Compliance controls associated with the Policy definition "Windows machines should meet requirements for 'Security Settings - Account Policies'" (f2143251-70de-4e81-87a8-36cee5a2f29d)

Columns: Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy#

Control Domain: AU_ISM
Control: 421
Name: AU_ISM_421
MetadataId: AU ISM 421
Category: Guidelines for System Hardening - Authentication hardening
Title: Single-factor authentication - 421
Requirements: n/a
Description: Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words.
Policy#: 4

Control Domain: CMMC_L2_v1.9.0
Control: IA.L2_3.5.10
Name: CMMC_L2_v1.9.0_IA.L2_3.5.10
MetadataId: Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 IA.L2 3.5.10
Category: Identification and Authentication
Title: Cryptographically Protected Passwords
Owner: Shared
Requirements: Store and transmit only cryptographically protected passwords.
Description: To enhance the overall security of the authentication process.
Policy#: 2

Control Domain: CMMC_L2_v1.9.0
Control: IA.L2_3.5.7
Name: CMMC_L2_v1.9.0_IA.L2_3.5.7
MetadataId: Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 IA.L2 3.5.7
Category: Identification and Authentication
Title: Password Complexity
Owner: Shared
Requirements: Enforce a minimum password complexity and change of characters when new passwords are created.
Description: To reduce the risk of unauthorized access through password guessing or brute force attacks.
Policy#: 6

Control Domain: CMMC_L2_v1.9.0
Control: IA.L2_3.5.9
Name: CMMC_L2_v1.9.0_IA.L2_3.5.9
MetadataId: Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 IA.L2 3.5.9
Category: Identification and Authentication
Title: Temporary Passwords
Owner: Shared
Requirements: Allow temporary password use for system logons with an immediate change to a permanent password.
Description: To ensure that temporary passwords are quickly replaced with more secure, permanent ones.
Policy#: 2

Control Domain: CMMC_L2_v1.9.0
Control: MP.L2_3.8.6
Name: CMMC_L2_v1.9.0_MP.L2_3.8.6
MetadataId: Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 MP.L2 3.8.6
Category: Media Protection
Title: Portable Storage Encryption
Owner: Shared
Requirements: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Description: To ensure that sensitive information remains secure and confidential even if the media is lost, stolen, or intercepted during transit.
Policy#: 9

Control Domain: CMMC_L2_v1.9.0
Control: SC.L2_3.13.8
Name: CMMC_L2_v1.9.0_SC.L2_3.13.8
MetadataId: Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.8
Category: System and Communications Protection
Title: Data in Transit
Owner: Shared
Requirements: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
Description: To maintain the confidentiality and integrity of CUI.
Policy#: 2

Control Domain: CSA_v4.0.12
Control: CEK_03
Name: CSA_v4.0.12_CEK_03
MetadataId: CSA Cloud Controls Matrix v4.0.12 CEK 03
Category: Cryptography, Encryption & Key Management
Title: Data Encryption
Owner: Shared
Requirements: n/a
Description: Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.
Policy#: 58

Control Domain: CSA_v4.0.12
Control: IAM_02
Name: CSA_v4.0.12_IAM_02
MetadataId: CSA Cloud Controls Matrix v4.0.12 IAM 02
Category: Identity & Access Management
Title: Strong Password Policy and Procedures
Owner: Shared
Requirements: n/a
Description: Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.
Policy#: 52

Control Domain: CSA_v4.0.12
Control: IAM_03
Name: CSA_v4.0.12_IAM_03
MetadataId: CSA Cloud Controls Matrix v4.0.12 IAM 03
Category: Identity & Access Management
Title: Identity Inventory
Owner: Shared
Requirements: n/a
Description: Manage, store, and review the information of system identities, and level of access.
Policy#: 7

Control Domain: CSA_v4.0.12
Control: IAM_14
Name: CSA_v4.0.12_IAM_14
MetadataId: CSA Cloud Controls Matrix v4.0.12 IAM 14
Category: Identity & Access Management
Title: Strong Authentication
Owner: Shared
Requirements: n/a
Description: Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities.
Policy#: 32

Control Domain: CSA_v4.0.12
Control: IAM_15
Name: CSA_v4.0.12_IAM_15
MetadataId: CSA Cloud Controls Matrix v4.0.12 IAM 15
Category: Identity & Access Management
Title: Passwords Management
Owner: Shared
Requirements: n/a
Description: Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords.
Policy#: 26

