion Detection n/a Detect and prevent anomalous network activity into and within the local or remote SWIFT environment. link 15
UK_NCSC_CSP 11 UK_NCSC_CSP_11 UK NCSC CSP 11 External interface protection External interface protection Shared n/a All external or less trusted interfaces of the service should be identified and appropriately defended. link 5
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance Deprecated BuiltIn unknown
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn unknown
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077 Regulatory Compliance Preview BuiltIn unknown
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn true
[Preview]: Control the use of App Service in a Virtual Enclave 528d78c5-246c-4f26-ade6-d30798705411 VirtualEnclaves Preview BuiltIn true
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn unknown
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn unknown
[Preview]: SWIFT CSP-CSCF v2020 3e0c67fc-8c7c-406c-89bd-6b6bdc986a22 Regulatory Compliance Preview BuiltIn unknown
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn unknown
Canada Federal PBMM 4c4a5f27-de81-430b-b4e5-9cbd50595a87 Regulatory Compliance GA BuiltIn unknown
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn true
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn true
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn true
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn unknown
IRS1075 September 2016 105e0327-6175-4eb2-9af4-1fba43bdb39d Regulatory Compliance GA BuiltIn true
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn unknown
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn true
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn true
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn unknown
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn true
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
UK OFFICIAL and UK NHS 3937f550-eedd-4639-9c5e-294358be442e Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-07-01 16:32:34 change Major (1.0.0 > 2.0.0)
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC