AzPolicyAdvertizer

last sync: 2025-Jul-18 17:23:11 UTC

The Log Analytics extension should be installed on Virtual Machine Scale Sets

Azure BuiltIn Policy definition

Source Azure Portal
Display name The Log Analytics extension should be installed on Virtual Machine Scale Sets
Id efbde977-ba53-4479-b8e9-10b957924fbf
Version 1.0.1
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.1
Built-in Versioning [Preview]
Category Monitoring
Microsoft Learn
Description This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.*.*'
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (4)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState Microsoft.Compute virtualMachineScaleSets/extensions properties.provisioningState True False
Microsoft.Compute/virtualMachineScaleSets/extensions/publisher Microsoft.Compute virtualMachineScaleSets/extensions properties.publisher True False
Microsoft.Compute/virtualMachineScaleSets/extensions/settings.workspaceId Microsoft.Compute virtualMachineScaleSets/extensions properties.settings.workspaceId True False
Microsoft.Compute/virtualMachineScaleSets/extensions/type Microsoft.Compute virtualMachineScaleSets/extensions properties.type True False
Rule resource types IF (1)
Compliance
The following 143 compliance controls are associated with this Policy definition 'The Log Analytics extension should be installed on Virtual Machine Scale Sets' (efbde977-ba53-4479-b8e9-10b957924fbf)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v1.0 2.2 Azure_Security_Benchmark_v1.0_2.2 Azure Security Benchmark 2.2 Logging and Monitoring Configure central security log management Customer Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. Within Azure Monitor, use Log Analytics Workspace(s) to query and perform analytics, and use Azure Storage Accounts for long-term/archival storage. Alternatively, you may enable and on-board data to Azure Sentinel or a third-party SIEM. How to onboard Azure Sentinel: https://docs.microsoft.com/azure/sentinel/quickstart-onboard How to collect platform logs and metrics with Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings How to collect Azure Virtual Machine internal host logs with Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/learn/quick-collect-azurevm How to get started with Azure Monitor and third-party SIEM integration: https://azure.microsoft.com/blog/use-azure-monitor-to-integrate-with-siem-tools/ n/a link 4
Azure_Security_Benchmark_v1.0 2.4 Azure_Security_Benchmark_v1.0_2.4 Azure Security Benchmark 2.4 Logging and Monitoring Collect security logs from operating systems Customer If the compute resource is owned by Microsoft, then Microsoft is responsible for monitoring it. If the compute resource is owned by your organization, it's your responsibility to monitor it. You can use Azure Security Center to monitor the OS. Data collected by Security Center from the operating system includes OS type and version, OS (Windows Event Logs), running processes, machine name, IP addresses, and logged in user. The Log Analytics Agent also collects crash dump files. How to collect Azure Virtual Machine internal host logs with Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/learn/quick-collect-azurevm Understand Azure Security Center data collection: https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection n/a link 2
Canada_Federal_PBMM_3-1-2020 AC_2(4) Canada_Federal_PBMM_3-1-2020_AC_2(4) Canada Federal PBMM 3-1-2020 AC 2(4) Account Management Account Management | Automated Audit Actions Shared 1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers. 2. Related controls: AU-2, AU-12. To ensure accountability and transparency within the information system. 50
Canada_Federal_PBMM_3-1-2020 AC_6(9) Canada_Federal_PBMM_3-1-2020_AC_6(9) Canada Federal PBMM 3-1-2020 AC 6(9) Least Privilege Least Privilege | Auditing Use of Privileged Functions Shared The information system audits the execution of privileged functions. To enhance oversight and detect potential security breaches or unauthorized activities. 14
Canada_Federal_PBMM_3-1-2020 AU_1 Canada_Federal_PBMM_3-1-2020_AU_1 Canada Federal PBMM 3-1-2020 AU 1 Audit and Accountability Policy and Procedures Audit and Accountability Policy and Procedures Shared 1. The organization develops, documents, and disseminates to personnel or roles with audit responsibilities; a. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. 2. The organization reviews and updates the current: a. Audit and accountability policy at least every three years; and b. Audit and accountability procedures at least annually. To ensure adherence to policies, alignment with regulatory requirements, and ongoing effectiveness of controls. 4
Canada_Federal_PBMM_3-1-2020 AU_12 Canada_Federal_PBMM_3-1-2020_AU_12 Canada Federal PBMM 3-1-2020 AU 12 Audit Generation Audit Generation Shared 1. The information system provides audit record generation capability for the auditable events defined in AU-2 a. of all information system and network components where audit capability is deployed/available. 2. The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system. 3. The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. To support effective monitoring and logging of security events. 4
Canada_Federal_PBMM_3-1-2020 AU_2 Canada_Federal_PBMM_3-1-2020_AU_2 Canada Federal PBMM 3-1-2020 AU 2 Auditable Events Audit Events Shared 1. The organization determines that the information system is capable of auditing the following events: Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes. 2. The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events. 3. The organization provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents. 4. The organization determines what organizationally-defined audited events (a subset of the auditable events defined in AU-2 a.) and the frequency of (or situation requiring) auditing for each identified event. To ensure comprehensive auditing capabilities to facilitate post-incident investigations and ensure alignment with organizational security objectives. 3
Canada_Federal_PBMM_3-1-2020 AU_2(3) Canada_Federal_PBMM_3-1-2020_AU_2(3) Canada Federal PBMM 3-1-2020 AU 2(3) Auditable Events Audit Events | Reviews and Updates Shared The organization reviews and updates the audited events annually or whenever there is a change in the threat environment. To maintain alignment with evolving security needs and ensure effective incident detection and response. 3
Canada_Federal_PBMM_3-1-2020 AU_3 Canada_Federal_PBMM_3-1-2020_AU_3 Canada Federal PBMM 3-1-2020 AU 3 Content of Audit Records Content of Audit Records Shared The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. To enable thorough event tracking and analysis for security purposes. 3
Canada_Federal_PBMM_3-1-2020 AU_3(1) Canada_Federal_PBMM_3-1-2020_AU_3(1) Canada Federal PBMM 3-1-2020 AU 3(1) Content of Audit Records Content of Audit Records | Additional Audit Information Shared The information system generates audit records containing the following additional information: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon. To enhance event analysis and aid in identifying and diagnosing security-related activities. 3
Canada_Federal_PBMM_3-1-2020 AU_6 Canada_Federal_PBMM_3-1-2020_AU_6 Canada Federal PBMM 3-1-2020 AU 6 Audit Review, Analysis, and Reporting Audit Review, Analysis, and Reporting Shared 1. The organization reviews and analyses information system audit records at least every 7 days for indications of compromise identified in SI-4(5). 2. The organization reports findings to organization-defined personnel or roles. To ensure prompt response and mitigation of identified security threats or compromises. 3
Canada_Federal_PBMM_3-1-2020 AU_6(1) Canada_Federal_PBMM_3-1-2020_AU_6(1) Canada Federal PBMM 3-1-2020 AU 6(1) Audit Review, Analysis, and Reporting Audit Review, Analysis, and Reporting | Process Integration Shared The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. To enhance organizational capabilities for investigating and responding to suspicious activities efficiently and effectively. 3
Canada_Federal_PBMM_3-1-2020 AU_6(3) Canada_Federal_PBMM_3-1-2020_AU_6(3) Canada Federal PBMM 3-1-2020 AU 6(3) Audit Review, Analysis, and Reporting Audit Review, Analysis, and Reporting | Correlate Audit Repositories Shared The organization analyses and correlates audit records across different repositories to gain organization-wide situational awareness. To enable comprehensive understanding and detection of security-related events and trends. 3
Canada_Federal_PBMM_3-1-2020 AU_7 Canada_Federal_PBMM_3-1-2020_AU_7 Canada Federal PBMM 3-1-2020 AU 7 Audit Reduction and Report Generation Audit Reduction and Report Generation Shared 1. The information system provides an audit reduction and report generation capability that supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents. 2. The information system provides an audit reduction and report generation capability that does not alter the original content or time ordering of audit records. To ensure accurate and reliable results. 3
Canada_Federal_PBMM_3-1-2020 CA_7 Canada_Federal_PBMM_3-1-2020_CA_7 Canada Federal PBMM 3-1-2020 CA 7 Continuous Monitoring Continuous Monitoring Shared 1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency. To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements. 120
Canada_Federal_PBMM_3-1-2020 SI_4 Canada_Federal_PBMM_3-1-2020_SI_4 Canada Federal PBMM 3-1-2020 SI 4 Information System Monitoring Information System Monitoring Shared 1. The organization monitors the information system to detect: a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and b. Unauthorized local, network, and remote connections; 2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods. 3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. 4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. 5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. 6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards. 7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency. To enhance overall security posture. 93
Canada_Federal_PBMM_3-1-2020 SI_4(1) Canada_Federal_PBMM_3-1-2020_SI_4(1) Canada Federal PBMM 3-1-2020 SI 4(1) Information System Monitoring Information System Monitoring | System-Wide Intrusion Detection System Shared The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. To enhance overall security posture. 93
Canada_Federal_PBMM_3-1-2020 SI_4(2) Canada_Federal_PBMM_3-1-2020_SI_4(2) Canada Federal PBMM 3-1-2020 SI 4(2) Information System Monitoring Information System Monitoring | Automated Tools for Real-Time Analysis Shared The organization employs automated tools to support near real-time analysis of events. To enhance overall security posture. 92
CIS_Controls_v8.1 10.7 CIS_Controls_v8.1_10.7 CIS Controls v8.1 10.7 Malware Defenses Use behaviour based anti-malware software Shared Use behaviour based anti-malware software To ensure that a generic anti-malware software is not used. 95
CIS_Controls_v8.1 13.1 CIS_Controls_v8.1_13.1 CIS Controls v8.1 13.1 Network Monitoring and Defense Centralize security event alerting Shared 1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard. To ensure that any security event is immediately alerted enterprise-wide. 97
CIS_Controls_v8.1 13.11 CIS_Controls_v8.1_13.11 CIS Controls v8.1 13.11 Network Monitoring and Defense Tune security event alerting thresholds Shared Tune security event alerting thresholds monthly, or more frequently. To regularly adjust and optimize security event alerting thresholds, aiming to enhance effectiveness. 48
CIS_Controls_v8.1 13.3 CIS_Controls_v8.1_13.3 CIS Controls v8.1 13.3 Network Monitoring and Defense Deploy a network intrusion detection solution Shared 1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. To enhance the organization's cybersecurity. 95
CIS_Controls_v8.1 18.4 CIS_Controls_v8.1_18.4 CIS Controls v8.1 18.4 Penetration Testing Validate security measures Shared Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise. 89
CIS_Controls_v8.1 3.14 CIS_Controls_v8.1_3.14 CIS Controls v8.1 3.14 Data Protection Log sensitive data access Shared Log sensitive data access, including modification and disposal. To enhance accountability, traceability, and security measures within the enterprise. 45
CIS_Controls_v8.1 4.7 CIS_Controls_v8.1_4.7 CIS Controls v8.1 4.7 Secure Configuration of Enterprise Assets and Software Manage default accounts on enterprise assets and software Shared 1. Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. 2. Example implementations can include: disabling default accounts or making them unusable. To ensure access to default accounts is restricted. 22
CIS_Controls_v8.1 5.3 CIS_Controls_v8.1_5.3 CIS Controls v8.1 5.3 Account Management Disable dormant accounts Shared Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported. To implement time based expiry of access to systems. 21
CIS_Controls_v8.1 8.1 CIS_Controls_v8.1_8.1 CIS Controls v8.1 8.1 Audit Log Management Establish and maintain an audit log management process Shared 1. Establish and maintain an audit log management process that defines the enterprise’s logging requirements. 2. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. 3. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. To ensure appropriate management of audit log systems. 29
CIS_Controls_v8.1 8.11 CIS_Controls_v8.1_8.11 CIS Controls v8.1 8.11 Audit Log Management Conduct audit log reviews Shared 1. Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. 2. Conduct reviews on a weekly, or more frequent, basis. To ensure the integrity of the data in audit logs. 59