Control Domain: CSA_v4.0.12
Control: IAM_16
Name: CSA_v4.0.12_IAM_16
MetadataId: CSA Cloud Controls Matrix v4.0.12 IAM 16
Category: Identity & Access Management
Title: Authorization Mechanisms
Owner: Shared
Requirements: n/a
Description: Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized.
Policy#: 46

Control Domain: CSA_v4.0.12
Control: UEM_08
Name: CSA_v4.0.12_UEM_08
MetadataId: CSA Cloud Controls Matrix v4.0.12 UEM 08
Category: Universal Endpoint Management
Title: Storage Encryption
Owner: Shared
Requirements: n/a
Description: Protect information from unauthorized disclosure on managed endpoint devices with storage encryption.
Policy#: 14

Control Domain: EU_2555_(NIS2)_2022
Control: EU_2555_(NIS2)_2022_21
Name: EU_2555_(NIS2)_2022_21
MetadataId: EU 2022/2555 (NIS2) 2022 21
Title: Cybersecurity risk-management measures
Owner: Shared
Requirements: n/a
Description: Requires essential and important entities to take appropriate measures to manage cybersecurity risks.
Policy#: 194

Control Domain: EU_GDPR_2016_679_Art.
Control: 24
Name: EU_GDPR_2016_679_Art._24
MetadataId: EU General Data Protection Regulation (GDPR) 2016/679 Art. 24
Category: Chapter 4 - Controller and processor
Title: Responsibility of the controller
Owner: Shared
Requirements: n/a
Description: n/a
Policy#: 311

Control Domain: EU_GDPR_2016_679_Art.
Control: 25
Name: EU_GDPR_2016_679_Art._25
MetadataId: EU General Data Protection Regulation (GDPR) 2016/679 Art. 25
Category: Chapter 4 - Controller and processor
Title: Data protection by design and by default
Owner: Shared
Requirements: n/a
Description: n/a
Policy#: 311

Control Domain: EU_GDPR_2016_679_Art.
Control: 28
Name: EU_GDPR_2016_679_Art._28
MetadataId: EU General Data Protection Regulation (GDPR) 2016/679 Art. 28
Category: Chapter 4 - Controller and processor
Title: Processor
Owner: Shared
Requirements: n/a
Description: n/a
Policy#: 311

Control Domain: EU_GDPR_2016_679_Art.
Control: 32
Name: EU_GDPR_2016_679_Art._32
MetadataId: EU General Data Protection Regulation (GDPR) 2016/679 Art. 32
Category: Chapter 4 - Controller and processor
Title: Security of processing
Owner: Shared
Requirements: n/a
Description: n/a
Policy#: 311

Control Domain: FBI_Criminal_Justice_Information_Services_v5.9.5_5
Control: .1
Name: FBI_Criminal_Justice_Information_Services_v5.9.5_5.1
MetadataId: FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1
Category: Policy and Implementation - Systems And Communications Protection
Title: Systems And Communications Protection
Owner: Shared
Requirements: In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information.
Description: Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment.
Policy#: 111

Control Domain: FBI_Criminal_Justice_Information_Services_v5.9.5_5
Control: .6
Name: FBI_Criminal_Justice_Information_Services_v5.9.5_5.6
MetadataId: FBI Criminal Justice Information Services (CJIS) v5.9.5 5.6
Category: Policy and Implementation - Identification And Authentication
Title: Identification And Authentication
Owner: Shared
Requirements: Ensure and maintain the proper identification and authentication measures with appropriate security safeguards to avoid issues like identity theft.
Description:
1. Identification is a unique, auditable representation of an identity within an information system, usually in the form of a simple character string for each individual user, machine, software component, or any other entity.
2. Authentication refers to mechanisms or processes to verify the identity of a user, process, or device, as a prerequisite to allowing access to a system's resources.
Policy#: 19

Control Domain: HITRUST_CSF_v11.3
Control: 06.c
Name: HITRUST_CSF_v11.3_06.c
MetadataId: HITRUST CSF v11.3 06.c
Category: Compliance with Legal Requirements
Title: To prevent loss, destruction and falsification of important records in accordance with statutory, regulatory, contractual, and business requirements.
Owner: Shared
Requirements:
1. Guidelines are to be issued and implemented by the organization on the ownership, classification, retention, storage, handling, and disposal of all records and information.
2. Accountings of disclosure as organizational records are to be documented and maintained for a pre-defined period.
Description: Important records shall be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements.
Policy#: 26

