Az Policy Advertizer

Canada_Federal_PBMM_3-1-2020_AC_2(4)

AC_2(4)

Canada Federal PBMM 3-1-2020 AC 2(4)

Account Management

Account Management | Automated Audit Actions

Shared

1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers. 2. Related controls: AU-2, AU-12.

To ensure accountability and transparency within the information system.

Canada_Federal_PBMM_3-1-2020_CP_10(2)

CP_10(2)

Canada Federal PBMM 3-1-2020 CP 10(2)

Information System Recovery and Reconstitution

Information System Recovery and Reconstitution | Transaction Recovery

Shared

The information system implements transaction recovery for systems that are transaction-based.

To minimise the impact on business operations and preventing data loss or corruption.

Canada_Federal_PBMM_3-1-2020_CP_10(4)

CP_10(4)

Canada Federal PBMM 3-1-2020 CP 10(4)

Information System Recovery and Reconstitution

Information System Recovery and Reconstitution | Restore within Time Period

Shared

The organization provides the capability to restore information system components within organization-defined restoration time-periods from configuration-controlled and integrity-protected information representing a known, operational state for the components.

To minimise downtime and ensuring business continuity.

Canada_Federal_PBMM_3-1-2020_CP_2(3)

CP_2(3)

Canada Federal PBMM 3-1-2020 CP 2(3)

Contingency Plan

Contingency Plan | Resume Essential Missions / Business Functions

Shared

The organization plans for the resumption of essential missions and business functions within 24 hours of contingency plan activation.

To ensure that the organization plans for the resumption of essential missions and business functions within 24 hours of activating the contingency plan.

Canada_Federal_PBMM_3-1-2020_CP_2(4)

CP_2(4)

Canada Federal PBMM 3-1-2020 CP 2(4)

Contingency Plan

Contingency Plan | Resume All Missions / Business Functions

Shared

The organization plans for the resumption of all missions and business functions within organization-defined time period of contingency plan activation.

To ensure that the organization plans for the resumption of all missions and business functions within an organization-defined time period of contingency plan activation.

Canada_Federal_PBMM_3-1-2020_CP_2(5)

CP_2(5)

Canada Federal PBMM 3-1-2020 CP 2(5)

Contingency Plan

Contingency Plan | Continue Essential Missions / Business Functions

Shared

The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.

To minimise downtime, mitigate potential financial losses, maintain customer trust, and uphold critical services or functions.

Canada_Federal_PBMM_3-1-2020_CP_2(6)

CP_2(6)

Canada Federal PBMM 3-1-2020 CP 2(6)

Contingency Plan

Contingency Plan | Alternate Processing / Storage Site

Shared

The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.

To minimise downtime and ensure that critical services can continue uninterrupted until full restoration is achieved.

Canada_Federal_PBMM_3-1-2020_IA_5(3)

IA_5(3)

Canada Federal PBMM 3-1-2020 IA 5(3)

Authenticator Management

Authenticator Management | In-Person or Trusted Third-Party Registration

Shared

The organization requires that the registration process to receive be conducted in person before an organization-defined registration authority with authorization by organization-defined personnel or roles.

To enhance security and accountability within the organization's registration procedures.

12.8

CIS_Controls_v8.1_12.8

CIS Controls v8.1 12.8

Network Infrastructure Management

Establish and maintain dedicated computing resources for all administrative work

Shared

1. Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. 2. The computing resources should be segmented from the enterprise’s primary network and not be allowed internet access.

To ensure administrative work is on a different system on which access to data and internet is restricted.

13.1

CIS_Controls_v8.1_13.1

CIS Controls v8.1 13.1

Network Monitoring and Defense

Centralize security event alerting

Shared

1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard.

To ensure that any security event is immediately alerted enterprise-wide.

101

5.4

CIS_Controls_v8.1_5.4

CIS Controls v8.1 5.4

Account Management

Restrict administrator privileges to dedicated administrator accounts.

Shared

1. Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 2. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

To restrict access to privileged accounts.

9.3

CIS_Controls_v8.1_9.3

CIS Controls v8.1 9.3

Email and Web Browser Protections

Maintain and enforce network-based URL filters

Shared

1. Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. 2. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. 3. Enforce filters for all enterprise assets.

To prevent users from connecting to unsafe websites.

CMMC_L2_v1.9.0_AC.L2_3.1.6

AC.L2_3.1.6

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.6

Access Control

Non Privileged Account Use

Shared

Use non privileged accounts or roles when accessing nonsecurity functions.

To restrict information system access.

CMMC_L2_v1.9.0_AC.L2_3.1.7

AC.L2_3.1.7

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.7

Access Control

Privileged Functions

Shared

Prevent non privileged users from executing privileged functions and capture the execution of such functions in audit logs.

To restrict information system access.

CMMC_L2_v1.9.0_CM.L2_3.4.1

CM.L2_3.4.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.1

Configuration Management

System Baselining

Shared

Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

To ensure consistency, security, and compliance with organizational standards and requirements.

CMMC_L2_v1.9.0_CM.L2_3.4.2

CM.L2_3.4.2

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.2

Configuration Management

Security Configuration Enforcement

Shared

Establish and enforce security configuration settings for information technology products employed in organizational systems.

To mitigate vulnerabilities and enhance overall security posture.

CMMC_L2_v1.9.0_CM.L2_3.4.6

CM.L2_3.4.6

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.6

Configuration Management

Least Functionality

Shared

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

To reduce the risk of unauthorized access or exploitation of system vulnerabilities.

CMMC_L2_v1.9.0_CM.L2_3.4.8

CM.L2_3.4.8

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.8

Configuration Management

Application Execution Policy

Shared

Apply deny by exception (blacklisting) policy to prevent the use of unauthorized software or deny all, permit by exception (whitelisting) policy to allow the execution of authorized software.

To reduce the risk of malware infections or unauthorized access.

CMMC_L3

AC.2.008

CMMC_L3_AC.2.008

CMMC L3 AC.2.008

Access Control

Use non-privileged accounts or roles when accessing nonsecurity functions.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

link

CMMC_L3

AC.3.021

CMMC_L3_AC.3.021

CMMC L3 AC.3.021

Access Control

Authorize remote execution of privileged commands and remote access to security-relevant information.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

A privileged command is a human-initiated (interactively or via a process operating on behalf of the human) command executed on a system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information. Securityrelevant information is any information within the system that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling such access from remote locations helps to ensure that unauthorized individuals are not able to execute such commands freely with the potential to do serious or catastrophic damage to organizational systems. Note that the ability to affect the integrity of the system is considered security-relevant as that could enable the means to by-pass security functions although not directly impacting the function itself.

link

AIS_02

CSA_v4.0.12_AIS_02

CSA Cloud Controls Matrix v4.0.12 AIS 02

Application & Interface Security

Application Security Baseline Requirements

Shared

n/a

Establish, document and maintain baseline requirements for securing different applications.

CCC_02

CSA_v4.0.12_CCC_02

CSA Cloud Controls Matrix v4.0.12 CCC 02

Change Control and Configuration Management

Quality Testing

Shared

n/a

Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards.

CCC_03

CSA_v4.0.12_CCC_03

CSA Cloud Controls Matrix v4.0.12 CCC 03

Change Control and Configuration Management

Change Management Technology

Shared

n/a

Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced).

CCC_09

CSA_v4.0.12_CCC_09

CSA Cloud Controls Matrix v4.0.12 CCC 09

Change Control and Configuration Management

Change Restoration

Shared

n/a

Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns.

IAM_01

CSA_v4.0.12_IAM_01

CSA Cloud Controls Matrix v4.0.12 IAM 01

Identity & Access Management

Identity and Access Management Policy and Procedures

Shared

n/a

Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management. Review and update the policies and procedures at least annually.

IAM_02

CSA_v4.0.12_IAM_02

CSA Cloud Controls Matrix v4.0.12 IAM 02

Identity & Access Management

Strong Password Policy and Procedures

Shared

n/a

Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.

IAM_04

CSA_v4.0.12_IAM_04

CSA Cloud Controls Matrix v4.0.12 IAM 04

Identity & Access Management

Separation of Duties

Shared

n/a

Employ the separation of duties principle when implementing information system access.

IAM_06

CSA_v4.0.12_IAM_06

CSA Cloud Controls Matrix v4.0.12 IAM 06

Identity & Access Management

User Access Provisioning

Shared

n/a

Define and implement a user access provisioning process which authorizes, records, and communicates access changes to data and assets.

IAM_07

CSA_v4.0.12_IAM_07

CSA Cloud Controls Matrix v4.0.12 IAM 07

Identity & Access Management

User Access Changes and Revocation

Shared

n/a

De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies.

IAM_10

CSA_v4.0.12_IAM_10

CSA Cloud Controls Matrix v4.0.12 IAM 10

Identity & Access Management

Management of Privileged Access Roles

Shared

n/a

Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access.

IAM_12

CSA_v4.0.12_IAM_12

CSA Cloud Controls Matrix v4.0.12 IAM 12

Identity & Access Management

Safeguard Logs Integrity

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures.

IAM_13

CSA_v4.0.12_IAM_13

CSA Cloud Controls Matrix v4.0.12 IAM 13

Identity & Access Management

Uniquely Identifiable Users

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs.

IAM_14

CSA_v4.0.12_IAM_14

CSA Cloud Controls Matrix v4.0.12 IAM 14

Identity & Access Management

Strong Authentication

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities.

IAM_15

CSA_v4.0.12_IAM_15

CSA Cloud Controls Matrix v4.0.12 IAM 15

Identity & Access Management

Passwords Management

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords.

IAM_16

CSA_v4.0.12_IAM_16

CSA Cloud Controls Matrix v4.0.12 IAM 16

Identity & Access Management

Authorization Mechanisms

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized.

FBI_Criminal_Justice_Information_Services_v5.9.5_5

UEM_03

CSA_v4.0.12_UEM_03

CSA Cloud Controls Matrix v4.0.12 UEM 03

Universal Endpoint Management

Compatibility

Shared

n/a

Define and implement a process for the validation of the endpoint device's compatibility with operating systems and applications.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_2

Cyber Essentials v3.1 2

Cyber Essentials

Secure Configuration

Shared

n/a

Aim: ensure that computers and network devices are properly configured to reduce vulnerabilities and provide only the services required to fulfill their role.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_4

Cyber Essentials v3.1 4

Cyber Essentials

User Access Control

Shared

n/a

Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_5

Cyber Essentials v3.1 5

Cyber Essentials

Malware protection

Shared

n/a

Aim: to restrict execution of known malware and untrusted software, from causing damage or accessing data.

EU_2555_(NIS2)_2022

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

193

FBI_Criminal_Justice_Information_Services_v5.9.5_5.5

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5

Policy and Implementation - Access Control

Access Control

Shared

Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI.

Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information.

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.7

404 not found

n/a

FFIEC_CAT_2017

3.1.2

FFIEC_CAT_2017_3.1.2

FFIEC CAT 2017 3.1.2

Cybersecurity Controls

Access and Data Management

Shared

n/a

Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.'FFIEC_Cybersecurity Control'!F8 - Employee access to systems and confidential data provides for separation of duties. - Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger 'FFIEC_Cybersecurity Control'!F7password controls). - User access reviews are performed periodically for all systems and applications based on the risk to the application or system. - Changes to physical and logical user access, including those that result from voluntary and involuntary terminations, are submitted to and approved by appropriate personnel. - Identification and authentication are required and managed for access to systems, applications, and hardware. - Access controls include password complexity and limits to password attempts and reuse. - All default passwords and unnecessary default accounts are changed before system implementation. - Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk. - Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.) - Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems. - All passwords are encrypted in storage and in transit. - Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). - Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) - Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. - Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software. - Customer service (e.g., the call center) utilizes formal procedures to authenticate customers commensurate with the risk of the transaction or request. - Data is disposed of or destroyed according to documented requirements and within expected time frames.

hipaa

1232.09c3Organizational.12-09.c

hipaa-1232.09c3Organizational.12-09.c

1232.09c3Organizational.12-09.c

12 Audit Logging & Monitoring

1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures

Shared

n/a

Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls.

HITRUST_CSF_v11.3

01.c

HITRUST_CSF_v11.3_01.c

HITRUST CSF v11.3 01.c

Authorized Access to Information Systems

Control privileged access to information systems and services.

Shared

1. Privileged role assignments to be automatically tracked and monitored. 2. Role-based access controls to be implemented and should be capable of mapping each user to one or more roles, and each role to one or more system functions. 3. Critical security functions to be executable only after granting of explicit authorization.

The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls.

HITRUST_CSF_v11.3

01.l

HITRUST_CSF_v11.3_01.l

HITRUST CSF v11.3 01.l

Network Access Control

Prevent unauthorized access to networked services.

Shared

Ports, services, and applications installed on a computer or network systems, which are not specifically required for business functionality, to be disabled or removed.

Physical and logical access to diagnostic and configuration ports shall be controlled.

HITRUST_CSF_v11.3

10.k

HITRUST_CSF_v11.3_10.k

HITRUST CSF v11.3 10.k

Security In Development and Support Processes

Ensure the security of application system software and information through the development process, project and support environments shall be strictly controlled.

Shared

1. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management is to be formally addressed. 2. Changes to mobile device operating systems, patch levels, and/or applications is to be managed through a formal change management process. 3. A baseline configuration of the information system is to be developed, documented, and maintained under configuration control.

The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures.

ISO_IEC_27002_2022

8.9

ISO_IEC_27002_2022_8.9

ISO IEC 27002 2022 8.9

Protection, Preventive Control

Configuration management

Shared

Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.

To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes.

ISO_IEC_27017_2015

Annex_A:_CLD.6.3.1

ISO_IEC_27017_2015_Annex_A:_CLD.6.3.1

404 not found

n/a

NIST_CSF_v2.0

PR.AA

NIST_CSF_v2.0_PR.AA

404 not found

n/a

NIST_SP_800-53_R5.1.1_AC.2.1

AC.2.1

NIST SP 800-53 R5.1.1 AC.2.1

Access Control

Account Management | Automated System Account Management

Shared

Support the management of system accounts using [Assignment: organization-defined automated mechanisms].

Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications.

NIST_SP_800-53_R5.1.1_AC.6.2

AC.6.2

NIST SP 800-53 R5.1.1 AC.6.2

Access Control

Least Privilege | Non-privileged Access for Nonsecurity Functions

Shared

Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions.

Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

NIST_SP_800-53_R5.1.1_CM.2

CM.2

NIST SP 800-53 R5.1.1 CM.2

Configuration Management Control

Baseline Configuration

Shared

a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: Assignment organization-defined circumstances]; and 3. When system components are installed or upgraded.

Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.

NIST_SP_800-53_R5.1.1_CM.7.5

CM.7.5

NIST SP 800-53 R5.1.1 CM.7.5

Configuration Management Control

Least Functionality | Authorized Software

Shared

(a) Identify [Assignment: organization-defined software programs authorized to execute on the system]; (b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (c) Review and update the list of authorized software programs [Assignment: organization-defined frequency].

Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in CA-3(5) and SC-7.

PCI_DSS_v4.0.1

12.2.1

PCI_DSS_v4.0.1_12.2.1

PCI DSS v4.0.1 12.2.1

Support Information Security with Organizational Policies and Programs

Documented Acceptable Use Policies

Shared

n/a

Acceptable use policies for end-user technologies are documented and implemented, including: • Explicit approval by authorized parties. • Acceptable uses of the technology. • List of products approved by the company for employee use, including hardware and software.

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

218

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

229

CC6.1

SOC_2023_CC6.1

SOC 2023 CC6.1

Logical and Physical Access Controls

Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets.

Shared

n/a

Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys.

128

CC6.2

SOC_2023_CC6.2

SOC 2023 CC6.2

Logical and Physical Access Controls

Ensure effective access control and ensuring the security of the organization's systems and data.

Shared

n/a

1. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. 2. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

CC6.3

SOC_2023_CC6.3

404 not found

n/a

CC6.7

SOC_2023_CC6.7

404 not found

n/a

CC7.2

SOC_2023_CC7.2

SOC 2023 CC7.2

Systems Operations

Maintain robust security measures and ensure operational resilience.

Shared

n/a

The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events.

167

CC7.4

SOC_2023_CC7.4

SOC 2023 CC7.4

Systems Operations

Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation.

Shared

n/a

The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations.

213