Az Policy Advertizer

1144

AU_ISM_1144

AU ISM 1144

Guidelines for System Management - System patching

When to patch security vulnerabilities - 1144

n/a

Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.

1472

AU_ISM_1472

AU ISM 1472

Guidelines for System Management - System patching

When to patch security vulnerabilities - 1472

n/a

Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users.

1494

AU_ISM_1494

AU ISM 1494

Guidelines for System Management - System patching

When to patch security vulnerabilities - 1494

n/a

Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.

1495

AU_ISM_1495

AU ISM 1495

Guidelines for System Management - System patching

When to patch security vulnerabilities - 1495

n/a

Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users.

1496

AU_ISM_1496

AU ISM 1496

Guidelines for System Management - System patching

When to patch security vulnerabilities - 1496

n/a

Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users.

940

AU_ISM_940

AU ISM 940

Guidelines for System Management - System patching

When to patch security vulnerabilities - 940

n/a

Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users.

Azure_Security_Benchmark_v1.0

5.5

Azure_Security_Benchmark_v1.0_5.5

Azure Security Benchmark 5.5

Vulnerability Management

Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Customer

Use a common risk scoring program (for example, Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool.

n/a

Azure_Security_Benchmark_v1.0

7.10

Azure_Security_Benchmark_v1.0_7.10

Azure Security Benchmark 7.10

Secure Configuration

Implement automated configuration monitoring for operating systems

Customer

Use Azure Security Center to perform baseline scans for OS and Docker Settings for containers. Understand Azure Security Center container recommendations: https://docs.microsoft.com/azure/security-center/security-center-container-recommendations

n/a

Azure_Security_Benchmark_v1.0

7.4

Azure_Security_Benchmark_v1.0_7.4

Azure Security Benchmark 7.4

Secure Configuration

Maintain secure operating system configurations

Shared

Base operating system images are managed and maintained by Microsoft. However, you can apply security settings required by your organization using AzureResources Manager templates and/or Desired State Configuration. How to create an Azure Virtual Machine from an AzureResources Manager template: https://docs.microsoft.com/azure/virtual-machines/windows/ps-template Understand Desired State Configuration for Azure Virtual Machines: https://docs.microsoft.com/azure/virtual-machines/extensions/dsc-overview

n/a

Azure_Security_Benchmark_v2.0

PV-4

Azure_Security_Benchmark_v2.0_PV-4

Azure Security Benchmark PV-4

Posture and Vulnerability Management

Sustain secure configurations for compute resources

Shared

Use Azure Security Center and Azure Policy to regularly assess and remediate configuration risks on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system required by your organization. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements. Also, note that Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft. Azure Security Center can also scan vulnerabilities in container images and perform continuous monitoring of your Docker configuration in containers, based on the CIS Docker Benchmark. You can use the Azure Security Center recommendations page to view recommendations and remediate issues. How to implement Azure Security Center vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations How to create an Azure virtual machine from an ARM template: https://docs.microsoft.com/azure/virtual-machines/windows/ps-template Azure Automation State Configuration overview: https://docs.microsoft.com/azure/automation/automation-dsc-overview Create a Windows virtual machine in the Azure portal: https://docs.microsoft.com/azure/virtual-machines/windows/quick-create-portal Information on how to download template for a VM: https://docs.microsoft.com/azure/virtual-machines/windows/download-template Sample script to upload a VHD to Azure and create a new VM: https://docs.microsoft.com/azure/virtual-machines/scripts/virtual-machines-windows-powershell-upload-generalized-script Container security in Azure Security Center: https://docs.microsoft.com/azure/security-center/container-security

n/a

Azure_Security_Benchmark_v3.0

PV-6

Azure_Security_Benchmark_v3.0_PV-6

Microsoft cloud security benchmark PV-6

Posture and Vulnerability Management

Rapidly and automatically remediate vulnerabilities

Shared

**Security Principle:** Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources. Use the appropriate risk-based approach to prioritize the remediation of the vulnerabilities. For example, more severe vulnerabilities in a higher value asset should be addressed as a higher priority. **Azure Guidance:** Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically. For third-party software, use a third-party patch management solution or System Center Updates Publisher for Configuration Manager. Prioritize which updates to deploy first using a common risk scoring program (such as Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool and tailor to your environment. You should also consider which applications present a high security risk and which ones require high uptime. **Implementation and additional context:** How to configure Update Management for virtual machines in Azure: https://docs.microsoft.com/azure/automation/update-management/overview Manage updates and patches for your Azure VMs: https://docs.microsoft.com/azure/automation/update-management/manage-updates-for-vm

n/a

C.04.3 - Timelines

404 not found

n/a

C.04.6 - Timelines

404 not found

n/a

C.04.7 - Evaluated

404 not found

n/a

C.04.8 - Evaluated

404 not found

n/a

Canada_Federal_PBMM_3-1-2020_AC_2

AC_2

Canada Federal PBMM 3-1-2020 AC 2

Account Management

Shared

1. The organization identifies and selects which types of information system accounts support organizational missions/business functions. 2. The organization assigns account managers for information system accounts. 3. The organization establishes conditions for group and role membership. 4. The organization specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account. 5. The organization requires approvals by responsible managers for requests to create information system accounts. 6. The organization creates, enables, modifies, disables, and removes information system accounts in accordance with information system account management procedures. 7. The organization monitors the use of information system accounts. 8. The organization notifies account managers: a. When accounts are no longer required; b. When users are terminated or transferred; and c. When individual information system usage or need-to-know changes. 9. The organization authorizes access to the information system based on: a. A valid access authorization; b. Intended system usage; and c. Other attributes as required by the organization or associated missions/business functions. 10. The organization reviews accounts for compliance with account management requirements at least annually. 11. The organization establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

To ensure the security, integrity, and efficiency of the information systems.

Canada_Federal_PBMM_3-1-2020_AC_2(1)

AC_2(1)

Canada Federal PBMM 3-1-2020 AC 2(1)

Account Management

Account Management | Automated System Account Management

Shared

The organization employs automated mechanisms to support the management of information system accounts.

To streamline and enhance information system account management processes.

Canada_Federal_PBMM_3-1-2020_AC_2(4)

AC_2(4)

Canada Federal PBMM 3-1-2020 AC 2(4)

Account Management

Account Management | Automated Audit Actions

Shared

1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers. 2. Related controls: AU-2, AU-12.

To ensure accountability and transparency within the information system.

Canada_Federal_PBMM_3-1-2020_CA_2

CA_2

Canada Federal PBMM 3-1-2020 CA 2

Security Assessments

Shared

1. The organization develops a security assessment plan that describes the scope of the assessment including: a. Security controls and control enhancements under assessment; b. Assessment procedures to be used to determine security control effectiveness; and c. Assessment environment, assessment team, and assessment roles and responsibilities. 2. The organization assesses the security controls in the information system and its environment of operation at least annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements. 3. The organization produces a security assessment report that documents the results of the assessment. 4. The organization provides the results of the security control assessment to organization-defined individuals or roles.

To enhance the overall security posture of the organization.

Canada_Federal_PBMM_3-1-2020_CA_3

CA_3

Canada Federal PBMM 3-1-2020 CA 3

Information System Connections

System Interconnections

Shared

1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements. 2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated. 3. The organization reviews and updates Interconnection Security Agreements annually.

To establish and maintain secure connections between information systems.

Canada_Federal_PBMM_3-1-2020_CA_3(3)

CA_3(3)

Canada Federal PBMM 3-1-2020 CA 3(3)

Information System Connections

System Interconnections | Classified Non-National Security System Connections

Shared

The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner.

To ensure the integrity and security of internal systems against external threats.

Canada_Federal_PBMM_3-1-2020_CA_3(5)

CA_3(5)

Canada Federal PBMM 3-1-2020 CA 3(5)

Information System Connections

System Interconnections | Restrictions on External Network Connections

Shared

The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems.

To enhance security posture against unauthorized access.

Canada_Federal_PBMM_3-1-2020_CA_7

CA_7

Canada Federal PBMM 3-1-2020 CA 7

Continuous Monitoring

Shared

1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency.

To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements.

125

Canada_Federal_PBMM_3-1-2020_CM_2

CM_2

Canada Federal PBMM 3-1-2020 CM 2

Baseline Configuration

Shared

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

To support effective management and security practices.

Canada_Federal_PBMM_3-1-2020_CM_2(1)

CM_2(1)

Canada Federal PBMM 3-1-2020 CM 2(1)

Baseline Configuration

Baseline Configuration | Reviews and Updates

Shared

The organization reviews and updates the baseline configuration of the information system: 1. at least annually; or 2. When required due to significant changes as defined in NIST SP 800-37 rev1; and 3. As an integral part of information system component installations and upgrades.

To ensure alignment with current security standards and operational requirements.

Canada_Federal_PBMM_3-1-2020_CM_2(2)

CM_2(2)

Canada Federal PBMM 3-1-2020 CM 2(2)

Baseline Configuration

Baseline Configuration | Automation Support for Accuracy / Currency

Shared

The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

To ensure the information system maintains an up-to-date, complete, accurate, and readily available baseline configuration

Canada_Federal_PBMM_3-1-2020_CM_8

CM_8

Canada Federal PBMM 3-1-2020 CM 8

Information System Component Inventory

Shared

1. The organization develops and documents an inventory of information system components that accurately reflects the current information system. 2. The organization develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system. 3. The organization develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting. 4. The organization develops and documents an inventory of information system components that includes unique asset identifier, NetBIOS name, baseline configuration name, OS Name, OS Version, system owner information. 5. The organization reviews and updates the information system component inventory at least monthly.

To enable efficient decision-making and risk mitigation strategies.

Canada_Federal_PBMM_3-1-2020_CM_8(1)

CM_8(1)

Canada Federal PBMM 3-1-2020 CM 8(1)

Information System Component Inventory

Information System Component Inventory | Updates During Installations / Removals

Shared

The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

To facilitate accurate asset management and effective security control implementation.

Canada_Federal_PBMM_3-1-2020_CM_8(2)

CM_8(2)

Canada Federal PBMM 3-1-2020 CM 8(2)

Information System Component Inventory

Information System Component Inventory | Automated Maintenance

Shared

The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.

To facilitate accurate asset management and effective security control implementation.

Canada_Federal_PBMM_3-1-2020_RA_5(1)

RA_5(1)

Canada Federal PBMM 3-1-2020 RA 5(1)

Vulnerability Scanning

Vulnerability Scanning | Update Tool Capability

Shared

The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

To employ vulnerability scanning tools.

Canada_Federal_PBMM_3-1-2020_SI_8(1)

SI_8(1)

Canada Federal PBMM 3-1-2020 SI 8(1)

Spam Protection

Spam Protection | Central Management of Protection Mechanisms

Shared

The organization centrally manages spam protection mechanisms.

To enhance overall security posture.

CCCS

RA-5

CCCS_RA-5

CCCS RA-5

Risk Assessment

Vulnerability Scanning

n/a

(A) The organization scans for vulnerabilities in the information system and hosted applications monthly for operating systems/infrastructure, web applications, and database management systems and when new vulnerabilities potentially affecting the system/applications are identified and reported. (B) The organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: (a) Enumerating platforms, software flaws, and improper configurations; (b) Formatting checklists and test procedures; and (c) Measuring vulnerability impact. (C) The organization analyzes vulnerability scan reports and results from security control assessments. (D) The organization remediates legitimate vulnerabilities within 30 days for high-risk vulnerabilities and 90 days for moderate-risk vulnerabilities from the date of discovery in accordance with an organizational assessment of risk. (E) The organization shares information obtained from the vulnerability scanning process and security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

CCCS

SI-2

CCCS_SI-2

CCCS SI-2

System and Information Integrity

Flaw Remediation

n/a

(A) The organization identifies, reports, and corrects information system flaws. (B) The organization tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation. (C) The organization installs security-relevant software and firmware updates within 30 days of release of the release of the updates. (D) The organization incorporates flaw remediation into the organizational configuration management process.

CIS_Azure_1.1.0

2.4

CIS_Azure_1.1.0_2.4

CIS Microsoft Azure Foundations Benchmark recommendation 2.4

2 Security Center

Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled"

Shared

The customer is responsible for implementing this recommendation.

Enable Monitor OS vulnerability recommendations for virtual machines.

10.7

CIS_Controls_v8.1_10.7

CIS Controls v8.1 10.7

Malware Defenses

Use behaviour based anti-malware software

Shared

Use behaviour based anti-malware software

To ensure that a generic anti-malware software is not used.

100

12.1

CIS_Controls_v8.1_12.1

CIS Controls v8.1 12.1

Network Infrastructure Management

Ensure network infrastructure is up to date

Shared

1. Ensure network infrastructure is kept up-to-date. 2. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. 3. Review software versions monthly, or more frequently, to verify software support.

To prevent any unauthorized or malicious activity on network systems.

12.3

CIS_Controls_v8.1_12.3

CIS Controls v8.1 12.3

Network Infrastructure Management

Securely manage network infrastructure

Shared

1. Securely manage network infrastructure. 2. Example implementations include version-controlled-infrastructure-ascode, and the use of secure network protocols, such as SSH and HTTPS.

To ensure proper management of network infrastructure.

13.1

CIS_Controls_v8.1_13.1

CIS Controls v8.1 13.1

Network Monitoring and Defense

Centralize security event alerting

Shared

1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard.

To ensure that any security event is immediately alerted enterprise-wide.

102

13.3

CIS_Controls_v8.1_13.3

CIS Controls v8.1 13.3

Network Monitoring and Defense

Deploy a network intrusion detection solution

Shared

1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

To enhance the organization's cybersecurity.

100

16.12

CIS_Controls_v8.1_16.12

CIS Controls v8.1 16.12

Application Software Security

Implement code-level security checks

Shared

Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed.

To help identify and address potential security issues early in the development process, enhancing the overall security posture of the application.

16.13

CIS_Controls_v8.1_16.13

CIS Controls v8.1 16.13

Application Software Security

Conduct application penetration testing

Shared

1. Conduct application penetration testing. 2. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. 3. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.

To identify potential security weaknesses and assess the overall security posture of the application.

16.2

CIS_Controls_v8.1_16.2

CIS Controls v8.1 16.2

Application Software Security

Establish and maintain a process to accept and address software vulnerabilities

Shared

1. Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. 2. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. 3. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. 4. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. 5. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders.

To serve as an externally-facing document that establishes expectations for external stakeholders regarding vulnerability reporting and remediation procedures.

16.5

CIS_Controls_v8.1_16.5

CIS Controls v8.1 16.5

Application Software Security

Use up-to-date and trusted third-party software components

Shared

1. Use up-to-date and trusted third-party software components. 2. When possible, choose established and proven frameworks and libraries that provide adequate security. 3. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use.

To utilize up-to-date and trusted third-party software components in application development.

16.6

CIS_Controls_v8.1_16.6

CIS Controls v8.1 16.6

Application Software Security

Establish and maintain a severity rating system and process for application vulnerabilities

Shared

1. Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. 2. This process includes setting a minimum level of security acceptability for releasing code or applications. 3. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. 4. Review and update the system and process annually.

To establish and maintain a severity rating system and corresponding process for addressing application vulnerabilities, enabling prioritization of fixes based on severity levels, adapt to evolving threat landscapes and maintain effectiveness in mitigating risks.

16.7

CIS_Controls_v8.1_16.7

CIS Controls v8.1 16.7

Application Software Security

Use standard hardening configuration templates for application infrastructure

Shared

1. Use standard, industry-recommended hardening configuration templates for application infrastructure components. 2. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. 3. Do not allow in-house developed software to weaken configuration hardening.

To ensure that in-house developed software does not compromise the established configuration hardening standards.

18.1

CIS_Controls_v8.1_18.1

CIS Controls v8.1 18.1

Penetration Testing

Establish and maintain a penetration testing program

Shared

1. Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. 2. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.

To establish and maintain a penetration testing program tailored to the size, complexity, and maturity of the enterprise.

18.2

CIS_Controls_v8.1_18.2

CIS Controls v8.1 18.2

Penetration Testing

Perform periodic external penetration tests

Shared

1. Perform periodic external penetration tests based on program requirements, no less than annually. 2. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. 3. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. 4. The testing may be clear box or opaque box.

To ensure thorough assessment and mitigation of potential vulnerabilities.

18.3

CIS_Controls_v8.1_18.3

CIS Controls v8.1 18.3

Penetration Testing

Remediate penetration test findings

Shared

Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

To mitigate security risks effectively.

18.4

CIS_Controls_v8.1_18.4

CIS Controls v8.1 18.4

Penetration Testing

Validate security measures

Shared

Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.

To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise.

18.5

CIS_Controls_v8.1_18.5

404 not found

n/a

CMMC_2.0_L2

RA.L2-3.11.2

CMMC_2.0_L2_RA.L2-3.11.2

404 not found

n/a

CMMC_2.0_L2

RA.L2-3.11.3

CMMC_2.0_L2_RA.L2-3.11.3

404 not found

n/a

CMMC_2.0_L2

SI.L1-3.14.1

CMMC_2.0_L2_SI.L1-3.14.1

404 not found

n/a

CMMC_L2_v1.9.0_CM.L2_3.4.1

CM.L2_3.4.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.1

Configuration Management

System Baselining

Shared

Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

To ensure consistency, security, and compliance with organizational standards and requirements.

CMMC_L2_v1.9.0_CM.L2_3.4.2

CM.L2_3.4.2

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.2

Configuration Management

Security Configuration Enforcement

Shared

Establish and enforce security configuration settings for information technology products employed in organizational systems.

To mitigate vulnerabilities and enhance overall security posture.

CMMC_L2_v1.9.0_CM.L2_3.4.6

CM.L2_3.4.6

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.6

Configuration Management

Least Functionality

Shared

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

To reduce the risk of unauthorized access or exploitation of system vulnerabilities.

CMMC_L2_v1.9.0_RA.L2_3.11.2

RA.L2_3.11.2

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 RA.L2 3.11.2

Risk Assessment

Vulnerability Scan

Shared

Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

To enhance the overall security posture of the organization.

CMMC_L2_v1.9.0_RA.L2_3.11.3

RA.L2_3.11.3

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 RA.L2 3.11.3

Risk Assessment

Vulnerability Remediation

Shared

Remediate vulnerabilities in accordance with risk assessments.

To reduce the likelihood of security breaches and minimize potential impacts on operations and assets.

CMMC_L2_v1.9.0_SI.L1_3.14.1

SI.L1_3.14.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.1

System and Information Integrity

Flaw Remediation

Shared

Identify, report, and correct information and information system flaws in a timely manner.

To safeguard assets and maintain operational continuity.

CMMC_L2_v1.9.0_SI.L2_3.14.3

SI.L2_3.14.3

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.3

System and Information Integrity

Security Alerts & Advisories

Shared

Monitor system security alerts and advisories and take action in response.

To proactively defend against emerging threats and minimize the risk of security incidents or breaches.

CMMC_L2_v1.9.0_SI.L2_3.14.6

SI.L2_3.14.6

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.6

System and Information Integrity

Monitor Communications for Attacks

Shared

Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

To protect systems and data from unauthorized access or compromise.

CMMC_L2_v1.9.0_SI.L2_3.14.7

SI.L2_3.14.7

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.7

System and Information Integrity

Identify Unauthorized Use

Shared

Identify unauthorized use of organizational systems.

To enable the organization to take appropriate action, such as revoking access privileges, investigating security incidents, and implementing additional security controls to prevent future unauthorized access.

CMMC_L3

RM.2.143

CMMC_L3_RM.2.143

CMMC L3 RM.2.143

Risk Assessment

Remediate vulnerabilities in accordance with risk assessments.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Vulnerabilities discovered, for example, via the scanning conducted in response to RM.2.142, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.

CMMC_L3

SI.1.210

CMMC_L3_SI.1.210

CMMC L3 SI.1.210

System and Information Integrity

Identify, report, and correct information and information system flaws in a timely manner.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.

AIS_02

CSA_v4.0.12_AIS_02

CSA Cloud Controls Matrix v4.0.12 AIS 02

Application & Interface Security

Application Security Baseline Requirements

Shared

n/a

Establish, document and maintain baseline requirements for securing different applications.

CCC_02

CSA_v4.0.12_CCC_02

CSA Cloud Controls Matrix v4.0.12 CCC 02

Change Control and Configuration Management

Quality Testing

Shared

n/a

Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards.

CCC_03

CSA_v4.0.12_CCC_03

CSA Cloud Controls Matrix v4.0.12 CCC 03

Change Control and Configuration Management

Change Management Technology

Shared

n/a

Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced).

CCC_06

CSA_v4.0.12_CCC_06

CSA Cloud Controls Matrix v4.0.12 CCC 06

Change Control and Configuration Management

Change Management Baseline

Shared

n/a

Establish change management baselines for all relevant authorized changes on organization assets.

CCC_09

CSA_v4.0.12_CCC_09

CSA Cloud Controls Matrix v4.0.12 CCC 09

Change Control and Configuration Management

Change Restoration

Shared

n/a

Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns.

CEK_05

CSA_v4.0.12_CEK_05

CSA Cloud Controls Matrix v4.0.12 CEK 05

Cryptography, Encryption & Key Management

Encryption Change Management

Shared

n/a

Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes.

CEK_06

CSA_v4.0.12_CEK_06

CSA Cloud Controls Matrix v4.0.12 CEK 06

Cryptography, Encryption & Key Management

Encryption Change Cost Benefit Analysis

Shared

n/a

Manage and adopt changes to cryptography-, encryption-, and key management-related systems (including policies and procedures) that fully account for downstream effects of proposed changes, including residual risk, cost, and benefits analysis.

CEK_07

CSA_v4.0.12_CEK_07

CSA Cloud Controls Matrix v4.0.12 CEK 07

Cryptography, Encryption & Key Management

Encryption Risk Management

Shared

n/a

Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback.

CEK_20

CSA_v4.0.12_CEK_20

CSA Cloud Controls Matrix v4.0.12 CEK 20

Cryptography, Encryption & Key Management

Key Recovery

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements.

DCS_05

CSA_v4.0.12_DCS_05

CSA Cloud Controls Matrix v4.0.12 DCS 05

Datacenter Security

Assets Classification

Shared

n/a

Classify and document the physical, and logical assets (e.g., applications) based on the organizational business risk.

DCS_06

CSA_v4.0.12_DCS_06

CSA Cloud Controls Matrix v4.0.12 DCS 06

Datacenter Security

Assets Cataloguing and Tracking

Shared

n/a

Catalogue and track all relevant physical and logical assets located at all of the CSP's sites within a secured system.

UEM_03

CSA_v4.0.12_UEM_03

CSA Cloud Controls Matrix v4.0.12 UEM 03

Universal Endpoint Management

Compatibility

Shared

n/a

Define and implement a process for the validation of the endpoint device's compatibility with operating systems and applications.

UEM_04

CSA_v4.0.12_UEM_04

CSA Cloud Controls Matrix v4.0.12 UEM 04

Universal Endpoint Management

Endpoint Inventory

Shared

n/a

Maintain an inventory of all endpoints used to store and access company data.

UEM_05

CSA_v4.0.12_UEM_05

CSA Cloud Controls Matrix v4.0.12 UEM 05

Universal Endpoint Management

Endpoint Management

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data.

UEM_07

CSA_v4.0.12_UEM_07

CSA Cloud Controls Matrix v4.0.12 UEM 07

Universal Endpoint Management

Operating Systems

Shared

n/a

Manage changes to endpoint operating systems, patch levels, and/or applications through the company's change management processes.

UEM_12

CSA_v4.0.12_UEM_12

CSA Cloud Controls Matrix v4.0.12 UEM 12

Universal Endpoint Management

Remote Locate

Shared

n/a

Enable remote geo-location capabilities for all managed mobile endpoints.

EU_2555_(NIS2)_2022_11

EU 2022/2555 (NIS2) 2022 11

Requirements, technical capabilities and tasks of CSIRTs

Shared

n/a

Outlines the requirements, technical capabilities, and tasks of CSIRTs.

EU_2555_(NIS2)_2022_12

EU 2022/2555 (NIS2) 2022 12

Coordinated vulnerability disclosure and a European vulnerability database

Shared

n/a

Establishes a coordinated vulnerability disclosure process and a European vulnerability database.

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

194

EU_2555_(NIS2)_2022_29

EU 2022/2555 (NIS2) 2022 29

Cybersecurity information-sharing arrangements

Shared

n/a

Allows entities to exchange relevant cybersecurity information on a voluntary basis.

EU_2555_(NIS2)_2022_7

EU 2022/2555 (NIS2) 2022 7

National cybersecurity strategy

Shared

n/a

Requires Member States to adopt a national cybersecurity strategy.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

311

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

311

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

311

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

311

FBI_Criminal_Justice_Information_Services_v5.9.5_5.1

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1

Policy and Implementation - Systems And Communications Protection

Systems And Communications Protection

Shared

In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information.

Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment.

111

FBI_Criminal_Justice_Information_Services_v5.9.5_5

.11

FBI_Criminal_Justice_Information_Services_v5.9.5_5.11

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11

Policy and Implementation - Formal Audits

Policy Area 11: Formal Audits

Shared

Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit.

Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies.

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.7

404 not found

n/a

FedRAMP_High_R4

RA-5

FedRAMP_High_R4_RA-5

FedRAMP High RA-5

Risk Assessment

Vulnerability Scanning

Shared

n/a

The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times], in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). Supplemental Guidance: Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. References: NIST Special Publications 800-40, 800-70, 800-115; Web: http://cwe.mitre.org, http://nvd.nist.gov.

FedRAMP_High_R4

SI-2

FedRAMP_High_R4_SI-2

FedRAMP High SI-2

System And Information Integrity

Flaw Remediation

Shared

n/a

The organization: a. Identifies, reports, and corrects information system flaws; b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Installs security-relevant software and firmware updates within [Assignment: organization- defined time period] of the release of the updates; and d. Incorporates flaw remediation into the organizational configuration management process. Supplemental Guidance: Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11.

FedRAMP_Moderate_R4

RA-5

FedRAMP_Moderate_R4_RA-5

FedRAMP Moderate RA-5

Risk Assessment

Vulnerability Scanning

Shared

n/a

FedRAMP_Moderate_R4

SI-2

FedRAMP_Moderate_R4_SI-2

FedRAMP Moderate SI-2

System And Information Integrity

Flaw Remediation

Shared

n/a

FFIEC_CAT_2017

2.2.1

FFIEC_CAT_2017_2.2.1

FFIEC CAT 2017 2.2.1

Threat Intelligence and Collaboration

Monitoring and Analyzing

Shared

n/a

- Audit log records and other security event logs are reviewed and retained in a secure manner. - Computer event logs are used for investigations once an event has occurred.

FFIEC_CAT_2017

3.1.1

FFIEC_CAT_2017_3.1.1

FFIEC CAT 2017 3.1.1

Cybersecurity Controls

Infrastructure Management

Shared

n/a

- Network perimeter defense tools (e.g., border router and firewall) are used. - Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. - All ports are monitored. - Up to date antivirus and anti-malware tools are used. - Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. - Ports, functions, protocols and services are prohibited if no longer needed for business purposes. - Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored. - Programs that can override system, object, network, virtual machine, and application controls are restricted. - System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met. - Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.)

FFIEC_CAT_2017

3.2.3

FFIEC_CAT_2017_3.2.3

FFIEC CAT 2017 3.2.3

Cybersecurity Controls

Event Detection

Shared

n/a

- A normal network activity baseline is established. - Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks. - Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. - Responsibilities for monitoring and reporting suspicious systems activity have been assigned. - The physical environment is monitored to detect potential unauthorized access.

hipaa-0605.10h1System.12-10.h

0605.10h1System.12-10.h

0605.10h1System.12-10.h

06 Configuration Management

0605.10h1System.12-10.h 10.04 Security of System Files

Shared

n/a

Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release.

hipaa-0709.10m1Organizational.1-10.m

0709.10m1Organizational.1-10.m

0709.10m1Organizational.1-10.m

07 Vulnerability Management

0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management

Shared

n/a

Technical vulnerabilities are identified, evaluated for risk, and corrected in a timely manner.

hipaa-0713.10m2Organizational.5-10.m

0713.10m2Organizational.5-10.m

0713.10m2Organizational.5-10.m

07 Vulnerability Management

0713.10m2Organizational.5-10.m 10.06 Technical Vulnerability Management

Shared

n/a

Patches are tested and evaluated before they are installed.

hipaa-0718.10m3Organizational.34-10.m

0718.10m3Organizational.34-10.m

0718.10m3Organizational.34-10.m

07 Vulnerability Management

0718.10m3Organizational.34-10.m 10.06 Technical Vulnerability Management

Shared

n/a

The organization scans for vulnerabilities in the information system and hosted applications to determine the state of flaw remediation monthly (automatically), and again (manually or automatically) when new vulnerabilities potentially affecting the systems and networked environments are identified and reported.

06.h

HITRUST_CSF_v11.3_06.h

HITRUST CSF v11.3 06.h

Compliance with Security Policies and Standards

To ensure compliance with security implementation standards by regular checking of information systems.

Shared

1. Annual checks on the technical security configuration of systems is to be performed either manually by an individual with experience with the systems and/or with the assistance of automated software tools. 2. Technical compliance checking is to be implemented to show compliance in support of technical interoperability.

Information systems shall be regularly checked for compliance with security implementation standards.

09.ab

HITRUST_CSF_v11.3_09.ab

HITRUST CSF v11.3 09.ab

Monitoring

To establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls.

Shared

1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with.

Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly.

114

10.c

HITRUST_CSF_v11.3_10.c

HITRUST CSF v11.3 10.c

Correct Processing in Applications

To incorporate validation checks into applications to detect any corruption of information through processing errors or deliberate acts.

Shared

Data integrity controls which manage changes, prevent sequencing errors, ensure recovery from failures, and protect against buffer overrun attacks are to be implemented.

Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.

10.k

HITRUST_CSF_v11.3_10.k

HITRUST CSF v11.3 10.k

Security In Development and Support Processes

To ensure the security of application system software and information through the development process, project and support environments shall be strictly controlled.

Shared

1. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management is to be formally addressed. 2. Changes to mobile device operating systems, patch levels, and/or applications is to be managed through a formal change management process. 3. A baseline configuration of the information system is to be developed, documented, and maintained under configuration control.

The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures.

10.m

HITRUST_CSF_v11.3_10.m

HITRUST CSF v11.3 10.m

Technical Vulnerability Management

To reduce the risks resulting from exploitation of published technical vulnerabilities, technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness.

Shared

1. The necessary secure services, protocols required for the function of the system are to be enabled. 2. Security features to be implemented for any required services that are considered to be insecure. 3. Laptops, workstations, and servers to be configured so they will not auto-run content from removable media. 4. Configuration standards to be consistent with industry-accepted system hardening standards. 5. An enterprise security posture review within every 365 days is to be conducted. 6. Vulnerability scanning tools to be regularly updated with all relevant information system vulnerabilities.

Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.

IRS_1075_9.3

.14.3

IRS_1075_9.3.14.3

IRS 1075 9.3.14.3

Risk Assessment

Vulnerability Scanning (RA-5)

n/a

The agency must: a. Scan for vulnerabilities in the information system and hosted applications at a minimum of monthly for all systems and when new vulnerabilities potentially affecting the system/applications are identified and reported b. Employ vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations 2. Formatting checklists and test procedures 3. Measuring vulnerability impact c. Analyze vulnerability scan reports and results from security control assessments d. Remediate legitimate vulnerabilities in accordance with an assessment of risk e. Share information obtained from the vulnerability scanning process and security control assessments with designated agency officials to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies) f. Employ vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned (CE1)

IRS_1075_9.3

.17.2

IRS_1075_9.3.17.2

IRS 1075 9.3.17.2

System and Information Integrity

Flaw Remediation (SI-2)

n/a

The agency must: a. Identify, report, and correct information system flaws b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation c. Install security-relevant software and firmware updates based on severity and associated risk to the confidentiality of FTI d. Incorporate flaw remediation into the agency configuration management process e. Centrally manage the flaw remediation process (CE1) Security-relevant software updates include, for example, patches, service packs, hot fixes, and antivirus signatures.

5.5

ISO_IEC_27002_2022_5.5

ISO IEC 27002 2022 5.5

Identifying, Protection, Response, Recovery, Preventive, Corrective Control

Contact with authorities

Shared

The organization should establish and maintain contact with relevant authorities.

To ensure appropriate flow of information takes place with respect to information security between the organization and relevant legal, regulatory and supervisory authorities.

5.9

ISO_IEC_27002_2022_5.9

ISO IEC 27002 2022 5.9

Preventive, Identifying Control

Inventory of information and other associated assets

Shared

An inventory of information and other associated assets, including owners, should be developed and maintained.

To identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership.

8.16

ISO_IEC_27002_2022_8.16

ISO IEC 27002 2022 8.16

Response, Detection, Corrective Control

Monitoring activities

Shared

Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.

To detect anomalous behaviour and potential information security incidents.

8.8

ISO_IEC_27002_2022_8.8

ISO IEC 27002 2022 8.8

Identifying, Protection, Preventive Control

Management of technical vulnerabilities

Shared

Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.

To prevent exploitation of technical vulnerabilities.

8.9

ISO_IEC_27002_2022_8.9

ISO IEC 27002 2022 8.9

Protection, Preventive Control

Configuration management

Shared

Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.

To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes.

ISO_IEC_27017_2015

8.1.1

ISO_IEC_27017_2015_8.1.1

ISO IEC 27017 2015 8.1.1

Asset Management

Inventory of Assets

Shared

For Cloud Service Customer: The cloud service customer's inventory of assets should account for information and associated assets stored in the cloud computing environment. The records of the inventory should indicate where the assets are maintained, e.g., identification of the cloud service. For Cloud Service Provider: The inventory of assets of the cloud service provider should explicitly identify: (i) cloud service customer data; (ii) cloud service derived data.

To identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership.

ISO27001-2013

A.12.6.1

ISO27001-2013_A.12.6.1

ISO 27001:2013 A.12.6.1

Operations Security

Management of technical vulnerabilities

Shared

n/a

Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

New_Zealand_ISM_06.2.6.C.01

New_Zealand_ISM

06.2.6.C.01

06. Information security monitoring

06.2.6.C.01 Resolving vulnerabilities

n/a

Agencies SHOULD analyse and treat all vulnerabilities and subsequent security risks to their systems identified during a vulnerability assessment.

NIST_CSF_v2.0

DE.CM

NIST_CSF_v2.0_DE.CM

404 not found

n/a

NIST_CSF_v2.0

DE.CM_09

NIST_CSF_v2.0_DE.CM_09

NIST CSF v2.0 DE.CM 09

DETECT- Continuous Monitoring

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

Shared

n/a

To identify and analyze the cybersecurity attacks and compromises.

NIST_SP_800-171_R2_3

.11.2

NIST_SP_800-171_R2_3.11.2

NIST SP 800-171 R2 3.11.2

Risk Assessment

Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning. [SP 800-40] provides guidance on vulnerability management.

NIST_SP_800-171_R2_3.11.3

NIST_SP_800-171_R2_3

.11.3

NIST SP 800-171 R2 3.11.3

Risk Assessment

Remediate vulnerabilities in accordance with risk assessments.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.

NIST_SP_800-171_R2_3.14.1

NIST_SP_800-171_R2_3

.14.1

NIST SP 800-171 R2 3.14.1

System and Information Integrity

Identify, report, and correct system flaws in a timely manner.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

NIST_SP_800-171_R3_3.11.2

.11.2

NIST 800-171 R3 3.11.2

Risk Assessment Control

Vulnerability Monitoring and Scanning

Shared

Organizations determine the required vulnerability scanning for system components and ensure that potential sources of vulnerabilities (e.g., networked printers, scanners, and copiers) are not overlooked. Vulnerability analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, or binary analysis. Organizations can use these approaches in source code reviews and tools (e.g., static analysis tools, web-based application scanners, binary analyzers). Vulnerability scanning includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated and that employ the Extensible Configuration Checklist Description Format (XCCDF). Organizations also consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL). Sources for vulnerability information also include the Common Weakness Enumeration (CWE) listing, the National Vulnerability Database (NVD), and the Common Vulnerability Scoring System (CVSS).

a. Monitor and scan for vulnerabilities in the system periodically and when new vulnerabilities affecting the system are identified. b. Remediate system vulnerabilities within [Assignment: organization-defined response times]. c. Update system vulnerabilities to be scanned periodically and when new vulnerabilities are identified and reported.

NIST_SP_800-171_R3_3.14.1

.14.1

NIST 800-171 R3 3.14.1

System and Information Integrity Control

Flaw Remediation

Shared

Organizations identify systems that are affected by announced software and firmware flaws, including potential vulnerabilities that result from those flaws, and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address the flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources, such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases, in remediating the flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors, including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.

a. Identify, report, and correct system flaws. b. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates.

NIST_SP_800-171_R3_3.14.6

.14.6

NIST 800-171 R3 3.14.6

System and Information Integrity Control

System Monitoring

Shared

System monitoring involves external and internal monitoring. External monitoring includes the observation of events that occur at the system boundary. Internal monitoring includes the observation of events that occur within the system. Organizations can monitor the system, for example, by observing audit record activities in real time or by observing other system aspects, such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. A system monitoring capability is achieved through a variety of tools and techniques (e.g., audit record monitoring software, intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms that support critical applications with such devices being employed at managed system interfaces. The granularity of monitoring the information collected is based on organizational monitoring objectives and the capability of the system to support such objectives. Systems connections can be network, remote, or local. A network connection is any connection with a device that communicates through a network (e.g., local area network, the internet). A remote connection is any connection with a device that communicates through an external network (e.g., the internet). Network, remote, and local connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in the system or propagating among system components, the unauthorized export of information, or signaling to external systems. Evidence of malicious code is used to identify a potentially compromised system. System monitoring requirements, including the need for types of system monitoring, may be referenced in other requirements.

a. Monitor the system to detect: 1. Attacks and indicators of potential attacks; and 2. Unauthorized connections. b. Identify unauthorized use of the system. c. Monitor inbound and outbound communications traffic to detect unusual or unauthorized activities or conditions.

.4.1

NIST_SP_800-171_R3_3.4.1

404 not found

n/a

NIST_SP_800-171_R3_3.4.10

.4.10

NIST 800-171 R3 3.4.10

Configuration Management Control

System Component Inventory

Shared

System components are discrete, identifiable assets (i.e., hardware, software, and firmware elements) that compose a system. Organizations may implement centralized system component inventories that include components from all systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information — and for networked components — the machine names and network addresses for all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include component type, physical location, date of receipt, manufacturer, cost, model, serial number, and supplier information.

a. Develop and document an inventory of system components. b. Review and update the system component inventory periodically. c. Update the system component inventory as part of installations, removals, and system updates.

.4.2

NIST_SP_800-171_R3_3.4.2

404 not found

n/a

NIST_SP_800-53_R4

RA-5

NIST_SP_800-53_R4_RA-5

NIST SP 800-53 Rev. 4 RA-5

Risk Assessment

Vulnerability Scanning

Shared

n/a

NIST_SP_800-53_R4

SI-2

NIST_SP_800-53_R4_SI-2

NIST SP 800-53 Rev. 4 SI-2

System And Information Integrity

Flaw Remediation

Shared

n/a

NIST_SP_800-53_R5.1.1_CM.2

CM.2

NIST SP 800-53 R5.1.1 CM.2

Configuration Management Control

Baseline Configuration

Shared

a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: Assignment organization-defined circumstances]; and 3. When system components are installed or upgraded.

Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.

NIST_SP_800-53_R5.1.1_CM.6

CM.6

NIST SP 800-53 R5.1.1 CM.6

Configuration Management Control

Configuration Settings

Shared

a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system. Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors. Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.

NIST_SP_800-53_R5.1.1_CM.8

CM.8

NIST SP 800-53 R5.1.1 CM.8

Configuration Management Control

System Component Inventory

Shared

a. Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and b. Review and update the system component inventory [Assignment: organization-defined frequency].

System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location. Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8(7) can help to eliminate duplicate accounting of components.

NIST_SP_800-53_R5.1.1_CM.8.2

CM.8.2

NIST SP 800-53 R5.1.1 CM.8.2

Configuration Management Control

System Component Inventory | Automated Maintenance

Shared

Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms].

Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of CM-2(2) for organizations that combine system component inventory and baseline configuration activities.

NIST_SP_800-53_R5.1.1_RA.5

RA.5

NIST SP 800-53 R5.1.1 RA.5

Risk Assessment Control

Vulnerability Monitoring and Scanning

Shared

a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers. Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation. Organizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.

NIST_SP_800-53_R5.1.1_SI.2

SI.2

NIST SP 800-53 R5.1.1 SI.2

System and Information Integrity Control

Flaw Remediation

Shared

a. Identify, report, and correct system flaws; b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d. Incorporate flaw remediation into the organizational configuration management process.

The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

NIST_SP_800-53_R5.1.1_SI.4

SI.4

NIST SP 800-53 R5.1.1 SI.4

System and Information Integrity Control

System Monitoring

Shared

a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency] ].

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

NIST_SP_800-53_R5

RA-5

NIST_SP_800-53_R5_RA-5

NIST SP 800-53 Rev. 5 RA-5

Risk Assessment

Vulnerability Monitoring and Scanning

Shared

n/a

NIST_SP_800-53_R5

SI-2

NIST_SP_800-53_R5_SI-2

NIST SP 800-53 Rev. 5 SI-2

System and Information Integrity

Flaw Remediation

Shared

n/a

NZ_ISM_v3.5

ISM-4

NZ_ISM_v3.5_ISM-4

NZISM Security Benchmark ISM-4

Information security monitoring

6.2.6 Resolving vulnerabilities

Customer

n/a

Vulnerabilities may occur as a result of poorly designed or implemented information security practices, accidental activities or malicious activities, and not just as the result of a technical issue.

NZISM_Security_Benchmark_v1.1

ISM-4

NZISM_Security_Benchmark_v1.1_ISM-4

NZISM Security Benchmark ISM-4

Information security monitoring

6.2.6 Resolving vulnerabilities

Customer

Agencies SHOULD analyse and treat all vulnerabilities and subsequent security risks to their systems identified during a vulnerability assessment.

Vulnerabilities may occur as a result of poorly designed or implemented information security practices, accidental activities or malicious activities, and not just as the result of a technical issue.

12.4.4.C.01.

NZISM_v3.7_12.4.4.C.01.

NZISM v3.7 12.4.4.C.01.

Product Patching and Updating

12.4.4.C.01. - To mitigate the risk of exploitation by malicious actors and to ensure the ongoing security and integrity of the agency's IT systems and data.

Shared

n/a

Agencies MUST apply all critical security patches as soon as possible and within two (2) days of the release of the patch or update.

12.4.4.C.02.

NZISM_v3.7_12.4.4.C.02.

NZISM v3.7 12.4.4.C.02.

Product Patching and Updating

12.4.4.C.02. - To minimise the risk of disruptions or vulnerabilities introduced by the patches.

