Az Policy Advertizer

12.8

CIS_Controls_v8.1_12.8

CIS Controls v8.1 12.8

Network Infrastructure Management

Establish and maintain dedicated computing resources for all administrative work

Shared

1. Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. 2. The computing resources should be segmented from the enterprise’s primary network and not be allowed internet access.

To ensure administrative work is on a different system on which access to data and internet is restricted.

3.3

CIS_Controls_v8.1_3.3

CIS Controls v8.1 3.3

Data Protection

Configure data access control lists

Shared

1. Configure data access control lists based on a user’s need to know. 2. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.

To ensure that users have access only to the data necessary for their roles.

5.1

CIS_Controls_v8.1_5.1

CIS Controls v8.1 5.1

Account Management

Establish and maintain an inventory of accounts

Shared

1. Establish and maintain an inventory of all accounts managed in the enterprise. 2. The inventory must include both user and administrator accounts. 3. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. 4. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

To ensure accurate tracking and management of accounts.

5.4

CIS_Controls_v8.1_5.4

CIS Controls v8.1 5.4

Account Management

Restrict administrator privileges to dedicated administrator accounts.

Shared

1. Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 2. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

To restrict access to privileged accounts.

CMMC_L2_v1.9.0_AC.L1_3.1.1

6.8

CIS_Controls_v8.1_6.8

CIS Controls v8.1 6.8

Access Control Management

Define and maintain role-based access control.

Shared

1. Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. 2. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.

To implement a system of role-based access control.

CMMC_L2_v1.9.0

AC.L1_3.1.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L1 3.1.1

Access Control

Authorized Access Control

Shared

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

To ensure security and integrity.

CMMC_L2_v1.9.0

AC.L1_3.1.2

CMMC_L2_v1.9.0_AC.L1_3.1.2

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L1 3.1.2

Access Control

Transaction & Function Control

Shared

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

To restrict information system access.

CMMC_L2_v1.9.0

AC.L2_3.1.5

CMMC_L2_v1.9.0_AC.L2_3.1.5

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.5

Access Control

Least Privilege

Shared

Employ the principle of least privilege, including for specific security functions and privileged accounts.

To restrict information system access.

IAM_02

CSA_v4.0.12_IAM_02

CSA Cloud Controls Matrix v4.0.12 IAM 02

Identity & Access Management

Strong Password Policy and Procedures

Shared

n/a

Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.

IAM_04

CSA_v4.0.12_IAM_04

CSA Cloud Controls Matrix v4.0.12 IAM 04

Identity & Access Management

Separation of Duties

Shared

n/a

Employ the separation of duties principle when implementing information system access.

IAM_05

CSA_v4.0.12_IAM_05

CSA Cloud Controls Matrix v4.0.12 IAM 05

Identity & Access Management

Least Privilege

Shared

n/a

Employ the least privilege principle when implementing information system access.

IAM_06

CSA_v4.0.12_IAM_06

CSA Cloud Controls Matrix v4.0.12 IAM 06

Identity & Access Management

User Access Provisioning

Shared

n/a

Define and implement a user access provisioning process which authorizes, records, and communicates access changes to data and assets.

IAM_07

CSA_v4.0.12_IAM_07

CSA Cloud Controls Matrix v4.0.12 IAM 07

Identity & Access Management

User Access Changes and Revocation

Shared

n/a

De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies.

IAM_10

CSA_v4.0.12_IAM_10

CSA Cloud Controls Matrix v4.0.12 IAM 10

Identity & Access Management

Management of Privileged Access Roles

Shared

n/a

Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access.

IAM_13

CSA_v4.0.12_IAM_13

CSA Cloud Controls Matrix v4.0.12 IAM 13

Identity & Access Management

Uniquely Identifiable Users

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs.

IAM_16

CSA_v4.0.12_IAM_16

CSA Cloud Controls Matrix v4.0.12 IAM 16

Identity & Access Management

Authorization Mechanisms

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_2

Cyber Essentials v3.1 2

Cyber Essentials

Secure Configuration

Shared

n/a

Aim: ensure that computers and network devices are properly configured to reduce vulnerabilities and provide only the services required to fulfill their role.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_4

Cyber Essentials v3.1 4

Cyber Essentials

User Access Control

Shared

n/a

Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_5

Cyber Essentials v3.1 5

Cyber Essentials

Malware protection

Shared

n/a

Aim: to restrict execution of known malware and untrusted software, from causing damage or accessing data.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

310

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

310

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5.5

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5

Policy and Implementation - Access Control

Access Control

Shared

Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI.

Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information.

FFIEC_CAT_2017

3.1.2

FFIEC_CAT_2017_3.1.2

FFIEC CAT 2017 3.1.2

Cybersecurity Controls

Access and Data Management

Shared

n/a

Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.'FFIEC_Cybersecurity Control'!F8 - Employee access to systems and confidential data provides for separation of duties. - Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger 'FFIEC_Cybersecurity Control'!F7password controls). - User access reviews are performed periodically for all systems and applications based on the risk to the application or system. - Changes to physical and logical user access, including those that result from voluntary and involuntary terminations, are submitted to and approved by appropriate personnel. - Identification and authentication are required and managed for access to systems, applications, and hardware. - Access controls include password complexity and limits to password attempts and reuse. - All default passwords and unnecessary default accounts are changed before system implementation. - Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk. - Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.) - Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems. - All passwords are encrypted in storage and in transit. - Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). - Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) - Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. - Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software. - Customer service (e.g., the call center) utilizes formal procedures to authenticate customers commensurate with the risk of the transaction or request. - Data is disposed of or destroyed according to documented requirements and within expected time frames.

HITRUST_CSF_v11.3

01.c

HITRUST_CSF_v11.3_01.c

HITRUST CSF v11.3 01.c

Authorized Access to Information Systems

Control privileged access to information systems and services.

Shared

1. Privileged role assignments to be automatically tracked and monitored. 2. Role-based access controls to be implemented and should be capable of mapping each user to one or more roles, and each role to one or more system functions. 3. Critical security functions to be executable only after granting of explicit authorization.

The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls.

5.15

ISO_IEC_27002_2022_5.15

ISO IEC 27002 2022 5.15

Protection, Preventive Control

Access control

Shared

Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.

To ensure authorized access and to prevent unauthorized access to information and other associated assets.

5.18

ISO_IEC_27002_2022_5.18

ISO IEC 27002 2022 5.18

Protection, Preventive Control

Access rights

Shared

Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.

To ensure access to information and other associated assets is defined and authorized according to the business requirements.

8.2

ISO_IEC_27002_2022_8.2

ISO IEC 27002 2022 8.2

Protection, Preventive, Control

Privileged access rights

Shared

The allocation and use of privileged access rights should be restricted and managed.

To ensure only authorized users, software components and services are provided with privileged access rights.

ISO_IEC_27017_2015_12.4.3

8.3

ISO_IEC_27002_2022_8.3

ISO IEC 27002 2022 8.3

Protection, Preventive, Control

Information access restriction

Shared

Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control.

To ensure only authorized access and to prevent unauthorized access to information and other associated assets.

ISO_IEC_27017_2015

12.4.3

ISO IEC 27017 2015 12.4.3

Operations Security

Administrator and Operation Logs

Shared

For Cloud Service Customer: If a privileged operation is delegated to the cloud service customer, the operation and performance of those operations should be logged. The cloud service customer should determine whether logging capabilities provided by the cloud service provider are appropriate or whether the cloud service customer should implement additional logging capabilities.

To log operation and performance of those operations wherein rivileged operation is delegated to the cloud service customer.

ISO_IEC_27017_2015

9.4.1

ISO_IEC_27017_2015_9.4.1

ISO IEC 27017 2015 9.4.1

Access Control

Information access restriction

Shared

For Cloud Service Customer: The cloud service customer should ensure that access to information in the cloud service can be restricted in accordance with its access control policy and that such restrictions are realized. This includes restricting access to cloud services, cloud service functions, and cloud service customer data maintained in the service. For Cloud Service Provider: The cloud service provider should provide access controls that allow the cloud service customer to restrict access to its cloud services, its cloud service functions and the cloud service customer data maintained in the service.

