Az Policy Advertizer

1144

AU_ISM_1144

AU ISM 1144

Guidelines for System Management - System patching

When to patch security vulnerabilities - 1144

n/a

Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.

1472

AU_ISM_1472

AU ISM 1472

Guidelines for System Management - System patching

When to patch security vulnerabilities - 1472

n/a

Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users.

1494

AU_ISM_1494

AU ISM 1494

Guidelines for System Management - System patching

When to patch security vulnerabilities - 1494

n/a

Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.

1495

AU_ISM_1495

AU ISM 1495

Guidelines for System Management - System patching

When to patch security vulnerabilities - 1495

n/a

Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users.

1496

AU_ISM_1496

AU ISM 1496

Guidelines for System Management - System patching

When to patch security vulnerabilities - 1496

n/a

Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users.

940

AU_ISM_940

AU ISM 940

Guidelines for System Management - System patching

When to patch security vulnerabilities - 940

n/a

Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users.

Azure_Security_Benchmark_v1.0

5.1

Azure_Security_Benchmark_v1.0_5.1

Azure Security Benchmark 5.1

Vulnerability Management

Run automated vulnerability scanning tools

Customer

Follow recommendations from Azure Security Center on performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Use a third-party solution for performing vulnerability assessments on network devices and web applications. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning. How to implement Azure Security Center vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations

n/a

Azure_Security_Benchmark_v2.0

PV-6

Azure_Security_Benchmark_v2.0_PV-6

Azure Security Benchmark PV-6

Posture and Vulnerability Management

Perform software vulnerability assessments

Customer

Follow recommendations from Azure Security Center for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Azure Security Center has a built-in vulnerability scanner for virtual machine scan. Use a third-party solution for performing vulnerability assessments on network devices and web applications. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT (Just In Time) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning. Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Azure Security Center, you can pivot into the selected scan solution's portal to view historical scan data. How to implement Azure Security Center vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations Integrated vulnerability scanner for virtual machines: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment SQL vulnerability assessment: https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment Exporting Azure Security Center vulnerability scan results: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment#exporting-results

n/a

Azure_Security_Benchmark_v3.0

PV-5

Azure_Security_Benchmark_v3.0_PV-5

Microsoft cloud security benchmark PV-5

Posture and Vulnerability Management

Perform vulnerability assessments

Shared

**Security Principle:** Perform vulnerabilities assessment for your cloud resources at all tiers in a fixed schedule or on-demand. Track and compare the scan results to verify the vulnerabilities are remediated. The assessment should include all type of vulnerabilities, such as vulnerabilities in Azure services, network, web, operating systems, misconfigurations, and so on. Be aware of the potential risks associated with the privileged access used by the vulnerability scanners. Follow the privileged access security best practice to secure any administrative accounts used for the scanning. **Azure Guidance:** Follow recommendations from Microsoft Defender for Cloud for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Microsoft Defender for Cloud has a built-in vulnerability scanner for virtual machine scan. Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications) Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Microsoft Defender for Cloud, you can pivot into the selected scan solution's portal to view historical scan data. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT (Just In Time) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning. Note: Azure Defender services (including Defender for server, container registry, App Service, SQL, and DNS) embed certain vulnerability assessment capabilities. The alerts generated from Azure Defender services should be monitored and reviewed together with the result from Microsoft Defender for Cloud vulnerability scanning tool. Note: Ensure your setup email notifications in Microsoft Defender for Cloud. **Implementation and additional context:** How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations Integrated vulnerability scanner for virtual machines: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment SQL vulnerability assessment: https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment Exporting Microsoft Defender for Cloud vulnerability scan results: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment#exporting-results

n/a

Canada_Federal_PBMM_3-1-2020_AC_2

AC_2

Canada Federal PBMM 3-1-2020 AC 2

Account Management

Shared

1. The organization identifies and selects which types of information system accounts support organizational missions/business functions. 2. The organization assigns account managers for information system accounts. 3. The organization establishes conditions for group and role membership. 4. The organization specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account. 5. The organization requires approvals by responsible managers for requests to create information system accounts. 6. The organization creates, enables, modifies, disables, and removes information system accounts in accordance with information system account management procedures. 7. The organization monitors the use of information system accounts. 8. The organization notifies account managers: a. When accounts are no longer required; b. When users are terminated or transferred; and c. When individual information system usage or need-to-know changes. 9. The organization authorizes access to the information system based on: a. A valid access authorization; b. Intended system usage; and c. Other attributes as required by the organization or associated missions/business functions. 10. The organization reviews accounts for compliance with account management requirements at least annually. 11. The organization establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

To ensure the security, integrity, and efficiency of the information systems.

Canada_Federal_PBMM_3-1-2020_AC_2(1)

AC_2(1)

Canada Federal PBMM 3-1-2020 AC 2(1)

Account Management

Account Management | Automated System Account Management

Shared

The organization employs automated mechanisms to support the management of information system accounts.

To streamline and enhance information system account management processes.

Canada_Federal_PBMM_3-1-2020_CA_2

CA_2

Canada Federal PBMM 3-1-2020 CA 2

Security Assessments

Shared

1. The organization develops a security assessment plan that describes the scope of the assessment including: a. Security controls and control enhancements under assessment; b. Assessment procedures to be used to determine security control effectiveness; and c. Assessment environment, assessment team, and assessment roles and responsibilities. 2. The organization assesses the security controls in the information system and its environment of operation at least annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements. 3. The organization produces a security assessment report that documents the results of the assessment. 4. The organization provides the results of the security control assessment to organization-defined individuals or roles.

To enhance the overall security posture of the organization.

Canada_Federal_PBMM_3-1-2020_CA_3

CA_3

Canada Federal PBMM 3-1-2020 CA 3

Information System Connections

System Interconnections

Shared

1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements. 2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated. 3. The organization reviews and updates Interconnection Security Agreements annually.

To establish and maintain secure connections between information systems.

Canada_Federal_PBMM_3-1-2020_CA_3(3)

CA_3(3)

Canada Federal PBMM 3-1-2020 CA 3(3)

Information System Connections

System Interconnections | Classified Non-National Security System Connections

Shared

The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner.

To ensure the integrity and security of internal systems against external threats.

Canada_Federal_PBMM_3-1-2020_CA_3(5)

CA_3(5)

Canada Federal PBMM 3-1-2020 CA 3(5)

Information System Connections

System Interconnections | Restrictions on External Network Connections

Shared

The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems.

To enhance security posture against unauthorized access.

Canada_Federal_PBMM_3-1-2020_CA_7

CA_7

Canada Federal PBMM 3-1-2020 CA 7

Continuous Monitoring

Shared

1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency.

To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements.

120

Canada_Federal_PBMM_3-1-2020_CM_2

CM_2

Canada Federal PBMM 3-1-2020 CM 2

Baseline Configuration

Shared

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

To support effective management and security practices.

Canada_Federal_PBMM_3-1-2020_CM_2(1)

CM_2(1)

Canada Federal PBMM 3-1-2020 CM 2(1)

Baseline Configuration

Baseline Configuration | Reviews and Updates

Shared

The organization reviews and updates the baseline configuration of the information system: 1. at least annually; or 2. When required due to significant changes as defined in NIST SP 800-37 rev1; and 3. As an integral part of information system component installations and upgrades.

To ensure alignment with current security standards and operational requirements.

Canada_Federal_PBMM_3-1-2020_CM_2(2)

CM_2(2)

Canada Federal PBMM 3-1-2020 CM 2(2)

Baseline Configuration

Baseline Configuration | Automation Support for Accuracy / Currency

Shared

The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

To ensure the information system maintains an up-to-date, complete, accurate, and readily available baseline configuration

Canada_Federal_PBMM_3-1-2020_IA_5

IA_5

Canada Federal PBMM 3-1-2020 IA 5

Authenticator Management

Shared

1. The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. 2. The organization manages information system authenticators by establishing initial authenticator content for authenticators defined by the organization. 3. The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use. 4. The organization manages information system authenticators by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators. 5. The organization manages information system authenticators by changing the default content of authenticators prior to information system installation. 6. The organization manages information system authenticators by establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators. 7. The organization manages information system authenticators by changing/refreshing authenticators in accordance with CCCS’s ITSP.30.031. 8. The organization manages information system authenticators by protecting authenticator content from unauthorized disclosure and modification. 9. The organization manages information system authenticators by requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators. 10. The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes.

To effectively manage information system authenticators through verification of recipient identity.

Canada_Federal_PBMM_3-1-2020_IA_5(11)

IA_5(11)

Canada Federal PBMM 3-1-2020 IA 5(11)

Authenticator Management

Authenticator Management | Hardware Token-Based Authentication

Shared

The information system, for hardware token-based authentication, employs mechanisms that satisfy CCCS's ITSP.30.031 token quality requirements.

To enhance overall security and compliance with CCCS guidelines.

Canada_Federal_PBMM_3-1-2020_MP_1

MP_1

Canada Federal PBMM 3-1-2020 MP 1

Media Protection Policy and Procedures

Shared

1. The organization develops, documents, and disseminates to all personnel: a. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the media protection policy and associated media protection controls. 2. The organization reviews and updates the current: a. Media protection policy at least every 3 years; and b. Media protection procedures at least annually.

To implement media protection policy and procedures.

Canada_Federal_PBMM_3-1-2020_PL_1

PL_1

Canada Federal PBMM 3-1-2020 PL 1

Security Planning Policy and Procedures

Shared

1. The organization develops, documents, and disseminates to personnel or roles with security planning responsibilities a. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the security planning policy and associated security planning controls. 2. The organization reviews and updates the current: a. Security planning policy at least every 3 years; and b. Security planning procedures at least annually.

To ensure safety of data and enhance security posture.

Canada_Federal_PBMM_3-1-2020_PL_2

PL_2

Canada Federal PBMM 3-1-2020 PL 2

System Security Plan

Shared

1. The organization develops a security plan for the information system that: a. Is consistent with the organization’s enterprise architecture; b. Explicitly defines the authorization boundary for the system; c. Describes the operational context of the information system in terms of missions and business processes; d. Provides the security categorization of the information system including supporting rationale; e. Describes the operational environment for the information system and relationships with or connections to other information systems; f. Provides an overview of the security requirements for the system; g. Identifies any relevant overlays, if applicable; h. Describes the security controls in place or planned for meeting those requirements including a rationale for tailoring decisions; and i. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation. 2. The organization distributes copies of the security plan and communicates subsequent changes to the plan to personnel or roles with security planning responsibilities. 3. The organization reviews the security plan for the information system at least annually. 4. The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments. 5. The organization protects the security plan from unauthorized disclosure and modification.

To ensure safety of data and enhance security posture.

CIS_Azure_1.3.0

4.2.2

CIS_Azure_1.3.0_4.2.2

CIS Microsoft Azure Foundations Benchmark recommendation 4.2.2

4 Database Services

Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account

Shared

The customer is responsible for implementing this recommendation.

Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.

CIS_Azure_1.4.0

4.2.2

CIS_Azure_1.4.0_4.2.2

CIS Microsoft Azure Foundations Benchmark recommendation 4.2.2

4 Database Services

Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account

Shared

The customer is responsible for implementing this recommendation.

Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.

CIS_Azure_2.0.0

4.2.2

CIS_Azure_2.0.0_4.2.2

CIS Microsoft Azure Foundations Benchmark recommendation 4.2.2

4.2

Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account

Shared

Enabling the `Microsoft Defender for SQL` features will incur additional costs for each SQL server.

Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases. Enabling Microsoft Defender for SQL server does not enables Vulnerability Assessment capability for individual SQL databases unless storage account is set to store the scanning data and reports. The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.

CIS_Azure_2.0.0

4.2.4

CIS_Azure_2.0.0_4.2.4

CIS Microsoft Azure Foundations Benchmark recommendation 4.2.4

4.2

Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server

Shared

Enabling the `Microsoft Defender for SQL` features will incur additional costs for each SQL server.

Configure 'Send scan reports to' with email addresses of concerned data owners/stakeholders for a critical SQL servers. Vulnerability Assessment (VA) scan reports and alerts will be sent to email addresses configured at 'Send scan reports to'. This may help in reducing time required for identifying risks and taking corrective measures.

CIS_Azure_2.0.0

4.2.5

CIS_Azure_2.0.0_4.2.5

CIS Microsoft Azure Foundations Benchmark recommendation 4.2.5

4.2

Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server

Shared

Enabling the `Microsoft Defender for SQL` features will incur additional costs for each SQL server.

Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'. VA scan reports and alerts will be sent to admins and subscription owners by enabling setting 'Also send email notifications to admins and subscription owners'. This may help in reducing time required for identifying risks and taking corrective measures.

10.7

CIS_Controls_v8.1_10.7

CIS Controls v8.1 10.7

Malware Defenses

Use behaviour based anti-malware software

Shared

Use behaviour based anti-malware software

To ensure that a generic anti-malware software is not used.

12.1

CIS_Controls_v8.1_12.1

CIS Controls v8.1 12.1

Network Infrastructure Management

Ensure network infrastructure is up to date

Shared

1. Ensure network infrastructure is kept up-to-date. 2. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. 3. Review software versions monthly, or more frequently, to verify software support.

To prevent any unauthorized or malicious activity on network systems.

12.3

CIS_Controls_v8.1_12.3

CIS Controls v8.1 12.3

Network Infrastructure Management

Securely manage network infrastructure

Shared

1. Securely manage network infrastructure. 2. Example implementations include version-controlled-infrastructure-ascode, and the use of secure network protocols, such as SSH and HTTPS.

To ensure proper management of network infrastructure.

13.1

CIS_Controls_v8.1_13.1

CIS Controls v8.1 13.1

Network Monitoring and Defense

Centralize security event alerting

Shared

1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard.

To ensure that any security event is immediately alerted enterprise-wide.

13.3

CIS_Controls_v8.1_13.3

CIS Controls v8.1 13.3

Network Monitoring and Defense

Deploy a network intrusion detection solution

Shared

1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

To enhance the organization's cybersecurity.

16.12

CIS_Controls_v8.1_16.12

CIS Controls v8.1 16.12

Application Software Security

Implement code-level security checks

Shared

Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed.

To help identify and address potential security issues early in the development process, enhancing the overall security posture of the application.

16.13

CIS_Controls_v8.1_16.13

CIS Controls v8.1 16.13

Application Software Security

Conduct application penetration testing

Shared

1. Conduct application penetration testing. 2. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. 3. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.

To identify potential security weaknesses and assess the overall security posture of the application.

16.2

CIS_Controls_v8.1_16.2

CIS Controls v8.1 16.2

Application Software Security

Establish and maintain a process to accept and address software vulnerabilities

Shared

1. Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. 2. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. 3. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. 4. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. 5. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders.

To serve as an externally-facing document that establishes expectations for external stakeholders regarding vulnerability reporting and remediation procedures.

16.5

CIS_Controls_v8.1_16.5

CIS Controls v8.1 16.5

Application Software Security

Use up-to-date and trusted third-party software components

Shared

1. Use up-to-date and trusted third-party software components. 2. When possible, choose established and proven frameworks and libraries that provide adequate security. 3. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use.

To utilize up-to-date and trusted third-party software components in application development.

16.6

CIS_Controls_v8.1_16.6

CIS Controls v8.1 16.6

Application Software Security

Establish and maintain a severity rating system and process for application vulnerabilities

Shared

1. Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. 2. This process includes setting a minimum level of security acceptability for releasing code or applications. 3. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. 4. Review and update the system and process annually.

To establish and maintain a severity rating system and corresponding process for addressing application vulnerabilities, enabling prioritization of fixes based on severity levels, adapt to evolving threat landscapes and maintain effectiveness in mitigating risks.

16.7

CIS_Controls_v8.1_16.7

CIS Controls v8.1 16.7

Application Software Security

Use standard hardening configuration templates for application infrastructure

Shared

1. Use standard, industry-recommended hardening configuration templates for application infrastructure components. 2. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. 3. Do not allow in-house developed software to weaken configuration hardening.

To ensure that in-house developed software does not compromise the established configuration hardening standards.

18.1

CIS_Controls_v8.1_18.1

CIS Controls v8.1 18.1

Penetration Testing

Establish and maintain a penetration testing program

Shared

1. Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. 2. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.

To establish and maintain a penetration testing program tailored to the size, complexity, and maturity of the enterprise.

18.2

CIS_Controls_v8.1_18.2

CIS Controls v8.1 18.2

Penetration Testing

Perform periodic external penetration tests

Shared

1. Perform periodic external penetration tests based on program requirements, no less than annually. 2. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. 3. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. 4. The testing may be clear box or opaque box.