Shared

n/a

Agencies MUST implement a patch management strategy, including an evaluation or testing process.

12.4.4.C.04.

NZISM_v3.7_12.4.4.C.04.

NZISM v3.7 12.4.4.C.04.

Product Patching and Updating

12.4.4.C.04. - To mitigate the risk of exploitation by malicious actors and to ensure the ongoing security and integrity of the agency's IT systems and data.

Shared

n/a

Agencies SHOULD apply all critical security patches as soon as possible and preferably within two (2) days of the release of the patch or update.

12.4.4.C.05.

NZISM_v3.7_12.4.4.C.05.

NZISM v3.7 12.4.4.C.05.

Product Patching and Updating

12.4.4.C.05. - To reduce the potential attack surface for malicious actors.

Shared

n/a

Agencies SHOULD apply all non-critical security patches as soon as possible.

12.4.4.C.06.

NZISM_v3.7_12.4.4.C.06.

NZISM v3.7 12.4.4.C.06.

Product Patching and Updating

12.4.4.C.06. - To maintain the integrity and effectiveness of the patching process.

Shared

n/a

Agencies SHOULD ensure that security patches are applied through a vendor recommended patch or upgrade process.

14.1.9.C.01.

NZISM_v3.7_14.1.9.C.01.

NZISM v3.7 14.1.9.C.01.

Standard Operating Environments

14.1.9.C.01. - To maintain system reliability, protect sensitive information, and fulfill security requirements.

Shared

n/a

Agencies MUST ensure that for all servers and workstations: 1. a technical specification is agreed for each platform with specified controls; 2. a standard configuration created and updated for each operating system type and version; 3. system users do not have the ability to install or disable software without approval; and 4. installed software and operating system patching is up to date.

14.3.12.C.01.

NZISM_v3.7_14.3.12.C.01.

NZISM v3.7 14.3.12.C.01.

Web Applications

14.3.12.C.01. - To strengthening the overall security posture of the agency's network environment.

Shared

n/a

Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations.

16.1.31.C.01.

NZISM_v3.7_16.1.31.C.01.

NZISM v3.7 16.1.31.C.01.

Identification, Authentication and Passwords

16.1.31.C.01. - To promote security and accountability within the agency's systems.

Shared

n/a

Agencies MUST: 1. develop, implement and maintain a set of policies and procedures covering all system users: a. identification; b. authentication; c. authorisation; d. privileged access identification and management; and 2. make their system users aware of the agency's policies and procedures.

16.1.32.C.01.

NZISM_v3.7_16.1.32.C.01.

NZISM v3.7 16.1.32.C.01.

Identification, Authentication and Passwords

16.1.32.C.01. - To promote security and accountability within the agency's systems.

Shared

n/a

Agencies MUST ensure that all system users are: 1. uniquely identifiable; and 2. authenticated on each occasion that access is granted to a system.

17.1.58.C.02.

NZISM_v3.7_17.1.58.C.02.

NZISM v3.7 17.1.58.C.02.

Cryptographic Fundamentals

17.1.58.C.02. - To enhance overall cybersecurity posture.

Shared

n/a

Agencies SHOULD use risk assessment techniques and guidance to establish cryptoperiods.

17.5.7.C.02.

NZISM_v3.7_17.5.7.C.02.

NZISM v3.7 17.5.7.C.02.

Secure Shell

17.5.7.C.02. - To enhance overall cybersecurity posture.

Shared

n/a

Agencies that allow password authentication SHOULD use techniques to block brute force attacks against the password.

22.1.24.C.02.

NZISM_v3.7_22.1.24.C.02.

NZISM v3.7 22.1.24.C.02.

Cloud Computing

22.1.24.C.02. - To enhance security posture.

Shared

n/a

Agencies intending to adopt cloud technologies or services SHOULD apply separation and access controls to protect data and systems where support is provided by offshore technical staff.

22.1.26.C.01.

NZISM_v3.7_22.1.26.C.01.

NZISM v3.7 22.1.26.C.01.

Cloud Computing

22.1.26.C.01. - To ensure safety of data.

Shared

n/a

Agencies MUST develop and implement a backup, recovery and archiving plan and supporting procedures.

23.1.56.C.01.

NZISM_v3.7_23.1.56.C.01.

NZISM v3.7 23.1.56.C.01.

Public Cloud Security Concepts

23.1.56.C.01. - To reduce manual errors and ensure adherence to security standards.

Shared

n/a

Agencies SHOULD deploy and manage their cloud infrastructure using automation, version control, and infrastructure as code techniques where these are available.

23.2.20.C.01.

NZISM_v3.7_23.2.20.C.01.

NZISM v3.7 23.2.20.C.01.

Governance, Risk Assessment & Assurance

23.2.20.C.01. - To enhance confidence in the security and reliability of cloud services and mitigate risks associated with potential vulnerabilities or non-compliance with security standards.

Shared

n/a

Agencies MUST obtain assurance that technical protections exist to adequately isolate tenants.

6.4.6.C.01.

NZISM_v3.7_6.4.6.C.01.

NZISM v3.7 6.4.6.C.01.

Business Continuity and Disaster Recovery

6.4.6.C.01. - To enhance operational resilience.

Shared

n/a

Agencies SHOULD: 1.Identify vital records; 2. backup all vital records; 3. store copies of critical information, with associated documented recovery procedures, offsite and secured in accordance with the requirements for the highest 4. 4. classification of the information; and 5. test backup and restoration processes regularly to confirm their effectiveness.

11.2.1

PCI_DSS_v3.2.1_11.2.1

PCI DSS v3.2.1 11.2.1

Requirement 11

PCI DSS requirement 11.2.1

shared

n/a

5.1

PCI_DSS_v3.2.1_5.1

PCI DSS v3.2.1 5.1

Requirement 5

PCI DSS requirement 5.1

shared

n/a

6.2

PCI_DSS_v3.2.1_6.2

PCI DSS v3.2.1 6.2

Requirement 6

PCI DSS requirement 6.2

shared

n/a

6.6

PCI_DSS_v3.2.1_6.6

PCI DSS v3.2.1 6.6

Requirement 6

PCI DSS requirement 6.6

shared

n/a

10.3.4

PCI_DSS_v4.0.1_10.3.4

PCI DSS v4.0.1 10.3.4

Log and Monitor All Access to System Components and Cardholder Data

Log Integrity Monitoring

Shared

n/a

File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts.

11.3.1

PCI_DSS_v4.0.1_11.3.1

PCI DSS v4.0.1 11.3.1

Test Security of Systems and Networks Regularly

Internal Vulnerability Scans

Shared

n/a

Internal vulnerability scans are performed as follows: • At least once every three months. • Vulnerabilities that are either high-risk or critical (according to the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved. • Rescans are performed that confirm all high-risk and all critical vulnerabilities (as noted above) have been resolved. • Scan tool is kept up to date with latest vulnerability information. • Scans are performed by qualified personnel and organizational independence of the tester exists.

11.3.1.1

PCI_DSS_v4.0.1_11.3.1.1

PCI DSS v4.0.1 11.3.1.1

Test Security of Systems and Networks Regularly

Management of Other Vulnerabilities

Shared

n/a

All other applicable vulnerabilities (those not ranked as high-risk vulnerabilities or critical vulnerabilities according to the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are managed as follows: • Addressed based on the risk defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. • Rescans are conducted as needed.

11.4.4

PCI_DSS_v4.0.1_11.4.4

PCI DSS v4.0.1 11.4.4

Test Security of Systems and Networks Regularly

Addressing Penetration Testing Findings

Shared

n/a

Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows: • In accordance with the entity’s assessment of the risk posed by the security issue as defined in Requirement 6.3.1. • Penetration testing is repeated to verify the corrections.

11.5.1

PCI_DSS_v4.0.1_11.5.1

PCI DSS v4.0.1 11.5.1

Test Security of Systems and Networks Regularly

Intrusion Detection/Prevention

Shared

n/a

Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network as follows: • All traffic is monitored at the perimeter of the CDE. • All traffic is monitored at critical points in the CDE. • Personnel are alerted to suspected compromises. • All intrusion-detection and prevention engines, baselines, and signatures are kept up to date

11.5.1.1

PCI_DSS_v4.0.1_11.5.1.1

PCI DSS v4.0.1 11.5.1.1

Test Security of Systems and Networks Regularly

Covert Malware Detection

Shared

n/a

Additional requirement for service providers only: Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels.

11.5.2

PCI_DSS_v4.0.1_11.5.2

PCI DSS v4.0.1 11.5.2

Test Security of Systems and Networks Regularly

Change-Detection Mechanism Deployment

Shared

n/a

A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows: • To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files. • To perform critical file comparisons at least once weekly.

2.2.1

PCI_DSS_v4.0.1_2.2.1

PCI DSS v4.0.1 2.2.1

Apply Secure Configurations to All System Components

Configuration standards are developed, implemented, and maintained to cover all system components, address all known security vulnerabilities, be consistent with industry-accepted system hardening standards or vendor hardening recommendations, be updated as new vulnerability issues are identified, and be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment

Shared

n/a

Examine system configuration standards to verify they define processes that include all elements specified in this requirement. Examine policies and procedures and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. Examine configuration settings and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before or immediately after a system component is connected to a production environment

6.3.3

PCI_DSS_v4.0.1_6.3.3

PCI DSS v4.0.1 6.3.3

Develop and Maintain Secure Systems and Software

All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: Patches/updates for critical vulnerabilities (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release. All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity’s assessment of the criticality of the risk to the environment as identified according to the risk ranking process at Requirement 6.3.1

Shared

n/a

Examine policies and procedures to verify processes are defined for addressing vulnerabilities by installing applicable security patches/updates in accordance with all elements specified in this requirement. Examine system components and related software and compare the list of installed security patches/updates to the most recent security patch/update information to verify vulnerabilities are addressed in accordance with all elements specified in this requirement

6.4.1

PCI_DSS_v4.0.1_6.4.1

PCI DSS v4.0.1 6.4.1

Develop and Maintain Secure Systems and Software

For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows: At least once every 12 months and after significant changes. By an entity that specializes in application security. Including, at a minimum, all common software attacks in Requirement 6.2.4. All vulnerabilities are ranked in accordance with requirement 6.3.1. All vulnerabilities are corrected. The application is re-evaluated after the corrections. OR Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows: Installed in front of public-facing web applications to detect and prevent web-based attacks. Actively running and up to date as applicable. Generating audit logs. Configured to either block web-based attacks or generate an alert that is immediately investigated

Shared

n/a

For public-facing web applications, ensure that either one of the required methods is in place as follows: If manual or automated vulnerability security assessment tools or methods are in use, examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed in accordance with all elements of this requirement specific to the tool/method. OR If an automated technical solution(s) is installed that continually detects and prevents web-based attacks, examine the system configuration settings and audit logs, and interview responsible personnel to verify that the automated technical solution(s) is installed in accordance with all elements of this requirement specific to the solution(s)

9.5.1

PCI_DSS_v4.0.1_9.5.1

PCI DSS v4.0.1 9.5.1

Restrict Physical Access to Cardholder Data

Protection Measures for POI Devices Against Tampering and Unauthorized Substitution

Shared

n/a

POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following: • Maintaining a list of POI devices. • Periodically inspecting POI devices to look for tampering or unauthorized substitution. • Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices.

9.5.1.1

PCI_DSS_v4.0.1_9.5.1.1

PCI DSS v4.0.1 9.5.1.1

Restrict Physical Access to Cardholder Data

Maintenance of an Up-to-Date List of POI Devices

Shared

n/a

An up-to-date list of POI devices is maintained, including: • Make and model of the device. • Location of device. • Device serial number or other methods of unique identification.

11.3.1

PCI_DSS_v4.0_11.3.1

PCI DSS v4.0 11.3.1

Requirement 11: Test Security of Systems and Networks Regularly

External and internal vulnerabilities are regularly identified, prioritized, and addressed

Shared

n/a

Internal vulnerability scans are performed as follows: • At least once every three months. • High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved. • Rescans are performed that confirm all high-risk and critical vulnerabilities as noted above) have been resolved. • Scan tool is kept up to date with latest vulnerability information. • Scans are performed by qualified personnel and organizational independence of the tester exists.

5.2.1

PCI_DSS_v4.0_5.2.1

PCI DSS v4.0 5.2.1

Requirement 05: Protect All Systems and Networks from Malicious Software

Malicious software (malware) is prevented, or detected and addressed

Shared

n/a

An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.

5.2.2

PCI_DSS_v4.0_5.2.2

PCI DSS v4.0 5.2.2

Requirement 05: Protect All Systems and Networks from Malicious Software

Malicious software (malware) is prevented, or detected and addressed

Shared

n/a

The deployed anti-malware solution(s): • Detects all known types of malware. • Removes, blocks, or contains all known types of malware.

5.2.3

PCI_DSS_v4.0_5.2.3

PCI DSS v4.0 5.2.3

Requirement 05: Protect All Systems and Networks from Malicious Software

Malicious software (malware) is prevented, or detected and addressed

Shared

n/a

Any system components that are not at risk for malware are evaluated periodically to include the following: • A documented list of all system components not at risk for malware. • Identification and evaluation of evolving malware threats for those system components. • Confirmation whether such system components continue to not require anti-malware protection.

6.3.3

PCI_DSS_v4.0_6.3.3

PCI DSS v4.0 6.3.3

Requirement 06: Develop and Maintain Secure Systems and Software

Security vulnerabilities are identified and addressed

Shared

n/a

All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: • Critical or high-security patches/updates are identified according to the risk ranking process at Requirement 6.3.1. • Critical or high-security patches/updates are installed within one month of release. • All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity (for example, within three months of release).

6.4.1

PCI_DSS_v4.0_6.4.1

PCI DSS v4.0 6.4.1

Requirement 06: Develop and Maintain Secure Systems and Software

Public-facing web applications are protected against attacks

Shared

n/a

For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows: – At least once every 12 months and after significant changes. – By an entity that specializes in application security. – Including, at a minimum, all common software attacks in Requirement 6.3.6. – All vulnerabilities are ranked in accordance with requirement 6.2.1. – All vulnerabilities are corrected. – The application is re-evaluated after the corrections OR • Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows: – Installed in front of public-facing web applications to detect and prevent webbased attacks. – Actively running and up to date as applicable. – Generating audit logs. – Configured to either block web-based attacks or generate an alert that is immediately investigated.

18.4

RBI_CSF_Banks_v2016_18.4

Vulnerability Assessment And Penetration Test And Red Team Exercises

Vulnerability Assessment And Penetration Test And Red Team Exercises-18.4

n/a

Findings of VA/PT and the follow up actions necessitated are to be monitored closely by the Information Security/Information Technology Audit team as well as Senior/Top Management.

2.3

RBI_CSF_Banks_v2016_2.3

Preventing Execution Of Unauthorised Software

Security Update Management-2.3

n/a

Continuously monitor the release of patches by various vendors / OEMs, advisories issued by CERT-in and other similar agencies and expeditiously apply the security patches as per the patch management policy of the bank. If a patch/series of patches is/are released by the OEM/manufacturer/vendor for protection against wellknown/well publicised/reported attacks exploiting the vulnerability patched, the banks must have a mechanism to apply them expeditiously following an emergency patch management process.

7.1

RBI_CSF_Banks_v2016_7.1

Patch/Vulnerability & Change Management

Patch/Vulnerability & Change Management-7.1

n/a

Follow a documented risk-based strategy for inventorying IT components that need to be patched, identification of patches and applying patches so as to minimize the number of vulnerable systems and the time window of vulnerability/exposure.

7.2

RBI_CSF_Banks_v2016_7.2

Patch/Vulnerability & Change Management

Patch/Vulnerability & Change Management-7.2

n/a

Put in place systems and processes to identify, track, manage and monitor the status of patches to operating system and application software running at end-user devices directly connected to the internet and in respect of Server operating Systems/Databases/Applications/ Middleware, etc.

7.6

RBI_CSF_Banks_v2016_7.6

Patch/Vulnerability & Change Management

Patch/Vulnerability & Change Management-7.6

n/a

As a threat mitigation strategy, identify the root cause of incident and apply necessary patches to plug the vulnerabilities.

RBI_ITF_NBFC_v2017

RBI_ITF_NBFC_v2017_1

RBI IT Framework 1

IT Governance

IT Governance-1

n/a

IT Governance is an integral part of corporate governance. It involves leadership support, organizational structure and processes to ensure that the NBFC???s IT sustains and extends business strategies and objectives. Effective IT Governance is the responsibility of the Board of Directors and Executive Management. Well-defined roles and responsibilities of Board and Senior Management are critical, while implementing IT Governance. Clearly-defined roles enable effective project control. People, when they are aware of others' expectations from them, are able to complete work on time, within budget and to the expected level of quality. IT Governance Stakeholders include: Board of Directors, IT Strategy Committees, CEOs, Business Executives, Chief Information Officers (CIOs), Chief Technology Officers (CTOs), IT Steering Committees (operating at an executive level and focusing on priority setting, resource allocation and project tracking), Chief Risk Officer and Risk Committees. The basic principles of value delivery, IT Risk Management, IT resource management and performance management must form the basis of governance framework. IT Governance has a continuous life-cycle. It's a process in which IT strategy drives the processes, using resources necessary to execute responsibilities. Given the criticality of the IT, NBFCs may follow relevant aspects of such prudential governance standards that have found acceptability in the finance industry.

RBI_ITF_NBFC_v2017

3.3

RBI_ITF_NBFC_v2017_3.3

RBI IT Framework 3.3

Information and Cyber Security

Vulnerability Management-3.3

n/a

A vulnerability can be defined as an inherent configuration flaw in an organization???s information technology base, whether hardware or software, which can be exploited by a third party to gather sensitive information regarding the organization. Vulnerability management is an ongoing process to determine the process of eliminating or mitigating vulnerabilities based upon the risk and cost associated with the vulnerabilities. NBFCs may devise a strategy for managing and eliminating vulnerabilities and such strategy may clearly be communicated in the Cyber Security policy

RMiT_v1.0

Appendix_5.2

RMiT_v1.0_Appendix_5.2

RMiT Appendix 5.2

Control Measures on Cybersecurity

Control Measures on Cybersecurity - Appendix 5.2

Customer

n/a

Update checklists on the latest security hardening of operating systems.

A1.1

SOC_2023_A1.1

SOC 2023 A1.1

Additional Criteria for Availability

To effectively manage capacity demand and facilitate the implementation of additional capacity as needed.

Shared

n/a

The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

112

CC1.4

SOC_2023_CC1.4

SOC 2023 CC1.4

Control Environment

To ensure organizational resilience, innovation, and competitiveness in the long run.

Shared

n/a

Entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives by establishing policies and procedures, evaluating the competence required and address its shortcomings, attracts, develops and retains individuals through mentoring and training and plan and prepare for succession by developing contingency plans for assignments of responsibilities important for internal control.

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

To facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

219

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

To maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

230

CC6.1

SOC_2023_CC6.1

SOC 2023 CC6.1

Logical and Physical Access Controls

To mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets.

Shared

n/a

Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys.

129

CC7.2

SOC_2023_CC7.2

SOC 2023 CC7.2

Systems Operations

To maintain robust security measures and ensure operational resilience.

Shared

n/a

The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events.

168

CC7.4

SOC_2023_CC7.4

SOC 2023 CC7.4

Systems Operations

To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation.

Shared

n/a

The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations.

214

CC8.1

SOC_2023_CC8.1

SOC 2023 CC8.1

Change Management

To minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change.

Shared

n/a

The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations.

148

CM_8b

SOC_2023_CM_8b

404 not found

n/a

2.2

SWIFT_CSCF_2024_2.2

SWIFT Customer Security Controls Framework 2024 2.2

Risk Management

Security Updates

Shared

1. The closure of known security vulnerabilities is effective in reducing the various pathways that an attacker may use during an attack. 2. A security update process that is comprehensive, repeatable, and implemented in a timely manner is necessary to continuously close these known vulnerabilities when security updates are available.

To minimise the occurrence of known technical vulnerabilities on operator PCs and within the user’s Swift infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk.

2.7

SWIFT_CSCF_2024_2.7

SWIFT Customer Security Controls Framework 2024 2.7

Risk Management

Vulnerability Scanning

Shared

1. The detection of known vulnerabilities allows vulnerabilities to be analysed, treated, and mitigated. The mitigation of vulnerabilities reduces the number of pathways that a malicious actor can use during an attack. 2. A vulnerability scanning process that is comprehensive, repeatable, and performed in a timely manner is necessary to continuously detect known vulnerabilities and to allow for further action.

To identify known vulnerabilities within the user’s Swift environment by implementing a regular vulnerability scanning process and act upon results.

2.9

SWIFT_CSCF_2024_2.9

SWIFT Customer Security Controls Framework 2024 2.9

Transaction Controls

Transaction Business Controls

Shared

1. Implementing business controls that restrict Swift transactions to the fullest extent possible reduces the opportunity for the sending (outbound) and, optionally, receiving (inbound) of fraudulent transactions. 2. These restrictions are best determined through an analysis of normal business activity. Parameters can then be set to restrict business to acceptable thresholds based on “normal” activity.

To ensure outbound transaction activity within the expected bounds of normal business.

6.4

SWIFT_CSCF_2024_6.4

SWIFT Customer Security Controls Framework 2024 6.4

Access Control

Logging and Monitoring

Shared

1. Developing a logging and monitoring plan is the basis for effectively detecting abnormal behaviour and potential attacks and support further investigations. 2. As the operational environment becomes more complex, so will the logging and monitoring capability needed to perform adequate detection. Simplifying the operational environment will enable simpler logging and monitoring.

To record security events, detect and respond to anomalous actions and operations within the user’s Swift environment.

6.5

SWIFT_CSCF_2024_6.5

404 not found

n/a

9.2

SWIFT_CSCF_2024_9.2

404 not found

n/a

SWIFT_CSCF_v2021

2.7

SWIFT_CSCF_v2021_2.7

SWIFT CSCF v2021 2.7

Reduce Attack Surface and Vulnerabilities

Vulnerability Scanning

n/a

Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results.

SWIFT_CSCF_v2022

2.7

SWIFT_CSCF_v2022_2.7

SWIFT CSCF v2022 2.7

2. Reduce Attack Surface and Vulnerabilities

Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results.

Shared

n/a

Secure zone (including dedicated operator PC) systems are scanned for vulnerabilities using an up-to-date, reputable scanning tool and results are considered for appropriate resolving actions.

U.09.3 - Detection, prevention and recovery

404 not found

n/a

B4.b

UK_NCSC_CAF_v3.2_B4.b

NCSC Cyber Assurance Framework (CAF) v3.2 B4.b

System Security

Secure Configuration

Shared

1. Identify, document and actively manage (e.g. maintain security configurations, patching, updating according to good practice) the assets that need to be carefully configured to maintain the security of the essential function. 2. All platforms conform to secure, defined baseline build, or the latest known good configuration version for that environment. 3. Closely and effectively manage changes in the environment, ensuring that network and system configurations are secure and documented. 4. Regularly review and validate that your network and information systems have the expected, secure settings and configuration. 5. Only permitted software can be installed and standard users cannot change settings that would impact security or the business operation. 6. If automated decision-making technologies are in use, their operation is well understood, and decisions can be replicated.

Securely configure the network and information systems that support the operation of essential functions.

UK_NCSC_CAF_v3.2_C

404 not found

n/a

UK_NCSC_CAF_v3.2_C1

404 not found

n/a

C1.c

UK_NCSC_CAF_v3.2_C1.c

NCSC Cyber Assurance Framework (CAF) v3.2 C1.c

Security Monitoring

Generating Alerts

Shared

1. Logging data is enriched with other network knowledge and data when investigating certain suspicious activity or alerts. 2. A wide range of signatures and indicators of compromise is used for investigations of suspicious activity and alerts. 3. Alerts can be easily resolved to network assets using knowledge of networks and systems. The resolution of these alerts is performed in almost real time. 4. Security alerts relating to all essential functions are prioritised and this information is used to support incident management. 5. Logs are reviewed almost continuously, in real time. 6. Alerts are tested to ensure that they are generated reliably and that it is possible to distinguish genuine security incidents from false alarms.

Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts.

C1.d

UK_NCSC_CAF_v3.2_C1.d

NCSC Cyber Assurance Framework (CAF) v3.2 C1.d

Security Monitoring

Identifying Security Incidents

Shared

1. Select threat intelligence sources or services using risk-based and threat-informed decisions based on the business needs and sector (e.g. vendor reporting and patching, strong anti-virus providers, sector and community-based info share, special interest groups). 2. Apply all new signatures and IoCs within a reasonable (risk-based) time of receiving them. 3. Receive signature updates for all the protective technologies (e.g. AV, IDS). 4. Track the effectiveness of the intelligence feeds and actively share feedback on the usefulness of IoCs and any other indicators with the threat community (e.g. sector partners, threat intelligence providers, government agencies).

Contextualise alerts with knowledge of the threat and the systems, to identify those security incidents that require some form of response.

UK_NCSC_CAF_v3.2_C2

404 not found

n/a

C2.b

UK_NCSC_CAF_v3.2_C2.b

NCSC Cyber Assurance Framework (CAF) v3.2 C2.b

Proactive Security Event Discovery

Proactive Attack Discovery

Shared

1. Routinely search for system abnormalities indicative of malicious activity on the networks and information systems supporting the operation of your essential function, generating alerts based on the results of such searches. 2. Have justified confidence in the effectiveness of the searches for system abnormalities indicative of malicious activity.

Use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity.

UK_NCSC_CSP

5.2

UK_NCSC_CSP_5.2

UK NCSC CSP 5.2

Operational security

Vulnerability management

Shared

n/a

Service providers should have a management processes in place to identify, triage and mitigate vulnerabilities. Services which don’t, will quickly become vulnerable to attack using publicly known methods and tools.