compliance controls are associated with this Policy definition 'Azure VPN gateways should not use 'basic' SKU' (e345b6c3-24bd-4c93-9bbb-7e5e49a17b78)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Canada_Federal_PBMM_3-1-2020 |
CM_3 |
Canada_Federal_PBMM_3-1-2020_CM_3 |
Canada Federal PBMM 3-1-2020 CM 3 |
Configuration Change Control |
Configuration Change Control |
Shared |
1. The organization determines the types of changes to the information system that are configuration-controlled.
2. The organization reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses.
3. The organization documents configuration change decisions associated with the information system.
4. The organization implements approved configuration-controlled changes to the information system.
5. The organization retains records of configuration-controlled changes to the information system for at least 90 days.
6. The organization audits and reviews activities associated with configuration-controlled changes to the information system.
7. The organization coordinates and provides oversight for configuration change control activities through a central communication process that includes organizational governance bodies that convenes at least annually. |
To ensure systematic control and oversight of configuration changes to the information system, mitigating risks and maintaining system integrity. |
|
5 |
| Canada_Federal_PBMM_3-1-2020 |
CM_6 |
Canada_Federal_PBMM_3-1-2020_CM_6 |
Canada Federal PBMM 3-1-2020 CM 6 |
Configuration Settings |
Configuration Settings |
Shared |
1. The organization establishes and documents configuration settings for information technology products employed within the information system using checklists from one or more of the following:
a. Center for Internet Security (CIS), National Institute of Standards and Technology (NIST), Defense Information Systems Agency (DISA) that reflect the most restrictive mode consistent with operational requirements.
2. The organization implements the configuration settings.
3. The organization identifies, documents, and approves any deviations from established configuration settings for any configurable information system components.
4. The organization monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. |
To ensure systematic configuration management of information technology products. |
|
5 |
| Canada_Federal_PBMM_3-1-2020 |
CM_6(1) |
Canada_Federal_PBMM_3-1-2020_CM_6(1) |
Canada Federal PBMM 3-1-2020 CM 6(1) |
Configuration Settings |
Configuration Settings | Automated Central Management / Application / Verification |
Shared |
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for organization-defined information system components. |
To enhance efficiency, consistency, and security in configuration management processes. |
|
5 |
| Canada_Federal_PBMM_3-1-2020 |
CM_6(2) |
Canada_Federal_PBMM_3-1-2020_CM_6(2) |
Canada Federal PBMM 3-1-2020 CM 6(2) |
Configuration Settings |
Configuration Settings | Respond to Unauthorized Changes |
Shared |
The organization employs organization-defined security safeguards to respond to unauthorized changes to organization-defined configuration settings. |
To ensure prompt detection, mitigation, and resolution of potential security risks. |
|
5 |
| Canada_Federal_PBMM_3-1-2020 |
CM_7 |
Canada_Federal_PBMM_3-1-2020_CM_7 |
Canada Federal PBMM 3-1-2020 CM 7 |
Least Functionality |
Least Functionality |
Shared |
1. The organization configures the information system to provide only essential capabilities.
2. The organization prohibits or restricts the use of identified functions, ports, protocols, and/or services following one or more standards from Center for Internet Security (CIS), National Institute of Standards and Technology (NIST), or Defense Information Systems Agency (DISA). |
To minimise the attack surface of the information system. |
|
5 |
| Canada_Federal_PBMM_3-1-2020 |
CM_7(1) |
Canada_Federal_PBMM_3-1-2020_CM_7(1) |
Canada Federal PBMM 3-1-2020 CM 7(1) |
Least Functionality |
Least Functionality | Periodic Review |
Shared |
1. The organization reviews the information system at least annually to identify unnecessary and/or non-secure functions, ports, protocols, and services; and
2. The organization disables all functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure. |
To strengthen overall cybersecurity posture.
|
|
5 |
| Canada_Federal_PBMM_3-1-2020 |
CM_9 |
Canada_Federal_PBMM_3-1-2020_CM_9 |
Canada Federal PBMM 3-1-2020 CM 9 |
Configuration Management Plan |
Configuration Management Plan |
Shared |
1. The organization develops, documents, and implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures.
2. The organization develops, documents, and implements a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items.
3. The organization develops, documents, and implements a configuration management plan for the information system that defines the configuration items for the information system and places the configuration items under configuration management; and
4. The organization develops, documents, and implements a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification. |
To protect configuration items throughout their lifecycle while safeguarding the integrity of the configuration management plan. |
|
5 |
| Canada_Federal_PBMM_3-1-2020 |
SA_10 |
Canada_Federal_PBMM_3-1-2020_SA_10 |
Canada Federal PBMM 3-1-2020 SA 10 |
Developer Configuration Management |
Developer Configuration Management |
Shared |
1. The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service development, implementation, and operation.
2. The organization requires the developer of the information system, system component, or information system service to document, manage, and control the integrity of changes to all items under configuration management;
3. The organization requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service;
4. The organization requires the developer of the information system, system component, or information system service to document approved changes to the system, component, or service and the potential security impacts of such changes; and
5. The organization requires the developer of the information system, system component, or information system service to track security flaws and flaw resolution within the system, component, or service and report findings to the Chief Information Officer or delegate. |
To ensure systematic management of system integrity and security throughout the development lifecycle. |
|
5 |
| Canada_Federal_PBMM_3-1-2020 |
SA_4(9) |
Canada_Federal_PBMM_3-1-2020_SA_4(9) |
Canada Federal PBMM 3-1-2020 SA 4(9) |
Acquisition Process |
Acquisition Process | Functions / Ports / Protocols / Services in Use |
Shared |
The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use. |
To facilitate early identification and assessment of potential security risks. |
|
5 |
| Canada_Federal_PBMM_3-1-2020 |
SA_9(2) |
Canada_Federal_PBMM_3-1-2020_SA_9(2) |
Canada Federal PBMM 3-1-2020 SA 9(2) |
External Information System Services |
External Information System Services | Identification of Functions / Ports / Protocols / Services |
Shared |
The organization requires providers of all external information systems and services to identify the functions, ports, protocols, and other services required for the use of such services. |
To manage security risks and ensure the secure and efficient operation of external systems and services. |
|
5 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
193 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
310 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.7 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 |
404 not found |
|
|
|
n/a |
n/a |
|
95 |
| HITRUST_CSF_v11.3 |
01.l |
HITRUST_CSF_v11.3_01.l |
HITRUST CSF v11.3 01.l |
Network Access Control |
Prevent unauthorized access to networked services. |
Shared |
Ports, services, and applications installed on a computer or network systems, which are not specifically required for business functionality, to be disabled or removed. |
Physical and logical access to diagnostic and configuration ports shall be controlled. |
|
26 |
| NIST_SP_800-171_R3_3 |
.4.6 |
NIST_SP_800-171_R3_3.4.6 |
404 not found |
|
|
|
n/a |
n/a |
|
24 |
| NIST_SP_800-53_R5.1.1 |
CM.7.1 |
NIST_SP_800-53_R5.1.1_CM.7.1 |
NIST SP 800-53 R5.1.1 CM.7.1 |
Configuration Management Control |
Least Functionality | Periodic Review |
Shared |
(a) Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and
(b) Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure]. |
Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking. |
|
5 |
| NZISM_v3.7 |
22.3.11.C.01. |
NZISM_v3.7_22.3.11.C.01. |
NZISM v3.7 22.3.11.C.01. |
Virtual Local Area Networks |
22.3.11.C.01. - ensure data security and integrity. |
Shared |
n/a |
Unused ports on the switches MUST be disabled. |
|
18 |
| NZISM_v3.7 |
22.3.11.C.02. |
NZISM_v3.7_22.3.11.C.02. |
NZISM v3.7 22.3.11.C.02. |
Virtual Local Area Networks |
22.3.11.C.02. - ensure data security and integrity. |
Shared |
n/a |
Unused ports on the switches SHOULD be disabled. |
|
18 |
| PCI_DSS_v4.0.1 |
2.2.4 |
PCI_DSS_v4.0.1_2.2.4 |
PCI DSS v4.0.1 2.2.4 |
Apply Secure Configurations to All System Components |
Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled |
Shared |
n/a |
Examine system configuration standards to verify necessary services, protocols, daemons, and functions are identified and documented. Examine system configurations to verify the following: All unnecessary functionality is removed or disabled. Only required functionality, as documented in the configuration standards, is enabled |
|
25 |
| RMiT_v1.0 |
10.33 |
RMiT_v1.0_10.33 |
RMiT 10.33 |
Network Resilience |
Network Resilience - 10.33 |
Shared |
n/a |
A financial institution must design a reliable, scalable and secure enterprise network that is able to support its business activities, including future growth plans. |
link |
27 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
218 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
229 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
213 |