CIS_Controls_v8.1 8.2 CIS_Controls_v8.1_8.2 CIS Controls v8.1 8.2 Audit Log Management Collect audit logs. Shared 1. Collect audit logs. 2. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. To assist in troubleshooting of system issues and ensure integrity of data systems. 30
CIS_Controls_v8.1 8.3 CIS_Controls_v8.1_8.3 CIS Controls v8.1 8.3 Audit Log Management Ensure adequate audit log storage Shared Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process. To ensure all important and required logs can be stored for retrieval as and when required. 21
CIS_Controls_v8.1 8.5 CIS_Controls_v8.1_8.5 CIS Controls v8.1 8.5 Audit Log Management Collect detailed audit logs. Shared 1. Configure detailed audit logging for enterprise assets containing sensitive data. 2. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. To ensure that audit logs contain all pertinent information that might be required in a forensic investigation. 32
CIS_Controls_v8.1 8.7 CIS_Controls_v8.1_8.7 CIS Controls v8.1 8.7 Audit Log Management Collect URL request audit logs Shared Collect URL request audit logs on enterprise assets, where appropriate and supported. To maintain an audit trail of all URL requests made. 29
CIS_Controls_v8.1 8.8 CIS_Controls_v8.1_8.8 CIS Controls v8.1 8.8 Audit Log Management Collect command-line audit logs Shared Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell, BASH, and remote administrative terminals. To ensure recording of the commands and arguments used by a process. 29
CIS_Controls_v8.1 8.9 CIS_Controls_v8.1_8.9 CIS Controls v8.1 8.9 Audit Log Management Centralize audit logs Shared Centralize, to the extent possible, audit log collection and retention across enterprise assets. To optimize and simply the process of audit log management. 29
CMMC_2.0_L2 AU.L2-3.3.1 CMMC_2.0_L2_AU.L2-3.3.1 404 not found n/a n/a 32
CMMC_2.0_L2 AU.L2-3.3.2 CMMC_2.0_L2_AU.L2-3.3.2 404 not found n/a n/a 32
CMMC_L2_v1.9.0 AU.L2_3.3.1 CMMC_L2_v1.9.0_AU.L2_3.3.1 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.1 Audit and Accountability System Auditing Shared Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. To enhance security and accountability measures. 40
CMMC_L2_v1.9.0 AU.L2_3.3.3 CMMC_L2_v1.9.0_AU.L2_3.3.3 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.3 Audit and Accountability Event Review Shared Review and update logged events. To enhance the effectiveness of security measures. 33
CMMC_L2_v1.9.0 SI.L2_3.14.3 CMMC_L2_v1.9.0_SI.L2_3.14.3 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.3 System and Information Integrity Security Alerts & Advisories Shared Monitor system security alerts and advisories and take action in response. To proactively defend against emerging threats and minimize the risk of security incidents or breaches. 15
CMMC_L2_v1.9.0 SI.L2_3.14.6 CMMC_L2_v1.9.0_SI.L2_3.14.6 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.6 System and Information Integrity Monitor Communications for Attacks Shared Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. To protect systems and data from unauthorized access or compromise. 15
CMMC_L2_v1.9.0 SI.L2_3.14.7 CMMC_L2_v1.9.0_SI.L2_3.14.7 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L2 3.14.7 System and Information Integrity Identify Unauthorized Use Shared Identify unauthorized use of organizational systems. To enable the organization to take appropriate action, such as revoking access privileges, investigating security incidents, and implementing additional security controls to prevent future unauthorized access. 14
CMMC_L3 AU.2.041 CMMC_L3_AU.2.041 CMMC L3 AU.2.041 Audit and Accountability Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). link 11
CMMC_L3 AU.2.042 CMMC_L3_AU.2.042 CMMC L3 AU.2.042 Audit and Accountability Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Shared Microsoft and the customer share responsibilities for implementing this requirement. An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. link 11
CMMC_L3 AU.3.048 CMMC_L3_AU.3.048 CMMC L3 AU.3.048 Audit and Accountability Collect audit information (e.g., logs) into one or more central repositories. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations must aggregate and store audit logs in a central location to enable analysis activities and protect audit information. The repository should have the necessary infrastructure, capacity, and protection mechanisms to meet the organization’s audit requirements. link 4
CSA_v4.0.12 CEK_03 CSA_v4.0.12_CEK_03 CSA Cloud Controls Matrix v4.0.12 CEK 03 Cryptography, Encryption & Key Management Data Encryption Shared n/a Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards. 54
CSA_v4.0.12 HRS_06 CSA_v4.0.12_HRS_06 CSA Cloud Controls Matrix v4.0.12 HRS 06 Human Resources Employment Termination Shared n/a Establish, document, and communicate to all personnel the procedures outlining the roles and responsibilities concerning changes in employment. 13
CSA_v4.0.12 IAM_12 CSA_v4.0.12_IAM_12 CSA Cloud Controls Matrix v4.0.12 IAM 12 Identity & Access Management Safeguard Logs Integrity Shared n/a Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures. 38
CSA_v4.0.12 LOG_05 CSA_v4.0.12_LOG_05 CSA Cloud Controls Matrix v4.0.12 LOG 05 Logging and Monitoring Audit Logs Monitoring and Response Shared n/a Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies. 8
CSA_v4.0.12 LOG_07 CSA_v4.0.12_LOG_07 CSA Cloud Controls Matrix v4.0.12 LOG 07 Logging and Monitoring Logging Scope Shared n/a Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment. 33
CSA_v4.0.12 LOG_08 CSA_v4.0.12_LOG_08 CSA Cloud Controls Matrix v4.0.12 LOG 08 Logging and Monitoring Log Records Shared n/a Generate audit records containing relevant security information. 23
CSA_v4.0.12 LOG_10 CSA_v4.0.12_LOG_10 CSA Cloud Controls Matrix v4.0.12 LOG 10 Logging and Monitoring Encryption Monitoring and Reporting Shared n/a Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls. 23
CSA_v4.0.12 LOG_11 CSA_v4.0.12_LOG_11 CSA Cloud Controls Matrix v4.0.12 LOG 11 Logging and Monitoring Transaction/Activity Logging Shared n/a Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys. 23
CSA_v4.0.12 TVM_04 CSA_v4.0.12_TVM_04 CSA Cloud Controls Matrix v4.0.12 TVM 04 Threat & Vulnerability Management Detection Updates Shared n/a Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis. 46
DORA_2022_2554 10.1 DORA_2022_2554_10.1 DORA 2022 2554 10.1 10 Implement Mechanisms to Detect Anomalous Activities in ICT Systems Shared n/a Establish mechanisms to detect anomalous activities within information and communication technology (ICT) systems, including network performance issues and ICT-related incidents. Additionally, identify potential material single points of failure to enhance overall system resilience and response capabilities. 38
DORA_2022_2554 10.2 DORA_2022_2554_10.2 DORA 2022 2554 10.2 10 Establish Multi-Layered Detection Mechanisms for ICT Incidents Shared n/a Implement detection mechanisms that provide multiple layers of control, defining alert thresholds and criteria to trigger information and communication technology (ICT) related incident response processes. This includes automated alert mechanisms to notify resources managing ICT-related incidents. 40
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_11 EU_2555_(NIS2)_2022_11 EU 2022/2555 (NIS2) 2022 11 Requirements, technical capabilities and tasks of CSIRTs Shared n/a Outlines the requirements, technical capabilities, and tasks of CSIRTs. 64
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_12 EU_2555_(NIS2)_2022_12 EU 2022/2555 (NIS2) 2022 12 Coordinated vulnerability disclosure and a European vulnerability database Shared n/a Establishes a coordinated vulnerability disclosure process and a European vulnerability database. 62
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 189
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_29 EU_2555_(NIS2)_2022_29 EU 2022/2555 (NIS2) 2022 29 Cybersecurity information-sharing arrangements Shared n/a Allows entities to exchange relevant cybersecurity information on a voluntary basis. 62
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 306
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 306
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 306
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 306
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .11 FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 Policy and Implementation - Formal Audits Policy Area 11: Formal Audits Shared Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. 60
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .4 FBI_Criminal_Justice_Information_Services_v5.9.5_5.4 404 not found n/a n/a 40
FFIEC_CAT_2017 2.2.1 FFIEC_CAT_2017_2.2.1 FFIEC CAT 2017 2.2.1 Threat Intelligence and Collaboration Monitoring and Analyzing Shared n/a - Audit log records and other security event logs are reviewed and retained in a secure manner. - Computer event logs are used for investigations once an event has occurred. 22
FFIEC_CAT_2017 3.2.2 FFIEC_CAT_2017_3.2.2 FFIEC CAT 2017 3.2.2 Cybersecurity Controls Anomalous Activity Detection Shared n/a - The institution is able to detect anomalous activities through monitoring across the environment. - Customer transactions generating anomalous activity alerts are monitored and reviewed. - Logs of physical and/or logical access are reviewed following events. - Access to critical systems by third parties is monitored for unauthorized or unusual activity. - Elevated privileges are monitored. 26
FFIEC_CAT_2017 3.2.3 FFIEC_CAT_2017_3.2.3 FFIEC CAT 2017 3.2.3 Cybersecurity Controls Event Detection Shared n/a - A normal network activity baseline is established. - Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks. - Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. - Responsibilities for monitoring and reporting suspicious systems activity have been assigned. - The physical environment is monitored to detect potential unauthorized access. 30
hipaa 12101.09ab1Organizational.3-09.ab hipaa-12101.09ab1Organizational.3-09.ab 12101.09ab1Organizational.3-09.ab 12 Audit Logging & Monitoring 12101.09ab1Organizational.3-09.ab 09.10 Monitoring Shared n/a The organization specifies how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 18
hipaa 1216.09ab3System.12-09.ab hipaa-1216.09ab3System.12-09.ab 1216.09ab3System.12-09.ab 12 Audit Logging & Monitoring 1216.09ab3System.12-09.ab 09.10 Monitoring Shared n/a Automated systems are used to review monitoring activities of security systems (e.g., IPS/IDS) and system records on a daily basis, and identify and document anomalies. 20
HITRUST_CSF_v11.3 09.aa HITRUST_CSF_v11.3_09.aa HITRUST CSF v11.3 09.aa Monitoring Ensure information security events are monitored and recorded to detect unauthorized information processing activities in compliance with all relevant legal requirements. Shared 1. Retention policies for audit logs are to be specified and the audit logs are to be retained accordingly. 2. A secure audit record is to be created each time a user accesses, creates, updates, or deletes covered and/or confidential information via the system. 3. Audit logs are to be maintained for account management activities, security policy changes, configuration changes, modification to sensitive information, read access to sensitive information, and printing of sensitive information. Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring. 37
HITRUST_CSF_v11.3 09.ab HITRUST_CSF_v11.3_09.ab HITRUST CSF v11.3 09.ab Monitoring Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. Shared 1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with. Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. 109
HITRUST_CSF_v11.3 11.a HITRUST_CSF_v11.3_11.a HITRUST CSF v11.3 11.a Reporting Information Security Incidents and Weaknesses Ensure information security events and weaknesses associated with information systems are handled in a manner allowing timely corrective action to be taken. Shared A designated and widely known point of contact is to be established within the organization to promptly report information security events, ensuring availability and timely responses; additionally, a maintained list of third-party contacts, such as information security officers' email addresses, facilitates for the reporting of security incidents. Information security events shall be reported through appropriate communications channels as quickly as possible. All employees, contractors and third-party users shall be made aware of their responsibility to report any information security events as quickly as possible. 10
ISO_IEC_27001_2022 9.1 ISO_IEC_27001_2022_9.1 ISO IEC 27001 2022 9.1 Performance Evaluation Monitoring, measurement, analysis and evaluation Shared 1. The organization shall determine: a. what needs to be monitored and measured, including information security processes and controls; b. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid; c. when the monitoring and measuring shall be performed; d. who shall monitor and measure; e. when the results from monitoring and measurement shall be analysed and evaluated; f. who shall analyse and evaluate these results. 2. Documented information shall be available as evidence of the results. Specifies that the organisation must evaluate information security performance and the effectiveness of the information security management system. 43
ISO_IEC_27002_2022 8.15 ISO_IEC_27002_2022_8.15 ISO IEC 27002 2022 8.15 Detection Control Logging Shared Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations. 29
ISO_IEC_27002_2022 8.16 ISO_IEC_27002_2022_8.16 ISO IEC 27002 2022 8.16 Response, Detection, Corrective Control Monitoring activities Shared Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. To detect anomalous behaviour and potential information security incidents. 15
ISO_IEC_27017_2015 12.4.1 ISO_IEC_27017_2015_12.4.1 ISO IEC 27017 2015 12.4.1 Operations Security Event Logging Shared For Cloud Service Customer: The cloud service customer should define its requirements for event logging and verify that the cloud service meets those requirements. For Cloud Service Provider: The cloud service provider should provide logging capabilities to the cloud service customer. To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations. 24
K_ISMS_P_2018 2.10.1 K_ISMS_P_2018_2.10.1 K ISMS P 2018 2.10.1 2.10 Establish Procedures for Managing the Security of System Operations Shared n/a Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions. 408
K_ISMS_P_2018 2.10.2 K_ISMS_P_2018_2.10.2 K ISMS P 2018 2.10.2 2.10 Establish Protective Measures for Administrator Privileges and Security Configurations Shared n/a Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations. 385
K_ISMS_P_2018 2.11.1 K_ISMS_P_2018_2.11.1 K ISMS P 2018 2.11.1 2.11 Establish Procedures for Managing Internal and External Intrusion Attempts Shared n/a Establish procedures for detecting, analyzing, sharing, and effectively responding to internal and external intrusion attempts to prevent personal information leakage. Additionally, implement a framework for collaboration with relevant external agencies and experts. 57
K_ISMS_P_2018 2.11.3 K_ISMS_P_2018_2.11.3 K ISMS P 2018 2.11.3 2.11 Collect, Monitor, and Analyze Data and Network Traffic Shared n/a Collect, monitor, and analyze data and network traffic to respond to internal or external infringement attempts in a timely manner. 31
K_ISMS_P_2018 2.11.5 K_ISMS_P_2018_2.11.5 K ISMS P 2018 2.11.5 2.11 Establish Procedures to Respond and Recover from Incidents Shared n/a Establish procedures to respond and recover from incidents in a timely manner, including legal obligations for disclosing information. Additional procedures must be established and implemented to prevent recurrence. 57
K_ISMS_P_2018 2.9.2a K_ISMS_P_2018_2.9.2a K ISMS P 2018 2.9.2a 2.9.2a Establish Procedures for Information System Failures Shared n/a Establish procedures to detect, record, analyze, report, and respond to information system failures. 39
K_ISMS_P_2018 2.9.4 K_ISMS_P_2018_2.9.4 K ISMS P 2018 2.9.4 2.9 Maintain Logs and Establish Log Management Procedures Shared n/a Maintain log records for servers, applications, security systems, and networks. Define log types, access permissions, retention periods, and storage methods to ensure secure retention and prevent forgery, alteration, theft, and loss. 45
NIST_CSF_v2.0 DE.AE_03 NIST_CSF_v2.0_DE.AE_03 NIST CSF v2.0 DE.AE 03 DETECT-Adverse Event Analysis Information is correlated from multiple sources. Shared n/a To identify and analyze the cybersecurity attacks and compromises. 25
NIST_CSF_v2.0 DE.CM NIST_CSF_v2.0_DE.CM 404 not found n/a n/a 15
NIST_SP_800-171_R2_3 .3.1 NIST_SP_800-171_R2_3.3.1 NIST SP 800-171 R2 3.3.1 Audit and Accountability Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity Shared Microsoft and the customer share responsibilities for implementing this requirement. An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloud-based architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. [SP 800-92] provides guidance on security log management. link 48
NIST_SP_800-171_R2_3 .3.2 NIST_SP_800-171_R2_3.3.2 NIST SP 800-171 R2 3.3.2 Audit and Accountability Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). link 34
NIST_SP_800-171_R3_3 .14.6 NIST_SP_800-171_R3_3.14.6 NIST 800-171 R3 3.14.6 System and Information Integrity Control System Monitoring Shared System monitoring involves external and internal monitoring. External monitoring includes the observation of events that occur at the system boundary. Internal monitoring includes the observation of events that occur within the system. Organizations can monitor the system, for example, by observing audit record activities in real time or by observing other system aspects, such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. A system monitoring capability is achieved through a variety of tools and techniques (e.g., audit record monitoring software, intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms that support critical applications with such devices being employed at managed system interfaces. The granularity of monitoring the information collected is based on organizational monitoring objectives and the capability of the system to support such objectives. Systems connections can be network, remote, or local. A network connection is any connection with a device that communicates through a network (e.g., local area network, the internet). A remote connection is any connection with a device that communicates through an external network (e.g., the internet). Network, remote, and local connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in the system or propagating among system components, the unauthorized export of information, or signaling to external systems. Evidence of malicious code is used to identify a potentially compromised system. System monitoring requirements, including the need for types of system monitoring, may be referenced in other requirements. a. Monitor the system to detect: 1. Attacks and indicators of potential attacks; and 2. Unauthorized connections. b. Identify unauthorized use of the system. c. Monitor inbound and outbound communications traffic to detect unusual or unauthorized activities or conditions. 14
NIST_SP_800-171_R3_3 .3.1 NIST_SP_800-171_R3_3.3.1 404 not found n/a n/a 33
NIST_SP_800-171_R3_3 .3.5 NIST_SP_800-171_R3_3.3.5 404 not found n/a n/a 16
NIST_SP_800-53_R5.1.1 AU.12 NIST_SP_800-53_R5.1.1_AU.12 NIST SP 800-53 R5.1.1 AU.12 Audit and Accountability Control Audit Record Generation Shared a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3. Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records. 20
NIST_SP_800-53_R5.1.1 AU.2 NIST_SP_800-53_R5.1.1_AU.2 NIST SP 800-53 R5.1.1 AU.2 Audit and Accountability Control Event Logging Shared a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency]. An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage. Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-17(1), CM-3f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-7, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures. 23
NIST_SP_800-53_R5.1.1 AU.6 NIST_SP_800-53_R5.1.1_AU.6 NIST SP 800-53 R5.1.1 AU.6 Audit and Accountability Control Audit Record Review, Analysis, and Reporting Shared a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received. 8
NIST_SP_800-53_R5.1.1 SI.4 NIST_SP_800-53_R5.1.1_SI.4 NIST SP 800-53 R5.1.1 SI.4 System and Information Integrity Control System Monitoring Shared a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency] ]. System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 13