To ensure only authorized access and to prevent unauthorized access to information and other associated assets.

NIST_CSF_v2.0

PR.AA_05

NIST_CSF_v2.0_PR.AA_05

NIST CSF v2.0 PR.AA 05

PROTECT- Identity Management, Authentication, and Access

Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.

Shared

n/a

To implement safeguards for managing organization’s cybersecurity risks.

.1.2

NIST_SP_800-171_R3_3.1.2

NIST 800-171 R3 3.1.2

Access Control

Access Enforcement

Shared

Access control policies control access between active entities or subjects (i.e., users or system processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. Types of system access include remote access and access to systems that communicate through external networks, such as the internet. Access enforcement mechanisms can also be employed at the application and service levels to provide increased protection for CUI. This recognizes that the system can host many applications and services in support of mission and business functions.

Enforce approved authorizations for logical access to CUI and system resources.

NIST_SP_800-171_R3_3.12.5

.12.5

NIST 800-171 R3 3.12.5

Security Assessment Control

Information Exchange

Shared

The types of agreements selected are based on factors such as the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual) and the level of access to the organizational system by users of the other system. Types of agreements can include interconnection security agreements, information exchange security agreements, memoranda of understanding or agreement, service-level agreements, or other types of agreements. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (e.g., service providers, contractors, system developers, and system integrators). Examples of the types of information contained in exchange agreements include the interface characteristics, security requirements, controls, and responsibilities for each system.

a. Approve and manage the exchange of CUI between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements]. b. Document, as part of the exchange agreements, interface characteristics, security requirements, and responsibilities for each system. c. Review and update the exchange agreements periodically.

.5.5

NIST_SP_800-171_R3_3.5.5

404 not found

n/a

NIST_SP_800-53_R5.1.1_AC.3

.8.2

NIST_SP_800-171_R3_3.8.2

404 not found

n/a

NIST_SP_800-53_R5.1.1

AC.3

NIST SP 800-53 R5.1.1 AC.3

Access Control

Access Enforcement

Shared

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family.

NIST_SP_800-53_R5.1.1

AC.3.7

NIST_SP_800-53_R5.1.1_AC.3.7

NIST SP 800-53 R5.1.1 AC.3.7

Access Control

Access Enforcement | Role-based Access Control

Shared

Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles].

Role-based access control (RBAC) is an access control policy that enforces access to objects and system functions based on the defined role (i.e., job function) of the subject. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on the systems associated with the organization-defined roles. When users are assigned to specific roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a large number of individuals) but are instead acquired through role assignments. RBAC can also increase privacy and security risk if individuals assigned to a role are given access to information beyond what they need to support organizational missions or business functions. RBAC can be implemented as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3(3) define the scope of the subjects and objects covered by the policy.

NIST_SP_800-53_R5.1.1

AC.6

NIST_SP_800-53_R5.1.1_AC.6

NIST SP 800-53 R5.1.1 AC.6

Access Control

Least Privilege

Shared

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems.

10.8.36.C.01.

NZISM_v3.7_10.8.36.C.01.

NZISM v3.7 10.8.36.C.01.

Network Design, Architecture and IP Address Management

10.8.36.C.01. - ensure adherence to security protocols and mitigate the risk of unauthorized access or disclosure.

Shared

n/a

The classification and other restrictions on the security and control of information MUST be clearly identified for each part of the Agency network.

10.8.37.C.01.

NZISM_v3.7_10.8.37.C.01.

NZISM v3.7 10.8.37.C.01.

Network Design, Architecture and IP Address Management

10.8.37.C.01. - prevent unauthorized access or inadvertent incorrect handling of sensitive information.

Shared

n/a

Systems of different classifications MUST be visually distinct.

11.3.6.C.01.

NZISM_v3.7_11.3.6.C.01.

NZISM v3.7 11.3.6.C.01.

Telephones and Telephone Systems

11.3.6.C.01. - ensure compliance with security protocols and minimise the risk of unauthorized disclosure of classified information.

Shared

n/a

Agencies MUST advise personnel of the maximum permitted classification for conversations using both internal and external telephone connections.

11.4.10.C.01.

NZISM_v3.7_11.4.10.C.01.

NZISM v3.7 11.4.10.C.01.

Mobile Telephony

11.4.10.C.01. - ensure adherence to security protocols and minimise the risk of unauthorized disclosure of classified information.

Shared

n/a

Agencies MUST advise personnel of the maximum permitted classification for conversations using both internal and external mobile devices.

11.4.10.C.02.

NZISM_v3.7_11.4.10.C.02.

NZISM v3.7 11.4.10.C.02.

Mobile Telephony

11.4.10.C.02. - promote awareness and mitigate potential threats to the confidentiality of sensitive information.

Shared

n/a

Agencies SHOULD advise personnel of all known security risks posed by using mobile devices in areas where classified conversations can occur.

14.1.10.C.01.

NZISM_v3.7_14.1.10.C.01.

NZISM v3.7 14.1.10.C.01.

Standard Operating Environments

14.1.10.C.01. - reduce potential vulnerabilities.

Shared

n/a

Agencies MUST reduce potential vulnerabilities in their SOEs by: 1. removing unused accounts; 2. renaming or deleting default accounts; and 3. replacing default passwords before or during the installation process.

14.1.10.C.02.

NZISM_v3.7_14.1.10.C.02.

NZISM v3.7 14.1.10.C.02.

Standard Operating Environments

14.1.10.C.02. - reduce potential vulnerabilities.

Shared

n/a

Agencies SHOULD reduce potential vulnerabilities in their SOEs by: 1. removing unused accounts; 2. renaming or deleting default accounts; and 3. replacing default passwords, before or during the installation process.

16.1.47.C.01.

NZISM_v3.7_16.1.47.C.01.

NZISM v3.7 16.1.47.C.01.

Identification, Authentication and Passwords

16.1.47.C.01. - enhance overall security posture.

Shared

n/a

Agencies SHOULD ensure that repeated account lockouts are investigated before reauthorising access.

17.5.7.C.01.

NZISM_v3.7_17.5.7.C.01.

NZISM v3.7 17.5.7.C.01.

Secure Shell

17.5.7.C.01. - enhance overall cybersecurity posture.

Shared

n/a

Agencies SHOULD use public key-based authentication before using password-based authentication.

17.5.7.C.02.

NZISM_v3.7_17.5.7.C.02.

NZISM v3.7 17.5.7.C.02.

Secure Shell

17.5.7.C.02. - enhance overall cybersecurity posture.

Shared

n/a

Agencies that allow password authentication SHOULD use techniques to block brute force attacks against the password.

20.4.4.C.01.

NZISM_v3.7_20.4.4.C.01.

NZISM v3.7 20.4.4.C.01.

Databases

20.4.4.C.01. - enhance data security and integrity.

Shared

n/a

Agencies MUST protect database files from access that bypasses the database's normal access controls.

20.4.4.C.02.

NZISM_v3.7_20.4.4.C.02.

NZISM v3.7 20.4.4.C.02.

Databases

20.4.4.C.02. - enhance data security and integrity.

Shared

n/a

Agencies SHOULD protect database files from access that bypass normal access controls.

20.4.5.C.01.

NZISM_v3.7_20.4.5.C.01.

NZISM v3.7 20.4.5.C.01.

Databases

20.4.5.C.01. - enhance data security and integrity.

Shared

n/a

Agencies MUST enable logging and auditing of system users' actions.

20.4.5.C.02.

NZISM_v3.7_20.4.5.C.02.

NZISM v3.7 20.4.5.C.02.

Databases

20.4.5.C.02. - bolster data security and compliance measures.

Shared

n/a

Agencies SHOULD ensure that databases provide functionality to allow for auditing of system users' actions.

20.4.6.C.01.

NZISM_v3.7_20.4.6.C.01.

NZISM v3.7 20.4.6.C.01.

Databases

20.4.6.C.01. - mitigate the risk of unauthorized access to sensitive information and ensuring compliance with security clearance requirements.

Shared

n/a

If results from database queries cannot be appropriately filtered, agencies MUST ensure that all query results are appropriately sanitised to meet the minimum security clearances of system users.

20.4.6.C.02.

NZISM_v3.7_20.4.6.C.02.

NZISM v3.7 20.4.6.C.02.

Databases

20.4.6.C.02. - enhance data security.

Shared

n/a

Agencies SHOULD ensure that system users who do not have sufficient security clearances to view database contents cannot see or interrogate associated metadata in a list of results from a search engine query.

7.2.1

PCI_DSS_v4.0.1_7.2.1

PCI DSS v4.0.1 7.2.1

Restrict Access to System Components and Cardholder Data by Business Need to Know

An access control model is defined and includes granting access as follows: Appropriate access depending on the entity’s business and access needs. Access to system components and data resources that is based on users’ job classification and functions. The least privileges required (for example, user, administrator) to perform a job function

Shared

n/a

Examine documented policies and procedures and interview personnel to verify the access control model is defined in accordance with all elements specified in this requirement. Examine access control model settings and verify that access needs are appropriately defined in accordance with all elements specified in this requirement

7.2.2

PCI_DSS_v4.0.1_7.2.2

PCI DSS v4.0.1 7.2.2

Restrict Access to System Components and Cardholder Data by Business Need to Know

Access is assigned to users, including privileged users, based on: Job classification and function. Least privileges necessary to perform job responsibilities

Shared

n/a

Examine policies and procedures to verify they cover assigning access to users in accordance with all elements specified in this requirement. Examine user access settings, including for privileged users, and interview responsible management personnel to verify that privileges assigned are in accordance with all elements specified in this requirement. Interview personnel responsible for assigning access to verify that privileged user access is assigned in accordance with all elements specified in this requirement

7.2.3

PCI_DSS_v4.0.1_7.2.3

PCI DSS v4.0.1 7.2.3

Restrict Access to System Components and Cardholder Data by Business Need to Know

Required privileges are approved by authorized personnel

Shared

n/a

Examine policies and procedures to verify they define processes for approval of all privileges by authorized personnel. Examine user IDs and assigned privileges, and compare with documented approvals to verify that: Documented approval exists for the assigned privileges. The approval was by authorized personnel. Specified privileges match the roles assigned to the individual

7.2.4

PCI_DSS_v4.0.1_7.2.4

PCI DSS v4.0.1 7.2.4

Restrict Access to System Components and Cardholder Data by Business Need to Know

All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: At least once every six months. To ensure user accounts and access remain appropriate based on job function. Any inappropriate access is addressed. Management acknowledges that access remains appropriate

Shared

n/a

Examine policies and procedures to verify they define processes to review all user accounts and related access privileges, including third-party/vendor accounts, in accordance with all elements specified in this requirement. Interview responsible personnel and examine documented results of periodic reviews of user accounts to verify that all the results are in accordance with all elements specified in this requirement

7.2.5

PCI_DSS_v4.0.1_7.2.5

PCI DSS v4.0.1 7.2.5

Restrict Access to System Components and Cardholder Data by Business Need to Know

All application and system accounts and related access privileges are assigned and managed as follows: Based on the least privileges necessary for the operability of the system or application. Access is limited to the systems, applications, or processes that specifically require their use

Shared

n/a

Examine policies and procedures to verify they define processes to manage and assign application and system accounts and related access privileges in accordance with all elements specified in this requirement. Examine privileges associated with system and application accounts and interview responsible personnel to verify that application and system accounts and related access privileges are assigned and managed in accordance with all elements specified in this requirement

7.2.5.1

PCI_DSS_v4.0.1_7.2.5.1

PCI DSS v4.0.1 7.2.5.1

Restrict Access to System Components and Cardholder Data by Business Need to Know

All access by application and system accounts and related access privileges are reviewed as follows: Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1). The application/system access remains appropriate for the function being performed. Any inappropriate access is addressed. Management acknowledges that access remains appropriate

Shared

n/a

Examine policies and procedures to verify they define processes to review all application and system accounts and related access privileges in accordance with all elements specified in this requirement. Examine the entity’s targeted risk analysis for the frequency of periodic reviews of application and system accounts and related access privileges to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1. Interview responsible personnel and examine documented results of periodic reviews of system and application accounts and related privileges to verify that the reviews occur in accordance with all elements specified in this requirement

7.2.6

PCI_DSS_v4.0.1_7.2.6

PCI DSS v4.0.1 7.2.6

Restrict Access to System Components and Cardholder Data by Business Need to Know

All user access to query repositories of stored cardholder data is restricted as follows: Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges. Only the responsible administrator(s) can directly access or query repositories of stored CHD

Shared

n/a

Examine policies and procedures and interview personnel to verify processes are defined for granting user access to query repositories of stored cardholder data, in accordance with all elements specified in this requirement. Examine configuration settings for querying repositories of stored cardholder data to verify they are in accordance with all elements specified in this requirement

Sarbanes_Oxley_Act_(1)_2022_1

7.3.1

PCI_DSS_v4.0.1_7.3.1

PCI DSS v4.0.1 7.3.1

Restrict Access to System Components and Cardholder Data by Business Need to Know

An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components

Shared

n/a

Examine vendor documentation and system settings to verify that access is managed for each system component via an access control system(s) that restricts access based on a user’s need to know and covers all system components

RMiT_v1.0

10.55

RMiT_v1.0_10.55

RMiT 10.55

Access Control

Access Control - 10.55

Shared

n/a

In observing paragraph 10.54, a financial institution should consider the following principles in its access control policy: (a) adopt a 'deny all' access control policy for users by default unless explicitly authorised; (b) employ 'least privilege' access rights or on a 'need-to-have' basis where only the minimum sufficient permissions are granted to legitimate users to perform their roles; (c) employ time-bound access rights which restrict access to a specific period including access rights granted to service providers; (d) employ segregation of incompatible functions where no single person is responsible for an entire operation that may provide the ability to independently modify, circumvent, and disable system security features. This may include a combination of functions such as: (i) system development and technology operations; (ii) security administration and system administration; and (iii) network operation and network security;" (e) employ dual control functions which require two or more persons to execute an activity; (f) adopt stronger authentication for critical activities including for remote access; (g) limit and control the use of the same user ID for multiple concurrent sessions; (h) limit and control the sharing of user ID and passwords across multiple users; and (i) control the use of generic user ID naming conventions in favour of more personally identifiable IDs.

link

Sarbanes Oxley Act 2022 1

PUBLIC LAW

Sarbanes Oxley Act 2022 (SOX)

Shared

n/a

CC2.1

SOC_2023_CC2.1

SOC 2023 CC2.1

Information and Communication

Effectively obtain or generate and utilize relevant, high-quality information to support internal control functions.

Shared

n/a

Entity obtains or generates and uses relevant, quality information to support the functioning of internal control by identifying information requirements, capturing internal and external source data, processing relevant data into information, maintaining quality throughout the processing by ensuring the information is timely, current, accurate, complete, accessible, protected, verifiable, and retained.

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

229

CC6.1

SOC_2023_CC6.1

SOC 2023 CC6.1

Logical and Physical Access Controls

Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets.

Shared

n/a

Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys.

128

CC6.2

SOC_2023_CC6.2

SOC 2023 CC6.2

Logical and Physical Access Controls

Ensure effective access control and ensuring the security of the organization's systems and data.

Shared

n/a

1. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. 2. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

CC6.3

SOC_2023_CC6.3

404 not found

n/a

CC6.7

SOC_2023_CC6.7

404 not found

n/a

CC7.2

SOC_2023_CC7.2

SOC 2023 CC7.2

Systems Operations

Maintain robust security measures and ensure operational resilience.

Shared

n/a

The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events.

167