To ensure thorough assessment and mitigation of potential vulnerabilities.

18.3

CIS_Controls_v8.1_18.3

CIS Controls v8.1 18.3

Penetration Testing

Remediate penetration test findings

Shared

Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

To mitigate security risks effectively.

18.4

CIS_Controls_v8.1_18.4

CIS Controls v8.1 18.4

Penetration Testing

Validate security measures

Shared

Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.

To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise.

CMMC_L2_v1.9.0_RA.L2_3.11.2

18.5

CIS_Controls_v8.1_18.5

404 not found

n/a

CMMC_2.0_L2

RA.L2-3.11.2

CMMC_2.0_L2_RA.L2-3.11.2

404 not found

n/a

CMMC_2.0_L2

RA.L2-3.11.3

CMMC_2.0_L2_RA.L2-3.11.3

404 not found

n/a

CMMC_L2_v1.9.0

RA.L2_3.11.2

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 RA.L2 3.11.2

Risk Assessment

Vulnerability Scan

Shared

Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

To enhance the overall security posture of the organization.

CMMC_L2_v1.9.0

SI.L1_3.14.1

CMMC_L2_v1.9.0_SI.L1_3.14.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.1

System and Information Integrity

Flaw Remediation

Shared

Identify, report, and correct information and information system flaws in a timely manner.

To safeguard assets and maintain operational continuity.

CA.2.158

CMMC_L3_CA.2.158

CMMC L3 CA.2.158

Security Assessment

Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating as intended. Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Organizations can choose to use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of systems during the system life cycle.

CA.3.161

CMMC_L3_CA.3.161

CMMC L3 CA.3.161

Security Assessment

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions. Automation supports more frequent updates to hardware, software, firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Monitoring requirements, including the need for specific monitoring, may also be referenced in other requirements.

RM.2.141

CMMC_L3_RM.2.141

CMMC L3 RM.2.141

Risk Assessment

Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Clearly defined system boundaries are a prerequisite for effective risk assessments. Such risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations, organizational assets, and individuals based on the operation and use of organizational systems. Risk assessments also consider risk from external parties (e.g., service providers, contractors operating systems on behalf of the organization, individuals accessing organizational systems, outsourcing entities). Risk assessments, either formal or informal, can be conducted at the organization level, the mission or business process level, or the system level, and at any phase in the system development life cycle.

RM.2.142

CMMC_L3_RM.2.142

CMMC L3 RM.2.142

Risk Assessment

Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning.

RM.2.143

CMMC_L3_RM.2.143

CMMC L3 RM.2.143

Risk Assessment

Remediate vulnerabilities in accordance with risk assessments.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Vulnerabilities discovered, for example, via the scanning conducted in response to RM.2.142, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.

AIS_07

CSA_v4.0.12_AIS_07

CSA Cloud Controls Matrix v4.0.12 AIS 07

Application & Interface Security

Application Vulnerability Remediation

Shared

n/a

Define and implement a process to remediate application security vulnerabilities, automating remediation when possible.

CCC_07

CSA_v4.0.12_CCC_07

CSA Cloud Controls Matrix v4.0.12 CCC 07

Change Control and Configuration Management

Detection of Baseline Deviation

Shared

n/a

Implement detection measures with proactive notification in case of changes deviating from the established baseline.

TVM_04

CSA_v4.0.12_TVM_04

CSA Cloud Controls Matrix v4.0.12 TVM 04

Threat & Vulnerability Management

Detection Updates

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis.

TVM_08

CSA_v4.0.12_TVM_08

CSA Cloud Controls Matrix v4.0.12 TVM 08

Threat & Vulnerability Management

Vulnerability Prioritization

Shared

n/a

Use a risk-based model for effective prioritization of vulnerability remediation using an industry recognized framework.

EU_2555_(NIS2)_2022_11

EU 2022/2555 (NIS2) 2022 11

Requirements, technical capabilities and tasks of CSIRTs

Shared

n/a

Outlines the requirements, technical capabilities, and tasks of CSIRTs.

EU_2555_(NIS2)_2022_12

EU 2022/2555 (NIS2) 2022 12

Coordinated vulnerability disclosure and a European vulnerability database

Shared

n/a

Establishes a coordinated vulnerability disclosure process and a European vulnerability database.

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

189

EU_2555_(NIS2)_2022_29

EU 2022/2555 (NIS2) 2022 29

Cybersecurity information-sharing arrangements

Shared

n/a

Allows entities to exchange relevant cybersecurity information on a voluntary basis.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

306

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

306

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

306

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

306

.11

FBI_Criminal_Justice_Information_Services_v5.9.5_5.11

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11

Policy and Implementation - Formal Audits

Policy Area 11: Formal Audits

Shared

Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit.

Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies.

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.7

404 not found

n/a

FedRAMP_High_R4

RA-5

FedRAMP_High_R4_RA-5

FedRAMP High RA-5

Risk Assessment

Vulnerability Scanning

Shared

n/a

The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times], in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). Supplemental Guidance: Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. References: NIST Special Publications 800-40, 800-70, 800-115; Web: http://cwe.mitre.org, http://nvd.nist.gov.

FedRAMP_Moderate_R4

RA-5

FedRAMP_Moderate_R4_RA-5

FedRAMP Moderate RA-5

Risk Assessment

Vulnerability Scanning

Shared

n/a

hipaa-0709.10m1Organizational.1-10.m

hipaa

0709.10m1Organizational.1-10.m

0709.10m1Organizational.1-10.m

07 Vulnerability Management

0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management

Shared

n/a

Technical vulnerabilities are identified, evaluated for risk, and corrected in a timely manner.

HITRUST_CSF_v11.3

10.c

HITRUST_CSF_v11.3_10.c

HITRUST CSF v11.3 10.c

Correct Processing in Applications

Incorporate validation checks into applications to detect any corruption of information through processing errors or deliberate acts.

Shared

Data integrity controls which manage changes, prevent sequencing errors, ensure recovery from failures, and protect against buffer overrun attacks are to be implemented.

Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.

HITRUST_CSF_v11.3

10.m

HITRUST_CSF_v11.3_10.m

HITRUST CSF v11.3 10.m

Technical Vulnerability Management

Reduce the risks resulting from exploitation of published technical vulnerabilities, technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness.

Shared

1. The necessary secure services, protocols required for the function of the system are to be enabled. 2. Security features to be implemented for any required services that are considered to be insecure. 3. Laptops, workstations, and servers to be configured so they will not auto-run content from removable media. 4. Configuration standards to be consistent with industry-accepted system hardening standards. 5. An enterprise security posture review within every 365 days is to be conducted. 6. Vulnerability scanning tools to be regularly updated with all relevant information system vulnerabilities.

Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.

2.10.1

K_ISMS_P_2018_2.10.1

K ISMS P 2018 2.10.1

2.10

Establish Procedures for Managing the Security of System Operations

Shared

n/a

Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions.

408

2.10.2

K_ISMS_P_2018_2.10.2

K ISMS P 2018 2.10.2

2.10

Establish Protective Measures for Administrator Privileges and Security Configurations

Shared

n/a

Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations.

385

2.10.9

K_ISMS_P_2018_2.10.9

K ISMS P 2018 2.10.9

2.10

Implement Protective Measures Against Malicious Code

Shared

n/a

Establish and implement measures for preventing, detecting, and responding to malicious codes such as viruses, worms, trojan horses, or ransomware to protect information systems and personal information.

New_Zealand_ISM_06.2.5.C.01

2.11.2

K_ISMS_P_2018_2.11.2

K ISMS P 2018 2.11.2

2.11

Perform Periodic Inspections of the Information System to Identify and Address Vulnerabilities

Shared

n/a

Perform periodic inspections of the information system to identify and address vulnerabilities in a timely manner. Continuous monitoring for new security vulnerabilities with analysis of its potential impacts to the information system must also be performed.

New_Zealand_ISM

06.2.5.C.01

06. Information security monitoring

06.2.5.C.01 Conducting vulnerability assessments

n/a

Agencies SHOULD conduct vulnerability assessments in order to establish a baseline. This SHOULD be done: before a system is first used; after any significant incident; after a significant change to the system; after changes to standards, policies and guidelines; when specified by an ITSM or system owner.

NIST_CSF_v2.0

DE.CM_09

NIST_CSF_v2.0_DE.CM_09

NIST CSF v2.0 DE.CM 09

DETECT- Continuous Monitoring

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

Shared

n/a

To identify and analyze the cybersecurity attacks and compromises.

NIST_CSF_v2.0

ID.RA_01

NIST_CSF_v2.0_ID.RA_01

NIST CSF v2.0 ID.RA 01

IDENTIFY -Risk Assessment

Vulnerabilities in assets are identified, validated, and recorded.

Shared

n/a

To ensure that cybersecurity risks are known to the organization.

NIST_SP_800-171_R2_3

.11.2

NIST_SP_800-171_R2_3.11.2

NIST SP 800-171 R2 3.11.2

Risk Assessment

Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

NIST_SP_800-171_R2_3.11.3

NIST_SP_800-171_R2_3

.11.3

NIST SP 800-171 R2 3.11.3

Risk Assessment

Remediate vulnerabilities in accordance with risk assessments.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.

NIST_SP_800-171_R3_3.11.2

NIST_SP_800-171_R3_3

.11.2

NIST 800-171 R3 3.11.2

Risk Assessment Control

Vulnerability Monitoring and Scanning

Shared

Organizations determine the required vulnerability scanning for system components and ensure that potential sources of vulnerabilities (e.g., networked printers, scanners, and copiers) are not overlooked. Vulnerability analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, or binary analysis. Organizations can use these approaches in source code reviews and tools (e.g., static analysis tools, web-based application scanners, binary analyzers). Vulnerability scanning includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated and that employ the Extensible Configuration Checklist Description Format (XCCDF). Organizations also consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL). Sources for vulnerability information also include the Common Weakness Enumeration (CWE) listing, the National Vulnerability Database (NVD), and the Common Vulnerability Scoring System (CVSS).

a. Monitor and scan for vulnerabilities in the system periodically and when new vulnerabilities affecting the system are identified. b. Remediate system vulnerabilities within [Assignment: organization-defined response times]. c. Update system vulnerabilities to be scanned periodically and when new vulnerabilities are identified and reported.

NIST_SP_800-171_R3_3

.14.1

NIST_SP_800-171_R3_3.14.1

NIST 800-171 R3 3.14.1

System and Information Integrity Control

Flaw Remediation

Shared

Organizations identify systems that are affected by announced software and firmware flaws, including potential vulnerabilities that result from those flaws, and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address the flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources, such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases, in remediating the flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors, including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.

a. Identify, report, and correct system flaws. b. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates.

NIST_SP_800-53_R4

RA-5

NIST_SP_800-53_R4_RA-5

NIST SP 800-53 Rev. 4 RA-5

Risk Assessment

Vulnerability Scanning

Shared

n/a

NIST_SP_800-53_R5.1.1_SA.11.2

NIST_SP_800-53_R5.1.1

SA.11.2

NIST SP 800-53 R5.1.1 SA.11.2

System and Services Acquisition Control

Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses

Shared

Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: (a) Uses the following contextual information: [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels]; (b) Employs the following tools and methods: [Assignment: organization-defined tools and methods]; (c) Conducts the modeling and analyses at the following level of rigor: [Assignment: organization-defined breadth and depth of modeling and analyses]; and (d) Produces evidence that meets the following acceptance criteria: [Assignment: organization-defined acceptance criteria].

Systems, system components, and system services may deviate significantly from the functional and design specifications created during the requirements and design stages of the system development life cycle. Therefore, updates to threat modeling and vulnerability analyses of those systems, system components, and system services during development and prior to delivery are critical to the effective operation of those systems, components, and services. Threat modeling and vulnerability analyses at this stage of the system development life cycle ensure that design and implementation changes have been accounted for and that vulnerabilities created because of those changes have been reviewed and mitigated.

NIST_SP_800-53_R5.1.1

SA.15.7

NIST_SP_800-53_R5.1.1_SA.15.7

NIST SP 800-53 R5.1.1 SA.15.7

System and Services Acquisition Control

Development Process, Standards, and Tools | Automated Vulnerability Analysis

Shared

Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to: (a) Perform an automated vulnerability analysis using [Assignment: organization-defined tools]; (b) Determine the exploitation potential for discovered vulnerabilities; (c) Determine potential risk mitigations for delivered vulnerabilities; and (d) Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles].

Automated tools can be more effective at analyzing exploitable weaknesses or deficiencies in large and complex systems, prioritizing vulnerabilities by severity, and providing recommendations for risk mitigations.

NIST_SP_800-53_R5.1.1

SI.2

NIST_SP_800-53_R5.1.1_SI.2

NIST SP 800-53 R5.1.1 SI.2

System and Information Integrity Control

Flaw Remediation

Shared

a. Identify, report, and correct system flaws; b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d. Incorporate flaw remediation into the organizational configuration management process.

The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

NIST_SP_800-53_R5

RA-5

NIST_SP_800-53_R5_RA-5

NIST SP 800-53 Rev. 5 RA-5

Risk Assessment

Vulnerability Monitoring and Scanning

Shared

n/a

a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

NZ_ISM_v3.5

ISM-3

NZ_ISM_v3.5_ISM-3

NZISM Security Benchmark ISM-3

Information security monitoring

6.2.5 Conducting vulnerability assessments

Customer

n/a

A baseline or known point of origin is the basis of any comparison and allows measurement of changes and improvements when further information security monitoring activities are conducted.

NZISM_Security_Benchmark_v1.1

ISM-3

NZISM_Security_Benchmark_v1.1_ISM-3

NZISM Security Benchmark ISM-3

Information security monitoring

6.2.5 Conducting vulnerability assessments

Customer

Agencies should conduct vulnerability assessments on systems: - before the system is deployed, including conducting assessments during the system design and development stages - after a significant change to the system - after significant changes to the threats or risks faced by a system; for example, a software vendor announces a critical vulnerability in a product used by the agency at least annually, or as specified by an ITSM or the system owner.

A baseline or known point of origin is the basis of any comparison and allows measurement of changes and improvements when further information security monitoring activities are conducted.

12.4.4.C.01.

NZISM_v3.7_12.4.4.C.01.

NZISM v3.7 12.4.4.C.01.

Product Patching and Updating

12.4.4.C.01. - mitigate the risk of exploitation by malicious actors and to ensure the ongoing security and integrity of the agency's IT systems and data.

Shared

n/a

Agencies MUST apply all critical security patches as soon as possible and within two (2) days of the release of the patch or update.

12.4.4.C.02.

NZISM_v3.7_12.4.4.C.02.

NZISM v3.7 12.4.4.C.02.

Product Patching and Updating

12.4.4.C.02. - minimise the risk of disruptions or vulnerabilities introduced by the patches.

Shared

n/a

Agencies MUST implement a patch management strategy, including an evaluation or testing process.

12.4.4.C.04.

NZISM_v3.7_12.4.4.C.04.

NZISM v3.7 12.4.4.C.04.

Product Patching and Updating

12.4.4.C.04. - mitigate the risk of exploitation by malicious actors and to ensure the ongoing security and integrity of the agency's IT systems and data.

Shared

n/a

Agencies SHOULD apply all critical security patches as soon as possible and preferably within two (2) days of the release of the patch or update.

12.4.4.C.05.

NZISM_v3.7_12.4.4.C.05.

NZISM v3.7 12.4.4.C.05.

Product Patching and Updating

12.4.4.C.05. - reduce the potential attack surface for malicious actors.

Shared

n/a

Agencies SHOULD apply all non-critical security patches as soon as possible.

12.4.4.C.06.

NZISM_v3.7_12.4.4.C.06.

NZISM v3.7 12.4.4.C.06.

Product Patching and Updating

12.4.4.C.06. - maintain the integrity and effectiveness of the patching process.

Shared

n/a

Agencies SHOULD ensure that security patches are applied through a vendor recommended patch or upgrade process.

14.3.12.C.01.

NZISM_v3.7_14.3.12.C.01.

NZISM v3.7 14.3.12.C.01.

Web Applications

14.3.12.C.01. - strengthening the overall security posture of the agency's network environment.

Shared

n/a

Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations.

op.exp.2 Security configuration

404 not found

n/a

112

op.exp.3 Security configuration management

404 not found

n/a

123

op.exp.4 Security maintenance and updates

404 not found

n/a

op.exp.5 Change management

404 not found

n/a

op.mon.3 Monitoring

404 not found

n/a

PCI_DSS_v4.0.1

6.3.1

PCI_DSS_v4.0.1_6.3.1

PCI DSS v4.0.1 6.3.1

Develop and Maintain Secure Systems and Software

Security vulnerabilities are identified and managed as follows: New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs). Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact. Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment. Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) are covered

Shared

n/a

Examine policies and procedures for identifying and managing security vulnerabilities to verify that processes are defined in accordance with all elements specified in this requirement. Interview responsible personnel, examine documentation, and observe processes to verify that security vulnerabilities are identified and managed in accordance with all elements specified in this requirement

PCI_DSS_v4.0.1

6.3.3

PCI_DSS_v4.0.1_6.3.3

PCI DSS v4.0.1 6.3.3

Develop and Maintain Secure Systems and Software

All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: Patches/updates for critical vulnerabilities (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release. All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity’s assessment of the criticality of the risk to the environment as identified according to the risk ranking process at Requirement 6.3.1

Shared

n/a

Examine policies and procedures to verify processes are defined for addressing vulnerabilities by installing applicable security patches/updates in accordance with all elements specified in this requirement. Examine system components and related software and compare the list of installed security patches/updates to the most recent security patch/update information to verify vulnerabilities are addressed in accordance with all elements specified in this requirement

PCI_DSS_v4.0.1

6.4.1

PCI_DSS_v4.0.1_6.4.1

PCI DSS v4.0.1 6.4.1

Develop and Maintain Secure Systems and Software

For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows: At least once every 12 months and after significant changes. By an entity that specializes in application security. Including, at a minimum, all common software attacks in Requirement 6.2.4. All vulnerabilities are ranked in accordance with requirement 6.3.1. All vulnerabilities are corrected. The application is re-evaluated after the corrections. OR Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows: Installed in front of public-facing web applications to detect and prevent web-based attacks. Actively running and up to date as applicable. Generating audit logs. Configured to either block web-based attacks or generate an alert that is immediately investigated

Shared

n/a

For public-facing web applications, ensure that either one of the required methods is in place as follows: If manual or automated vulnerability security assessment tools or methods are in use, examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed in accordance with all elements of this requirement specific to the tool/method. OR If an automated technical solution(s) is installed that continually detects and prevents web-based attacks, examine the system configuration settings and audit logs, and interview responsible personnel to verify that the automated technical solution(s) is installed in accordance with all elements of this requirement specific to the solution(s)

13.2

RBI_CSF_Banks_v2016_13.2

Advanced Real-Timethreat Defenceand Management

Advanced Real-Timethreat Defenceand Management-13.2

n/a

Implement Anti-malware, Antivirus protection including behavioural detection systems for all categories of devices ???(Endpoints such as PCs/laptops/ mobile devices etc.), servers (operating systems, databases, applications, etc.), Web/Internet gateways, email-gateways, Wireless networks, SMS servers etc. including tools and processes for centralised management and monitoring.

13.4

RBI_CSF_Banks_v2016_13.4

Advanced Real-Timethreat Defenceand Management

Advanced Real-Timethreat Defenceand Management-13.4

n/a

Consider implementingsecure web gateways with capability to deep scan network packets including secure (HTTPS, etc.) traffic passing through the web/internet gateway

18.1

RBI_CSF_Banks_v2016_18.1

Vulnerability Assessment And Penetration Test And Red Team Exercises

Vulnerability Assessment And Penetration Test And Red Team Exercises-18.1

n/a

Periodically conduct vulnerability assessment and penetration testing exercises for all the critical systems, particularly those facing the internet.

18.2

RBI_CSF_Banks_v2016_18.2

Vulnerability Assessment And Penetration Test And Red Team Exercises

Vulnerability Assessment And Penetration Test And Red Team Exercises-18.2

n/a

The vulnerabilities detected are to be remedied promptly in terms of the bank???s risk management/treatment framework so asto avoid exploitation of such vulnerabilities.

20.1

RBI_CSF_Banks_v2016_20.1

Risk Based Transaction Monitoring

Risk Based Transaction Monitoring-20.1

n/a

Risk based transaction monitoring or surveillance process shall be implemented as part of fraud risk management system across all -delivery channels.

7.1

RBI_CSF_Banks_v2016_7.1

Patch/Vulnerability & Change Management

Patch/Vulnerability & Change Management-7.1

n/a

Follow a documented risk-based strategy for inventorying IT components that need to be patched, identification of patches and applying patches so as to minimize the number of vulnerable systems and the time window of vulnerability/exposure.

7.2

RBI_CSF_Banks_v2016_7.2

Patch/Vulnerability & Change Management

Patch/Vulnerability & Change Management-7.2

n/a

Put in place systems and processes to identify, track, manage and monitor the status of patches to operating system and application software running at end-user devices directly connected to the internet and in respect of Server operating Systems/Databases/Applications/ Middleware, etc.

RBI_ITF_NBFC_v2017

RBI_ITF_NBFC_v2017_1

RBI IT Framework 1

IT Governance

IT Governance-1

n/a

IT Governance is an integral part of corporate governance. It involves leadership support, organizational structure and processes to ensure that the NBFC???s IT sustains and extends business strategies and objectives. Effective IT Governance is the responsibility of the Board of Directors and Executive Management. Well-defined roles and responsibilities of Board and Senior Management are critical, while implementing IT Governance. Clearly-defined roles enable effective project control. People, when they are aware of others' expectations from them, are able to complete work on time, within budget and to the expected level of quality. IT Governance Stakeholders include: Board of Directors, IT Strategy Committees, CEOs, Business Executives, Chief Information Officers (CIOs), Chief Technology Officers (CTOs), IT Steering Committees (operating at an executive level and focusing on priority setting, resource allocation and project tracking), Chief Risk Officer and Risk Committees. The basic principles of value delivery, IT Risk Management, IT resource management and performance management must form the basis of governance framework. IT Governance has a continuous life-cycle. It's a process in which IT strategy drives the processes, using resources necessary to execute responsibilities. Given the criticality of the IT, NBFCs may follow relevant aspects of such prudential governance standards that have found acceptability in the finance industry.

RBI_ITF_NBFC_v2017

3.3

RBI_ITF_NBFC_v2017_3.3

RBI IT Framework 3.3

Information and Cyber Security

Vulnerability Management-3.3

n/a

A vulnerability can be defined as an inherent configuration flaw in an organization???s information technology base, whether hardware or software, which can be exploited by a third party to gather sensitive information regarding the organization. Vulnerability management is an ongoing process to determine the process of eliminating or mitigating vulnerabilities based upon the risk and cost associated with the vulnerabilities. NBFCs may devise a strategy for managing and eliminating vulnerabilities and such strategy may clearly be communicated in the Cyber Security policy

RMiT_v1.0

11.8

RMiT_v1.0_11.8

RMiT 11.8

Cybersecurity Operations

Cybersecurity Operations - 11.8

Shared

n/a

A financial institution must ensure that its cybersecurity operations continuously prevent and detect any potential compromise of its security controls or weakening of its security posture. For large financial institutions, this must include performing a quarterly vulnerability assessment of external and internal network components that support all critical systems.

SOC_2

CC3.2

SOC_2_CC3.2

SOC 2 Type 2 CC3.2

Risk Assessment

COSO Principle 7

Shared

The customer is responsible for implementing this recommendation.

Points of focus specified in the COSO framework: • Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels — The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives. • Analyzes Internal and External Factors — Risk identification considers both internal and external factors and their impact on the achievement of objectives. • Involves Appropriate Levels of Management — The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management. • Estimates Significance of Risks Identified — Identified risks are analyzed through a process that includes estimating the potential significance of the risk. • Determines How to Respond to Risks — Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk. Additional points of focus specifically related to all engagements using the trust services criteria: • Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities — The entity's risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identified assets. • Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties — The entity's risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and others with access to the entity's information systems. • Considers the Significance of the Risk — The entity’s consideration of the potential significance of the identified risks includes (1) determining the criticality of identified assets in meeting objectives; (2) assessing the impact of identified threats and vulnerabilities in meeting objectives; (3) assessing the likelihood of identified threats; and (4) determining the risk associated with assets based on asset criticality, threat impact, and likelihood.

SOC_2

CC7.1

SOC_2_CC7.1

SOC 2 Type 2 CC7.1

System Operations

Detection and monitoring of new vulnerabilities

Shared

The customer is responsible for implementing this recommendation.

• Uses Defined Configuration Standards — Management has defined configuration standards. • Monitors Infrastructure and Software — The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives. • Implements Change-Detection Mechanisms — The IT system includes a changedetection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files. • Detects Unknown or Unauthorized Components — Procedures are in place to detect the introduction of unknown or unauthorized components. • Conducts Vulnerability Scans — The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis

SOC_2023

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

214

SOC_2023

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

225

SOC_2023

CC7.4

SOC_2023_CC7.4

SOC 2023 CC7.4

Systems Operations

Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation.

Shared

n/a

The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations.

209

SWIFT_CSCF_2024

2.2

SWIFT_CSCF_2024_2.2

SWIFT Customer Security Controls Framework 2024 2.2

Risk Management

Security Updates

Shared

1. The closure of known security vulnerabilities is effective in reducing the various pathways that an attacker may use during an attack. 2. A security update process that is comprehensive, repeatable, and implemented in a timely manner is necessary to continuously close these known vulnerabilities when security updates are available.

To minimise the occurrence of known technical vulnerabilities on operator PCs and within the user’s Swift infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk.

SWIFT_CSCF_2024

4.2

SWIFT_CSCF_2024_4.2

SWIFT Customer Security Controls Framework 2024 4.2

Access Control

Multi-Factor Authentication

Shared

1. Multi-factor authentication requires the presentation of two or more of the following common authentication factors: (A). Knowledge factor: something the operator knows (for example, a password) (B). Possession factor: something the operator has (for example, connected USB tokens or smart cards, or disconnected tokens such as a (time based) one-time password- (T)OTP- generator or application storing a cryptographic private key that runs on another device like operator’s mobile phone considered as a software token, RSA token, 3-Skey Digital and its mobile version considered as a software token, or Digipass) (C). Inherence factor: something the operator is (for example, biometrics such as fingerprints, retina scans, or voice recognition) Implementing multi-factor authentication provides an additional layer of protection against common authentication attacks (for example, shoulder surfing, password re-use, or weak passwords) and provides further protection from account compromises for malicious transaction processing. Attackers often use the privileges of a compromised account to move laterally within an environment and to progress an attack.

To prevent that a compromise of a single authentication factor allows access into Swift-related systems or applications by implementing multi-factor authentication.

SWIFT_CSCF_v2021

2.7

SWIFT_CSCF_v2021_2.7

SWIFT CSCF v2021 2.7

Reduce Attack Surface and Vulnerabilities

Vulnerability Scanning

n/a

Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results.

U.09.3 - Detection, prevention and recovery

404 not found

n/a

UK_NCSC_CSP

5.2

UK_NCSC_CSP_5.2

UK NCSC CSP 5.2

Operational security

Vulnerability management

Shared

n/a

Service providers should have a management processes in place to identify, triage and mitigate vulnerabilities. Services which don’t, will quickly become vulnerable to attack using publicly known methods and tools.