compliance controls are associated with this Policy definition 'Review user groups and applications with access to sensitive data' (eb1c944e-0e94-647b-9b7e-fdb8d2af0838)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| CIS_Azure_1.1.0 |
1.12 |
CIS_Azure_1.1.0_1.12 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.12 |
1 Identity and Access Management |
Ensure that 'Guest user permissions are limited' is set to 'Yes' |
Shared |
The customer is responsible for implementing this recommendation. |
Limit guest user permissions. |
link |
8 |
| CIS_Azure_1.1.0 |
1.13 |
CIS_Azure_1.1.0_1.13 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.13 |
1 Identity and Access Management |
Ensure that 'Members can invite' is set to 'No' |
Shared |
The customer is responsible for implementing this recommendation. |
Restrict invitations to administrators only. |
link |
8 |
| CIS_Azure_1.1.0 |
1.14 |
CIS_Azure_1.1.0_1.14 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.14 |
1 Identity and Access Management |
Ensure that 'Guests can invite' is set to 'No' |
Shared |
The customer is responsible for implementing this recommendation. |
Restrict guest invitations. |
link |
8 |
| CIS_Azure_1.1.0 |
1.15 |
CIS_Azure_1.1.0_1.15 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.15 |
1 Identity and Access Management |
Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' |
Shared |
The customer is responsible for implementing this recommendation. |
Restrict access to the Azure AD administration portal to administrators only. |
link |
7 |
| CIS_Azure_1.1.0 |
3.6 |
CIS_Azure_1.1.0_3.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.6 |
3 Storage Accounts |
Ensure that 'Public access level' is set to Private for blob containers |
Shared |
The customer is responsible for implementing this recommendation. |
Disable anonymous access to blob containers. |
link |
7 |
| CIS_Azure_1.1.0 |
8.5 |
CIS_Azure_1.1.0_8.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.5 |
8 Other Security Considerations |
Enable role-based access control (RBAC) within Azure Kubernetes Services |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that RBAC is enabled on all Azure Kubernetes Services Instances |
link |
7 |
| CIS_Azure_1.3.0 |
1.12 |
CIS_Azure_1.3.0_1.12 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.12 |
1 Identity and Access Management |
Ensure that 'Guest user permissions are limited' is set to 'Yes' |
Shared |
The customer is responsible for implementing this recommendation. |
Limit guest user permissions. |
link |
8 |
| CIS_Azure_1.3.0 |
1.13 |
CIS_Azure_1.3.0_1.13 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.13 |
1 Identity and Access Management |
Ensure that 'Members can invite' is set to 'No' |
Shared |
The customer is responsible for implementing this recommendation. |
Restrict invitations to administrators only. |
link |
8 |
| CIS_Azure_1.3.0 |
1.14 |
CIS_Azure_1.3.0_1.14 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.14 |
1 Identity and Access Management |
Ensure that 'Guests can invite' is set to 'No' |
Shared |
The customer is responsible for implementing this recommendation. |
Restrict guest being able to invite other guests to collaborate with your organization. |
link |
8 |
| CIS_Azure_1.3.0 |
1.15 |
CIS_Azure_1.3.0_1.15 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.15 |
1 Identity and Access Management |
Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' |
Shared |
The customer is responsible for implementing this recommendation. |
Restrict access to the Azure AD administration portal to administrators only. |
link |
6 |
| CIS_Azure_1.3.0 |
3.5 |
CIS_Azure_1.3.0_3.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.5 |
3 Storage Accounts |
Ensure that 'Public access level' is set to Private for blob containers |
Shared |
The customer is responsible for implementing this recommendation. |
Disable anonymous access to blob containers and disallow blob public access on storage account. |
link |
7 |
| CIS_Azure_1.3.0 |
8.5 |
CIS_Azure_1.3.0_8.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.5 |
8 Other Security Considerations |
Enable role-based access control (RBAC) within Azure Kubernetes Services |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that RBAC is enabled on all Azure Kubernetes Services Instances |
link |
7 |
| CIS_Azure_1.4.0 |
1.12 |
CIS_Azure_1.4.0_1.12 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.12 |
1 Identity and Access Management |
Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'' |
Shared |
The customer is responsible for implementing this recommendation. |
Limit guest user permissions. |
link |
8 |
| CIS_Azure_1.4.0 |
1.13 |
CIS_Azure_1.4.0_1.13 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.13 |
1 Identity and Access Management |
Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" |
Shared |
The customer is responsible for implementing this recommendation. |
Restrict invitations to users with specific admin roles only. |
link |
8 |
| CIS_Azure_1.4.0 |
1.14 |
CIS_Azure_1.4.0_1.14 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.14 |
1 Identity and Access Management |
Ensure That 'Restrict access to Azure AD administration portal' is Set to "Yes" |
Shared |
The customer is responsible for implementing this recommendation. |
Restrict access to the Azure AD administration portal to administrators only. |
link |
6 |
| CIS_Azure_1.4.0 |
3.5 |
CIS_Azure_1.4.0_3.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.5 |
3 Storage Accounts |
Ensure that 'Public access level' is set to Private for blob containers |
Shared |
The customer is responsible for implementing this recommendation. |
Disable anonymous access to blob containers and disallow blob public access on storage account. |
link |
7 |
| CIS_Azure_1.4.0 |
8.7 |
CIS_Azure_1.4.0_8.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.7 |
8 Other Security Considerations |
Enable role-based access control (RBAC) within Azure Kubernetes Services |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that RBAC is enabled on all Azure Kubernetes Services Instances |
link |
7 |
| CIS_Azure_2.0.0 |
1.15 |
CIS_Azure_2.0.0_1.15 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.15 |
1 |
Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' |
Shared |
This may create additional requests for permissions to access resources that administrators will need to approve. |
Limit guest user permissions.
Limiting guest access ensures that guest accounts do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory. Guest access has three levels of restriction.
1. Guest users have the same access as members (most inclusive),
2. Guest users have limited access to properties and memberships of directory objects (default value),
3. Guest user access is restricted to properties and memberships of their own directory objects (most restrictive).
The recommended option is the 3rd, most restrictive: "Guest user access is restricted to their own directory object". |
link |
8 |
| CIS_Azure_2.0.0 |
1.16 |
CIS_Azure_2.0.0_1.16 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.16 |
1 |
Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" |
Shared |
With the option of `Only users assigned to specific admin roles can invite guest users` selected, users with specific admin roles will be in charge of sending invitations to the external users, requiring additional overhead by them to manage user accounts. This will mean coordinating with other departments as they are onboarding new users. |
Restrict invitations to users with specific administrative roles only.
Restricting invitations to users with specific administrator roles ensures that only authorized accounts have access to cloud resources. This helps to maintain "Need to Know" permissions and prevents inadvertent access to data.
By default the setting `Guest invite restrictions` is set to `Anyone in the organization can invite guest users including guests and non-admins`. This would allow anyone within the organization to invite guests and non-admins to the tenant, posing a security risk. |
link |
8 |
| CIS_Azure_2.0.0 |
1.17 |
CIS_Azure_2.0.0_1.17 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.17 |
1 |
Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' |
Shared |
All administrative tasks will need to be done by Administrators, causing additional overhead in management of users and resources. |
Restrict access to the Azure AD administration portal to administrators only.
**NOTE**: This only affects access to the Azure AD administrator's web portal. This setting does not prohibit privileged users from using other methods such as Rest API or Powershell to obtain sensitive information from Azure AD.
The Azure AD administrative portal has sensitive data and permission settings. All non-administrators should be prohibited from accessing any Azure AD data in the administration portal to avoid exposure. |
link |
6 |
| CIS_Azure_2.0.0 |
3.7 |
CIS_Azure_2.0.0_3.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.7 |
3 |
Ensure that 'Public access level' is disabled for storage accounts with blob containers |
Shared |
Access will have to be managed using shared access signatures or via Azure AD RBAC. |
Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account.
The default configuration for a storage account permits a user with appropriate permissions to configure public (anonymous) access to containers and blobs in a storage account. Keep in mind that public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature.
It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token or Azure AD RBAC should be used for providing controlled and timed access to blob containers.
If no anonymous access is needed on any container in the storage account, it’s recommended to set allowBlobPublicAccess false at the account level, which forbids any container to accept anonymous access in the future. |
link |
7 |
| FedRAMP_High_R4 |
AC-3 |
FedRAMP_High_R4_AC-3 |
FedRAMP High AC-3 |
Access Control |
Access Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3.
References: None. |
link |
18 |
| FedRAMP_Moderate_R4 |
AC-3 |
FedRAMP_Moderate_R4_AC-3 |
FedRAMP Moderate AC-3 |
Access Control |
Access Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3.
References: None. |
link |
18 |
| hipaa |
0227.09k2Organizational.12-09.k |
hipaa-0227.09k2Organizational.12-09.k |
0227.09k2Organizational.12-09.k |
02 Endpoint Protection |
0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
The organization takes specific actions to protect against mobile code performing unauthorized actions. |
|
18 |
| hipaa |
0894.01m2Organizational.7-01.m |
hipaa-0894.01m2Organizational.7-01.m |
0894.01m2Organizational.7-01.m |
08 Network Protection |
0894.01m2Organizational.7-01.m 01.04 Network Access Control |
Shared |
n/a |
Networks are segregated from production-level networks when migrating physical servers, applications, or data to virtualized servers. |
|
19 |
| hipaa |
1230.09c2Organizational.1-09.c |
hipaa-1230.09c2Organizational.1-09.c |
1230.09c2Organizational.1-09.c |
12 Audit Logging & Monitoring |
1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures |
Shared |
n/a |
No single person is able to access, modify, or use information systems without authorization or detection. |
|
13 |
| hipaa |
1504.06e1Organizational.34-06.e |
hipaa-1504.06e1Organizational.34-06.e |
1504.06e1Organizational.34-06.e |
15 Incident Management |
1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements |
Shared |
n/a |
Management approves the use of information assets and takes appropriate action when unauthorized activity occurs. |
|
16 |
| hipaa |
19141.06c1Organizational.7-06.c |
hipaa-19141.06c1Organizational.7-06.c |
19141.06c1Organizational.7-06.c |
19 Data Protection & Privacy |
19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements |
Shared |
n/a |
Important records, such as contracts, personnel records, financial information, client/customer information, etc., of the organization are protected from loss, destruction and falsification through the implementation of security controls such as access controls, encryption, backups, electronic signatures, locked facilities or containers, etc. |
|
10 |
| ISO27001-2013 |
A.13.1.1 |
ISO27001-2013_A.13.1.1 |
ISO 27001:2013 A.13.1.1 |
Communications Security |
Network controls |
Shared |
n/a |
Networks shall be managed and controlled to protect information in systems and applications. |
link |
40 |
| ISO27001-2013 |
A.14.1.2 |
ISO27001-2013_A.14.1.2 |
ISO 27001:2013 A.14.1.2 |
System Acquisition, Development And Maintenance |
Securing application services on public networks |
Shared |
n/a |
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. |
link |
32 |
| ISO27001-2013 |
A.14.1.3 |
ISO27001-2013_A.14.1.3 |
ISO 27001:2013 A.14.1.3 |
System Acquisition, Development And Maintenance |
Protecting application services transactions |
Shared |
n/a |
Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. |
link |
29 |
| ISO27001-2013 |
A.18.1.3 |
ISO27001-2013_A.18.1.3 |
ISO 27001:2013 A.18.1.3 |
Compliance |
Protection of records |
Shared |
n/a |
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements. |
link |
15 |
| ISO27001-2013 |
A.6.2.2 |
ISO27001-2013_A.6.2.2 |
ISO 27001:2013 A.6.2.2 |
Organization of Information Security |
Teleworking |
Shared |
n/a |
A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. |
link |
16 |
| ISO27001-2013 |
A.9.1.2 |
ISO27001-2013_A.9.1.2 |
ISO 27001:2013 A.9.1.2 |
Access Control |
Access to networks and network services |
Shared |
n/a |
Users shall only be provided with access to the network and network services that they have been specifically authorized to use. |
link |
29 |
| ISO27001-2013 |
A.9.4.1 |
ISO27001-2013_A.9.4.1 |
ISO 27001:2013 A.9.4.1 |
Access Control |
Information access restriction |
Shared |
n/a |
Access to information and application system functions shall be restricted in accordance with the access control policy. |
link |
11 |
| ISO27001-2013 |
A.9.4.4 |
ISO27001-2013_A.9.4.4 |
ISO 27001:2013 A.9.4.4 |
Access Control |
Use of privileged utility programs |
Shared |
n/a |
The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. |
link |
9 |
| ISO27001-2013 |
A.9.4.5 |
ISO27001-2013_A.9.4.5 |
ISO 27001:2013 A.9.4.5 |
Access Control |
Access control to program source code |
Shared |
n/a |
Access to program source code shall be restricted. |
link |
10 |
|
mp.com.2 Protection of confidentiality |
mp.com.2 Protection of confidentiality |
404 not found |
|
|
|
n/a |
n/a |
|
55 |
|
mp.com.3 Protection of integrity and authenticity |
mp.com.3 Protection of integrity and authenticity |
404 not found |
|
|
|
n/a |
n/a |
|
62 |
|
mp.com.4 Separation of information flows on the network |
mp.com.4 Separation of information flows on the network |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
mp.info.3 Electronic signature |
mp.info.3 Electronic signature |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
mp.info.4 Time stamps |
mp.info.4 Time stamps |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
|
mp.sw.1 IT Aplications development |
mp.sw.1 IT Aplications development |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
| NIST_SP_800-171_R2_3 |
.1.2 |
NIST_SP_800-171_R2_3.1.2 |
NIST SP 800-171 R2 3.1.2 |
Access Control |
Limit system access to the types of transactions and functions that authorized users are permitted to execute. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). |
link |
28 |
| NIST_SP_800-53_R4 |
AC-3 |
NIST_SP_800-53_R4_AC-3 |
NIST SP 800-53 Rev. 4 AC-3 |
Access Control |
Access Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3.
References: None. |
link |
18 |
| NIST_SP_800-53_R5 |
AC-3 |
NIST_SP_800-53_R5_AC-3 |
NIST SP 800-53 Rev. 5 AC-3 |
Access Control |
Access Enforcement |
Shared |
n/a |
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
link |
18 |
|
op.acc.2 Access requirements |
op.acc.2 Access requirements |
404 not found |
|
|
|
n/a |
n/a |
|
61 |
|
op.acc.6 Authentication mechanism (organization users) |
op.acc.6 Authentication mechanism (organization users) |
404 not found |
|
|
|
n/a |
n/a |
|
75 |
|
op.exp.2 Security configuration |
op.exp.2 Security configuration |
404 not found |
|
|
|
n/a |
n/a |
|
112 |
|
op.ext.4 Interconnection of systems |
op.ext.4 Interconnection of systems |
404 not found |
|
|
|
n/a |
n/a |
|
68 |
|
op.pl.2 Security Architecture |
op.pl.2 Security Architecture |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
op.pl.3 Acquisition of new components |
op.pl.3 Acquisition of new components |
404 not found |
|
|
|
n/a |
n/a |
|
61 |
|
org.1 Security policy |
org.1 Security policy |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
|
org.2 Security regulations |
org.2 Security regulations |
404 not found |
|
|
|
n/a |
n/a |
|
100 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
126 |
| PCI_DSS_v4.0 |
7.2.1 |
PCI_DSS_v4.0_7.2.1 |
PCI DSS v4.0 7.2.1 |
Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know |
Access to system components and data is appropriately defined and assigned |
Shared |
n/a |
An access control model is defined and includes granting access as follows:
• Appropriate access depending on the entity’s business and access needs.
• Access to system components and data resources that is based on users’ job classification and functions.
• The least privileges required (for example, user, administrator) to perform a job function. |
link |
10 |
| PCI_DSS_v4.0 |
7.2.3 |
PCI_DSS_v4.0_7.2.3 |
PCI DSS v4.0 7.2.3 |
Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know |
Access to system components and data is appropriately defined and assigned |
Shared |
n/a |
Required privileges are approved by authorized personnel. |
link |
8 |
| PCI_DSS_v4.0 |
7.2.6 |
PCI_DSS_v4.0_7.2.6 |
PCI DSS v4.0 7.2.6 |
Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know |
Access to system components and data is appropriately defined and assigned |
Shared |
n/a |
All user access to query repositories of stored cardholder data is restricted as follows:
• Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges.
• Only the responsible administrator(s) can directly access or query repositories of stored CHD. |
link |
8 |
| PCI_DSS_v4.0 |
7.3.1 |
PCI_DSS_v4.0_7.3.1 |
PCI DSS v4.0 7.3.1 |
Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know |
Access to system components and data is managed via an access control system(s) |
Shared |
n/a |
An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components. |
link |
15 |
| PCI_DSS_v4.0 |
7.3.2 |
PCI_DSS_v4.0_7.3.2 |
PCI DSS v4.0 7.3.2 |
Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know |
Access to system components and data is managed via an access control system(s) |
Shared |
n/a |
The access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function. |
link |
10 |
| PCI_DSS_v4.0 |
7.3.3 |
PCI_DSS_v4.0_7.3.3 |
PCI DSS v4.0 7.3.3 |
Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know |
Access to system components and data is managed via an access control system(s) |
Shared |
n/a |
The access control system(s) is set to “deny all” by default. |
link |
6 |
| SOC_2 |
CC6.1 |
SOC_2_CC6.1 |
SOC 2 Type 2 CC6.1 |
Logical and Physical Access Controls |
Logical access security software, infrastructure, and architectures |
Shared |
The customer is responsible for implementing this recommendation. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion:
• Identifies and Manages the Inventory of Information Assets — The entity identifies,
Page 29
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
inventories, classifies, and manages information assets.
• Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative
authorities, mobile devices, output, and offline system components is restricted
through the use of access control software and rule sets.
• Identifies and Authenticates Users — Persons, infrastructure, and software are
identified and authenticated prior to accessing information assets, whether locally
or remotely.
• Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
• Manages Points of Access — Points of access by outside entities and the types of
data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified,
documented, and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
• Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems
accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external
infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point.
Credentials are removed and access is disabled when access is no longer required
or the infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to supplement other
measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
• Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction |
|
75 |
| SWIFT_CSCF_v2022 |
2.11A |
SWIFT_CSCF_v2022_2.11A |
SWIFT CSCF v2022 2.11A |
2. Reduce Attack Surface and Vulnerabilities |
Restrict transaction activity to validated and approved business counterparties. |
Shared |
n/a |
Implement RMA controls to restrict transaction activity with effective business counterparties. |
link |
10 |