NZISM_v3.7 14.1.12.C.01. NZISM_v3.7_14.1.12.C.01. NZISM v3.7 14.1.12.C.01. Standard Operating Environments 14.1.12.C.01. - reduce the risk of security incidents and safeguard sensitive information from unauthorized access or tampering Shared n/a Agencies SHOULD: 1. characterise all servers whose functions are critical to the agency, and those identified as being at a high security risk of compromise; 2. store the characterisation information securely off the server in a manner that maintains integrity; 3. update the characterisation information after every legitimate change to a system as part of the change control process; 4. as part of the agency's ongoing audit schedule, compare the stored characterisation information against current characterisation information to determine whether a compromise, or a legitimate but incorrectly completed system modification, has occurred; 5. perform the characterisation from a trusted environment rather than the standard operating system wherever possible; and 6. resolve any detected changes in accordance with the agency's information security incident management procedures. 4
NZISM_v3.7 14.1.8.C.01. NZISM_v3.7_14.1.8.C.01. NZISM v3.7 14.1.8.C.01. Standard Operating Environments 14.1.8.C.01. - minimise vulnerabilities and enhance system security Shared n/a Agencies SHOULD develop a hardened SOE for workstations and servers, covering: 1. removal of unneeded software and operating system components; 2. removal or disabling of unneeded services, ports and BIOS settings; 3. disabling of unused or undesired functionality in software and operating systems; 4. implementation of access controls on relevant objects to limit system users and programs to the minimum access required; 5. installation of antivirus and anti-malware software; 6. installation of software-based firewalls limiting inbound and outbound network connections; 7. configuration of either remote logging or the transfer of local event logs to a central server; and 8. protection of audit and other logs through the use of a one way pipe to reduce likelihood of compromise key transaction records. 30
NZISM_v3.7 14.3.12.C.01. NZISM_v3.7_14.3.12.C.01. NZISM v3.7 14.3.12.C.01. Web Applications 14.3.12.C.01. - strengthening the overall security posture of the agency's network environment. Shared n/a Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations. 77
NZISM_v3.7 16.1.31.C.01. NZISM_v3.7_16.1.31.C.01. NZISM v3.7 16.1.31.C.01. Identification, Authentication and Passwords 16.1.31.C.01. - promote security and accountability within the agency's systems. Shared n/a Agencies MUST: 1. develop, implement and maintain a set of policies and procedures covering all system users: a. identification; b. authentication; c. authorisation; d. privileged access identification and management; and 2. make their system users aware of the agency's policies and procedures. 22
NZISM_v3.7 16.1.32.C.01. NZISM_v3.7_16.1.32.C.01. NZISM v3.7 16.1.32.C.01. Identification, Authentication and Passwords 16.1.32.C.01. - promote security and accountability within the agency's systems. Shared n/a Agencies MUST ensure that all system users are: 1. uniquely identifiable; and 2. authenticated on each occasion that access is granted to a system. 21
NZISM_v3.7 16.6.10.C.01. NZISM_v3.7_16.6.10.C.01. NZISM v3.7 16.6.10.C.01. Event Logging and Auditing 16.6.10.C.01. - enhance system security and accountability. Shared n/a Agencies SHOULD log the events listed in the table below for specific software components. 1. Database - a. System user access to the database. b. Attempted access that is denied c. Changes to system user roles or database rights. d. Addition of new system users, especially privileged users e. Modifications to the data. f. Modifications to the format or structure of the database 2. Network/operating system a. Successful and failed attempts to logon and logoff. b. Changes to system administrator and system user accounts. c. Failed attempts to access data and system resources. d. Attempts to use special privileges. e. Use of special privileges. f. System user or group management. g. Changes to the security policy. h. Service failures and restarts. i.System startup and shutdown. j. Changes to system configuration data. k. Access to sensitive data and processes. l. Data import/export operations. 3. Web application a. System user access to the Web application. b. Attempted access that is denied. c. System user access to the Web documents. d. Search engine queries initiated by system users. 31
NZISM_v3.7 16.6.10.C.02. NZISM_v3.7_16.6.10.C.02. NZISM v3.7 16.6.10.C.02. Event Logging and Auditing 16.6.10.C.02. - enhance system security and accountability. Shared n/a Agencies SHOULD log, at minimum, the following events for all software components: 1. user login; 2. all privileged operations; 3. failed attempts to elevate privileges; 4. security related system alerts and failures; 5. system user and group additions, deletions and modification to permissions; and 6. unauthorised or failed access attempts to systems and files identified as critical to the agency. 48
NZISM_v3.7 16.6.11.C.01. NZISM_v3.7_16.6.11.C.01. NZISM v3.7 16.6.11.C.01. Event Logging and Auditing 16.6.11.C.01. - enhance system security and accountability. Shared n/a For each event identified as needing to be logged, agencies MUST ensure that the log facility records at least the following details, where applicable: 1. date and time of the event; 2. relevant system user(s) or processes; 3. event description; 4. success or failure of the event; 5. event source (e.g. application name); and 6. IT equipment location/identification. 48
NZISM_v3.7 16.6.12.C.01. NZISM_v3.7_16.6.12.C.01. NZISM v3.7 16.6.12.C.01. Event Logging and Auditing 16.6.12.C.01. - maintain integrity of the data. Shared n/a Event logs MUST be protected from: 1. modification and unauthorised access; and 2. whole or partial loss within the defined retention period. 48
NZISM_v3.7 16.6.6.C.01. NZISM_v3.7_16.6.6.C.01. NZISM v3.7 16.6.6.C.01. Event Logging and Auditing 16.6.6.C.01. - enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies MUST maintain system management logs for the life of a system. 48
NZISM_v3.7 16.6.7.C.01. NZISM_v3.7_16.6.7.C.01. NZISM v3.7 16.6.7.C.01. Event Logging and Auditing 16.6.7.C.01. - facilitate effective monitoring, troubleshooting, and auditability of system operations. Shared n/a A system management log SHOULD record the following minimum information: 1. all system start-up and shutdown; 2. service, application, component or system failures; 3. maintenance activities; 4. backup and archival activities; 5. system recovery activities; and 6. special or out of hours activities. 48