Control Domain: ISO_IEC_27017_2015
Control: 9.2.4
Name: ISO_IEC_27017_2015_9.2.4
MetadataId: ISO IEC 27017 2015 9.2.4
Category: Access Control
Title: Management of secret authentication information of users
Owner: Shared
Requirements:
For Cloud Service Customer: The cloud service customer should verify that the cloud service provider's management procedure for allocating secret authentication information, such as passwords, meets the cloud service customer's requirements.
For Cloud Service Provider: The cloud service provider should provide information on procedures for the management of the secret authentication information of the cloud service customer, including the procedures for allocating such information and for user authentication.
Description: To ensure proper entity authentication and prevent failures of authentication processes.
Policy#: 6

Control Domain: NIST_CSF_v2.0
Control: PR.DS_02
Name: NIST_CSF_v2.0_PR.DS_02
MetadataId: NIST CSF v2.0 PR.DS 02
Category: PROTECT-Data Security
Title: The confidentiality, integrity, and availability of data-in-transit are protected.
Owner: Shared
Requirements: n/a
Description: To implement safeguards for managing the organization's cybersecurity risks.
Policy#: 2

Control Domain: NIST_SP_800-171_R3_3
Control: .13.8
Name: NIST_SP_800-171_R3_3.13.8
MetadataId: NIST 800-171 R3 3.13.8
Category: System and Communications Protection Control
Title: Transmission and Storage Confidentiality
Owner: Shared
Requirements: This requirement applies to internal and external networks and any system components that can transmit CUI, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are susceptible to interception and modification. Encryption protects CUI from unauthorized disclosure during transmission and while in storage. Cryptographic mechanisms that protect the confidentiality of CUI during transmission include TLS and IPsec. Information in storage (i.e. information at rest) refers to the state of CUI when it is not in process or in transit and resides on internal or external storage devices, storage area network devices, and databases. Protecting CUI in storage does not focus on the type of storage device or the frequency of access to that device but rather on the state of the information. This requirement relates to 03.13.11.
Description: Implement cryptographic mechanisms to prevent the unauthorized disclosure of CUI during transmission and while in storage.
Policy#: 12

Control Domain: NIST_SP_800-171_R3_3
Control: .5.12
Name: NIST_SP_800-171_R3_3.5.12
MetadataId: NIST 800-171 R3 3.5.12
Category: Identification and Authentication Control
Title: Authenticator Management
Owner: Shared
Requirements:
Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. The initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, requirements for authenticator content contain specific characteristics. Authenticator management is supported by organization-defined settings and restrictions for various authenticator characteristics (e.g., password complexity and composition rules, validation time window for time synchronous one-time tokens, and the number of allowed rejections during the verification stage of biometric authentication).
The requirement to protect individual authenticators may be implemented by 03.15.03 for authenticators in the possession of individuals and by 03.01.01, 03.01.02, 03.01.05, and 03.13.08 for authenticators stored in organizational systems. This includes passwords stored in hashed or encrypted formats or files that contain encrypted or hashed passwords accessible with administrator privileges. Actions can be taken to protect authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well-known, easily discoverable, and present a significant risk. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed. The use of long passwords or passphrases may obviate the need to periodically change authenticators.
Description:
a. Verify the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution.
b. Establish initial authenticator content for any authenticators issued by the organization.
c. Establish and implement administrative procedures for initial authenticator distribution, for lost, compromised, or damaged authenticators, and for revoking authenticators.
d. Change default authenticators at first use.
e. Change or refresh authenticators periodically or when the following events occur: [Assignment: organization-defined events].
f. Protect authenticator content from unauthorized disclosure and modification.
Policy#: 6

Control Domain: NIST_SP_800-171_R3_3
Control: .5.7
Name: NIST_SP_800-171_R3_3.5.7
Requirements: n/a
Description: n/a
Policy#: 6

Control Domain: NIST_SP_800-53_R5.1.1
Control: IA.5.1
Name: NIST_SP_800-53_R5.1.1_IA.5.1
MetadataId: NIST SP 800-53 R5.1.1 IA.5.1
Category: Identification and Authentication Control
Title: Authenticator Management | Password-based Authentication
Owner: Shared
Requirements:
For password-based authentication:
(a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;
(b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);
(c) Transmit passwords only over cryptographically-protected channels;
(d) Store passwords using an approved salted key derivation function, preferably using a keyed hash;
(e) Require immediate selection of a new password upon account recovery;
(f) Allow user selection of long passwords and passphrases, including spaces and all printable characters;
(g) Employ automated tools to assist the user in selecting strong password authenticators; and
(h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules].
Description: Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.
Policy#: 2

Control Domain: NIST_SP_800-53_R5.1.1
Control: SC.28.1
Name: NIST_SP_800-53_R5.1.1_SC.28.1
MetadataId: NIST SP 800-53 R5.1.1 SC.28.1
Category: System and Communications Protection
Title: Protection of Information at Rest | Cryptographic Protection
Owner: Shared
Requirements: Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information].
Description: The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields.
Policy#: 9

Control Domain: NZISM_Security_Benchmark_v1.1
Control: AC-4
Name: NZISM_Security_Benchmark_v1.1_AC-4
MetadataId: NZISM Security Benchmark AC-4
Category: Access Control and Passwords
Title: 16.1.40 Password selection policy
Owner: Customer
Requirements:
Agencies SHOULD implement a password policy enforcing either:
- a minimum password length of 16 characters with no complexity requirement; or
- a minimum password length of ten characters, consisting of at least three of the following character sets:
  - lowercase characters (a-z);
  - uppercase characters (A-Z);
  - digits (0-9); and
  - punctuation and special characters.
Description:
Passwords are the primary authentication mechanism for almost all information systems and are a fundamental part of access and authentication processes and mechanisms. While there are some limitations in the use of passwords, they remain the most cost-effective means available with current technology.
Passwords are subject to three principal groups of risks:
- Intentional password sharing;
- Password theft, loss or compromise; and
- Password guessing and cracking.
Associated with these risk groups are four principal methods of attacking passwords:
- Interactive attempts including password guessing, brute force attacks or some knowledge of the user or agency.
- Obtaining the password through social engineering or phishing.
- Compromising the password through oversight, observation, use of keyloggers, cameras etc.
- Cracking through network traffic interception, misconfiguration, malware, data capture etc. For example, a simple eight-letter password can today be brute-forced in minutes by software freely available on the Internet.
Password controls are designed to manage these risks and attack methods using the controls specified in this section. For example, passwords with at least ten characters utilising upper and lower case, numbers and special characters have a much greater resistance to brute force attacks. When used in combination with controls such as password history and regular password change, passwords can present high resistance to known attack methods.
Policy#: 2

Control Domain: NZISM_v3.7
Control: 14.3.10.C.01.
Name: NZISM_v3.7_14.3.10.C.01.
MetadataId: NZISM v3.7 14.3.10.C.01.
Category: Web Applications
Title: 14.3.10.C.01. - To maintain control over network traffic and reduce the likelihood of exposure to malicious content or activities.
Owner: Shared
Requirements: n/a
Description: Agencies SHOULD implement allow listing for all HTTP traffic being communicated through their gateways.
Policy#: 24

Control Domain: NZISM_v3.7
Control: 14.3.10.C.02.
Name: NZISM_v3.7_14.3.10.C.02.
MetadataId: NZISM v3.7 14.3.10.C.02.
Category: Web Applications
Title: 14.3.10.C.02. - To maintain control over network traffic and reduce the likelihood of exposure to malicious content or activities.
Owner: Shared
Requirements: n/a
Description: Agencies using an allow list on their gateways to specify the external addresses to which encrypted connections are permitted SHOULD specify allow list addresses by domain name or IP address.
Policy#: 23

Control Domain: NZISM_v3.7
Control: 14.3.10.C.03.
Name: NZISM_v3.7_14.3.10.C.03.
MetadataId: NZISM v3.7 14.3.10.C.03.
Category: Web Applications
Title: 14.3.10.C.03. - To maintain control over network traffic and reduce the likelihood of exposure to malicious content or activities.
Owner: Shared
Requirements: n/a
Description: If agencies do not allow list websites, they SHOULD deny list websites to prevent access to known malicious websites.
Policy#: 22

Control Domain: NZISM_v3.7
Control: 14.3.10.C.04.
Name: NZISM_v3.7_14.3.10.C.04.
MetadataId: NZISM v3.7 14.3.10.C.04.
Category: Web Applications
Title: 14.3.10.C.04. - To maintain control over network traffic and reduce the likelihood of exposure to malicious content or activities.
Owner: Shared
Requirements: n/a
Description: Agencies deny listing websites SHOULD update the deny list on a frequent basis to ensure that it remains effective.
Policy#: 22

Control Domain: NZISM_v3.7
Control: 19.1.10.C.01.
Name: NZISM_v3.7_19.1.10.C.01.
MetadataId: NZISM v3.7 19.1.10.C.01.
Category: Gateways
Title: 19.1.10.C.01. - To ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks.
Owner: Shared
Requirements: n/a
Description: When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection.
Policy#: 50

Control Domain: NZISM_v3.7
Control: 19.1.11.C.01.
Name: NZISM_v3.7_19.1.11.C.01.
MetadataId: NZISM v3.7 19.1.11.C.01.
Category: Gateways
Title: 19.1.11.C.01. - To ensure network protection through gateway mechanisms.
Owner: Shared
Requirements: n/a
Description:
Agencies MUST ensure that:
1. all agency networks are protected from networks in other security domains by one or more gateways;
2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and
3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room.
Policy#: 49

Control Domain: NZISM_v3.7
Control: 19.1.11.C.02.
Name: NZISM_v3.7_19.1.11.C.02.
MetadataId: NZISM v3.7 19.1.11.C.02.
Category: Gateways
Title: 19.1.11.C.02. - To maintain security and integrity across domains.
Owner: Shared
Requirements: n/a
Description: For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party.
Policy#: 48

Control Domain: NZISM_v3.7
Control: 19.1.12.C.01.
Name: NZISM_v3.7_19.1.12.C.01.
MetadataId: NZISM v3.7 19.1.12.C.01.
Category: Gateways
Title: 19.1.12.C.01. - To minimize security risks and ensure effective control over network communications.
Owner: Shared
Requirements: n/a
Description:
Agencies MUST ensure that gateways:
1. are the only communications paths into and out of internal networks;
2. by default, deny all connections into and out of the network;
3. allow only explicitly authorised connections;
4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network);
5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and
6. provide real-time alerts.
Policy#: 47

Control Domain: NZISM_v3.7
Control: 19.1.14.C.01.
Name: NZISM_v3.7_19.1.14.C.01.
MetadataId: NZISM v3.7 19.1.14.C.01.
Category: Gateways
Title: 19.1.14.C.01. - To enhance security by segregating resources from the internal network.
Owner: Shared
Requirements: n/a
Description: Agencies MUST use demilitarised zones to house systems and information directly accessed externally.
Policy#: 40

Control Domain: NZISM_v3.7
Control: 19.1.14.C.02.
Name: NZISM_v3.7_19.1.14.C.02.
MetadataId: NZISM v3.7 19.1.14.C.02.
Category: Gateways
Title: 19.1.14.C.02. - To enhance security by segregating resources from the internal network.
Owner: Shared
Requirements: n/a
Description: Agencies SHOULD use demilitarised zones to house systems and information directly accessed externally.
Policy#: 39

Control Domain: NZISM_v3.7
Control: 19.1.19.C.01.
Name: NZISM_v3.7_19.1.19.C.01.
MetadataId: NZISM v3.7 19.1.19.C.01.
Category: Gateways
Title: 19.1.19.C.01. - To enhance security posture.
Owner: Shared
Requirements: n/a
Description: Agencies MUST limit access to gateway administration functions.
Policy#: 34

Control Domain: NZISM_v3.7
Control: 19.2.16.C.02.
Name: NZISM_v3.7_19.2.16.C.02.
MetadataId: NZISM v3.7 19.2.16.C.02.
Category: Cross Domain Solutions (CDS)
Title: 19.2.16.C.02. - To maintain security and prevent unauthorized access or disclosure of sensitive information.
Owner: Shared
Requirements: n/a
Description:
Agencies MUST NOT implement a gateway permitting data to flow directly from:
1. a TOP SECRET network to any network below SECRET;
2. a SECRET network to an UNCLASSIFIED network; or
3. a CONFIDENTIAL network to an UNCLASSIFIED network.
Policy#: 34

Control Domain: NZISM_v3.7
Control: 19.2.18.C.01.
Name: NZISM_v3.7_19.2.18.C.01.
MetadataId: NZISM v3.7 19.2.18.C.01.
Category: Cross Domain Solutions (CDS)
Title: 19.2.18.C.01. - To enhance data security and prevent unauthorized access or leakage between classified networks and less classified networks.
Owner: Shared
Requirements: n/a
Description: Agencies MUST ensure that all bi-directional gateways between TOP SECRET and SECRET networks, SECRET and less classified networks, and CONFIDENTIAL and less classified networks, have separate upward and downward paths which use a diode and physically separate infrastructure for each path.
Policy#: 34

Control Domain: NZISM_v3.7
Control: 19.2.19.C.01.
Name: NZISM_v3.7_19.2.19.C.01.
MetadataId: NZISM v3.7 19.2.19.C.01.
Category: Cross Domain Solutions (CDS)
Title: 19.2.19.C.01. - To ensure the integrity and reliability of information accessed or received.
Owner: Shared
Requirements: n/a
Description:
Trusted sources MUST be:
1. a strictly limited list derived from business requirements and the result of a security risk assessment;
2. where necessary an appropriate security clearance is held; and
3. approved by the Accreditation Authority.
Policy#: 34

Control Domain: NZISM_v3.7
Control: 19.2.19.C.02.
Name: NZISM_v3.7_19.2.19.C.02.
MetadataId: NZISM v3.7 19.2.19.C.02.
Category: Cross Domain Solutions (CDS)
Title: 19.2.19.C.02. - To reduce the risk of unauthorized data transfers and potential breaches.
Owner: Shared
Requirements: n/a
Description: Trusted sources MUST authorise all data to be exported from a security domain.
Policy#: 29

Control Domain: NZISM_v3.7
Control: 19.3.8.C.03.
Name: NZISM_v3.7_19.3.8.C.03.
MetadataId: NZISM v3.7 19.3.8.C.03.
Category: Firewalls
Title: 19.3.8.C.03. - To minimise the risk of unauthorized access or data leakage between networks.
Owner: Shared
Requirements: n/a
Description:
Agencies MUST use devices as shown in the following table for their gateway when connecting two networks of different classifications or two networks of the same classification but of different security domains. Each cell gives the device you require / the device they require.

Your network \ Their network | Unclassified | Restricted | Confidential | Secret | Top Secret
Restricted and below | EAL4 firewall / N/A | EAL2 or PP firewall / EAL2 or PP firewall | EAL2 or PP firewall / EAL4 firewall | EAL2 or PP firewall / EAL4 firewall | EAL2 or PP firewall / Consultation with GCSB
Confidential | Consultation with GCSB / N/A | EAL4 firewall / EAL2 or PP firewall | EAL2 or PP firewall / EAL2 or PP firewall | EAL2 or PP firewall / EAL4 firewall | EAL2 or PP firewall / Consultation with GCSB
Secret | Consultation with GCSB / N/A | EAL4 firewall / EAL2 or PP firewall | EAL4 firewall / EAL2 or PP firewall | EAL2 or PP firewall / EAL2 or PP firewall | EAL2 or PP firewall / EAL4 firewall
Top Secret | Consultation with GCSB / N/A | Consultation with GCSB / EAL2 or PP firewall | Consultation with GCSB / EAL2 or PP firewall | EAL4 firewall / EAL2 or PP firewall | EAL4 firewall / EAL4 firewall

Policy#: 19

Control Domain: PCI_DSS_v4.0.1
Control: 3.3.2
Name: PCI_DSS_v4.0.1_3.3.2
MetadataId: PCI DSS v4.0.1 3.3.2
Category: Protect Stored Account Data
Title: SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.
Owner: Shared
Requirements: n/a
Description: Examine data stores, system configurations, and/or vendor documentation to verify that all SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.
Policy#: 2

Control Domain: PCI_DSS_v4.0.1
Control: 3.3.3
Name: PCI_DSS_v4.0.1_3.3.3
MetadataId: PCI DSS v4.0.1 3.3.3
Category: Protect Stored Account Data
Title: Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is limited to that which is needed for a legitimate issuing business need and is secured, and is encrypted using strong cryptography.
Owner: Shared
Requirements: n/a
Description: Additional testing procedure for issuers and companies that support issuing services and store sensitive authentication data: Examine documented policies and interview personnel to verify there is a documented business justification for the storage of sensitive authentication data. Examine data stores and system configurations to verify that the sensitive authentication data is stored securely.
Policy#: 6

Control Domain: PCI_DSS_v4.0.1
Control: 3.5.1.2
Name: PCI_DSS_v4.0.1_3.5.1.2
MetadataId: PCI DSS v4.0.1 3.5.1.2
Category: Protect Stored Account Data
Title: If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows: on removable electronic media, OR if used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets Requirement 3.5.1.
Owner: Shared
Requirements: n/a
Description: Examine encryption processes to verify that, if disk-level or partition-level encryption is used to render PAN unreadable, it is implemented only as follows: on removable electronic media, OR if used for non-removable electronic media, examine encryption processes used to verify that PAN is also rendered unreadable via another method that meets Requirement 3.5.1. Examine configurations and/or vendor documentation and observe encryption processes to verify the system is configured according to vendor documentation and the result is that the disk or the partition is rendered unreadable.
Policy#: 9

Control Domain: PCI_DSS_v4.0.1
Control: 4.2.1.2
Name: PCI_DSS_v4.0.1_4.2.1.2
MetadataId: PCI DSS v4.0.1 4.2.1.2
Category: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
Title: Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission.
Owner: Shared
Requirements: n/a
Description: Examine system configurations to verify that wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission.
Policy#: 2

Control Domain: PCI_DSS_v4.0.1
Control: 4.2.2
Name: PCI_DSS_v4.0.1_4.2.2
MetadataId: PCI DSS v4.0.1 4.2.2
Category: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
Title: PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.
Owner: Shared
Requirements: n/a
Description: Examine documented policies and procedures to verify that processes are defined to secure PAN with strong cryptography whenever sent over end-user messaging technologies. Examine system configurations and vendor documentation to verify that PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.
Policy#: 2

Control Domain: Sarbanes_Oxley_Act_(1)_2022_1
Control: Sarbanes_Oxley_Act_(1)_2022_1
Name: Sarbanes_Oxley_Act_(1)_2022_1
MetadataId: Sarbanes Oxley Act 2022 1
Category: PUBLIC LAW
Title: Sarbanes Oxley Act 2022 (SOX)
Owner: Shared
Requirements: n/a
Description: n/a
Policy#: 92

Control Domain: SOC_2023
Control: CC2.3
Name: SOC_2023_CC2.3
MetadataId: SOC 2023 CC2.3
Category: Information and Communication
Title: To facilitate effective internal communication.
Owner: Shared
Requirements: n/a
Description: Entity to communicate with external parties regarding matters affecting the functioning of internal control.
Policy#: 218

Control Domain: SOC_2023
Control: CC5.3
Name: SOC_2023_CC5.3
MetadataId: SOC 2023 CC5.3
Category: Control Activities
Title: To maintain alignment with organizational objectives and regulatory requirements.
Owner: Shared
Requirements: n/a
Description: The entity deploys control activities through policies that establish what is expected and through procedures that put policies into action, by establishing policies and procedures to support deployment of management's directives, assigning responsibility and accountability for executing policies and procedures, performing tasks in a timely manner, taking corrective actions, performing tasks using competent personnel, and reassessing policies and procedures.
Policy#: 229

SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents and ending threats posed by security incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtaining an Understanding of the Nature of the Incident and Determining a Containment Strategy;
g. Remediating Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and performing periodic incident evaluations. |
|
213 |
SWIFT_CSCF_2024 |
4.1 |
SWIFT_CSCF_2024_4.1 |
SWIFT Customer Security Controls Framework 2024 4.1 |
Password Management |
Password Policy |
Shared |
1. Implementing a password policy that protects against common password attacks (for example, guessing and brute force) is effective for protecting against account compromise. Attackers often use the privileges of a compromised account to move laterally within an environment and progress the attack.
2. Another risk is the compromise of local authentication keys to tamper with the integrity of transactions. However, it is important to recognise that passwords alone are generally not sufficient in the current cyber-threat landscape. Users should consider this control in close relationship with the multi-factor authentication requirement. |
To ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. |
|
7 |
SWIFT_CSCF_2024 |
5.2 |
SWIFT_CSCF_2024_5.2 |
SWIFT Customer Security Controls Framework 2024 5.2 |
Access Control |
Token Management |
Shared |
1. The protection of connected and disconnected hardware authentication, personal tokens or software tokens is essential to safeguard the related operator or system account.
2. It also reinforces good security practice by providing an additional layer of protection from attackers. |
To ensure the proper management, tracking, and use of connected and disconnected hardware authentication or personal and software tokens (when tokens are used). |
|
7 |
SWIFT_CSCF_2024 |
5.4 |
SWIFT_CSCF_2024_5.4 |
SWIFT Customer Security Controls Framework 2024 5.4 |
Password Management |
Password Repository Protection |
Shared |
1. The secure storage of recorded passwords (repository) makes sure that passwords are not easily accessible to others, thereby protecting against simple password theft.
2. Common insecure methods include, but are not limited to: recording passwords in a spreadsheet or a text document saved in cleartext on a desktop, in a shared directory or on a server, saved on a mobile phone, or written/printed on a post-it or a leaflet.
3. This control covers the storage of emergency, privileged or any other account passwords.
4. All accounts have to be considered because (i) a combination of compromised, non-privileged accounts, such as a transaction creator account and an approver account, can be damaging, and (ii) even monitoring accounts provide valuable information during the reconnaissance phase of an attack. |
To protect physically and logically the repository of recorded passwords. |
|
7 |
UK_NCSC_CAF_v3.2 |
B2.a |
UK_NCSC_CAF_v3.2_B2.a |
NCSC Cyber Assurance Framework (CAF) v3.2 B2.a |
Identity and Access Control |
Identity Verification, Authentication and Authorisation |
Shared |
1. The process of initial identity verification is robust enough to provide a high level of confidence of a user’s identity profile before allowing an authorised user access to networks and information systems that support the essential function.
2. Only authorised and individually authenticated users can physically access and logically connect to the networks or information systems on which that essential function depends.
3. The number of authorised users and systems that have access to all the networks and information systems supporting the essential function is limited to the minimum necessary.
4. Use additional authentication mechanisms, such as multi-factor (MFA), for privileged access to all systems that operate or support the essential function.
5. Use additional authentication mechanisms, such as multi-factor (MFA), when there is individual authentication and authorisation of all remote user access to all the networks and information systems that support the essential function.
6. The list of users and systems with access to networks and systems supporting and delivering the essential functions is reviewed on a regular basis, at least every six months. |
The organisation understands, documents and manages access to networks and information systems supporting the operation of essential functions. Users (or automated functions) that can access data or systems are appropriately verified, authenticated and authorised. Robustly verify, authenticate and authorise access to the networks and information systems supporting the essential function. |
|
32 |
UK_NCSC_CAF_v3.2 |
B3.b |
UK_NCSC_CAF_v3.2_B3.b |
NCSC Cyber Assurance Framework (CAF) v3.2 B3.b |
Data Security |
Data in Transit |
Shared |
1. Identify and protect (effectively and proportionately) all the data links that carry data important to the operation of the essential function.
2. Apply appropriate physical and / or technical means to protect data that travels over non-trusted or openly accessible carriers, with justified confidence in the robustness of the protection applied.
3. Suitable alternative transmission paths are available where there is a significant risk of impact on the operation of the essential function due to resource limitation (e.g. transmission equipment or function failure, or important data being blocked or jammed). |
Protect the transit of data important to the operation of the essential function. This includes the transfer of data to third parties. |
|
2 |
UK_NCSC_CAF_v3.2 |
C1.b |
UK_NCSC_CAF_v3.2_C1.b |
NCSC Cyber Assurance Framework (CAF) v3.2 C1.b |
Security Monitoring |
Securing Logs |
Shared |
1. The integrity of logging data is protected, or any modification is detected and attributed.
2. The logging architecture has mechanisms, processes and procedures to ensure that it can protect itself from threats comparable to those it is trying to identify. This includes protecting the function itself, and the data within it.
3. Log data analysis and normalisation is only performed on copies of the data keeping the master copy unaltered.
4. Logging datasets are synchronised, using an accurate common time source, so that separate datasets can be correlated in different ways.
5. Access to logging data is limited to those with business need and no others.
6. All actions involving all logging data (e.g. copying, deleting or modification, or even viewing) can be traced back to a unique user.
7. Legitimate reasons for accessing logging data are given in use policies. |
Hold logging data securely and grant read access only to accounts with business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted. |
|
11 |