last sync: 2025-Feb-14 18:36:58 UTC

[Preview]: Azure Recovery Services vaults should use private link for backup

Azure BuiltIn Policy definition

Source Azure Portal
Display name [Preview]: Azure Recovery Services vaults should use private link for backup
Id deeddb44-9f94-4903-9fa0-081d524406e3
Version 2.0.0-preview
Details on versioning
Versioning Versions supported for Versioning: 1
2.0.0-preview
Built-in Versioning [Preview]
Category Backup
Microsoft Learn
Description Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints.
Cloud environments AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown
Available in AzUSGov Unknown, no evidence if Policy definition is/not available in AzureUSGovernment
Mode Indexed
Type BuiltIn
Preview True
Deprecated False
Effect Default
Audit
Allowed
Audit, Disabled
RBAC role(s) none
Rule aliases IF (4)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.RecoveryServices/vaults/privateEndpointConnections[*] Microsoft.RecoveryServices vaults properties.privateEndpointConnections[*] True False
Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].id Microsoft.RecoveryServices vaults properties.privateEndpointConnections[*].id True False
Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].privateLinkServiceConnectionState.status Microsoft.RecoveryServices vaults properties.privateEndpointConnections[*].properties.privateLinkServiceConnectionState.status True False
Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].provisioningState Microsoft.RecoveryServices vaults properties.privateEndpointConnections[*].properties.provisioningState True False
Rule resource types IF (1)
Microsoft.RecoveryServices/vaults
Compliance
The following 118 compliance controls are associated with this Policy definition '[Preview]: Azure Recovery Services vaults should use private link for backup' (deeddb44-9f94-4903-9fa0-081d524406e3)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Canada_Federal_PBMM_3-1-2020 AC_2(4) Canada_Federal_PBMM_3-1-2020_AC_2(4) Canada Federal PBMM 3-1-2020 AC 2(4) Account Management Account Management | Automated Audit Actions Shared 1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers. 2. Related controls: AU-2, AU-12. To ensure accountability and transparency within the information system. 53
Canada_Federal_PBMM_3-1-2020 CA_3 Canada_Federal_PBMM_3-1-2020_CA_3 Canada Federal PBMM 3-1-2020 CA 3 Information System Connections System Interconnections Shared 1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements. 2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated. 3. The organization reviews and updates Interconnection Security Agreements annually. To establish and maintain secure connections between information systems. 77
Canada_Federal_PBMM_3-1-2020 CA_3(3) Canada_Federal_PBMM_3-1-2020_CA_3(3) Canada Federal PBMM 3-1-2020 CA 3(3) Information System Connections System Interconnections | Classified Non-National Security System Connections Shared The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner. To ensure the integrity and security of internal systems against external threats. 77
Canada_Federal_PBMM_3-1-2020 CA_3(5) Canada_Federal_PBMM_3-1-2020_CA_3(5) Canada Federal PBMM 3-1-2020 CA 3(5) Information System Connections System Interconnections | Restrictions on External Network Connections Shared The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems. To enhance security posture against unauthorized access. 77
Canada_Federal_PBMM_3-1-2020 CA_7 Canada_Federal_PBMM_3-1-2020_CA_7 Canada Federal PBMM 3-1-2020 CA 7 Continuous Monitoring Continuous Monitoring Shared 1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency. To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements. 125
Canada_Federal_PBMM_3-1-2020 SI_3 Canada_Federal_PBMM_3-1-2020_SI_3 Canada Federal PBMM 3-1-2020 SI 3 Malicious Code Protection Malicious Code Protection Shared 1. The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code. 2. The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. 3. The organization configures malicious code protection mechanisms to: a. Perform periodic scans of the information system at least weekly and real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and b. Block and quarantine malicious code; send alert to the key role as defined in the system and information integrity policy in response to malicious code detection. 4. The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. To mitigate potential impacts on system availability. 52
Canada_Federal_PBMM_3-1-2020 SI_3(1) Canada_Federal_PBMM_3-1-2020_SI_3(1) Canada Federal PBMM 3-1-2020 SI 3(1) Malicious Code Protection Malicious Code Protection | Central Management Shared The organization centrally manages malicious code protection mechanisms. To centrally manage malicious code protection mechanisms. 51
Canada_Federal_PBMM_3-1-2020 SI_3(2) Canada_Federal_PBMM_3-1-2020_SI_3(2) Canada Federal PBMM 3-1-2020 SI 3(2) Malicious Code Protection Malicious Code Protection | Automatic Updates Shared The information system automatically updates malicious code protection mechanisms. To ensure automatic updates in malicious code protection mechanisms. 51
Canada_Federal_PBMM_3-1-2020 SI_3(7) Canada_Federal_PBMM_3-1-2020_SI_3(7) Canada Federal PBMM 3-1-2020 SI 3(7) Malicious Code Protection Malicious Code Protection | Non Signature-Based Detection Shared The information system implements non-signature-based malicious code detection mechanisms. To enhance overall security posture. 51
Canada_Federal_PBMM_3-1-2020 SI_4 Canada_Federal_PBMM_3-1-2020_SI_4 Canada Federal PBMM 3-1-2020 SI 4 Information System Monitoring Information System Monitoring Shared 1. The organization monitors the information system to detect: a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and b. Unauthorized local, network, and remote connections; 2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods. 3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. 4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. 5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. 6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards. 7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency. To enhance overall security posture. 95
Canada_Federal_PBMM_3-1-2020 SI_4(1) Canada_Federal_PBMM_3-1-2020_SI_4(1) Canada Federal PBMM 3-1-2020 SI 4(1) Information System Monitoring Information System Monitoring | System-Wide Intrusion Detection System Shared The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. To enhance overall security posture. 95
Canada_Federal_PBMM_3-1-2020 SI_4(2) Canada_Federal_PBMM_3-1-2020_SI_4(2) Canada Federal PBMM 3-1-2020 SI 4(2) Information System Monitoring Information System Monitoring | Automated Tools for Real-Time Analysis Shared The organization employs automated tools to support near real-time analysis of events. To enhance overall security posture. 94
Canada_Federal_PBMM_3-1-2020 SI_8(1) Canada_Federal_PBMM_3-1-2020_SI_8(1) Canada Federal PBMM 3-1-2020 SI 8(1) Spam Protection Spam Protection | Central Management of Protection Mechanisms Shared The organization centrally manages spam protection mechanisms. To enhance overall security posture. 88
CIS_Controls_v8.1 10.7 CIS_Controls_v8.1_10.7 CIS Controls v8.1 10.7 Malware Defenses Use behaviour based anti-malware software Shared Use behaviour based anti-malware software To ensure that a generic anti-malware software is not used. 100
CIS_Controls_v8.1 12.2 CIS_Controls_v8.1_12.2 CIS Controls v8.1 12.2 Network Infrastructure Management Establish and maintain a secure network architecture Shared 1. Establish and maintain a secure network architecture. 2. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. To ensure appropriate restrictions are placed on network architecture. 16
CIS_Controls_v8.1 12.3 CIS_Controls_v8.1_12.3 CIS Controls v8.1 12.3 Network Infrastructure Management Securely manage network infrastructure Shared 1. Securely manage network infrastructure. 2. Example implementations include version-controlled-infrastructure-ascode, and the use of secure network protocols, such as SSH and HTTPS. To ensure proper management of network infrastructure. 39
CIS_Controls_v8.1 12.7 CIS_Controls_v8.1_12.7 CIS Controls v8.1 12.7 Network Infrastructure Management Ensure remote devices utilize a VPN and are connecting to an enterprise's AAA infrastructure. Shared Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices. To create a layer of security to ensure protection of data. 7
CIS_Controls_v8.1 13.1 CIS_Controls_v8.1_13.1 CIS Controls v8.1 13.1 Network Monitoring and Defense Centralize security event alerting Shared 1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard. To ensure that any security event is immediately alerted enterprise-wide. 102
CIS_Controls_v8.1 13.3 CIS_Controls_v8.1_13.3 CIS Controls v8.1 13.3 Network Monitoring and Defense Deploy a network intrusion detection solution Shared 1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. To enhance the organization's cybersecurity. 100
CIS_Controls_v8.1 13.4 CIS_Controls_v8.1_13.4 CIS Controls v8.1 13.4 Network Monitoring and Defense Perform traffic filtering between network segments Shared Perform traffic filtering between network segments, where appropriate. To improve network security and reduce the risk of security breaches and unauthorized access. 16
CIS_Controls_v8.1 18.4 CIS_Controls_v8.1_18.4 CIS Controls v8.1 18.4 Penetration Testing Validate security measures Shared Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise. 94
CIS_Controls_v8.1 3.12 CIS_Controls_v8.1_3.12 CIS Controls v8.1 3.12 Data Protection Segment data processing and storage based on sensitivity Shared 1. Segment data processing and storage based on the sensitivity of the data. 2. Do not process sensitive data on enterprise assets intended for lower sensitivity data. To minimise the risk of unauthorized access or exposure to sensitive information and enhance data security measures. 16
CIS_Controls_v8.1 6.3 CIS_Controls_v8.1_6.3 CIS Controls v8.1 6.3 Access Control Management Require MFA for externally-exposed applications Shared 1. Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. 2. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this safeguard. To ensure unauthorised persons are unable to access approved applications. 7
CIS_Controls_v8.1 6.4 CIS_Controls_v8.1_6.4 CIS Controls v8.1 6.4 Access Control Management Require MFA for remote network access Shared Require MFA for remote network access. To authenticate users accessing network remotely and ensure safety of enterprise data. 7
CIS_Controls_v8.1 8.11 CIS_Controls_v8.1_8.11 CIS Controls v8.1 8.11 Audit Log Management Conduct audit log reviews Shared 1. Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. 2. Conduct reviews on a weekly, or more frequent, basis. To ensure the integrity of the data in audit logs. 62
CMMC_L2_v1.9.0 AC.L1_3.1.20 CMMC_L2_v1.9.0_AC.L1_3.1.20 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L1 3.1.20 Access Control External Connections Shared Verify and control/limit connections to and use of external information systems. To enhance security and minimise potential risks associated with external access. 27
CMMC_L2_v1.9.0 AC.L2_3.1.14 CMMC_L2_v1.9.0_AC.L2_3.1.14 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.14 Access Control Remote Access Routing Shared Route remote access via managed access control points. To enhance network security. 6
CMMC_L2_v1.9.0 AC.L2_3.1.15 CMMC_L2_v1.9.0_AC.L2_3.1.15 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.15 Access Control Privileged Remote Access Shared Authorize remote execution of privileged commands and remote access to security relevant information. To ensure secure and controlled management of systems and data, even from remote locations. 6