NZISM_v3.7 16.6.9.C.01. NZISM_v3.7_16.6.9.C.01. NZISM v3.7 16.6.9.C.01. Event Logging and Auditing 16.6.9.C.01. - enhance system security and accountability. Shared n/a Agencies MUST log, at minimum, the following events for all software components: 1. logons; 2. failed logon attempts; 3. logoffs; 4 .date and time; 5. all privileged operations; 6. failed attempts to elevate privileges; 7. security related system alerts and failures; 8. system user and group additions, deletions and modification to permissions; and 9. unauthorised or failed access attempts to systems and files identified as critical to the agency. 46
NZISM_v3.7 19.1.10.C.01. NZISM_v3.7_19.1.10.C.01. NZISM v3.7 19.1.10.C.01. Gateways 19.1.10.C.01. - ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks. Shared n/a When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection. 46
NZISM_v3.7 19.1.11.C.01. NZISM_v3.7_19.1.11.C.01. NZISM v3.7 19.1.11.C.01. Gateways 19.1.11.C.01. - ensure network protection through gateway mechanisms. Shared n/a Agencies MUST ensure that: 1. all agency networks are protected from networks in other security domains by one or more gateways; 2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and 3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room. 45
NZISM_v3.7 19.1.11.C.02. NZISM_v3.7_19.1.11.C.02. NZISM v3.7 19.1.11.C.02. Gateways 19.1.11.C.02. - maintain security and integrity across domains. Shared n/a For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party. 44
NZISM_v3.7 19.1.12.C.01. NZISM_v3.7_19.1.12.C.01. NZISM v3.7 19.1.12.C.01. Gateways 19.1.12.C.01. - minimize security risks and ensure effective control over network communications Shared n/a Agencies MUST ensure that gateways: 1. are the only communications paths into and out of internal networks; 2. by default, deny all connections into and out of the network; 3. allow only explicitly authorised connections; 4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network); 5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and 6. provide real-time alerts. 43
PCI_DSS_v4.0.1 10.2.1.2 PCI_DSS_v4.0.1_10.2.1.2 PCI DSS v4.0.1 10.2.1.2 Log and Monitor All Access to System Components and Cardholder Data Administrative Actions Logging Shared n/a Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts. 24
PCI_DSS_v4.0.1 10.3.4 PCI_DSS_v4.0.1_10.3.4 PCI DSS v4.0.1 10.3.4 Log and Monitor All Access to System Components and Cardholder Data Log Integrity Monitoring Shared n/a File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts. 24
PCI_DSS_v4.0.1 10.4.1 PCI_DSS_v4.0.1_10.4.1 PCI DSS v4.0.1 10.4.1 Log and Monitor All Access to System Components and Cardholder Data Daily Audit Log Review Shared n/a The following audit logs are reviewed at least once daily: • All security events. • Logs of all system components that store, process, or transmit CHD and/or SAD. • Logs of all critical system components. • Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers). 9
PCI_DSS_v4.0.1 10.4.1.1 PCI_DSS_v4.0.1_10.4.1.1 PCI DSS v4.0.1 10.4.1.1 Log and Monitor All Access to System Components and Cardholder Data Automated Log Review Mechanisms Shared n/a Automated mechanisms are used to perform audit log reviews. 9
PCI_DSS_v4.0.1 10.4.2 PCI_DSS_v4.0.1_10.4.2 PCI DSS v4.0.1 10.4.2 Log and Monitor All Access to System Components and Cardholder Data Periodic Review of Other Logs Shared n/a Logs of all other system components (those not specified in Requirement 10.4.1) are reviewed periodically. 9
PCI_DSS_v4.0.1 10.4.2.1 PCI_DSS_v4.0.1_10.4.2.1 PCI DSS v4.0.1 10.4.2.1 Log and Monitor All Access to System Components and Cardholder Data Frequency of Log Reviews Shared n/a The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1 25
PCI_DSS_v4.0.1 10.4.3 PCI_DSS_v4.0.1_10.4.3 PCI DSS v4.0.1 10.4.3 Log and Monitor All Access to System Components and Cardholder Data Addressing Log Anomalies Shared n/a Exceptions and anomalies identified during the review process are addressed. 8
PCI_DSS_v4.0.1 11.5.1 PCI_DSS_v4.0.1_11.5.1 PCI DSS v4.0.1 11.5.1 Test Security of Systems and Networks Regularly Intrusion Detection/Prevention Shared n/a Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network as follows: • All traffic is monitored at the perimeter of the CDE. • All traffic is monitored at critical points in the CDE. • Personnel are alerted to suspected compromises. • All intrusion-detection and prevention engines, baselines, and signatures are kept up to date 19
PCI_DSS_v4.0.1 11.5.1.1 PCI_DSS_v4.0.1_11.5.1.1 PCI DSS v4.0.1 11.5.1.1 Test Security of Systems and Networks Regularly Covert Malware Detection Shared n/a Additional requirement for service providers only: Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels. 17
PCI_DSS_v4.0.1 11.5.2 PCI_DSS_v4.0.1_11.5.2 PCI DSS v4.0.1 11.5.2 Test Security of Systems and Networks Regularly Change-Detection Mechanism Deployment Shared n/a A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows: • To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files. • To perform critical file comparisons at least once weekly. 27
RBI_ITF_NBFC_v2017 3.1.g RBI_ITF_NBFC_v2017_3.1.g RBI IT Framework 3.1.g Information and Cyber Security Trails-3.1 n/a The IS Policy must provide for a IS framework with the following basic tenets: Trails- NBFCs shall ensure that audit trails exist for IT assets satisfying its business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail. link 33
RMiT_v1.0 10.66 RMiT_v1.0_10.66 RMiT 10.66 Security of Digital Services Security of Digital Services - 10.66 Shared n/a A financial institution must implement robust technology security controls in providing digital services which assure the following: (a) confidentiality and integrity of customer and counterparty information and transactions; (b) reliability of services delivered via channels and devices with minimum disruption to services; (c) proper authentication of users or devices and authorisation of transactions; (d) sufficient audit trail and monitoring of anomalous transactions; (e) ability to identify and revert to the recovery point prior to incident or service disruption; and (f) strong physical control and logical control measures link 29
SOC_2023 A1.1 SOC_2023_A1.1 SOC 2023 A1.1 Additional Criteria for Availability Effectively manage capacity demand and facilitate the implementation of additional capacity as needed. Shared n/a The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. 107
SOC_2023 CC.5.3 SOC_2023_CC.5.3 404 not found n/a n/a 35
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication Facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 214
SOC_2023 CC4.1 SOC_2023_CC4.1 SOC 2023 CC4.1 Monitoring Activities Enhance the ability to manage risks and achieve objectives. Shared n/a The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 36
SOC_2023 CC4.2 SOC_2023_CC4.2 SOC 2023 CC4.2 Monitoring Activities Facilitate timely corrective actions and strengthen the ability to maintain effective control over its operations and achieve its objectives. Shared n/a The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors. 35
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities Maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 225
SOC_2023 CC7.2 SOC_2023_CC7.2 SOC 2023 CC7.2 Systems Operations Maintain robust security measures and ensure operational resilience. Shared n/a The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. 163
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 209
SOC_2023 CC8.1 SOC_2023_CC8.1 SOC 2023 CC8.1 Change Management Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. Shared n/a The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. 143
SWIFT_CSCF_2024 2.9 SWIFT_CSCF_2024_2.9 SWIFT Customer Security Controls Framework 2024 2.9 Transaction Controls Transaction Business Controls Shared 1. Implementing business controls that restrict Swift transactions to the fullest extent possible reduces the opportunity for the sending (outbound) and, optionally, receiving (inbound) of fraudulent transactions. 2. These restrictions are best determined through an analysis of normal business activity. Parameters can then be set to restrict business to acceptable thresholds based on “normal” activity. To ensure outbound transaction activity within the expected bounds of normal business. 21
SWIFT_CSCF_2024 6.4 SWIFT_CSCF_2024_6.4 SWIFT Customer Security Controls Framework 2024 6.4 Access Control Logging and Monitoring Shared 1. Developing a logging and monitoring plan is the basis for effectively detecting abnormal behaviour and potential attacks and support further investigations. 2. As the operational environment becomes more complex, so will the logging and monitoring capability needed to perform adequate detection. Simplifying the operational environment will enable simpler logging and monitoring. To record security events, detect and respond to anomalous actions and operations within the user’s Swift environment. 38
SWIFT_CSCF_2024 6.5 SWIFT_CSCF_2024_6.5 404 not found n/a n/a 18
SWIFT_CSCF_v2021 6.4 SWIFT_CSCF_v2021_6.4 SWIFT CSCF v2021 6.4 Detect Anomalous Activity to Systems or Transaction Records Logging and Monitoring n/a Record security events and detect anomalous actions and operations within the local SWIFT environment. link 29
SWIFT_CSCF_v2022 6.4 SWIFT_CSCF_v2022_6.4 SWIFT CSCF v2022 6.4 6. Detect Anomalous Activity to Systems or Transaction Records Record security events and detect anomalous actions and operations within the local SWIFT environment. Shared n/a Capabilities to detect anomalous activity are implemented, and a process or tool is in place to keep and review logs. link 47
UK_NCSC_CAF_v3.2 C UK_NCSC_CAF_v3.2_C 404 not found n/a n/a 14
UK_NCSC_CAF_v3.2 C1 UK_NCSC_CAF_v3.2_C1 404 not found n/a n/a 15
UK_NCSC_CAF_v3.2 C1.c UK_NCSC_CAF_v3.2_C1.c NCSC Cyber Assurance Framework (CAF) v3.2 C1.c Security Monitoring Generating Alerts Shared 1. Logging data is enriched with other network knowledge and data when investigating certain suspicious activity or alerts. 2. A wide range of signatures and indicators of compromise is used for investigations of suspicious activity and alerts. 3. Alerts can be easily resolved to network assets using knowledge of networks and systems. The resolution of these alerts is performed in almost real time. 4. Security alerts relating to all essential functions are prioritised and this information is used to support incident management. 5. Logs are reviewed almost continuously, in real time. 6. Alerts are tested to ensure that they are generated reliably and that it is possible to distinguish genuine security incidents from false alarms. Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts. 18
UK_NCSC_CAF_v3.2 C1.d UK_NCSC_CAF_v3.2_C1.d NCSC Cyber Assurance Framework (CAF) v3.2 C1.d Security Monitoring Identifying Security Incidents Shared 1. Select threat intelligence sources or services using risk-based and threat-informed decisions based on the business needs and sector (e.g. vendor reporting and patching, strong anti-virus providers, sector and community-based info share, special interest groups). 2. Apply all new signatures and IoCs within a reasonable (risk-based) time of receiving them. 3. Receive signature updates for all the protective technologies (e.g. AV, IDS). 4. Track the effectiveness of the intelligence feeds and actively share feedback on the usefulness of IoCs and any other indicators with the threat community (e.g. sector partners, threat intelligence providers, government agencies). Contextualise alerts with knowledge of the threat and the systems, to identify those security incidents that require some form of response. 17
UK_NCSC_CAF_v3.2 C2 UK_NCSC_CAF_v3.2_C2 404 not found n/a n/a 15
UK_NCSC_CAF_v3.2 C2.b UK_NCSC_CAF_v3.2_C2.b NCSC Cyber Assurance Framework (CAF) v3.2 C2.b Proactive Security Event Discovery Proactive Attack Discovery Shared 1. Routinely search for system abnormalities indicative of malicious activity on the networks and information systems supporting the operation of your essential function, generating alerts based on the results of such searches. 2. Have justified confidence in the effectiveness of the searches for system abnormalities indicative of malicious activity. Use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity. 15
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn true
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn true
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn unknown
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn unknown
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn true
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
DORA 2022 2554 f9c0485f-da8e-43b5-961e-58ebd54b907c Regulatory Compliance GA BuiltIn unknown
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
FFIEC CAT 2017 1d5dbdd5-6f93-43ce-a939-b19df3753cf7 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27001 2022 5e4ff661-23bf-42fa-8e3a-309a55091cc7 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27017 2015 f48ecfa6-581c-43f9-8141-cd4adc72cf26 Regulatory Compliance GA BuiltIn unknown
K ISMS P 2018 e0782c37-30da-4a78-9f92-50bfe7aa2553 Regulatory Compliance GA BuiltIn unknown
NCSC Cyber Assurance Framework (CAF) v3.2 6d220abf-cf6f-4b17-8f7e-0644c4cc84b4 Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST CSF v2.0 184a0e05-7b06-4a68-bbbe-13b8353bc613 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn true
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn unknown
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-09-27 15:52:17 change Patch (1.0.0 > 1.0.1)
2019-10-11 00:02:54 add efbde977-ba53-4479-b8e9-10b957924fbf
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC