compliance controls are associated with this Policy definition '[Deprecated]: Vulnerabilities in security configuration on your machines should be remediated' (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
Canada_Federal_PBMM_3-1-2020 |
AC_2 |
Canada_Federal_PBMM_3-1-2020_AC_2 |
Canada Federal PBMM 3-1-2020 AC 2 |
Account Management |
Account Management |
Shared |
1. The organization identifies and selects which types of information system accounts support organizational missions/business functions.
2. The organization assigns account managers for information system accounts.
3. The organization establishes conditions for group and role membership.
4. The organization specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account.
5. The organization requires approvals by responsible managers for requests to create information system accounts.
6. The organization creates, enables, modifies, disables, and removes information system accounts in accordance with information system account management procedures.
7. The organization monitors the use of information system accounts.
8. The organization notifies account managers:
a. When accounts are no longer required;
b. When users are terminated or transferred; and
c. When individual information system usage or need-to-know changes.
9. The organization authorizes access to the information system based on:
a. A valid access authorization;
b. Intended system usage; and
c. Other attributes as required by the organization or associated missions/business functions.
10. The organization reviews accounts for compliance with account management requirements at least annually.
11. The organization establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
To ensure the security, integrity, and efficiency of the information systems.
|
|
24 |
Canada_Federal_PBMM_3-1-2020 |
AC_2(1) |
Canada_Federal_PBMM_3-1-2020_AC_2(1) |
Canada Federal PBMM 3-1-2020 AC 2(1) |
Account Management |
Account Management | Automated System Account Management |
Shared |
The organization employs automated mechanisms to support the management of information system accounts. |
To streamline and enhance information system account management processes. |
|
24 |
Canada_Federal_PBMM_3-1-2020 |
AC_2(4) |
Canada_Federal_PBMM_3-1-2020_AC_2(4) |
Canada Federal PBMM 3-1-2020 AC 2(4) |
Account Management |
Account Management | Automated Audit Actions |
Shared |
1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers.
2. Related controls: AU-2, AU-12. |
To ensure accountability and transparency within the information system. |
|
53 |
Canada_Federal_PBMM_3-1-2020 |
CA_2 |
Canada_Federal_PBMM_3-1-2020_CA_2 |
Canada Federal PBMM 3-1-2020 CA 2 |
Security Assessments |
Security Assessments |
Shared |
1. The organization develops a security assessment plan that describes the scope of the assessment including:
a. Security controls and control enhancements under assessment;
b. Assessment procedures to be used to determine security control effectiveness; and
c. Assessment environment, assessment team, and assessment roles and responsibilities.
2. The organization assesses the security controls in the information system and its environment of operation at least annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements.
3. The organization produces a security assessment report that documents the results of the assessment.
4. The organization provides the results of the security control assessment to organization-defined individuals or roles. |
To enhance the overall security posture of the organization. |
|
24 |
Canada_Federal_PBMM_3-1-2020 |
CA_3 |
Canada_Federal_PBMM_3-1-2020_CA_3 |
Canada Federal PBMM 3-1-2020 CA 3 |
Information System Connections |
System Interconnections |
Shared |
1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements.
2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated.
3. The organization reviews and updates Interconnection Security Agreements annually. |
To establish and maintain secure connections between information systems. |
|
77 |
Canada_Federal_PBMM_3-1-2020 |
CA_3(3) |
Canada_Federal_PBMM_3-1-2020_CA_3(3) |
Canada Federal PBMM 3-1-2020 CA 3(3) |
Information System Connections |
System Interconnections | Classified Non-National Security System Connections |
Shared |
The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner. |
To ensure the integrity and security of internal systems against external threats. |
|
77 |
Canada_Federal_PBMM_3-1-2020 |
CA_3(5) |
Canada_Federal_PBMM_3-1-2020_CA_3(5) |
Canada Federal PBMM 3-1-2020 CA 3(5) |
Information System Connections |
System Interconnections | Restrictions on External Network Connections |
Shared |
The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems. |
To enhance security posture against unauthorized access. |
|
77 |
Canada_Federal_PBMM_3-1-2020 |
CA_7 |
Canada_Federal_PBMM_3-1-2020_CA_7 |
Canada Federal PBMM 3-1-2020 CA 7 |
Continuous Monitoring |
Continuous Monitoring |
Shared |
1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored.
2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan.
3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy.
4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy.
5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring.
6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information.
7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency. |
To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements. |
|
125 |
Canada_Federal_PBMM_3-1-2020 |
CM_2 |
Canada_Federal_PBMM_3-1-2020_CM_2 |
Canada Federal PBMM 3-1-2020 CM 2 |
Baseline Configuration |
Baseline Configuration |
Shared |
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. |
To support effective management and security practices. |
|
24 |
Canada_Federal_PBMM_3-1-2020 |
CM_2(1) |
Canada_Federal_PBMM_3-1-2020_CM_2(1) |
Canada Federal PBMM 3-1-2020 CM 2(1) |
Baseline Configuration |
Baseline Configuration | Reviews and Updates |
Shared |
The organization reviews and updates the baseline configuration of the information system:
1. at least annually; or
2. When required due to significant changes as defined in NIST SP 800-37 rev1; and
3. As an integral part of information system component installations and upgrades.
|
To ensure alignment with current security standards and operational requirements. |
|
24 |
Canada_Federal_PBMM_3-1-2020 |
CM_2(2) |
Canada_Federal_PBMM_3-1-2020_CM_2(2) |
Canada Federal PBMM 3-1-2020 CM 2(2) |
Baseline Configuration |
Baseline Configuration | Automation Support for Accuracy / Currency |
Shared |
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. |
To ensure the information system maintains an up-to-date, complete, accurate, and readily available baseline configuration |
|
23 |
Canada_Federal_PBMM_3-1-2020 |
CM_8 |
Canada_Federal_PBMM_3-1-2020_CM_8 |
Canada Federal PBMM 3-1-2020 CM 8 |
Information System Component Inventory |
Information System Component Inventory |
Shared |
1. The organization develops and documents an inventory of information system components that accurately reflects the current information system.
2. The organization develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system.
3. The organization develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.
4. The organization develops and documents an inventory of information system components that includes unique asset identifier, NetBIOS name, baseline configuration name, OS Name, OS Version, system owner information.
5. The organization reviews and updates the information system component inventory at least monthly. |
To enable efficient decision-making and risk mitigation strategies. |
|
12 |
Canada_Federal_PBMM_3-1-2020 |
CM_8(1) |
Canada_Federal_PBMM_3-1-2020_CM_8(1) |
Canada Federal PBMM 3-1-2020 CM 8(1) |
Information System Component Inventory |
Information System Component Inventory | Updates During Installations / Removals |
Shared |
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. |
To facilitate accurate asset management and effective security control implementation. |
|
9 |
Canada_Federal_PBMM_3-1-2020 |
CM_8(2) |
Canada_Federal_PBMM_3-1-2020_CM_8(2) |
Canada Federal PBMM 3-1-2020 CM 8(2) |
Information System Component Inventory |
Information System Component Inventory | Automated Maintenance |
Shared |
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components. |
To facilitate accurate asset management and effective security control implementation. |
|
9 |
Canada_Federal_PBMM_3-1-2020 |
RA_5(1) |
Canada_Federal_PBMM_3-1-2020_RA_5(1) |
Canada Federal PBMM 3-1-2020 RA 5(1) |
Vulnerability Scanning |
Vulnerability Scanning | Update Tool Capability |
Shared |
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned. |
To employ vulnerability scanning tools. |
|
21 |
Canada_Federal_PBMM_3-1-2020 |
SI_8(1) |
Canada_Federal_PBMM_3-1-2020_SI_8(1) |
Canada Federal PBMM 3-1-2020 SI 8(1) |
Spam Protection |
Spam Protection | Central Management of Protection Mechanisms |
Shared |
The organization centrally manages spam protection mechanisms. |
To enhance overall security posture. |
|
88 |
CIS_Controls_v8.1 |
10.7 |
CIS_Controls_v8.1_10.7 |
CIS Controls v8.1 10.7 |
Malware Defenses |
Use behaviour based anti-malware software |
Shared |
Use behaviour based anti-malware software |
To ensure that a generic anti-malware software is not used. |
|
100 |
CIS_Controls_v8.1 |
12.1 |
CIS_Controls_v8.1_12.1 |
CIS Controls v8.1 12.1 |
Network Infrastructure Management |
Ensure network infrastructure is up to date |
Shared |
1. Ensure network infrastructure is kept up-to-date.
2. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings.
3. Review software versions monthly, or more frequently, to verify software support. |
To prevent any unauthorized or malicious activity on network systems. |
|
23 |
CIS_Controls_v8.1 |
12.3 |
CIS_Controls_v8.1_12.3 |
CIS Controls v8.1 12.3 |
Network Infrastructure Management |
Securely manage network infrastructure |
Shared |
1. Securely manage network infrastructure.
2. Example implementations include version-controlled-infrastructure-ascode, and the use of secure network protocols, such as SSH and HTTPS. |
To ensure proper management of network infrastructure. |
|
39 |
CIS_Controls_v8.1 |
13.1 |
CIS_Controls_v8.1_13.1 |
CIS Controls v8.1 13.1 |
Network Monitoring and Defense |
Centralize security event alerting |
Shared |
1. Centralize security event alerting across enterprise assets for log correlation and analysis.
2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts.
3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard. |
To ensure that any security event is immediately alerted enterprise-wide. |
|
102 |
CIS_Controls_v8.1 |
13.3 |
CIS_Controls_v8.1_13.3 |
CIS Controls v8.1 13.3 |
Network Monitoring and Defense |
Deploy a network intrusion detection solution |
Shared |
1. Deploy a network intrusion detection solution on enterprise assets, where appropriate.
2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. |
To enhance the organization's cybersecurity. |
|
100 |
CIS_Controls_v8.1 |
16.12 |
CIS_Controls_v8.1_16.12 |
CIS Controls v8.1 16.12 |
Application Software Security |
Implement code-level security checks |
Shared |
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed. |
To help identify and address potential security issues early in the development process, enhancing the overall security posture of the application.
|
|
23 |
CIS_Controls_v8.1 |
16.13 |
CIS_Controls_v8.1_16.13 |
CIS Controls v8.1 16.13 |
Application Software Security |
Conduct application penetration testing |
Shared |
1. Conduct application penetration testing.
2. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing.
3. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user. |
To identify potential security weaknesses and assess the overall security posture of the application. |
|
23 |
CIS_Controls_v8.1 |
16.2 |
CIS_Controls_v8.1_16.2 |
CIS Controls v8.1 16.2 |
Application Software Security |
Establish and maintain a process to accept and address software vulnerabilities |
Shared |
1. Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report.
2. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing.
3. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities.
4. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard.
5. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders. |
To serve as an externally-facing document that establishes expectations for external stakeholders regarding vulnerability reporting and remediation procedures. |
|
23 |
CIS_Controls_v8.1 |
16.5 |
CIS_Controls_v8.1_16.5 |
CIS Controls v8.1 16.5 |
Application Software Security |
Use up-to-date and trusted third-party software components |
Shared |
1. Use up-to-date and trusted third-party software components.
2. When possible, choose established and proven frameworks and libraries that provide adequate security.
3. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. |
To utilize up-to-date and trusted third-party software components in application development. |
|
18 |
CIS_Controls_v8.1 |
16.6 |
CIS_Controls_v8.1_16.6 |
CIS Controls v8.1 16.6 |
Application Software Security |
Establish and maintain a severity rating system and process for application vulnerabilities |
Shared |
1. Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed.
2. This process includes setting a minimum level of security acceptability for releasing code or applications.
3. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first.
