last sync: 2025-Mar-23 22:31:17 UTC

Event Hub should use a virtual network service endpoint

Azure BuiltIn Policy definition

Source Azure Portal
Display name Event Hub should use a virtual network service endpoint
Id d63edb4a-c612-454d-b47d-191a724fcbf0
Version 1.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.0
Built-in Versioning [Preview]
Category Network
Microsoft Learn
Description This policy audits any Event Hub not configured to use a virtual network service endpoint.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.*.*'
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.EventHub/namespaces/virtualNetworkRules/virtualNetworkSubnetId Microsoft.EventHub namespaces/virtualNetworkRules properties.virtualNetworkSubnetId True False
Rule resource types IF (1)
Microsoft.EventHub/namespaces
Compliance
The following 68 compliance controls are associated with this Policy definition 'Event Hub should use a virtual network service endpoint' (d63edb4a-c612-454d-b47d-191a724fcbf0)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v1.0 1.1 Azure_Security_Benchmark_v1.0_1.1 Azure Security Benchmark 1.1 Network Security Protect resources using Network Security Groups or Azure Firewall on your Virtual Network Customer Ensure that all Virtual Network subnet deployments have a Network Security Group applied with network access controls specific to your application's trusted ports and sources. Use Azure Services with Private Link enabled, deploy the service inside your Vnet, or connect privately using Private Endpoints. For service specific requirements, please refer to the security recommendation for that specific service. Alternatively, if you have a specific use case, requirements can be met by implementing Azure Firewall. General Information on Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview How to create a Virtual Network: https://docs.microsoft.com/azure/virtual-network/quick-create-portal How to create an NSG with a security configuration: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic How to deploy and configure Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal n/a link 20
Canada_Federal_PBMM_3-1-2020 AC_2(4) Canada_Federal_PBMM_3-1-2020_AC_2(4) Canada Federal PBMM 3-1-2020 AC 2(4) Account Management Account Management | Automated Audit Actions Shared 1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers. 2. Related controls: AU-2, AU-12. To ensure accountability and transparency within the information system. 53
CIS_Controls_v8.1 10.7 CIS_Controls_v8.1_10.7 CIS Controls v8.1 10.7 Malware Defenses Use behaviour based anti-malware software Shared Use behaviour based anti-malware software To ensure that a generic anti-malware software is not used. 100
CIS_Controls_v8.1 12.2 CIS_Controls_v8.1_12.2 CIS Controls v8.1 12.2 Network Infrastructure Management Establish and maintain a secure network architecture Shared 1. Establish and maintain a secure network architecture. 2. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. To ensure appropriate restrictions are placed on network architecture. 16
CIS_Controls_v8.1 12.3 CIS_Controls_v8.1_12.3 CIS Controls v8.1 12.3 Network Infrastructure Management Securely manage network infrastructure Shared 1. Securely manage network infrastructure. 2. Example implementations include version-controlled-infrastructure-ascode, and the use of secure network protocols, such as SSH and HTTPS. To ensure proper management of network infrastructure. 39
CIS_Controls_v8.1 13.1 CIS_Controls_v8.1_13.1 CIS Controls v8.1 13.1 Network Monitoring and Defense Centralize security event alerting Shared 1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard. To ensure that any security event is immediately alerted enterprise-wide. 102
CIS_Controls_v8.1 13.3 CIS_Controls_v8.1_13.3 CIS Controls v8.1 13.3 Network Monitoring and Defense Deploy a network intrusion detection solution Shared 1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. To enhance the organization's cybersecurity. 100
CIS_Controls_v8.1 13.4 CIS_Controls_v8.1_13.4 CIS Controls v8.1 13.4 Network Monitoring and Defense Perform traffic filtering between network segments Shared Perform traffic filtering between network segments, where appropriate. To improve network security and reduce the risk of security breaches and unauthorized access. 16
CIS_Controls_v8.1 18.4 CIS_Controls_v8.1_18.4 CIS Controls v8.1 18.4 Penetration Testing Validate security measures Shared Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise. 94
CIS_Controls_v8.1 3.12 CIS_Controls_v8.1_3.12 CIS Controls v8.1 3.12 Data Protection Segment data processing and storage based on sensitivity Shared 1. Segment data processing and storage based on the sensitivity of the data. 2. Do not process sensitive data on enterprise assets intended for lower sensitivity data. To minimise the risk of unauthorized access or exposure to sensitive information and enhance data security measures. 16
CIS_Controls_v8.1 8.11 CIS_Controls_v8.1_8.11 CIS Controls v8.1 8.11 Audit Log Management Conduct audit log reviews Shared 1. Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. 2. Conduct reviews on a weekly, or more frequent, basis. To ensure the integrity of the data in audit logs. 62
CMMC_L2_v1.9.0 AC.L1_3.1.20 CMMC_L2_v1.9.0_AC.L1_3.1.20 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L1 3.1.20 Access Control External Connections Shared Verify and control/limit connections to and use of external information systems. To enhance security and minimise potential risks associated with external access. 27
CMMC_L2_v1.9.0 AC.L2_3.1.3 CMMC_L2_v1.9.0_AC.L2_3.1.3 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.3 Access Control Control CUI Flow Shared Control the flow of CUI in accordance with approved authorizations. To regulate the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations 46
CSA_v4.0.12 DCS_02 CSA_v4.0.12_DCS_02 CSA Cloud Controls Matrix v4.0.12 DCS 02 Datacenter Security Off-Site Transfer Authorization Policy and Procedures Shared n/a Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires the written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually. 45
CSA_v4.0.12 DSP_05 CSA_v4.0.12_DSP_05 CSA Cloud Controls Matrix v4.0.12 DSP 05 Data Security and Privacy Lifecycle Management Data Flow Documentation Shared n/a Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change. 57
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 194
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 311
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 311
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 311
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 311
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .1 FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 Policy and Implementation - Systems And Communications Protection Systems And Communications Protection Shared In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. 111
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .5 FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 Policy and Implementation - Access Control Access Control Shared Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. 97
hipaa 0805.01m1Organizational.12-01.m hipaa-0805.01m1Organizational.12-01.m 0805.01m1Organizational.12-01.m 08 Network Protection 0805.01m1Organizational.12-01.m 01.04 Network Access Control Shared n/a The organization's security gateways (e.g., firewalls) (i) enforce security policies; (ii) are configured to filter traffic between domains; (iii) block unauthorized access; (iv) are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet), including DMZs; and, (vi) enforce access control policies for each of the domains. 12
hipaa 0806.01m2Organizational.12356-01.m hipaa-0806.01m2Organizational.12356-01.m 0806.01m2Organizational.12356-01.m 08 Network Protection 0806.01m2Organizational.12356-01.m 01.04 Network Access Control Shared n/a The organization’s network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. 13
hipaa 0863.09m2Organizational.910-09.m hipaa-0863.09m2Organizational.910-09.m 0863.09m2Organizational.910-09.m 08 Network Protection 0863.09m2Organizational.910-09.m 09.06 Network Security Management Shared n/a The organization builds a firewall configuration that restricts connections between untrusted networks and any system components in the covered information environment; and any changes to the firewall configuration are updated in the network diagram. 25
hipaa 0894.01m2Organizational.7-01.m hipaa-0894.01m2Organizational.7-01.m 0894.01m2Organizational.7-01.m 08 Network Protection 0894.01m2Organizational.7-01.m 01.04 Network Access Control Shared n/a Networks are segregated from production-level networks when migrating physical servers, applications, or data to virtualized servers. 19
HITRUST_CSF_v11.3 01.m HITRUST_CSF_v11.3_01.m HITRUST CSF v11.3 01.m Network Access Control To ensure segregation in networks. Shared Security gateways, internal network perimeters, wireless network segregation, firewalls, and logical network domains with controlled data flows to be implemented to enhance network security. Groups of information services, users, and information systems should be segregated on networks. 48
HITRUST_CSF_v11.3 01.n HITRUST_CSF_v11.3_01.n HITRUST CSF v11.3 01.n Network Access Control To prevent unauthorised access to shared networks. Shared Default deny policy at managed interfaces, restricted user connections through network gateways, comprehensive access controls, time-based restrictions, and encryption of sensitive information transmitted over public networks for is to be implemented for enhanced security. For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications. 55
HITRUST_CSF_v11.3 01.o HITRUST_CSF_v11.3_01.o HITRUST CSF v11.3 01.o Network Access Control To implement network routing controls to prevent breach of the access control policy of business applications. Shared Security gateways are to be leveraged, application-layer filtering proxy is to be employed, outbound traffic is to be directed through authenticated proxy servers, and internal directory services to fortify network access controls and protect against external threats are to be secured. Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications. 33
HITRUST_CSF_v11.3 09.ab HITRUST_CSF_v11.3_09.ab HITRUST CSF v11.3 09.ab Monitoring To establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. Shared 1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with. Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. 114
HITRUST_CSF_v11.3 09.w HITRUST_CSF_v11.3_09.w HITRUST CSF v11.3 09.w Exchange of Information To develop and implement policies and procedures, to protect information associated with the interconnection of business information systems. Shared 1. A security baseline is to be documented and implemented for interconnected systems. 2. Other requirements and controls linked to interconnected business systems are to include the separation of operational systems from interconnected system, retention and back-up of information held on the system, and fallback requirements and arrangements. Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems. 45
ISO_IEC_27002_2022 5.14 ISO_IEC_27002_2022_5.14 ISO IEC 27002 2022 5.14 Protection, Preventive Control Information transfer Shared To maintain the security of information transferred within an organization and with any external interested party. Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. 46
NIST_SP_800-171_R3_3 .1.18 NIST_SP_800-171_R3_3.1.18 NIST 800-171 R3 3.1.18 Access Control Access Control for Mobile Devices Shared A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable, or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, smart watches, and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of mobile devices may be comparable to or a subset of notebook or desktop systems, depending on the nature and intended purpose of the device. The protection and control of mobile devices is behavior- or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which the organization provides physical or procedural controls to meet the requirements established for protecting CUI. Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions, configuration requirements, and connection requirements for mobile devices include configuration management, device identification and authentication, implementing mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices. Container-based encryption provides a fine-grained approach to the encryption of data and information, including encrypting selected data structures (e.g., files, records, or fields). a. Establish usage restrictions, configuration requirements, and connection requirements for mobile devices. b. Authorize the connection of mobile devices to the system. c. Implement full-device or container-based encryption to protect the confidentiality of CUI on mobile devices. 28
NIST_SP_800-171_R3_3 .1.3 NIST_SP_800-171_R3_3.1.3 NIST 800-171 R3 3.1.3 Access Control Information Flow Enforcement Shared Information flow control regulates where CUI can transit within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include keeping CUI from being transmitted in the clear to the internet, blocking outside traffic that claims to be from within the organization, restricting requests to the internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of CUI between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., encrypted tunnels, routers, gateways, and firewalls) that use rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems that represent different security domains with different security policies introduces the risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes prohibiting information transfers between interconnected systems (i.e., allowing information access only), employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Enforce approved authorizations for controlling the flow of CUI within the system and between connected systems. 46
NIST_SP_800-171_R3_3 .13.9 NIST_SP_800-171_R3_3.13.9 NIST 800-171 R3 3.13.9 System and Communications Protection Control Network Disconnect Shared This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes deallocating TCP/IP addresses or port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single network connection. Time periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses. Terminate network connections associated with communications sessions at the end of the sessions or after periods of inactivity. 27
NIST_SP_800-53_R5.1.1 AC.4 NIST_SP_800-53_R5.1.1_AC.4 NIST SP 800-53 R5.1.1 AC.4 Access Control Information Flow Enforcement Shared Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS). 44
NIST_SP_800-53_R5.1.1 AC.4.4 NIST_SP_800-53_R5.1.1_AC.4.4 NIST SP 800-53 R5.1.1 AC.4.4 Access Control Information Flow Enforcement | Flow Control of Encrypted Information Shared Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method] ]. Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms. 16
NIST_SP_800-53_R5.1.1 AC.4.6 NIST_SP_800-53_R5.1.1_AC.4.6 NIST SP 800-53 R5.1.1 AC.4.6 Access Control Information Flow Enforcement | Metadata Shared Enforce information flow control based on [Assignment: organization-defined metadata]. Metadata is information that describes the characteristics of data. Metadata can include structural metadata describing data structures or descriptive metadata describing data content. Enforcement of allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata regarding data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., employing sufficiently strong binding techniques with appropriate assurance). 16
NIST_SP_800-53_R5.1.1 SC.7.3 NIST_SP_800-53_R5.1.1_SC.7.3 NIST SP 800-53 R5.1.1 SC.7.3 System and Communications Protection Boundary Protection | Access Points Shared Limit the number of external network connections to the system. Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC] initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system. 25
NZISM_v3.7 14.3.12.C.01. NZISM_v3.7_14.3.12.C.01. NZISM v3.7 14.3.12.C.01. Web Applications 14.3.12.C.01. - To strengthening the overall security posture of the agency's network environment. Shared n/a Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations. 81
NZISM_v3.7 19.1.10.C.01. NZISM_v3.7_19.1.10.C.01. NZISM v3.7 19.1.10.C.01. Gateways 19.1.10.C.01. - To ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks. Shared n/a When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection. 50
NZISM_v3.7 19.1.11.C.01. NZISM_v3.7_19.1.11.C.01. NZISM v3.7 19.1.11.C.01. Gateways 19.1.11.C.01. - To ensure network protection through gateway mechanisms. Shared n/a Agencies MUST ensure that: 1. all agency networks are protected from networks in other security domains by one or more gateways; 2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and 3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room. 49
NZISM_v3.7 19.1.11.C.02. NZISM_v3.7_19.1.11.C.02. NZISM v3.7 19.1.11.C.02. Gateways 19.1.11.C.02. - To maintain security and integrity across domains. Shared n/a For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party. 48
NZISM_v3.7 19.1.12.C.01. NZISM_v3.7_19.1.12.C.01. NZISM v3.7 19.1.12.C.01. Gateways 19.1.12.C.01. - To minimize security risks and ensure effective control over network communications Shared n/a Agencies MUST ensure that gateways: 1. are the only communications paths into and out of internal networks; 2. by default, deny all connections into and out of the network; 3. allow only explicitly authorised connections; 4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network); 5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and 6. provide real-time alerts. 47
NZISM_v3.7 19.1.14.C.01. NZISM_v3.7_19.1.14.C.01. NZISM v3.7 19.1.14.C.01. Gateways 19.1.14.C.01. - To enhance security by segregating resources from the internal network. Shared n/a Agencies MUST use demilitarised zones to house systems and information directly accessed externally. 40
NZISM_v3.7 19.1.14.C.02. NZISM_v3.7_19.1.14.C.02. NZISM v3.7 19.1.14.C.02. Gateways 19.1.14.C.02. - To enhance security by segregating resources from the internal network. Shared n/a Agencies SHOULD use demilitarised zones to house systems and information directly accessed externally. 39
NZISM_v3.7 19.1.19.C.01. NZISM_v3.7_19.1.19.C.01. NZISM v3.7 19.1.19.C.01. Gateways 19.1.19.C.01. - To enhance security posture. Shared n/a Agencies MUST limit access to gateway administration functions. 34
NZISM_v3.7 19.2.16.C.02. NZISM_v3.7_19.2.16.C.02. NZISM v3.7 19.2.16.C.02. Cross Domain Solutions (CDS) 19.2.16.C.02. - To maintain security and prevent unauthorized access or disclosure of sensitive information. Shared n/a Agencies MUST NOT implement a gateway permitting data to flow directly from: 1. a TOP SECRET network to any network below SECRET; 2. a SECRET network to an UNCLASSIFIED network; or 3. a CONFIDENTIAL network to an UNCLASSIFIED network. 34
NZISM_v3.7 19.2.18.C.01. NZISM_v3.7_19.2.18.C.01. NZISM v3.7 19.2.18.C.01. Cross Domain Solutions (CDS) 19.2.18.C.01. - To enhance data security and prevent unauthorized access or leakage between classified networks and less classified networks. Shared n/a Agencies MUST ensure that all bi-directional gateways between TOP SECRET and SECRET networks, SECRET and less classified networks, and CONFIDENTIAL and less classified networks, have separate upward and downward paths which use a diode and physically separate infrastructure for each path. 34
NZISM_v3.7 19.2.19.C.01. NZISM_v3.7_19.2.19.C.01. NZISM v3.7 19.2.19.C.01. Cross Domain Solutions (CDS) 19.2.19.C.01. - To ensure the integrity and reliability of information accessed or received. Shared n/a Trusted sources MUST be: 1. a strictly limited list derived from business requirements and the result of a security risk assessment; 2. where necessary an appropriate security clearance is held; and 3. approved by the Accreditation Authority. 34
NZISM_v3.7 19.2.19.C.02. NZISM_v3.7_19.2.19.C.02. NZISM v3.7 19.2.19.C.02. Cross Domain Solutions (CDS) 19.2.19.C.02. - To reduce the risk of unauthorized data transfers and potential breaches. Shared n/a Trusted sources MUST authorise all data to be exported from a security domain. 29
NZISM_v3.7 19.3.8.C.01. NZISM_v3.7_19.3.8.C.01. NZISM v3.7 19.3.8.C.01. Firewalls 19.3.8.C.01. - To enhance network security. Shared n/a All gateways MUST contain a firewall in both physical and virtual environments. 12
NZISM_v3.7 19.3.8.C.03. NZISM_v3.7_19.3.8.C.03. NZISM v3.7 19.3.8.C.03. Firewalls 19.3.8.C.03. - To minimise the risk of unauthorized access or data leakage between networks Shared n/a Agencies MUST use devices as shown in the following table for their gateway when connecting two networks of different classifications or two networks of the same classification but of different security domains. Your network: Restricted and below Their network: Unclassified You require: EAL4 firewall They require: N/A Your network: Restricted and below Their network: Restricted You require: EAL2 or PP firewall They require:EAL2 or PP firewall Your network: Restricted and below Their network: Confidential You require: EAL2 or PP firewall They require:EAL4 firewall Your network: Restricted and below Their network: Secret You require: EAL2 or PP firewall They require:EAL4 firewall Your network: Restricted and below Their network: Top Secret You require: EAL2 or PP firewall They require: Consultation with GCSB Your network: Confidential Their network: Unclassified You require: Consultation with GCSB They require: N/A Your network: Confidential Their network: Restricted You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Confidential Their network: Confidential You require: EAL2 or PP firewal They require: EAL2 or PP firewall Your network: Confidential Their network: Secret You require: EAL2 or PP firewal They require: EAL4 firewall Your network: Confidential Their network: Top Secret You require: EAL2 or PP firewall They require: Consultation with GCSB Your network: Secret Their network: Unclassified You require: Consultation with GCSB They require: N/A Your network: Secret Their network: Restricted You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Secret Their network: Confidential You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Secret Their network: Secret You require: EAL2 or PP firewall They require: EAL2 or PP firewall Your network: Secret Their network: Top Secret You require: EAL2 or PP firewall They require: EAL4 firewall Your network: Top Secret Their network: Unclassified You require: Consultation with GCSB They require: N/A Your network: Top Secret Their network: Restricted You require: Consultation with GCSB They require: EAL2 or PP firewall Your network: Top Secret Their network: Confidential You require: Consultation with GCSB They require: EAL2 or PP firewall Your network: Top Secret Their network: Secret You require: EAL4 firewall They require: EAL2 or PP firewall Your network: Top Secret Their network: Top Secret You require: EAL4 firewall They require: EAL4 firewall 19
NZISM_v3.7 19.3.8.C.04. NZISM_v3.7_19.3.8.C.04. NZISM v3.7 19.3.8.C.04. Firewalls 19.3.8.C.04. - To minimise the risk of unauthorized access or data leakage between networks Shared n/a 1. The requirement to implement a firewall as part of gateway architecture MUST be met separately and independently by both parties (gateways) in both physical and virtual environments. 2. Shared equipment DOES NOT satisfy the requirements of this control. 15
NZISM_v3.7 19.3.9.C.01. NZISM_v3.7_19.3.9.C.01. NZISM v3.7 19.3.9.C.01. Firewalls 19.3.9.C.01. - To minimise the risk of unauthorized access or data leakage between networks Shared n/a Agencies MUST use a firewall of at least an EAL4 assurance level between an NZEO network and a foreign network in addition to the minimum assurance levels for firewalls between networks of different classifications or security domains. 15
RMiT_v1.0 10.33 RMiT_v1.0_10.33 RMiT 10.33 Network Resilience Network Resilience - 10.33 Shared n/a A financial institution must design a reliable, scalable and secure enterprise network that is able to support its business activities, including future growth plans. link 27
SOC_2023 A1.1 SOC_2023_A1.1 SOC 2023 A1.1 Additional Criteria for Availability To effectively manage capacity demand and facilitate the implementation of additional capacity as needed. Shared n/a The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. 111
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 218
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 229
SOC_2023 CC6.1 SOC_2023_CC6.1 SOC 2023 CC6.1 Logical and Physical Access Controls To mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. Shared n/a Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. 128
SOC_2023 CC7.2 SOC_2023_CC7.2 SOC 2023 CC7.2 Systems Operations To maintain robust security measures and ensure operational resilience. Shared n/a The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. 167
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 213
SOC_2023 CC8.1 SOC_2023_CC8.1 SOC 2023 CC8.1 Change Management To minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. Shared n/a The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. 147
SOC_2023 PI1.3 SOC_2023_PI1.3 SOC 2023 PI1.3 Additional Criteria for Processing Integrity (Over the provision of services or the production, manufacturing, or distribution of goods) To enhance efficiency, accuracy, and compliance with organizational standards and regulatory requirements with regards to system processing to result in products, services, and reporting to meet the entity’s objectives. Shared n/a The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives. 50
SWIFT_CSCF_2024 1.1 SWIFT_CSCF_2024_1.1 SWIFT Customer Security Controls Framework 2024 1.1 Physical and Environmental Security Swift Environment Protection Shared 1. Segmentation between the user's Swift infrastructure and the larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve a compromise of the general enterprise IT environment. 2. Effective segmentation includes network-level separation, access restrictions, and connectivity restrictions. To ensure the protection of the user’s Swift infrastructure from potentially compromised elements of the general IT environment and external environment. 69
SWIFT_CSCF_2024 1.5 SWIFT_CSCF_2024_1.5 SWIFT Customer Security Controls Framework 2024 1.5 Physical and Environmental Security Customer Environment Protection Shared 1. Segmentation between the customer’s connectivity infrastructure and its larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve compromise of the general enterprise IT environment. 2. Effective segmentation will include network-level separation, access restrictions, and connectivity restrictions. To ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. 57
SWIFT_CSCF_2024 9.1 SWIFT_CSCF_2024_9.1 404 not found n/a n/a 57
SWIFT_CSCF_v2021 1.1 SWIFT_CSCF_v2021_1.1 SWIFT CSCF v2021 1.1 SWIFT Environment Protection SWIFT Environment Protection n/a Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. link 28
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn true
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn unknown
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2019-10-11 00:02:54 add d63edb4a-c612-454d-b47d-191a724fcbf0
JSON compare n/a
JSON
api-version=2021-06-01
EPAC