CMMC_L2_v1.9.0 AC.L2_3.1.3 CMMC_L2_v1.9.0_AC.L2_3.1.3 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.3 Access Control Control CUI Flow Shared Control the flow of CUI in accordance with approved authorizations. To regulate the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations 46
CMMC_L2_v1.9.0 PE.L2_3.10.6 CMMC_L2_v1.9.0_PE.L2_3.10.6 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 PE.L2 3.10.6 Physical Protection Alternative Work Sites Shared Enforce safeguarding measures for CUI at alternate work sites. To ensure that sensitive information is protected even when employees are working remotely or at off site locations. 11
CMMC_L2_v1.9.0 SC.L1_3.13.1 CMMC_L2_v1.9.0_SC.L1_3.13.1 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.1 System and Communications Protection Boundary Protection Shared Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. To protect information assets from external attacks and insider threats. 43
CMMC_L2_v1.9.0 SC.L1_3.13.5 CMMC_L2_v1.9.0_SC.L1_3.13.5 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.5 System and Communications Protection Public Access System Separation Shared Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. To control access, monitor traffic, and mitigate the risk of unauthorized access or exploitation of internal resources. 43
CSA_v4.0.12 DCS_02 CSA_v4.0.12_DCS_02 CSA Cloud Controls Matrix v4.0.12 DCS 02 Datacenter Security Off-Site Transfer Authorization Policy and Procedures Shared n/a Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires the written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually. 45
CSA_v4.0.12 DSP_05 CSA_v4.0.12_DSP_05 CSA Cloud Controls Matrix v4.0.12 DSP 05 Data Security and Privacy Lifecycle Management Data Flow Documentation Shared n/a Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change. 57
CSA_v4.0.12 DSP_10 CSA_v4.0.12_DSP_10 CSA Cloud Controls Matrix v4.0.12 DSP 10 Data Security and Privacy Lifecycle Management Sensitive Data Transfer Shared n/a Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations. 45
CSA_v4.0.12 HRS_04 CSA_v4.0.12_HRS_04 CSA Cloud Controls Matrix v4.0.12 HRS 04 Human Resources Remote and Home Working Policy and Procedures Shared n/a Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually. 7
Cyber_Essentials_v3.1 1 Cyber_Essentials_v3.1_1 Cyber Essentials v3.1 1 Cyber Essentials Firewalls Shared n/a Aim: to make sure that only secure and necessary network services can be accessed from the internet. 37
Cyber_Essentials_v3.1 4 Cyber_Essentials_v3.1_4 Cyber Essentials v3.1 4 Cyber Essentials User Access Control Shared n/a Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role. 74
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 194
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 311
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 311
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 311
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 311
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .1 FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 Policy and Implementation - Systems And Communications Protection Systems And Communications Protection Shared In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. 111
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .5 FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 Policy and Implementation - Access Control Access Control Shared Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. 97
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .7 FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 404 not found n/a n/a 96
FFIEC_CAT_2017 3.1.1 FFIEC_CAT_2017_3.1.1 FFIEC CAT 2017 3.1.1 Cybersecurity Controls Infrastructure Management Shared n/a - Network perimeter defense tools (e.g., border router and firewall) are used. - Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. - All ports are monitored. - Up to date antivirus and anti-malware tools are used. - Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. - Ports, functions, protocols and services are prohibited if no longer needed for business purposes. - Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored. - Programs that can override system, object, network, virtual machine, and application controls are restricted. - System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met. - Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.) 72
FFIEC_CAT_2017 4.1.1 FFIEC_CAT_2017_4.1.1 FFIEC CAT 2017 4.1.1 External Dependency Management Connections Shared n/a - The critical business processes that are dependent on external connectivity have been identified. - The institution ensures that third-party connections are authorized. - A network diagram is in place and identifies all external connections. - Data flow diagrams are in place and document information flow to external parties. 43
HITRUST_CSF_v11.3 01.i HITRUST_CSF_v11.3_01.i HITRUST CSF v11.3 01.i Network Access Control To implement role based access to internal and external network services. Shared 1. It is to be determined who is allowed access to which network and what networked services. 2. The networks and network services to which users have authorized access is to be specified. Users shall only be provided with access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied for users and equipment. 11
HITRUST_CSF_v11.3 01.j HITRUST_CSF_v11.3_01.j HITRUST CSF v11.3 01.j Network Access Control To prevent unauthorized access to networked services. Shared 1.External access to systems to be strictly regulated and tightly controlled. 2. External access to sensitive systems to be automatically deactivated immediately after use. 3. Authentication of remote users to be done by using cryptography, biometrics, hardware tokens, software token, a challenge/response protocol, or, certificate agents. 4. Dial-up connections to be encrypted. Appropriate authentication methods shall be used to control access by remote users. 16
HITRUST_CSF_v11.3 01.m HITRUST_CSF_v11.3_01.m HITRUST CSF v11.3 01.m Network Access Control To ensure segregation in networks. Shared Security gateways, internal network perimeters, wireless network segregation, firewalls, and logical network domains with controlled data flows to be implemented to enhance network security. Groups of information services, users, and information systems should be segregated on networks. 48
HITRUST_CSF_v11.3 01.n HITRUST_CSF_v11.3_01.n HITRUST CSF v11.3 01.n Network Access Control To prevent unauthorised access to shared networks. Shared Default deny policy at managed interfaces, restricted user connections through network gateways, comprehensive access controls, time-based restrictions, and encryption of sensitive information transmitted over public networks for is to be implemented for enhanced security. For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications. 55
HITRUST_CSF_v11.3 01.o HITRUST_CSF_v11.3_01.o HITRUST CSF v11.3 01.o Network Access Control To implement network routing controls to prevent breach of the access control policy of business applications. Shared Security gateways are to be leveraged, application-layer filtering proxy is to be employed, outbound traffic is to be directed through authenticated proxy servers, and internal directory services to fortify network access controls and protect against external threats are to be secured. Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications. 33
HITRUST_CSF_v11.3 09.ab HITRUST_CSF_v11.3_09.ab HITRUST CSF v11.3 09.ab Monitoring To establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. Shared 1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with. Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. 114
HITRUST_CSF_v11.3 09.w HITRUST_CSF_v11.3_09.w HITRUST CSF v11.3 09.w Exchange of Information To develop and implement policies and procedures, to protect information associated with the interconnection of business information systems. Shared 1. A security baseline is to be documented and implemented for interconnected systems. 2. Other requirements and controls linked to interconnected business systems are to include the separation of operational systems from interconnected system, retention and back-up of information held on the system, and fallback requirements and arrangements. Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems. 45
ISO_IEC_27002_2022 5.14 ISO_IEC_27002_2022_5.14 ISO IEC 27002 2022 5.14 Protection, Preventive Control Information transfer Shared To maintain the security of information transferred within an organization and with any external interested party. Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. 46
ISO_IEC_27002_2022 6.7 ISO_IEC_27002_2022_6.7 ISO IEC 27002 2022 6.7 Protection, Preventive, Control Remote working Shared Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises. To ensure the security of information when personnel are working remotely. 11
ISO_IEC_27002_2022 8.9 ISO_IEC_27002_2022_8.9 ISO IEC 27002 2022 8.9 Protection, Preventive Control Configuration management Shared Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes. 21
NIST_SP_800-171_R3_3 .1.12 NIST_SP_800-171_R3_3.1.12 NIST 800-171 R3 3.1.12 Access Control Remote Access Shared Remote access to the system represents a significant potential vulnerability that can be exploited by adversaries. Monitoring and controlling remote access methods allows organizations to detect attacks and ensure compliance with remote access policies. This occurs by auditing the connection activities of remote users on the systems. Routing remote access through manaccess control points enhances explicit control over such connections and reduces susceptibility to unauthorized access to the system, which could result in the unauthorized disclosure of CUI. Restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and its susceptibility to threats by adversaries. A privileged command is a human-initiated command executed on a system that involves the control, monitoring, or administration of the system, including security functions and security-relevant information. Security-relevant information is information that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling access from remote locations helps to ensure that unauthorized individuals are unable to execute such commands with the potential to do serious or catastrophic damage to the system. a. Establish usage restrictions, configuration requirements, and connection requirements for each type of allowable remote system access. b. Authorize each type of remote system access prior to establishing such connections. c. Route remote access to the system through authorized and managed access control points. d. Authorize remote execution of privileged commands and remote access to security-relevant information. 15
NIST_SP_800-171_R3_3 .1.18 NIST_SP_800-171_R3_3.1.18 NIST 800-171 R3 3.1.18 Access Control Access Control for Mobile Devices Shared A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable, or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, smart watches, and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of mobile devices may be comparable to or a subset of notebook or desktop systems, depending on the nature and intended purpose of the device. The protection and control of mobile devices is behavior- or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which the organization provides physical or procedural controls to meet the requirements established for protecting CUI. Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions, configuration requirements, and connection requirements for mobile devices include configuration management, device identification and authentication, implementing mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices. Container-based encryption provides a fine-grained approach to the encryption of data and information, including encrypting selected data structures (e.g., files, records, or fields). a. Establish usage restrictions, configuration requirements, and connection requirements for mobile devices. b. Authorize the connection of mobile devices to the system. c. Implement full-device or container-based encryption to protect the confidentiality of CUI on mobile devices. 28
NIST_SP_800-171_R3_3 .1.3 NIST_SP_800-171_R3_3.1.3 NIST 800-171 R3 3.1.3 Access Control Information Flow Enforcement Shared Information flow control regulates where CUI can transit within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include keeping CUI from being transmitted in the clear to the internet, blocking outside traffic that claims to be from within the organization, restricting requests to the internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of CUI between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., encrypted tunnels, routers, gateways, and firewalls) that use rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems that represent different security domains with different security policies introduces the risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes prohibiting information transfers between interconnected systems (i.e., allowing information access only), employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Enforce approved authorizations for controlling the flow of CUI within the system and between connected systems. 46
NIST_SP_800-171_R3_3 .13.1 NIST_SP_800-171_R3_3.13.1 NIST 800-171 R3 3.13.1 System and Communications Protection Control Boundary Protection Shared Managed interfaces include gateways, routers, firewalls, network-based malicious code analysis, virtualization systems, and encrypted tunnels implemented within a security architecture. Subnetworks that are either physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system. b. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. c. Connect to external systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. 43
NIST_SP_800-171_R3_3 .13.9 NIST_SP_800-171_R3_3.13.9 NIST 800-171 R3 3.13.9 System and Communications Protection Control Network Disconnect Shared This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes deallocating TCP/IP addresses or port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single network connection. Time periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses. Terminate network connections associated with communications sessions at the end of the sessions or after periods of inactivity. 27
NIST_SP_800-53_R5.1.1 AC.17 NIST_SP_800-53_R5.1.1_AC.17 NIST SP 800-53 R5.1.1 AC.17 Access Control Remote Access Shared a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections. Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3. Enforcing access restrictions for remote access is addressed via AC-3. 11
NIST_SP_800-53_R5.1.1 AC.17.1 NIST_SP_800-53_R5.1.1_AC.17.1 NIST SP 800-53 R5.1.1 AC.17.1 Access Control Remote Access | Monitoring and Control Shared Employ automated mechanisms to monitor and control remote access methods. Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2. Audit events are defined in AU-2a. 3
NIST_SP_800-53_R5.1.1 AC.17.3 NIST_SP_800-53_R5.1.1_AC.17.3 NIST SP 800-53 R5.1.1 AC.17.3 Access Control Remote Access | Managed Access Control Points Shared Route remote accesses through authorized and managed network access control points. Organizations consider the Trusted Internet Connections (TIC) initiative [DHS TIC] requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces. 6
NIST_SP_800-53_R5.1.1 AC.4 NIST_SP_800-53_R5.1.1_AC.4 NIST SP 800-53 R5.1.1 AC.4 Access Control Information Flow Enforcement Shared Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS). 44
NIST_SP_800-53_R5.1.1 AC.4.4 NIST_SP_800-53_R5.1.1_AC.4.4 NIST SP 800-53 R5.1.1 AC.4.4 Access Control Information Flow Enforcement | Flow Control of Encrypted Information Shared Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method] ]. Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms. 16
NIST_SP_800-53_R5.1.1 AC.4.6 NIST_SP_800-53_R5.1.1_AC.4.6 NIST SP 800-53 R5.1.1 AC.4.6 Access Control Information Flow Enforcement | Metadata Shared Enforce information flow control based on [Assignment: organization-defined metadata]. Metadata is information that describes the characteristics of data. Metadata can include structural metadata describing data structures or descriptive metadata describing data content. Enforcement of allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata regarding data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., employing sufficiently strong binding techniques with appropriate assurance). 16
NIST_SP_800-53_R5.1.1 SC.7 NIST_SP_800-53_R5.1.1_SC.7 NIST SP 800-53 R5.1.1 SC.7 System and Communications Protection Boundary Protection Shared a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary). 43
NIST_SP_800-53_R5.1.1 SC.7.3 NIST_SP_800-53_R5.1.1_SC.7.3 NIST SP 800-53 R5.1.1 SC.7.3 System and Communications Protection Boundary Protection | Access Points Shared Limit the number of external network connections to the system. Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC] initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system. 25
NZISM_v3.7 14.3.12.C.01. NZISM_v3.7_14.3.12.C.01. NZISM v3.7 14.3.12.C.01. Web Applications 14.3.12.C.01. - To strengthening the overall security posture of the agency's network environment. Shared n/a Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations. 82
NZISM_v3.7 16.5.10.C.01. NZISM_v3.7_16.5.10.C.01. NZISM v3.7 16.5.10.C.01. Remote Access 16.5.10.C.01. - To enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies MUST authenticate each remote connection and user prior to permitting access to an agency system. 11
NZISM_v3.7 16.5.10.C.02. NZISM_v3.7_16.5.10.C.02. NZISM v3.7 16.5.10.C.02. Remote Access 16.5.10.C.02. - To enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies SHOULD authenticate both the remote system user and device during the authentication process. 21
NZISM_v3.7 16.5.11.C.01. NZISM_v3.7_16.5.11.C.01. NZISM v3.7 16.5.11.C.01. Remote Access 16.5.11.C.01. - To enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies MUST NOT allow the use of remote privileged access from an untrusted domain, including logging in as an unprivileged system user and then escalating privileges. 11
NZISM_v3.7 16.5.11.C.02. NZISM_v3.7_16.5.11.C.02. NZISM v3.7 16.5.11.C.02. Remote Access 16.5.11.C.02. - To enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies SHOULD NOT allow the use of remote privileged access from an untrusted domain, including logging in as an unprivileged system user and then escalating privileges. 11
NZISM_v3.7 16.5.12.C.01. NZISM_v3.7_16.5.12.C.01. NZISM v3.7 16.5.12.C.01. Remote Access 16.5.12.C.01. - To enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies SHOULD establish VPN connections for all remote access connections. 11
NZISM_v3.7 19.1.10.C.01. NZISM_v3.7_19.1.10.C.01. NZISM v3.7 19.1.10.C.01. Gateways 19.1.10.C.01. - To ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks. Shared n/a When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection. 50
NZISM_v3.7 19.1.11.C.01. NZISM_v3.7_19.1.11.C.01. NZISM v3.7 19.1.11.C.01. Gateways 19.1.11.C.01. - To ensure network protection through gateway mechanisms. Shared n/a Agencies MUST ensure that: 1. all agency networks are protected from networks in other security domains by one or more gateways; 2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and 3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room. 49
NZISM_v3.7 19.1.11.C.02. NZISM_v3.7_19.1.11.C.02. NZISM v3.7 19.1.11.C.02. Gateways 19.1.11.C.02. - To maintain security and integrity across domains. Shared n/a For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party. 48
NZISM_v3.7 19.1.12.C.01. NZISM_v3.7_19.1.12.C.01. NZISM v3.7 19.1.12.C.01. Gateways 19.1.12.C.01. - To minimize security risks and ensure effective control over network communications Shared n/a Agencies MUST ensure that gateways: 1. are the only communications paths into and out of internal networks; 2. by default, deny all connections into and out of the network; 3. allow only explicitly authorised connections; 4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network); 5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and 6. provide real-time alerts. 47
NZISM_v3.7 19.1.14.C.01. NZISM_v3.7_19.1.14.C.01. NZISM v3.7 19.1.14.C.01. Gateways 19.1.14.C.01. - To enhance security by segregating resources from the internal network. Shared n/a Agencies MUST use demilitarised zones to house systems and information directly accessed externally. 40
NZISM_v3.7 19.1.14.C.02. NZISM_v3.7_19.1.14.C.02. NZISM v3.7 19.1.14.C.02. Gateways 19.1.14.C.02. - To enhance security by segregating resources from the internal network. Shared n/a Agencies SHOULD use demilitarised zones to house systems and information directly accessed externally. 39
NZISM_v3.7 19.1.19.C.01. NZISM_v3.7_19.1.19.C.01. NZISM v3.7 19.1.19.C.01. Gateways 19.1.19.C.01. - To enhance security posture. Shared n/a Agencies MUST limit access to gateway administration functions. 34
NZISM_v3.7 19.2.16.C.02. NZISM_v3.7_19.2.16.C.02. NZISM v3.7 19.2.16.C.02. Cross Domain Solutions (CDS) 19.2.16.C.02. - To maintain security and prevent unauthorized access or disclosure of sensitive information. Shared n/a Agencies MUST NOT implement a gateway permitting data to flow directly from: 1. a TOP SECRET network to any network below SECRET; 2. a SECRET network to an UNCLASSIFIED network; or 3. a CONFIDENTIAL network to an UNCLASSIFIED network. 34
NZISM_v3.7 19.2.18.C.01. NZISM_v3.7_19.2.18.C.01. NZISM v3.7 19.2.18.C.01. Cross Domain Solutions (CDS) 19.2.18.C.01. - To enhance data security and prevent unauthorized access or leakage between classified networks and less classified networks. Shared n/a Agencies MUST ensure that all bi-directional gateways between TOP SECRET and SECRET networks, SECRET and less classified networks, and CONFIDENTIAL and less classified networks, have separate upward and downward paths which use a diode and physically separate infrastructure for each path. 34
NZISM_v3.7 19.2.19.C.01. NZISM_v3.7_19.2.19.C.01. NZISM v3.7 19.2.19.C.01. Cross Domain Solutions (CDS) 19.2.19.C.01. - To ensure the integrity and reliability of information accessed or received. Shared n/a Trusted sources MUST be: 1. a strictly limited list derived from business requirements and the result of a security risk assessment; 2. where necessary an appropriate security clearance is held; and 3. approved by the Accreditation Authority. 34
op.cont.3 Periodic tests op.cont.3 Periodic tests 404 not found n/a n/a 91
op.cont.4 Alternative means op.cont.4 Alternative means 404 not found n/a n/a 95
PCI_DSS_v4.0.1 1.2.1 PCI_DSS_v4.0.1_1.2.1 PCI DSS v4.0.1 1.2.1 Install and Maintain Network Security Controls Configuration standards for NSC rulesets are defined, implemented, and maintained Shared n/a Examine the configuration standards for NSC rulesets to verify the standards are in accordance with all elements specified in this requirement. Examine configuration settings for NSC rulesets to verify that rulesets are implemented according to the configuration standards 11
PCI_DSS_v4.0.1 1.2.7 PCI_DSS_v4.0.1_1.2.7 PCI DSS v4.0.1 1.2.7 Install and Maintain Network Security Controls Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective Shared n/a Examine documentation to verify procedures are defined for reviewing configurations of NSCs at least once every six months. Examine documentation of reviews of configurations for NSCs and interview responsible personnel to verify that reviews occur at least once every six months. Examine configurations for NSCs to verify that configurations identified as no longer being supported by a business justification are removed or updated 11
PCI_DSS_v4.0.1 1.4.4 PCI_DSS_v4.0.1_1.4.4 PCI DSS v4.0.1 1.4.4 Install and Maintain Network Security Controls System components that store cardholder data are not directly accessible from untrusted networks Shared n/a Examine the data-flow diagram and network diagram to verify that it is documented that system components storing cardholder data are not directly accessible from the untrusted networks. Examine configurations of NSCs to verify that controls are implemented such that system components storing cardholder data are not directly accessible from untrusted networks 43
RBI_CSF_Banks_v2016 14.1 RBI_CSF_Banks_v2016_14.1 Anti-Phishing Anti-Phishing-14.1 n/a Subscribe to Anti-phishing/anti-rouge app services from external service providers for identifying and taking down phishing websites/rouge applications. 28
RBI_ITF_NBFC_v2017 6 RBI_ITF_NBFC_v2017_6 RBI IT Framework 6 Business Continuity Planning Business Continuity Planning (BCP) and Disaster Recovery-6 n/a BCP forms a significant part of an organisation's overall Business Continuity Management plan, which includes policies, standards and procedures to ensure continuity, resumption and recovery of critical business processes. BCP shall be designed to minimise the operational, financial, legal, reputational and other material consequences arising from a disaster. NBFC should adopt a Board approved BCP Policy. The functioning of BCP shall be monitored by the Board by way of periodic reports. The CIO shall be responsible for formulation, review and monitoring of BCP to ensure continued effectiveness. The BCP may have the following salient features link 9
RBI_ITF_NBFC_v2017 6.2 RBI_ITF_NBFC_v2017_6.2 RBI IT Framework 6.2 Business Continuity Planning Recovery strategy / Contingency Plan-6.2 n/a NBFCs shall try to fully understand the vulnerabilities associated with interrelationships between various systems, departments and business processes. The BCP should come up with the probabilities of various failure scenarios. Evaluation of various options should be done for recovery and the most cost-effective, practical strategy should be selected to minimize losses in case of a disaster. link 8
RBI_ITF_NBFC_v2017 6.3 RBI_ITF_NBFC_v2017_6.3 RBI IT Framework 6.3 Business Continuity Planning Recovery strategy / Contingency Plan-6.3 n/a NBFCs shall consider the need to put in place necessary backup sites for their critical business systems and Data centers. link 7
RBI_ITF_NBFC_v2017 6.4 RBI_ITF_NBFC_v2017_6.4 RBI IT Framework 6.4 Business Continuity Planning Recovery strategy / Contingency Plan-6.4 n/a NBFCs shall test the BCP either annually or when significant IT or business changes take place to determine if the entity could be recovered to an acceptable level of business within the timeframe stated in the contingency plan. The test should be based on ???worst case scenarios???. The results along with the gap analysis may be placed before the CIO and the Board. The GAP Analysis along with Board???s insight should form the basis for construction of the updated BCP. link 4
Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes Oxley Act 2022 1 PUBLIC LAW Sarbanes Oxley Act 2022 (SOX) Shared n/a n/a 92
SOC_2023 A1.1 SOC_2023_A1.1 SOC 2023 A1.1 Additional Criteria for Availability To effectively manage capacity demand and facilitate the implementation of additional capacity as needed. Shared n/a The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. 112
SOC_2023 C1.1 SOC_2023_C1.1 SOC 2023 C1.1 Additional Criteria for Confidentiality To preserve trust, compliance, and competitive advantage. Shared n/a The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality. 11
SOC_2023 CC1.3 SOC_2023_CC1.3 SOC 2023 CC1.3 Control Environment To enable effective execution of authorities, information flow, and setup of appropriate responsibilities to achieve organizational objectives. Shared n/a 1. Ensure the management establishes, with board oversight, structures including operating units, legal entities, geographic distribution and outsourced service providers. 2. Design and evaluate reporting lines for each entity to enable execution of authorities, execution and flow of information and setup appropriate authorities and responsibilities in the pursuit of objectives. 13
SOC_2023 CC2.2 SOC_2023_CC2.2 SOC 2023 CC2.2 Information and Communication To facilitate effective internal communication, including objectives and responsibilities for internal control. Shared n/a Entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control by setting up a process to communicate required information to enable personnel to understand and carry out responsibilities, ensure communication exists between management and board of directors, provides for separate communication channels which serve as fail-safe mechanism to enable anonymous or confidential communication and setting up relevant methods of communication by considering the timing, audience and nature information 28
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 219
SOC_2023 CC5.2 SOC_2023_CC5.2 SOC 2023 CC5.2 Control Activities To mitigate technology-related risks and ensure that technology effectively supports the organization in achieving its objectives, enhancing efficiency, reliability, and security in its operations. Shared n/a Entity also selects and develops general control activities over technology to support the achievement of objectives by determining Dependency Between the Use of Technology in Business Processes and Technology General Controls, establishing Relevant Technology Infrastructure Control Activities, establishing Relevant Security Management Process Controls Activities, establishing Relevant Technology Acquisition and Development, and Maintenance of Process Control Activities. 15
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 230
SOC_2023 CC6.1 SOC_2023_CC6.1 SOC 2023 CC6.1 Logical and Physical Access Controls To mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. Shared n/a Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. 129
SOC_2023 CC7.1 SOC_2023_CC7.1 SOC 2023 CC7.1 Systems Operations To maintain a proactive approach to cybersecurity and mitigate risks effectively. Shared n/a To meet its objectives, the entity uses detection and monitoring procedures to identify changes to configurations that result in the introduction of new vulnerabilities, and susceptibilities to newly discovered vulnerabilities. 11
SOC_2023 CC7.2 SOC_2023_CC7.2 SOC 2023 CC7.2 Systems Operations To maintain robust security measures and ensure operational resilience. Shared n/a The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. 168
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 214
SOC_2023 CC7.5 SOC_2023_CC7.5 SOC 2023 CC7.5 Systems Operations To ensure prompt restoration of normal operations, mitigation of residual risks, and enhancement of incident response capabilities to minimize the impact of future incidents. Shared n/a The entity identifies, develops, and implements activities to recover from identified security incidents. 12
SOC_2023 CC8.1 SOC_2023_CC8.1 SOC 2023 CC8.1 Change Management To minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. Shared n/a The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. 148
SOC_2023 CC9.2 SOC_2023_CC9.2 SOC 2023 CC9.2 Risk Mitigation To ensure effective risk management throughout the supply chain and business ecosystem. Shared n/a Entity assesses and manages risks associated with vendors and business partners. 43
SOC_2023 PI1.3 SOC_2023_PI1.3 SOC 2023 PI1.3 Additional Criteria for Processing Integrity (Over the provision of services or the production, manufacturing, or distribution of goods) To enhance efficiency, accuracy, and compliance with organizational standards and regulatory requirements with regards to system processing to result in products, services, and reporting to meet the entity’s objectives. Shared n/a The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives. 50
SWIFT_CSCF_2024 1.1 SWIFT_CSCF_2024_1.1 SWIFT Customer Security Controls Framework 2024 1.1 Physical and Environmental Security Swift Environment Protection Shared 1. Segmentation between the user's Swift infrastructure and the larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve a compromise of the general enterprise IT environment. 2. Effective segmentation includes network-level separation, access restrictions, and connectivity restrictions. To ensure the protection of the user’s Swift infrastructure from potentially compromised elements of the general IT environment and external environment. 69
SWIFT_CSCF_2024 1.5 SWIFT_CSCF_2024_1.5 SWIFT Customer Security Controls Framework 2024 1.5 Physical and Environmental Security Customer Environment Protection Shared 1. Segmentation between the customer’s connectivity infrastructure and its larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve compromise of the general enterprise IT environment. 2. Effective segmentation will include network-level separation, access restrictions, and connectivity restrictions. To ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. 57
SWIFT_CSCF_2024 2.1 SWIFT_CSCF_2024_2.1 SWIFT Customer Security Controls Framework 2024 2.1 Risk Management Internal Data Flow Security Shared The protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit. To ensure the confidentiality, integrity, and authenticity of application data flows between ’user’s Swift-related components. 48
SWIFT_CSCF_2024 2.6 SWIFT_CSCF_2024_2.6 SWIFT Customer Security Controls Framework 2024 2.6 Risk Management Operator Session Confidentiality and Integrity Shared 1. Operator sessions, through the jump server when accessing the on-premises or remote (that is hosted or operated by a third party, or both) Swift infrastructure, pose a unique threat because unusual or unexpected activity is more difficult to detect during interactive sessions than it is during application-to-application activity. 2. Therefore, it is important to protect the integrity and confidentiality of these operator sessions to reduce any opportunity for misuse or password theft. When used, access to the virtualisation layer (virtualisation or cloud management console) must be similarly protected. To protect the confidentiality and integrity of interactive operator sessions that connect to the on- premises or remote (operated by a service provider or outsourcing agent) Swift infrastructure or to a service provider or outsourcing agent Swift-related applications. 12
SWIFT_CSCF_2024 9.1 SWIFT_CSCF_2024_9.1 404 not found n/a n/a 57
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn unknown
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn unknown
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cyber Essentials v3.1 b2f588d7-1ed5-47c7-977d-b93dff520c4c Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
Evaluate Private Link Usage Across All Supported Azure Resources 7379ef4c-89b0-48b6-a5cc-fd3a75eaef93 SDN GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
FFIEC CAT 2017 1d5dbdd5-6f93-43ce-a939-b19df3753cf7 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
Sarbanes Oxley Act 2022 5757cf73-35d1-46d4-8c78-17b7ddd6076a Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn unknown
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-07-30 15:17:20 change Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
2021-03-09 14:37:41 add deeddb44-9f94-4903-9fa0-081d524406e3
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC