compliance controls are associated with this Policy definition 'Enforce SSL connection should be enabled for PostgreSQL database servers' (d158790f-bfb0-486c-8631-2dc6b4e8e6af)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
Azure_Security_Benchmark_v1.0 |
4.4 |
Azure_Security_Benchmark_v1.0_4.4 |
Azure Security Benchmark 4.4 |
Data Protection |
Encrypt all sensitive information in transit |
Shared |
Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure resources are able to negotiate TLS 1.2 or greater.
Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable.
Understand encryption in transit with Azure:
https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit |
n/a |
link |
10 |
Azure_Security_Benchmark_v2.0 |
DP-4 |
Azure_Security_Benchmark_v2.0_DP-4 |
Azure Security Benchmark DP-4 |
Data Protection |
Encrypt sensitive information in transit |
Shared |
To complement access controls, data in transit should be protected against ‘out of band’ attacks (e.g. traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.
While this is optional for traffic on private networks, this is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsoleted SSL, TLS, and SSH versions and protocols, and weak ciphers should be disabled.
By default, Azure provides encryption for data in transit between Azure data centers.
Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit
Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem
Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit |
n/a |
link |
12 |
Azure_Security_Benchmark_v3.0 |
DP-3 |
Azure_Security_Benchmark_v3.0_DP-3 |
Microsoft cloud security benchmark DP-3 |
Data Protection |
Encrypt sensitive data in transit |
Shared |
**Security Principle:**
Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.
Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on external and public networks.
**Azure Guidance:**
Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in.
Enforce HTTPS for workload web application and services by ensuring that any clients connecting to your Azure resources use transportation layer security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol.
Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure PaaS services by default.
**Implementation and additional context:**
Double encryption for Azure data in transit:
https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit
Understand encryption in transit with Azure:
https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit
Information on TLS Security:
https://docs.microsoft.com/security/engineering/solving-tls1-problem
Enforce secure transfer in Azure storage:
https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account |
n/a |
link |
15 |
CIS_Azure_1.1.0 |
4.13 |
CIS_Azure_1.1.0_4.13 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.13 |
4 Database Services |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'SSL connection' on 'PostgreSQL' Servers. |
link |
4 |
CIS_Azure_1.3.0 |
4.3.1 |
CIS_Azure_1.3.0_4.3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 |
4 Database Services |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'SSL connection' on 'PostgreSQL' Servers. |
link |
4 |
CIS_Azure_1.4.0 |
4.3.1 |
CIS_Azure_1.4.0_4.3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 |
4 Database Services |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'SSL connection' on 'PostgreSQL' Servers. |
link |
4 |
CIS_Azure_2.0.0 |
4.3.1 |
CIS_Azure_2.0.0_4.3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 |
4.3 |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
Shared |
n/a |
Enable `SSL connection` on `PostgreSQL` Servers.
`SSL connectivity` helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application. |
link |
4 |
CMMC_2.0_L2 |
SC.L2-3.13.8 |
CMMC_2.0_L2_SC.L2-3.13.8 |
404 not found |
|
|
|
n/a |
n/a |
|
16 |
CMMC_L3 |
AC.1.002 |
CMMC_L3_AC.1.002 |
CMMC L3 AC.1.002 |
Access Control |
Limit information system access to the types of transactions and functions that authorized users are permitted to execute. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). |
link |
27 |
CMMC_L3 |
SC.3.185 |
CMMC_L3_SC.3.185 |
CMMC L3 SC.3.185 |
System and Communications Protection |
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. |
link |
10 |
