compliance controls are associated with this Policy definition 'Audit Windows machines that don't have the specified applications installed' (ebb67efd-3c46-49b0-adfe-5599eb944998)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Canada_Federal_PBMM_3-1-2020 |
CP_10(2) |
Canada_Federal_PBMM_3-1-2020_CP_10(2) |
Canada Federal PBMM 3-1-2020 CP 10(2) |
Information System Recovery and Reconstitution |
Information System Recovery and Reconstitution | Transaction Recovery |
Shared |
The information system implements transaction recovery for systems that are transaction-based. |
To minimise the impact on business operations and preventing data loss or corruption. |
|
10 |
| Canada_Federal_PBMM_3-1-2020 |
CP_10(4) |
Canada_Federal_PBMM_3-1-2020_CP_10(4) |
Canada Federal PBMM 3-1-2020 CP 10(4) |
Information System Recovery and Reconstitution |
Information System Recovery and Reconstitution | Restore within Time Period |
Shared |
The organization provides the capability to restore information system components within organization-defined restoration time-periods from configuration-controlled and integrity-protected information representing a known, operational state for the components. |
To minimise downtime and ensuring business continuity. |
|
10 |
| Canada_Federal_PBMM_3-1-2020 |
CP_2(3) |
Canada_Federal_PBMM_3-1-2020_CP_2(3) |
Canada Federal PBMM 3-1-2020 CP 2(3) |
Contingency Plan |
Contingency Plan | Resume Essential Missions / Business Functions |
Shared |
The organization plans for the resumption of essential missions and business functions within 24 hours of contingency plan activation. |
To ensure that the organization plans for the resumption of essential missions and business functions within 24 hours of activating the contingency plan. |
|
10 |
| Canada_Federal_PBMM_3-1-2020 |
CP_2(4) |
Canada_Federal_PBMM_3-1-2020_CP_2(4) |
Canada Federal PBMM 3-1-2020 CP 2(4) |
Contingency Plan |
Contingency Plan | Resume All Missions / Business Functions |
Shared |
The organization plans for the resumption of all missions and business functions within organization-defined time period of contingency plan activation. |
To ensure that the organization plans for the resumption of all missions and business functions within an organization-defined time period of contingency plan activation. |
|
10 |
| Canada_Federal_PBMM_3-1-2020 |
CP_2(5) |
Canada_Federal_PBMM_3-1-2020_CP_2(5) |
Canada Federal PBMM 3-1-2020 CP 2(5) |
Contingency Plan |
Contingency Plan | Continue Essential Missions / Business Functions |
Shared |
The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites. |
To minimise downtime, mitigate potential financial losses, maintain customer trust, and uphold critical services or functions.
|
|
10 |
| Canada_Federal_PBMM_3-1-2020 |
CP_2(6) |
Canada_Federal_PBMM_3-1-2020_CP_2(6) |
Canada Federal PBMM 3-1-2020 CP 2(6) |
Contingency Plan |
Contingency Plan | Alternate Processing / Storage Site |
Shared |
The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites. |
To minimise downtime and ensure that critical services can continue uninterrupted until full restoration is achieved. |
|
10 |
| CMMC_L2_v1.9.0 |
CM.L2_3.4.1 |
CMMC_L2_v1.9.0_CM.L2_3.4.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.1 |
Configuration Management |
System Baselining |
Shared |
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. |
To ensure consistency, security, and compliance with organizational standards and requirements. |
|
16 |
| CSA_v4.0.12 |
DCS_06 |
CSA_v4.0.12_DCS_06 |
CSA Cloud Controls Matrix v4.0.12 DCS 06 |
Datacenter Security |
Assets Cataloguing and Tracking |
Shared |
n/a |
Catalogue and track all relevant physical and logical assets located
at all of the CSP's sites within a secured system. |
|
6 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
193 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
310 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.7 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 |
404 not found |
|
|
|
n/a |
n/a |
|
95 |
| ISO_IEC_27002_2022 |
5.9 |
ISO_IEC_27002_2022_5.9 |
ISO IEC 27002 2022 5.9 |
Preventive,
Identifying Control |
Inventory of information and other associated assets |
Shared |
An inventory of information and other associated assets, including owners, should be developed and maintained.
|
To identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership. |
|
7 |
| ISO_IEC_27017_2015 |
8.1.1 |
ISO_IEC_27017_2015_8.1.1 |
ISO IEC 27017 2015 8.1.1 |
Asset Management |
Inventory of Assets |
Shared |
For Cloud Service Customer:
The cloud service customer's inventory of assets should account for information and associated assets stored in the cloud computing environment. The records of the inventory should indicate where the assets are maintained, e.g., identification of the cloud service.
For Cloud Service Provider:
The inventory of assets of the cloud service provider should explicitly identify:
(i) cloud service customer data;
(ii) cloud service derived data. |
To identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership. |
|
7 |
| NIST_SP_800-171_R3_3 |
.4.10 |
NIST_SP_800-171_R3_3.4.10 |
NIST 800-171 R3 3.4.10 |
Configuration Management Control |
System Component Inventory |
Shared |
System components are discrete, identifiable assets (i.e., hardware, software, and firmware elements) that compose a system. Organizations may implement centralized system component inventories that include components from all systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information — and for networked components — the machine names and network addresses for all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include component type, physical location, date of receipt, manufacturer, cost, model, serial number, and supplier information. |
a. Develop and document an inventory of system components.
b. Review and update the system component inventory periodically.
c. Update the system component inventory as part of installations, removals, and system updates. |
|
7 |
| NIST_SP_800-53_R5.1.1 |
CM.8.1 |
NIST_SP_800-53_R5.1.1_CM.8.1 |
NIST SP 800-53 R5.1.1 CM.8.1 |
Configuration Management Control |
System Component Inventory | Updates During Installation and Removal |
Shared |
Update the inventory of system components as part of component installations, removals, and system updates. |
Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated as part of component installations or removals or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components. |
|
1 |
| NZISM_v3.7 |
5.1.21.C.02. |
NZISM_v3.7_5.1.21.C.02. |
NZISM v3.7 5.1.21.C.02. |
Documentation Fundamentals |
5.1.21.C.02. - establish a systematic approach to reviewing information security documentation, |
Shared |
n/a |
Agencies SHOULD ensure that information security documentation is reviewed:
1. At least annually; or
2. In response to significant changes in the environment, business or system; and
3. With the date of the most recent review being recorded on each document. |
|
6 |
| NZISM_v3.7 |
6.4.6.C.01. |
NZISM_v3.7_6.4.6.C.01. |
NZISM v3.7 6.4.6.C.01. |
Business Continuity and Disaster Recovery |
6.4.6.C.01. - enhance operational resilience. |
Shared |
n/a |
Agencies SHOULD:
1.Identify vital records;
2. backup all vital records;
3. store copies of critical information, with associated documented recovery procedures, offsite and secured in accordance with the requirements for the highest 4.
4. classification of the information; and
5. test backup and restoration processes regularly to confirm their effectiveness. |
|
13 |
| NZISM_v3.7 |
7.3.11.C.01. |
NZISM_v3.7_7.3.11.C.01. |
NZISM v3.7 7.3.11.C.01. |
Managing Information Security Incidents |
7.3.11.C.01. - support comprehensive investigations and ensure accountability |
Shared |
n/a |
Agencies SHOULD:
1. transfer a copy of raw audit trails and other relevant data onto media for secure archiving, as well as securing manual log records for retention; and
2. ensure that all personnel involved in the investigation maintain a record of actions undertaken to support the investigation. |
|
8 |
| NZISM_v3.7 |
7.3.6.C.01. |
NZISM_v3.7_7.3.6.C.01. |
NZISM v3.7 7.3.6.C.01. |
Managing Information Security Incidents |
7.3.6.C.01. - enhance incident management and oversight. |
Shared |
n/a |
Agencies SHOULD ensure that all information security incidents are recorded in a register. |
|
8 |
| PCI_DSS_v4.0.1 |
9.5.1 |
PCI_DSS_v4.0.1_9.5.1 |
PCI DSS v4.0.1 9.5.1 |
Restrict Physical Access to Cardholder Data |
Protection Measures for POI Devices Against Tampering and Unauthorized Substitution |
Shared |
n/a |
POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following:
• Maintaining a list of POI devices.
• Periodically inspecting POI devices to look for tampering or unauthorized substitution.
• Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices. |
|
9 |
| PCI_DSS_v4.0.1 |
9.5.1.1 |
PCI_DSS_v4.0.1_9.5.1.1 |
PCI DSS v4.0.1 9.5.1.1 |
Restrict Physical Access to Cardholder Data |
Maintenance of an Up-to-Date List of POI Devices |
Shared |
n/a |
An up-to-date list of POI devices is maintained, including:
• Make and model of the device.
• Location of device.
• Device serial number or other methods of unique identification. |
|
7 |