| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| AU_ISM |
1144 |
AU_ISM_1144 |
AU ISM 1144 |
Guidelines for System Management - System patching |
When to patch security vulnerabilities - 1144 |
|
n/a |
Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users. |
link |
7 |
| AU_ISM |
1472 |
AU_ISM_1472 |
AU ISM 1472 |
Guidelines for System Management - System patching |
When to patch security vulnerabilities - 1472 |
|
n/a |
Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users. |
link |
7 |
| AU_ISM |
1494 |
AU_ISM_1494 |
AU ISM 1494 |
Guidelines for System Management - System patching |
When to patch security vulnerabilities - 1494 |
|
n/a |
Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users. |
link |
7 |
| AU_ISM |
1495 |
AU_ISM_1495 |
AU ISM 1495 |
Guidelines for System Management - System patching |
When to patch security vulnerabilities - 1495 |
|
n/a |
Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users. |
link |
7 |
| AU_ISM |
1496 |
AU_ISM_1496 |
AU ISM 1496 |
Guidelines for System Management - System patching |
When to patch security vulnerabilities - 1496 |
|
n/a |
Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users. |
link |
7 |
| AU_ISM |
940 |
AU_ISM_940 |
AU ISM 940 |
Guidelines for System Management - System patching |
When to patch security vulnerabilities - 940 |
|
n/a |
Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users. |
link |
7 |
| Azure_Security_Benchmark_v1.0 |
5.5 |
Azure_Security_Benchmark_v1.0_5.5 |
Azure Security Benchmark 5.5 |
Vulnerability Management |
Use a risk-rating process to prioritize the remediation of discovered vulnerabilities |
Customer |
Use a common risk scoring program (for example, Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool. |
n/a |
link |
4 |
| Azure_Security_Benchmark_v1.0 |
7.10 |
Azure_Security_Benchmark_v1.0_7.10 |
Azure Security Benchmark 7.10 |
Secure Configuration |
Implement automated configuration monitoring for operating systems |
Customer |
Use Azure Security Center to perform baseline scans for OS and Docker Settings for containers.
Understand Azure Security Center container recommendations:
https://docs.microsoft.com/azure/security-center/security-center-container-recommendations |
n/a |
link |
3 |
| Azure_Security_Benchmark_v1.0 |
7.4 |
Azure_Security_Benchmark_v1.0_7.4 |
Azure Security Benchmark 7.4 |
Secure Configuration |
Maintain secure operating system configurations |
Shared |
Base operating system images are managed and maintained by Microsoft.
However, you can apply security settings required by your organization using AzureResources Manager templates and/or Desired State Configuration.
How to create an Azure Virtual Machine from an AzureResources Manager template:
https://docs.microsoft.com/azure/virtual-machines/windows/ps-template
Understand Desired State Configuration for Azure Virtual Machines:
https://docs.microsoft.com/azure/virtual-machines/extensions/dsc-overview |
n/a |
link |
3 |
| Azure_Security_Benchmark_v2.0 |
PV-4 |
Azure_Security_Benchmark_v2.0_PV-4 |
Azure Security Benchmark PV-4 |
Posture and Vulnerability Management |
Sustain secure configurations for compute resources |
Shared |
Use Azure Security Center and Azure Policy to regularly assess and remediate configuration risks on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system required by your organization. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements.
Also, note that Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft.
Azure Security Center can also scan vulnerabilities in container images and perform continuous monitoring of your Docker configuration in containers, based on the CIS Docker Benchmark. You can use the Azure Security Center recommendations page to view recommendations and remediate issues.
How to implement Azure Security Center vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations
How to create an Azure virtual machine from an ARM template: https://docs.microsoft.com/azure/virtual-machines/windows/ps-template
Azure Automation State Configuration overview: https://docs.microsoft.com/azure/automation/automation-dsc-overview
Create a Windows virtual machine in the Azure portal: https://docs.microsoft.com/azure/virtual-machines/windows/quick-create-portal
Information on how to download template for a VM: https://docs.microsoft.com/azure/virtual-machines/windows/download-template
Sample script to upload a VHD to Azure and create a new VM: https://docs.microsoft.com/azure/virtual-machines/scripts/virtual-machines-windows-powershell-upload-generalized-script
Container security in Azure Security Center: https://docs.microsoft.com/azure/security-center/container-security |
n/a |
link |
3 |
| Azure_Security_Benchmark_v3.0 |
DS-6 |
Azure_Security_Benchmark_v3.0_DS-6 |
Azure Security Benchmark DS-6 |
DevOps Security |
Enforce security of workload throughout DevOps lifecycle |
Shared |
**Security Principle:**
Ensure the workload is secured throughout the entire lifecycle in development, testing, and deployment stage. Use Azure Security Benchmark to evaluate the controls (such as network security, identity management, privileged access and so on) that can be set as guardrails by default or shift left prior to the deployment stage. In particular, ensure the following controls are in place in your DevOps process:
- Automate the deployment by using Azure or third-party tooling in the CI/CD workflow, infrastructure management (infrastructure as code), and testing to reduce human error and attack surface.
- Ensure VMs, container images and other artifacts are secure from malicious manipulation.
- Scan the workload artifacts (in other words, container images, dependencies, SAST and DAST scans) prior to the deployment in the CI/CD workflow
- Deploy vulnerability assessment and threat detection capability into the production environment and continuously use these capabilities in the run-time.
**Azure Guidance:**
Guidance for Azure VMs:
- Use Azure Shared Image Gallery to share and control access to your images by different users, service principals, or AD groups within your organization. Use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access your custom images.
- Define the secure configuration baselines for the VMs to eliminate unnecessary credentials, permissions, and packages. Through custom images, Azure Resource Manager template, and/or Azure Policy guest configuration to deploy and enforce these the configuration baseline.
Guidance for Azure container services:
- Use Azure Container Registry (ACR) to create your private container registry where a granular access can be restricted through Azure RBAC, so only authorized services and accounts can access the containers in the private registry.
- Use Defender for Azure Container Registry for vulnerability assessment of the images in your private Azure Container Registry. In addition, you can use Microsoft Defender for Cloud to ingrate container images scan as part of your CI/CD workflows.
For Azure serverless services, adopt the similar controls to ensure security controls are shift left to the stage prior to the deployment.
**Implementation and additional context:**
Shared Image Gallery overview:
https://docs.microsoft.com/azure/virtual-machines/windows/shared-image-galleries
How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations
Security considerations for Azure Container:
https://docs.microsoft.com/azure/container-instances/container-instances-image-security
Azure Defender for container registries:
https://docs.microsoft.com/azure/security-center/defender-for-container-registries-introduction |
n/a |
link |
3 |
| Azure_Security_Benchmark_v3.0 |
PV-6 |
Azure_Security_Benchmark_v3.0_PV-6 |
Azure Security Benchmark PV-6 |
Posture and Vulnerability Management |
Rapidly and automatically remediate vulnerabilities |
Shared |
**Security Principle:**
Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources. Use the appropriate risk-based approach to prioritize the remediation of the vulnerabilities. For example, more severe vulnerabilities in a higher value asset should be addressed as a higher priority.
**Azure Guidance:**
Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically.
For third-party software, use a third-party patch management solution or System Center Updates Publisher for Configuration Manager.
Prioritize which updates to deploy first using a common risk scoring program (such as Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool and tailor to your environment. You should also consider which applications present a high security risk and which ones require high uptime.
**Implementation and additional context:**
How to configure Update Management for virtual machines in Azure:
https://docs.microsoft.com/azure/automation/update-management/overview
Manage updates and patches for your Azure VMs:
https://docs.microsoft.com/azure/automation/update-management/manage-updates-for-vm |
n/a |
link |
16 |
| CMMC_2.0_L2 |
RA.L2-3.11.2 |
CMMC_2.0_L2_RA.L2-3.11.2 |
404 not found |
|
|
|
n/a |
n/a |
|
21 |
| CMMC_2.0_L2 |
RA.L2-3.11.3 |
CMMC_2.0_L2_RA.L2-3.11.3 |
404 not found |
|
|
|
n/a |
n/a |
|
21 |
| CMMC_L3 |
RM.2.143 |
CMMC_L3_RM.2.143 |
CMMC L3 RM.2.143 |
Risk Assessment |
Remediate vulnerabilities in accordance with risk assessments. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Vulnerabilities discovered, for example, via the scanning conducted in response to RM.2.142, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities. |
link |
19 |
| FedRAMP_High_R4 |
RA-5 |
FedRAMP_High_R4_RA-5 |
FedRAMP High RA-5 |
Risk Assessment |
Vulnerability Scanning |
Shared |
n/a |
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times], in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
Supplemental Guidance: Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the
Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2.
References: NIST Special Publications 800-40, 800-70, 800-115; Web: http://cwe.mitre.org, http://nvd.nist.gov. |
link |
23 |
| FedRAMP_Moderate_R4 |
RA-5 |
FedRAMP_Moderate_R4_RA-5 |
FedRAMP Moderate RA-5 |
Risk Assessment |
Vulnerability Scanning |
Shared |
n/a |
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times], in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
Supplemental Guidance: Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the
Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2.
References: NIST Special Publications 800-40, 800-70, 800-115; Web: http://cwe.mitre.org, http://nvd.nist.gov. |
link |
23 |
| hipaa |
0606.10h2System.1-10.h |
hipaa-0606.10h2System.1-10.h |
0606.10h2System.1 - 10.h |
Control of Operational Software |
Applications and operating systems are successfully tested for usability, security and impact prior to production. |
Customer |
n/a |
Sample of SDL change tickets, demonstrating impact analysis, security testing, formal approval, and deployment scheduling of proposed changes. |
|
1 |
| hipaa |
0709.10m1Organizational.1-10.m |
hipaa-0709.10m1Organizational.1-10.m |
0709.10m1Organizational.1-10.m |
07 Vulnerability Management |
0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management |
Shared |
n/a |
Technical vulnerabilities are identified, evaluated for risk, and corrected in a timely manner. |
|
13 |
| hipaa |
0715.10m2Organizational.8-10.m |
hipaa-0715.10m2Organizational.8-10.m |
0715.10m2Organizational.8-10.m |
07 Vulnerability Management |
0715.10m2Organizational.8-10.m 10.06 Technical Vulnerability Management |
Shared |
n/a |
Systems are appropriately hardened (e.g., configured with only necessary and secure services, ports, and protocols enabled). |
|
1 |
| NIST_SP_800-171_R2_3 |
.11.2 |
NIST_SP_800-171_R2_3.11.2 |
NIST SP 800-171 R2 3.11.2 |
Risk Assessment |
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning. [SP 800-40] provides guidance on vulnerability management. |
link |
24 |
| NIST_SP_800-171_R2_3 |
.11.3 |
NIST_SP_800-171_R2_3.11.3 |
NIST SP 800-171 R2 3.11.3 |
Risk Assessment |
Remediate vulnerabilities in accordance with risk assessments. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities. |
link |
23 |
| NIST_SP_800-53_R4 |
RA-5 |
NIST_SP_800-53_R4_RA-5 |
NIST SP 800-53 Rev. 4 RA-5 |
Risk Assessment |
Vulnerability Scanning |
Shared |
n/a |
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times], in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
Supplemental Guidance: Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the
Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2.
References: NIST Special Publications 800-40, 800-70, 800-115; Web: http://cwe.mitre.org, http://nvd.nist.gov. |
link |
23 |
| NIST_SP_800-53_R5 |
RA-5 |
NIST_SP_800-53_R5_RA-5 |
NIST SP 800-53 Rev. 5 RA-5 |
Risk Assessment |
Vulnerability Monitoring and Scanning |
Shared |
n/a |
a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;
b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyze vulnerability scan reports and results from vulnerability monitoring;
d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk;
e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and
f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. |
link |
23 |
| NZ_ISM_v3.5 |
ISM-4 |
NZ_ISM_v3.5_ISM-4 |
NZISM Security Benchmark ISM-4 |
Information security monitoring |
6.2.6 Resolving vulnerabilities |
Customer |
n/a |
Vulnerabilities may occur as a result of poorly designed or implemented information security practices, accidental activities or malicious activities, and not just as the result of a technical issue. |
link |
11 |
| NZISM_Security_Benchmark_v1.1 |
ISM-4 |
NZISM_Security_Benchmark_v1.1_ISM-4 |
NZISM Security Benchmark ISM-4 |
Information security monitoring |
6.2.6 Resolving vulnerabilities |
Customer |
Agencies SHOULD analyse and treat all vulnerabilities and subsequent security risks to their systems identified during a vulnerability assessment. |
Vulnerabilities may occur as a result of poorly designed or implemented information security practices, accidental activities or malicious activities, and not just as the result of a technical issue. |
link |
6 |
| RBI_CSF_Banks_v2016 |
18.4 |
RBI_CSF_Banks_v2016_18.4 |
|
Vulnerability Assessment And Penetration Test And Red Team Exercises |
Vulnerability Assessment And Penetration Test And Red Team Exercises-18.4 |
|
n/a |
Findings of VA/PT and the follow up actions necessitated are to be monitored closely by the Information Security/Information Technology Audit team as well as Senior/Top Management. |
|
6 |
| RBI_CSF_Banks_v2016 |
2.3 |
RBI_CSF_Banks_v2016_2.3 |
|
Preventing Execution Of Unauthorised Software |
Security Update Management-2.3 |
|
n/a |
Continuously monitor the release of patches by various vendors / OEMs, advisories issued by CERT-in and other similar agencies and expeditiously apply the security patches as per the patch management policy of the bank. If a patch/series of patches is/are released by the OEM/manufacturer/vendor for protection against wellknown/well publicised/reported attacks exploiting the vulnerability patched, the banks must have a mechanism to apply them expeditiously following an emergency patch management process. |
|
14 |
| RBI_CSF_Banks_v2016 |
6.1 |
RBI_CSF_Banks_v2016_6.1 |
|
Application Security Life Cycle (Aslc) |
Application Security Life Cycle (Aslc)-6.1 |
|
n/a |
Incorporate/Ensure information security across all stages of application life cycle. |
|
3 |
| RBI_CSF_Banks_v2016 |
6.3 |
RBI_CSF_Banks_v2016_6.3 |
|
Application Security Life Cycle (Aslc) |
Application Security Life Cycle (Aslc)-6.3 |
|
n/a |
Secure coding practices may also be implemented for internally /collaboratively
developed applications. |
|
3 |
| RBI_CSF_Banks_v2016 |
6.6 |
RBI_CSF_Banks_v2016_6.6 |
|
Application Security Life Cycle (Aslc) |
Application Security Life Cycle (Aslc)-6.6 |
|
n/a |
Software/Application development approach should be based on threat
modelling, incorporate secure coding principles and security testing based on global
standards and secure rollout |
|
3 |
| RBI_CSF_Banks_v2016 |
6.7 |
RBI_CSF_Banks_v2016_6.7 |
|
Application Security Life Cycle (Aslc) |
Application Security Life Cycle (Aslc)-6.7 |
|
n/a |
Ensure that software/application development practices addresses the
vulnerabilities based on best practices baselines such as Open Web Application
Security Project (OWASP) proactively and adopt principle of defence-in-depth to
provide layered security mechanism. |
|
6 |
| RBI_CSF_Banks_v2016 |
7.1 |
RBI_CSF_Banks_v2016_7.1 |
|
Patch/Vulnerability & Change Management |
Patch/Vulnerability & Change Management-7.1 |
|
n/a |
Follow a documented risk-based strategy for inventorying IT components that
need to be patched, identification of patches and applying patches so as to minimize
the number of vulnerable systems and the time window of vulnerability/exposure. |
|
17 |
| RBI_CSF_Banks_v2016 |
7.2 |
RBI_CSF_Banks_v2016_7.2 |
|
Patch/Vulnerability & Change Management |
Patch/Vulnerability & Change Management-7.2 |
|
n/a |
Put in place systems and processes to identify, track, manage and monitor the
status of patches to operating system and application software running at end-user
devices directly connected to the internet and in respect of Server operating
Systems/Databases/Applications/ Middleware, etc. |
|
17 |
| RBI_CSF_Banks_v2016 |
7.6 |
RBI_CSF_Banks_v2016_7.6 |
|
Patch/Vulnerability & Change Management |
Patch/Vulnerability & Change Management-7.6 |
|
n/a |
As a threat mitigation strategy, identify the root cause of incident and apply
necessary patches to plug the vulnerabilities. |
|
26 |
| RBI_ITF_NBFC_v2017 |
1 |
RBI_ITF_NBFC_v2017_1 |
RBI IT Framework 1 |
IT Governance |
IT Governance-1 |
|
n/a |
IT Governance is an integral part of corporate governance. It involves leadership support, organizational structure and processes to ensure that the NBFC???s IT sustains and extends business strategies and objectives. Effective IT Governance is the responsibility of the Board of Directors and Executive Management.
Well-defined roles and responsibilities of Board and Senior Management are critical, while implementing IT Governance. Clearly-defined roles enable effective project control. People, when they are aware of others' expectations from them, are able to complete work on time, within budget and to the expected level of quality. IT Governance Stakeholders include: Board of Directors, IT Strategy Committees, CEOs, Business Executives, Chief Information Officers (CIOs), Chief Technology Officers (CTOs), IT Steering Committees (operating at an executive level and focusing on priority setting, resource allocation and project tracking), Chief Risk Officer and Risk Committees.
The basic principles of value delivery, IT Risk Management, IT resource management and performance management must form the basis of governance framework. IT Governance has a continuous life-cycle. It's a process in which IT strategy drives the processes, using resources necessary to execute responsibilities. Given the criticality of the IT, NBFCs may follow relevant aspects of such prudential governance standards that have found acceptability in the finance industry. |
link |
20 |
| RBI_ITF_NBFC_v2017 |
3.3 |
RBI_ITF_NBFC_v2017_3.3 |
RBI IT Framework 3.3 |
Information and Cyber Security |
Vulnerability Management-3.3 |
|
n/a |
A vulnerability can be defined as an inherent configuration flaw in an organization???s information technology base, whether hardware or software, which can be exploited by a third party to gather sensitive information regarding the organization. Vulnerability management is an ongoing process to determine the process of eliminating or mitigating vulnerabilities based upon the risk and cost associated with the vulnerabilities. NBFCs may devise a strategy for managing and eliminating vulnerabilities and such strategy may clearly be communicated in the Cyber Security policy |
link |
19 |
| RMiT_v1.0 |
Appendix_5.7 |
RMiT_v1.0_Appendix_5.7 |
RMiT Appendix 5.7 |
Control Measures on Cybersecurity |
Control Measures on Cybersecurity - Appendix 5.7 |
Customer |
n/a |
Ensure overall network security controls are implemented including the following:
(a) dedicated firewalls at all segments. All external-facing firewalls must be deployed on High Availability (HA) configuration and “fail-close” mode activated. Deploy different brand name/model for two firewalls located in sequence within the same network path;
(b) IPS at all critical network segments with the capability to inspect and monitor encrypted network traffic;
(c) web and email filtering systems such as web-proxy, spam filter and anti-spoofing controls;
(d) endpoint protection solution to detect and remove security threats including viruses and malicious software;
(e) solution to mitigate advanced persistent threats including zero-day and signatureless malware; and
(f) capture the full network packets to rebuild relevant network sessions to aid forensics in the event of incidents. |
link |
27 |
| SWIFT_CSCF_v2021 |
2.7 |
SWIFT_CSCF_v2021_2.7 |
SWIFT CSCF v2021 2.7 |
Reduce Attack Surface and Vulnerabilities |
Vulnerability Scanning |
|
n/a |
Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. |
link |
12 |
| SWIFT_CSCF_v2022 |
2.7 |
SWIFT_CSCF_v2022_2.7 |
SWIFT CSCF v2022 2.7 |
2. Reduce Attack Surface and Vulnerabilities |
Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. |
Shared |
n/a |
Secure zone (including dedicated operator PC) systems are scanned for vulnerabilities using an up-to-date, reputable scanning tool and results are considered for appropriate resolving actions. |
link |
16 |