CMMC_L3 |
SC.3.190 |
CMMC_L3_SC.3.190 |
CMMC L3 SC.3.190 |
System and Communications Protection |
Protect the authenticity of communications sessions. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. |
link |
11 |
FedRAMP_High_R4 |
SC-8 |
FedRAMP_High_R4_SC-8 |
FedRAMP High SC-8 |
System And Communications Protection |
Transmission Confidentiality And Integrity |
Shared |
n/a |
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. |
link |
15 |
FedRAMP_High_R4 |
SC-8(1) |
FedRAMP_High_R4_SC-8(1) |
FedRAMP High SC-8 (1) |
System And Communications Protection |
Cryptographic Or Alternate Physical Protection |
Shared |
n/a |
The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. |
link |
14 |
FedRAMP_Moderate_R4 |
SC-8 |
FedRAMP_Moderate_R4_SC-8 |
FedRAMP Moderate SC-8 |
System And Communications Protection |
Transmission Confidentiality And Integrity |
Shared |
n/a |
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. |
link |
15 |
FedRAMP_Moderate_R4 |
SC-8(1) |
FedRAMP_Moderate_R4_SC-8(1) |
FedRAMP Moderate SC-8 (1) |
System And Communications Protection |
Cryptographic Or Alternate Physical Protection |
Shared |
n/a |
The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. |
link |
14 |
hipaa |
0809.01n2Organizational.1234-01.n |
hipaa-0809.01n2Organizational.1234-01.n |
0809.01n2Organizational.1234-01.n |
08 Network Protection |
0809.01n2Organizational.1234-01.n 01.04 Network Access Control |
Shared |
n/a |
Network traffic is controlled in accordance with the organization’s access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. |
|
17 |
hipaa |
0810.01n2Organizational.5-01.n |
hipaa-0810.01n2Organizational.5-01.n |
0810.01n2Organizational.5-01.n |
08 Network Protection |
0810.01n2Organizational.5-01.n 01.04 Network Access Control |
Shared |
n/a |
Transmitted information is secured and, at a minimum, encrypted over open, public networks. |
|
16 |
hipaa |
0811.01n2Organizational.6-01.n |
hipaa-0811.01n2Organizational.6-01.n |
0811.01n2Organizational.6-01.n |
08 Network Protection |
0811.01n2Organizational.6-01.n 01.04 Network Access Control |
Shared |
n/a |
Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. |
|
23 |
hipaa |
0812.01n2Organizational.8-01.n |
hipaa-0812.01n2Organizational.8-01.n |
0812.01n2Organizational.8-01.n |
08 Network Protection |
0812.01n2Organizational.8-01.n 01.04 Network Access Control |
Shared |
n/a |
Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. |
|
12 |
hipaa |
0814.01n1Organizational.12-01.n |
hipaa-0814.01n1Organizational.12-01.n |
0814.01n1Organizational.12-01.n |
08 Network Protection |
0814.01n1Organizational.12-01.n 01.04 Network Access Control |
Shared |
n/a |
The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of its business applications. |
|
11 |
hipaa |
0947.09y2Organizational.2-09.y |
hipaa-0947.09y2Organizational.2-09.y |
0947.09y2Organizational.2-09.y |
09 Transmission Protection |
0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services |
Shared |
n/a |
The organization ensures the storage of the transaction details are located outside of any publicly accessible environments (e.g., on a storage platform existing on the organization's intranet) and not retained and exposed on a storage medium directly accessible from the Internet. |
|
11 |
hipaa |
1450.05i2Organizational.2-05.i |
hipaa-1450.05i2Organizational.2-05.i |
1450.05i2Organizational.2-05.i |
14 Third Party Assurance |
1450.05i2Organizational.2-05.i 05.02 External Parties |
Shared |
n/a |
The organization obtains satisfactory assurances that reasonable information security exists across its information supply chain by performing an annual review, which includes all partners/third-party providers upon which their information supply chain depends. |
|
10 |
New_Zealand_ISM |
18.1.13.C.02 |
New_Zealand_ISM_18.1.13.C.02 |
New_Zealand_ISM_18.1.13.C.02 |
18. Network security |
Network Management - Limiting network access |
|
n/a |
If an attacker has limited opportunities to connect to a given network |
|
19 |
NIST_SP_800-171_R2_3 |
.13.8 |
NIST_SP_800-171_R2_3.13.8 |
NIST SP 800-171 R2 3.13.8 |
System and Communications Protection |
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. See [NIST CRYPTO]. |
link |
16 |
NIST_SP_800-53_R4 |
SC-8 |
NIST_SP_800-53_R4_SC-8 |
