| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v1.0 |
9.1 |
Azure_Security_Benchmark_v1.0_9.1 |
Azure Security Benchmark 9.1 |
Data Recovery |
Ensure regular automated back ups |
Customer |
Enable Azure Backup and configure the backup source (Azure VMs, SQL Server, or File Shares), as well as the desired frequency and retention period.
How to enable Azure Backup:
https://docs.microsoft.com/azure/backup/ |
n/a |
link |
5 |
| Azure_Security_Benchmark_v1.0 |
9.2 |
Azure_Security_Benchmark_v1.0_9.2 |
Azure Security Benchmark 9.2 |
Data Recovery |
Perform complete system backups and backup any customer managed keys |
Customer |
Enable Azure Backup and target VM(s), as well as the desired frequency and retention periods. Backup customer managed keys within Azure Key Vault.
How to enable Azure Backup:
https://docs.microsoft.com/azure/backup/
How to backup key vault keys in Azure:
https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?view=azurermps-6.13.0 |
n/a |
link |
5 |
| Azure_Security_Benchmark_v2.0 |
BR-1 |
Azure_Security_Benchmark_v2.0_BR-1 |
Azure Security Benchmark BR-1 |
Backup and Recovery |
Ensure regular automated backups |
Customer |
Ensure you are backing up systems and data to maintain business continuity after an unexpected event. This should be defined by any objectives for Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
Enable Azure Backup and configure the backup source (e.g. Azure VMs, SQL Server, HANA databases, or File Shares), as well as the desired frequency and retention period.
For a higher level of protection, you can enable geo-redundant storage option to replicate backup data to a secondary region and recover using cross region restore.
Enterprise-scale business continuity and disaster recovery: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery
How to enable Azure Backup: https://docs.microsoft.com/azure/backup/
How to enable cross region restore: https://docs.microsoft.com/azure/backup/backup-azure-arm-restore-vms#cross-region-restore |
n/a |
link |
5 |
| Azure_Security_Benchmark_v2.0 |
BR-2 |
Azure_Security_Benchmark_v2.0_BR-2 |
Azure Security Benchmark BR-2 |
Backup and Recovery |
Encrypt backup data |
Customer |
Ensure your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality.
For on-premises backups using Azure Backup, encryption-at-rest is provided using the passphrase you provide. For regular Azure service backups, backup data is automatically encrypted using Azure platform-managed keys. You can choose to encrypt the backups using customer managed key. In this case, ensure this customer-managed key in the key vault is also in the backup scope.
Use role-based access control in Azure Backup, Azure Key Vault, or other resources to protect backups and customer managed keys. Additionally, you can enable advanced security features to require MFA before backups can be altered or deleted.
Overview of security features in Azure Backup: https://docs.microsoft.com/azure/backup/security-overview
Encryption of backup data using customer-managed keys: https://docs.microsoft.com/azure/backup/encryption-at-rest-with-cmk
How to backup Key Vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?view=azurermps-6.13.0
Security features to help protect hybrid backups from attacks: https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks |
n/a |
link |
5 |
| CMMC_L3 |
RE.2.137 |
CMMC_L3_RE.2.137 |
CMMC L3 RE.2.137 |
Recovery |
Regularly perform and test data back-ups. |
Customer |
The customer is responsible for implementing this requirement. |
Backups are used to recover data in the event of a hardware or software failure. Backups should be performed and tested regularly based on an organizational defined frequency. |
link |
6 |
| CMMC_L3 |
RE.3.139 |
CMMC_L3_RE.3.139 |
CMMC L3 RE.3.139 |
Recovery |
Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. |
Customer |
The customer is responsible for implementing this requirement. |
The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it. When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted data. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker’s presence on the machine. This practice is based on the following CIS controls: 10.1 Ensure that all system data is automatically backed up on a regular basis. 10.2 Ensure that all of the organization’s key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. 10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination. |
link |
6 |
| FedRAMP_High_R4 |
CP-6 |
FedRAMP_High_R4_CP-6 |
FedRAMP High CP-6 |
Contingency Planning |
Alternate Storage Site |
Shared |
n/a |
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
Supplemental Guidance: Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup
media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4.
References: NIST Special Publication 800-34. |
link |
7 |
| FedRAMP_High_R4 |
CP-6(1) |
FedRAMP_High_R4_CP-6(1) |
FedRAMP High CP-6 (1) |
Contingency Planning |
Separation From Primary Site |
Shared |
n/a |
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
Supplemental Guidance: Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. |
link |
6 |
| FedRAMP_Moderate_R4 |
CP-6 |
FedRAMP_Moderate_R4_CP-6 |
FedRAMP Moderate CP-6 |
Contingency Planning |
Alternate Storage Site |
Shared |
n/a |
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
Supplemental Guidance: Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup
media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4.
References: NIST Special Publication 800-34. |
link |
7 |
| FedRAMP_Moderate_R4 |
CP-6(1) |
FedRAMP_Moderate_R4_CP-6(1) |
FedRAMP Moderate CP-6 (1) |
Contingency Planning |
Separation From Primary Site |
Shared |
n/a |
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
Supplemental Guidance: Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. |
link |
6 |
| hipaa |
1616.09l1Organizational.16-09.l |
hipaa-1616.09l1Organizational.16-09.l |
1616.09l1Organizational.16-09.l |
16 Business Continuity & Disaster Recovery |
1616.09l1Organizational.16-09.l 09.05 Information Back-Up |
Shared |
n/a |
Backup copies of information and software are made, and tests of the media and restoration procedures are regularly performed at appropriate intervals. |
|
2 |
| hipaa |
1621.09l2Organizational.1-09.l |
hipaa-1621.09l2Organizational.1-09.l |
1621.09l2Organizational.1-09.l |
16 Business Continuity & Disaster Recovery |
1621.09l2Organizational.1-09.l 09.05 Information Back-Up |
Shared |
n/a |
Automated tools are used to track all backups. |
|
3 |
| NIST_SP_800-53_R4 |
CP-6 |
NIST_SP_800-53_R4_CP-6 |
NIST SP 800-53 Rev. 4 CP-6 |
Contingency Planning |
Alternate Storage Site |
Shared |
n/a |
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
Supplemental Guidance: Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup
media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4.
References: NIST Special Publication 800-34. |
link |
7 |
| NIST_SP_800-53_R4 |
CP-6(1) |
NIST_SP_800-53_R4_CP-6(1) |
NIST SP 800-53 Rev. 4 CP-6 (1) |
Contingency Planning |
Separation From Primary Site |
Shared |
n/a |
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
Supplemental Guidance: Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. |
link |
6 |
| NIST_SP_800-53_R5 |
CP-6 |
NIST_SP_800-53_R5_CP-6 |
NIST SP 800-53 Rev. 5 CP-6 |
Contingency Planning |
Alternate Storage Site |
Shared |
n/a |
a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and
b. Ensure that the alternate storage site provides controls equivalent to that of the primary site. |
link |
7 |
| NIST_SP_800-53_R5 |
CP-6(1) |
NIST_SP_800-53_R5_CP-6(1) |
NIST SP 800-53 Rev. 5 CP-6 (1) |
Contingency Planning |
Separation from Primary Site |
Shared |
n/a |
Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats. |
link |
6 |
| RBI_ITF_NBFC_v2017 |
6 |
RBI_ITF_NBFC_v2017_6 |
RBI IT Framework 6 |
Business Continuity Planning |
Business Continuity Planning (BCP) and Disaster Recovery-6 |
|
n/a |
BCP forms a significant part of an organisation's overall Business Continuity Management plan, which includes policies, standards and procedures to ensure continuity, resumption and recovery of critical business processes. BCP shall be designed to minimise the operational, financial, legal, reputational and other material consequences arising from a disaster. NBFC should adopt a Board approved BCP Policy. The functioning of BCP shall be monitored by the Board by way of periodic reports. The CIO shall be responsible for formulation, review and monitoring of BCP to ensure continued effectiveness. The BCP may have the following salient features |
link |
9 |
| RBI_ITF_NBFC_v2017 |
6.2 |
RBI_ITF_NBFC_v2017_6.2 |
RBI IT Framework 6.2 |
Business Continuity Planning |
Recovery strategy / Contingency Plan-6.2 |
|
n/a |
NBFCs shall try to fully understand the vulnerabilities associated with interrelationships between various systems, departments and business processes. The BCP should come up with the probabilities of various failure scenarios. Evaluation of various options should be done for recovery and the most cost-effective, practical strategy should be selected to minimize losses in case of a disaster. |
link |
8 |
| RBI_ITF_NBFC_v2017 |
6.3 |
RBI_ITF_NBFC_v2017_6.3 |
RBI IT Framework 6.3 |
Business Continuity Planning |
Recovery strategy / Contingency Plan-6.3 |
|
n/a |
NBFCs shall consider the need to put in place necessary backup sites for their critical business systems and Data centers. |
link |
7 |
| RMiT_v1.0 |
10.51 |
RMiT_v1.0_10.51 |
RMiT 10.51 |
Cloud Services |
Cloud Services - 10.51 |
Shared |
n/a |
A financial institution is required to consult the Bank prior to the use of public cloud for critical systems. The financial institution is expected to demonstrate that specific risks associated with the use of cloud services for critical systems have been adequately considered and addressed. The risk assessment shall address the risks outlined in paragraph 10.49 as well as the following areas:
(a) the adequacy of the overarching cloud adoption strategy of the financial institution including:
(i) board oversight over cloud strategy and cloud operational management;
(ii) senior management roles and responsibilities on cloud management;
(iii) conduct of day-to-day operational management functions;
(iv) management and oversight by the financial institution of cloud service providers;
(v) quality of risk management and internal control functions; and
(vi) strength of in-house competency and experience;
(b) the availability of independent, internationally recognised certifications of the cloud service providers, at a minimum, in the following areas:
(i) information security management framework, including cryptographic modules such as used for encryption and decryption of user data; and
(ii) cloud-specific security controls for protection of customer and counterparty or proprietary information including payment transaction data in use, in storage and in transit; and
(c) the degree to which the selected cloud configuration adequately addresses the following attributes:
(i) geographical redundancy;
(ii) high availability;
(iii) scalability;
(iv) portability;
(v) interoperability; and
(vi) strong recovery and resumption capability including appropriate alternate Internet path to protect against potential Internet faults. |
link |
7 |
| SWIFT_CSCF_v2021 |
2.5A |
SWIFT_CSCF_v2021_2.5A |
SWIFT CSCF v2021 2.5A |
Reduce Attack Surface and Vulnerabilities |
External Transmission Data Protection |
|
n/a |
Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. |
link |
12 |