4. Review and update the system and process annually. |
To establish and maintain a severity rating system and corresponding process for addressing application vulnerabilities, enabling prioritization of fixes based on severity levels, adapt to evolving threat landscapes and maintain effectiveness in mitigating risks. |
|
18 |
CIS_Controls_v8.1 |
16.7 |
CIS_Controls_v8.1_16.7 |
CIS Controls v8.1 16.7 |
Application Software Security |
Use standard hardening configuration templates for application infrastructure |
Shared |
1. Use standard, industry-recommended hardening configuration templates for application infrastructure components.
2. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components.
3. Do not allow in-house developed software to weaken configuration hardening. |
To ensure that in-house developed software does not compromise the established configuration hardening standards. |
|
18 |
CIS_Controls_v8.1 |
18.1 |
CIS_Controls_v8.1_18.1 |
CIS Controls v8.1 18.1 |
Penetration Testing |
Establish and maintain a penetration testing program |
Shared |
1. Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise.
2. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. |
To establish and maintain a penetration testing program tailored to the size, complexity, and maturity of the enterprise. |
|
18 |
CIS_Controls_v8.1 |
18.2 |
CIS_Controls_v8.1_18.2 |
CIS Controls v8.1 18.2 |
Penetration Testing |
Perform periodic external penetration tests |
Shared |
1. Perform periodic external penetration tests based on program requirements, no less than annually.
2. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information.
3. Penetration testing requires specialized skills and experience and must be conducted through a qualified party.
4. The testing may be clear box or opaque box.
|
To ensure thorough assessment and mitigation of potential vulnerabilities. |
|
17 |
CIS_Controls_v8.1 |
18.3 |
CIS_Controls_v8.1_18.3 |
CIS Controls v8.1 18.3 |
Penetration Testing |
Remediate penetration test findings |
Shared |
Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization. |
To mitigate security risks effectively. |
|
17 |
CIS_Controls_v8.1 |
18.4 |
CIS_Controls_v8.1_18.4 |
CIS Controls v8.1 18.4 |
Penetration Testing |
Validate security measures |
Shared |
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. |
To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise. |
|
94 |
CIS_Controls_v8.1 |
18.5 |
CIS_Controls_v8.1_18.5 |
404 not found |
|
|
|
n/a |
n/a |
|
17 |
CMMC_L2_v1.9.0 |
CM.L2_3.4.1 |
CMMC_L2_v1.9.0_CM.L2_3.4.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.1 |
Configuration Management |
System Baselining |
Shared |
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. |
To ensure consistency, security, and compliance with organizational standards and requirements. |
|
17 |
CMMC_L2_v1.9.0 |
CM.L2_3.4.2 |
CMMC_L2_v1.9.0_CM.L2_3.4.2 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.2 |
Configuration Management |
Security Configuration Enforcement |
Shared |
Establish and enforce security configuration settings for information technology products employed in organizational systems. |
To mitigate vulnerabilities and enhance overall security posture. |
|
11 |
CMMC_L2_v1.9.0 |
CM.L2_3.4.6 |
CMMC_L2_v1.9.0_CM.L2_3.4.6 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.6 |
Configuration Management |
Least Functionality |
Shared |
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. |
To reduce the risk of unauthorized access or exploitation of system vulnerabilities. |
|
11 |
CMMC_L2_v1.9.0 |
RA.L2_3.11.2 |
CMMC_L2_v1.9.0_RA.L2_3.11.2 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 RA.L2 3.11.2 |
Risk Assessment |
Vulnerability Scan |
Shared |
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. |
To enhance the overall security posture of the organization. |
|
15 |
CMMC_L2_v1.9.0 |
RA.L2_3.11.3 |
CMMC_L2_v1.9.0_RA.L2_3.11.3 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 RA.L2 3.11.3 |
Risk Assessment |
Vulnerability Remediation |
Shared |
Remediate vulnerabilities in accordance with risk assessments. |
To reduce the likelihood of security breaches and minimize potential impacts on operations and assets. |
|
15 |
CMMC_L2_v1.9.0 |
SI.L1_3.14.1 |
CMMC_L2_v1.9.0_SI.L1_3.14.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.1 |
System and Information Integrity |
Flaw Remediation |
Shared |
Identify, report, and correct information and information system flaws in a timely manner. |
To safeguard assets and maintain operational continuity. |
|
24 |
CMMC_L2_v1.9.0 |
SI.L2_3.14.3 |
CMMC_L2_v1.9.0_SI.L2_3.14.3 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.3 |
System and Information Integrity |
Security Alerts & Advisories |
Shared |
Monitor system security alerts and advisories and take action in response. |
To proactively defend against emerging threats and minimize the risk of security incidents or breaches. |
|
20 |
CMMC_L2_v1.9.0 |
SI.L2_3.14.6 |
CMMC_L2_v1.9.0_SI.L2_3.14.6 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.6 |
System and Information Integrity |
Monitor Communications for Attacks |
Shared |
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. |
To protect systems and data from unauthorized access or compromise. |
|
20 |
CMMC_L2_v1.9.0 |
SI.L2_3.14.7 |
CMMC_L2_v1.9.0_SI.L2_3.14.7 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.7 |
System and Information Integrity |
Identify Unauthorized Use |
Shared |
Identify unauthorized use of organizational systems. |
To enable the organization to take appropriate action, such as revoking access privileges, investigating security incidents, and implementing additional security controls to prevent future unauthorized access. |
|
19 |
CSA_v4.0.12 |
AIS_02 |
CSA_v4.0.12_AIS_02 |
CSA Cloud Controls Matrix v4.0.12 AIS 02 |
Application & Interface Security |
Application Security Baseline Requirements |
Shared |
n/a |
Establish, document and maintain baseline requirements for securing
different applications. |
|
11 |
CSA_v4.0.12 |
CCC_02 |
CSA_v4.0.12_CCC_02 |
CSA Cloud Controls Matrix v4.0.12 CCC 02 |
Change Control and Configuration Management |
Quality Testing |
Shared |
n/a |
Follow a defined quality change control, approval and testing process
with established baselines, testing, and release standards. |
|
12 |
CSA_v4.0.12 |
CCC_03 |
CSA_v4.0.12_CCC_03 |
CSA Cloud Controls Matrix v4.0.12 CCC 03 |
Change Control and Configuration Management |
Change Management Technology |
Shared |
n/a |
Manage the risks associated with applying changes to organization
assets, including application, systems, infrastructure, configuration, etc.,
regardless of whether the assets are managed internally or externally (i.e.,
outsourced). |
|
31 |
CSA_v4.0.12 |
CCC_06 |
CSA_v4.0.12_CCC_06 |
CSA Cloud Controls Matrix v4.0.12 CCC 06 |
Change Control and Configuration Management |
Change Management Baseline |
Shared |
n/a |
Establish change management baselines for all relevant authorized
changes on organization assets. |
|
8 |
CSA_v4.0.12 |
CCC_09 |
CSA_v4.0.12_CCC_09 |
CSA Cloud Controls Matrix v4.0.12 CCC 09 |
Change Control and Configuration Management |
Change Restoration |
Shared |
n/a |
Define and implement a process to proactively roll back changes to
a previous known good state in case of errors or security concerns. |
|
11 |
CSA_v4.0.12 |
CEK_05 |
CSA_v4.0.12_CEK_05 |
CSA Cloud Controls Matrix v4.0.12 CEK 05 |
Cryptography, Encryption & Key Management |
Encryption Change Management |
Shared |
n/a |
Establish a standard change management procedure, to accommodate
changes from internal and external sources, for review, approval, implementation
and communication of cryptographic, encryption and key management technology
changes. |
|
11 |
CSA_v4.0.12 |
CEK_06 |
CSA_v4.0.12_CEK_06 |
CSA Cloud Controls Matrix v4.0.12 CEK 06 |
Cryptography, Encryption & Key Management |
Encryption Change Cost Benefit Analysis |
Shared |
n/a |
Manage and adopt changes to cryptography-, encryption-, and key management-related
systems (including policies and procedures) that fully account for downstream
effects of proposed changes, including residual risk, cost, and benefits analysis. |
|
8 |
CSA_v4.0.12 |
CEK_07 |
CSA_v4.0.12_CEK_07 |
CSA Cloud Controls Matrix v4.0.12 CEK 07 |
Cryptography, Encryption & Key Management |
Encryption Risk Management |
Shared |
n/a |
Establish and maintain an encryption and key management risk program
that includes provisions for risk assessment, risk treatment, risk context,
monitoring, and feedback. |
|
8 |
CSA_v4.0.12 |
CEK_20 |
CSA_v4.0.12_CEK_20 |
CSA Cloud Controls Matrix v4.0.12 CEK 20 |
Cryptography, Encryption & Key Management |
Key Recovery |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to assess the risk to operational continuity versus the risk of the
keying material and the information it protects being exposed if control of
the keying material is lost, which include provisions for legal and regulatory
requirements. |
|
25 |
CSA_v4.0.12 |
DCS_05 |
CSA_v4.0.12_DCS_05 |
CSA Cloud Controls Matrix v4.0.12 DCS 05 |
Datacenter Security |
Assets Classification |
Shared |
n/a |
Classify and document the physical, and logical assets (e.g., applications)
based on the organizational business risk. |
|
6 |
CSA_v4.0.12 |
DCS_06 |
CSA_v4.0.12_DCS_06 |
CSA Cloud Controls Matrix v4.0.12 DCS 06 |
Datacenter Security |
Assets Cataloguing and Tracking |
Shared |
n/a |
Catalogue and track all relevant physical and logical assets located
at all of the CSP's sites within a secured system. |
|
7 |
CSA_v4.0.12 |
UEM_03 |
CSA_v4.0.12_UEM_03 |
CSA Cloud Controls Matrix v4.0.12 UEM 03 |
Universal Endpoint Management |
Compatibility |
Shared |
n/a |
Define and implement a process for the validation of the endpoint
device's compatibility with operating systems and applications. |
|
11 |
CSA_v4.0.12 |
UEM_04 |
CSA_v4.0.12_UEM_04 |
CSA Cloud Controls Matrix v4.0.12 UEM 04 |
Universal Endpoint Management |
Endpoint Inventory |
Shared |
n/a |
Maintain an inventory of all endpoints used to store and access company
data. |
|
6 |
CSA_v4.0.12 |
UEM_05 |
CSA_v4.0.12_UEM_05 |
CSA Cloud Controls Matrix v4.0.12 UEM 05 |
Universal Endpoint Management |
Endpoint Management |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to enforce policies and controls for all endpoints permitted to access
systems and/or store, transmit, or process organizational data. |
|
11 |
CSA_v4.0.12 |
UEM_07 |
CSA_v4.0.12_UEM_07 |
CSA Cloud Controls Matrix v4.0.12 UEM 07 |
Universal Endpoint Management |
Operating Systems |
Shared |
n/a |
Manage changes to endpoint operating systems, patch levels, and/or
applications through the company's change management processes. |
|
6 |
CSA_v4.0.12 |
UEM_12 |
CSA_v4.0.12_UEM_12 |
CSA Cloud Controls Matrix v4.0.12 UEM 12 |
Universal Endpoint Management |
Remote Locate |
Shared |
n/a |
Enable remote geo-location capabilities for all managed mobile endpoints. |
|
6 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_11 |
EU_2555_(NIS2)_2022_11 |
EU 2022/2555 (NIS2) 2022 11 |
|
Requirements, technical capabilities and tasks of CSIRTs |
Shared |
n/a |
Outlines the requirements, technical capabilities, and tasks of CSIRTs. |
|
69 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_12 |
EU_2555_(NIS2)_2022_12 |
EU 2022/2555 (NIS2) 2022 12 |
|
Coordinated vulnerability disclosure and a European vulnerability database |
Shared |
n/a |
Establishes a coordinated vulnerability disclosure process and a European vulnerability database. |
|
67 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
194 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_29 |
EU_2555_(NIS2)_2022_29 |
EU 2022/2555 (NIS2) 2022 29 |
|
Cybersecurity information-sharing arrangements |
Shared |
n/a |
Allows entities to exchange relevant cybersecurity information on a voluntary basis. |
|
67 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_7 |
EU_2555_(NIS2)_2022_7 |
EU 2022/2555 (NIS2) 2022 7 |
|
National cybersecurity strategy |
Shared |
n/a |
Requires Member States to adopt a national cybersecurity strategy. |
|
17 |
EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
311 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.1 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 |
Policy and Implementation - Systems And Communications Protection |
Systems And Communications Protection |
Shared |
In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. |
Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. |
|
111 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.11 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 |
Policy and Implementation - Formal Audits |
Policy Area 11: Formal Audits |
Shared |
Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. |
Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. |
|
65 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.7 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 |
404 not found |
|
|
|
n/a |
n/a |
|
96 |
FFIEC_CAT_2017 |
2.2.1 |
FFIEC_CAT_2017_2.2.1 |
FFIEC CAT 2017 2.2.1 |
Threat Intelligence and Collaboration |
Monitoring and Analyzing |
Shared |
n/a |
- Audit log records and other security event logs are reviewed and retained in a secure manner.
- Computer event logs are used for investigations once an event has occurred. |
|
24 |
FFIEC_CAT_2017 |
3.1.1 |
FFIEC_CAT_2017_3.1.1 |
FFIEC CAT 2017 3.1.1 |
Cybersecurity Controls |
Infrastructure Management |
Shared |
n/a |
- Network perimeter defense tools (e.g., border router and firewall) are used.
- Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices.
- All ports are monitored.
- Up to date antivirus and anti-malware tools are used.
- Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced.
- Ports, functions, protocols and services are prohibited if no longer needed for business purposes.
- Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.
- Programs that can override system, object, network, virtual machine, and application controls are restricted.
- System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met.
- Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.) |
|
72 |
FFIEC_CAT_2017 |
3.2.3 |
FFIEC_CAT_2017_3.2.3 |
FFIEC CAT 2017 3.2.3 |
Cybersecurity Controls |
Event Detection |
Shared |
n/a |
- A normal network activity baseline is established.
- Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks.
- Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software.
- Responsibilities for monitoring and reporting suspicious systems activity have been assigned.
- The physical environment is monitored to detect potential unauthorized access. |
|
35 |
HITRUST_CSF_v11.3 |
06.h |
HITRUST_CSF_v11.3_06.h |
HITRUST CSF v11.3 06.h |
Compliance with Security Policies and Standards |
Ensure compliance with security implementation standards by regular checking of information systems. |
Shared |
1. Annual checks on the technical security configuration of systems is to be performed either manually by an individual with experience with the systems and/or with the assistance of automated software tools.
2. Technical compliance checking is to be implemented to show compliance in support of technical interoperability. |
Information systems shall be regularly checked for compliance with security implementation standards. |
|
7 |
HITRUST_CSF_v11.3 |
09.ab |
HITRUST_CSF_v11.3_09.ab |
HITRUST CSF v11.3 09.ab |
Monitoring |
Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. |
Shared |
1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required.
2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with. |
Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. |
|
114 |
HITRUST_CSF_v11.3 |
10.c |
HITRUST_CSF_v11.3_10.c |
HITRUST CSF v11.3 10.c |
Correct Processing in Applications |
Incorporate validation checks into applications to detect any corruption of information through processing errors or deliberate acts. |
Shared |
Data integrity controls which manage changes, prevent sequencing errors, ensure recovery from failures, and protect against buffer overrun attacks are to be implemented. |
Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts. |
|
36 |
HITRUST_CSF_v11.3 |
10.k |
HITRUST_CSF_v11.3_10.k |
HITRUST CSF v11.3 10.k |
Security In Development and Support Processes |
Ensure the security of application system software and information through the development process, project and support environments shall be strictly controlled. |
Shared |
1. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management is to be formally addressed.
2. Changes to mobile device operating systems, patch levels, and/or applications is to be managed through a formal change management process.
3. A baseline configuration of the information system is to be developed, documented, and maintained under configuration control. |
The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures. |
|
34 |
HITRUST_CSF_v11.3 |
10.m |
HITRUST_CSF_v11.3_10.m |
HITRUST CSF v11.3 10.m |
Technical Vulnerability Management |
Reduce the risks resulting from exploitation of published technical vulnerabilities, technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness. |
Shared |
1. The necessary secure services, protocols required for the function of the system are to be enabled.
2. Security features to be implemented for any required services that are considered to be insecure.
3. Laptops, workstations, and servers to be configured so they will not auto-run content from removable media.
4. Configuration standards to be consistent with industry-accepted system hardening standards.
5. An enterprise security posture review within every 365 days is to be conducted.
6. Vulnerability scanning tools to be regularly updated with all relevant information system vulnerabilities. |
Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk. |
|
47 |
ISO_IEC_27002_2022 |
5.5 |
ISO_IEC_27002_2022_5.5 |
ISO IEC 27002 2022 5.5 |
Identifying,
Protection,
Response,
Recovery,
Preventive,
Corrective Control |
Contact with authorities |
Shared |
The organization should establish and maintain contact with relevant authorities.
|
To ensure appropriate flow of information takes place with respect to information security between
the organization and relevant legal, regulatory and supervisory authorities. |
|
14 |
ISO_IEC_27002_2022 |
5.9 |
ISO_IEC_27002_2022_5.9 |
ISO IEC 27002 2022 5.9 |
Preventive,
Identifying Control |
Inventory of information and other associated assets |
Shared |
An inventory of information and other associated assets, including owners, should be developed and maintained.
|
To identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership. |
|
8 |
ISO_IEC_27002_2022 |
8.16 |
ISO_IEC_27002_2022_8.16 |
ISO IEC 27002 2022 8.16 |
Response,
Detection,
Corrective Control |
Monitoring activities |
Shared |
Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
|
To detect anomalous behaviour and potential information security incidents. |
|
20 |
ISO_IEC_27002_2022 |
8.8 |
ISO_IEC_27002_2022_8.8 |
ISO IEC 27002 2022 8.8 |
Identifying,
Protection,
Preventive Control |
Management of technical vulnerabilities |
Shared |
Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.
|
To prevent exploitation of technical vulnerabilities. |
|
15 |
ISO_IEC_27002_2022 |
8.9 |
ISO_IEC_27002_2022_8.9 |
ISO IEC 27002 2022 8.9 |
Protection,
Preventive Control |
Configuration management |
Shared |
Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.
|
To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes. |
|
21 |
ISO_IEC_27017_2015 |
8.1.1 |
ISO_IEC_27017_2015_8.1.1 |
ISO IEC 27017 2015 8.1.1 |
Asset Management |
Inventory of Assets |
Shared |
For Cloud Service Customer:
The cloud service customer's inventory of assets should account for information and associated assets stored in the cloud computing environment. The records of the inventory should indicate where the assets are maintained, e.g., identification of the cloud service.
For Cloud Service Provider:
The inventory of assets of the cloud service provider should explicitly identify:
(i) cloud service customer data;
(ii) cloud service derived data. |
To identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership. |
|
8 |
NIST_CSF_v2.0 |
DE.CM |
NIST_CSF_v2.0_DE.CM |
404 not found |
|
|
|
n/a |
n/a |
|
20 |
NIST_CSF_v2.0 |
DE.CM_09 |
NIST_CSF_v2.0_DE.CM_09 |
NIST CSF v2.0 DE.CM 09 |
DETECT- Continuous Monitoring |
Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events. |
Shared |
n/a |
To identify and analyze the cybersecurity attacks and compromises. |
|
25 |