NIST SP 800-53 Rev. 4 SC-8 |
System And Communications Protection |
Transmission Confidentiality And Integrity |
Shared |
n/a |
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. |
link |
15 |
NIST_SP_800-53_R4 |
SC-8(1) |
NIST_SP_800-53_R4_SC-8(1) |
NIST SP 800-53 Rev. 4 SC-8 (1) |
System And Communications Protection |
Cryptographic Or Alternate Physical Protection |
Shared |
n/a |
The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. |
link |
14 |
NIST_SP_800-53_R5 |
SC-8 |
NIST_SP_800-53_R5_SC-8 |
NIST SP 800-53 Rev. 5 SC-8 |
System and Communications Protection |
Transmission Confidentiality and Integrity |
Shared |
n/a |
Protect the [Selection (OneOrMore): confidentiality;integrity] of transmitted information. |
link |
15 |
NIST_SP_800-53_R5 |
SC-8(1) |
NIST_SP_800-53_R5_SC-8(1) |
NIST SP 800-53 Rev. 5 SC-8 (1) |
System and Communications Protection |
Cryptographic Protection |
Shared |
n/a |
Implement cryptographic mechanisms to [Selection (OneOrMore): prevent unauthorized disclosure of information;detect changes to information] during transmission. |
link |
14 |
NZ_ISM_v3.5 |
ISM-4 |
NZ_ISM_v3.5_ISM-4 |
NZISM Security Benchmark ISM-4 |
Information security monitoring |
6.2.6 Resolving vulnerabilities |
Customer |
n/a |
Vulnerabilities may occur as a result of poorly designed or implemented information security practices, accidental activities or malicious activities, and not just as the result of a technical issue. |
link |
8 |
RBI_CSF_Banks_v2016 |
10.1 |
RBI_CSF_Banks_v2016_10.1 |
|
Secure Mail And Messaging Systems |
Secure Mail And Messaging Systems-10.1 |
|
n/a |
Implement secure mail and messaging systems, including those used by bank???s partners & vendors, that include measures to prevent email spoofing, identical mail domains, protection of attachments, malicious links etc |
|
15 |
RBI_CSF_Banks_v2016 |
10.2 |
RBI_CSF_Banks_v2016_10.2 |
|
Secure Mail And Messaging Systems |
Secure Mail And Messaging Systems-10.2 |
|
n/a |
Document and implement emailserver specific controls |
|
15 |
RBI_CSF_Banks_v2016 |
13.4 |
RBI_CSF_Banks_v2016_13.4 |
|
Advanced Real-Timethreat Defenceand Management |
Advanced Real-Timethreat Defenceand Management-13.4 |
|
n/a |
Consider implementingsecure web gateways with capability to deep scan network packets including secure (HTTPS, etc.) traffic passing through the web/internet gateway |
|
41 |
RBI_ITF_NBFC_v2017 |
3.1.h |
RBI_ITF_NBFC_v2017_3.1.h |
RBI IT Framework 3.1.h |
Information and Cyber Security |
Public Key Infrastructure (PKI)-3.1 |
|
n/a |
The IS Policy must provide for a IS framework with the following basic tenets:
Public Key Infrastructure (PKI) - NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation. |
link |
31 |
RMiT_v1.0 |
10.16 |
RMiT_v1.0_10.16 |
RMiT 10.16 |
Cryptography |
Cryptography - 10.16 |
Shared |
n/a |
A financial institution must establish a robust and resilient cryptography policy to promote the adoption of strong cryptographic controls for protection of important data and information. This policy, at a minimum, shall address requirements for:
(a) the adoption of industry standards for encryption algorithms, message authentication, hash functions, digital signatures and random number generation;
(b) the adoption of robust and secure processes in managing cryptographic key lifecycles which include generation, distribution, renewal, usage, storage, recovery, revocation and destruction;
(c) the periodic review, at least every three years, of existing cryptographic standards and algorithms in critical systems, external linked or transactional customer-facing applications to prevent exploitation of weakened algorithms or protocols; and
(d) the development and testing of compromise-recovery plans in the event of a cryptographic key compromise. This must set out the escalation process, procedures for keys regeneration, interim measures, changes to business-as-usual protocols and containment strategies or options to minimise the impact of a compromise. |
link |
10 |
RMiT_v1.0 |
11.15 |
RMiT_v1.0_11.15 |
RMiT 11.15 |
Data Loss Prevention (DLP) |
Data Loss Prevention (DLP) - 11.15 |
Shared |
n/a |
A financial institution must design internal control procedures and implement appropriate technology in all applications and access points to enforce DLP policies and trigger any policy violations. The technology deployed must cover the following:
(a) data in-use - data being processed by IT resources;
(b) data in-motion - data being transmitted on the network; and
(c) data at-rest - data stored in storage mediums such as servers, backup media and databases. |
link |
14 |
SOC_2 |
CC6.1 |
SOC_2_CC6.1 |
SOC 2 Type 2 CC6.1 |
Logical and Physical Access Controls |
Logical access security software, infrastructure, and architectures |
Shared |
The customer is responsible for implementing this recommendation. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion:
• Identifies and Manages the Inventory of Information Assets — The entity identifies,
Page 29
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
inventories, classifies, and manages information assets.
• Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative
authorities, mobile devices, output, and offline system components is restricted
through the use of access control software and rule sets.
• Identifies and Authenticates Users — Persons, infrastructure, and software are
identified and authenticated prior to accessing information assets, whether locally
or remotely.
• Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
• Manages Points of Access — Points of access by outside entities and the types of
data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified,
documented, and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
• Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems
accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external
infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point.
Credentials are removed and access is disabled when access is no longer required
or the infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to supplement other
measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
• Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction |
|
78 |
SOC_2 |
CC6.6 |
SOC_2_CC6.6 |
SOC 2 Type 2 CC6.6 |
Logical and Physical Access Controls |
Security measures against threats outside system boundaries |
Shared |
The customer is responsible for implementing this recommendation. |
• Restricts Access — The types of activities that can occur through a communication
channel (for example, FTP site, router port) are restricted.
• Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries.
• Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its
boundaries.
• Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and
are monitored to detect such attempts |
|
40 |
SOC_2 |
CC6.7 |
SOC_2_CC6.7 |
SOC 2 Type 2 CC6.7 |
Logical and Physical Access Controls |
Restrict the movement of information to authorized users |
Shared |
The customer is responsible for implementing this recommendation. |
• Restricts the Ability to Perform Transmission — Data loss prevention processes and
technologies are used to restrict ability to authorize and execute transmission,
movement, and removal of information.
• Uses Encryption Technologies or Secure Communication Channels to Protect Data
— Encryption technologies or secured communication channels are used to protect
transmission of data and other communications beyond connectivity access points.
• Protects Removal Media — Encryption technologies and physical asset protections
are used for removable media (such as USB drives and backup tapes), as appropriate.
• Protects Mobile Devices — Processes are in place to protect mobile devices (such
as laptops, smart phones, and tablets) that serve as information assets |
|
29 |
SWIFT_CSCF_v2021 |
2.6 |
SWIFT_CSCF_v2021_2.6 |
SWIFT CSCF v2021 2.6 |
Reduce Attack Surface and Vulnerabilities |
Operator Session Confidentiality and Integrity |
|
n/a |
Protect the confidentiality and integrity of interactive operator sessions connecting to the local or the remote (operated by a service provider) SWIFT-related infrastructure or applications. |
link |
8 |
|
U.05.1 - Cryptographic measures |
U.05.1 - Cryptographic measures |
404 not found |
|
|
|
n/a |
n/a |
|
17 |
|
U.11.1 - Policy |
U.11.1 - Policy |
404 not found |
|
|
|
n/a |
n/a |
|
18 |
|
U.11.2 - Cryptographic measures |
U.11.2 - Cryptographic measures |
404 not found |
|
|
|
n/a |
n/a |
|
18 |