Az Policy Advertizer

Canada_Federal_PBMM_3-1-2020_AC_18(1)

AC_18(1)

Canada Federal PBMM 3-1-2020 AC 18(1)

Wireless Access

Wireless Access | Authentication and Encryption

Shared

The information system protects wireless access to the system using authentication of devices to wireless networks (e.g., Wi-Fi) and users to enterprise services and encryption.

To enhance security and protect against unauthorized access or data interception.

Canada_Federal_PBMM_3-1-2020_PE_10

PE_10

Canada Federal PBMM 3-1-2020 PE 10

Emergency Shutoff

Shared

1. The organization provides the capability of shutting off power to the information system or individual system components in emergency situations. 2. The organization places emergency shutoff switches or devices in organization-defined location by information system or system component to facilitate safe and easy access for personnel. 3. The organization protects emergency power shutoff capability from unauthorized activation.

To safeguard against unauthorized activation.

Canada_Federal_PBMM_3-1-2020_PE_11

PE_11

Canada Federal PBMM 3-1-2020 PE 11

Emergency Power

Shared

The organization provides a short-term uninterruptible power supply to facilitate transition of the information system to long-term alternate power in the event of a primary power source loss.

To prevent damage or destruction.

Canada_Federal_PBMM_3-1-2020_PE_12

PE_12

Canada Federal PBMM 3-1-2020 PE 12

Emergency Lighting

Shared

The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

To ensure personnel safety.

Canada_Federal_PBMM_3-1-2020_PE_13

PE_13

Canada Federal PBMM 3-1-2020 PE 13

Fire Protection

Shared

The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

To ensure personnel safety.

Canada_Federal_PBMM_3-1-2020_PE_13(2)

PE_13(2)

Canada Federal PBMM 3-1-2020 PE 13(2)

Fire Protection

Fire Protection | Suppression Devices / Systems

Shared

The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to organization-defined personnel or roles and local fire department.

To ensure personnel safety.

Canada_Federal_PBMM_3-1-2020_RA_5(1)

RA_5(1)

Canada Federal PBMM 3-1-2020 RA 5(1)

Vulnerability Scanning

Vulnerability Scanning | Update Tool Capability

Shared

The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

To employ vulnerability scanning tools.

Canada_Federal_PBMM_3-1-2020_SI_8(1)

SI_8(1)

Canada Federal PBMM 3-1-2020 SI 8(1)

Spam Protection

Spam Protection | Central Management of Protection Mechanisms

Shared

The organization centrally manages spam protection mechanisms.

To enhance overall security posture.

CMMC_L2_v1.9.0

RA.L2_3.11.2

CMMC_L2_v1.9.0_RA.L2_3.11.2

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 RA.L2 3.11.2

Risk Assessment

Vulnerability Scan

Shared

Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

To enhance the overall security posture of the organization.

CMMC_L2_v1.9.0

RA.L2_3.11.3

CMMC_L2_v1.9.0_RA.L2_3.11.3

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 RA.L2 3.11.3

Risk Assessment

Vulnerability Remediation

Shared

Remediate vulnerabilities in accordance with risk assessments.

To reduce the likelihood of security breaches and minimize potential impacts on operations and assets.

CEK_03

CSA_v4.0.12_CEK_03

CSA Cloud Controls Matrix v4.0.12 CEK 03

Cryptography, Encryption & Key Management

Data Encryption

Shared

n/a

Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.

DSP_07

CSA_v4.0.12_DSP_07

CSA Cloud Controls Matrix v4.0.12 DSP 07

Data Security and Privacy Lifecycle Management

Data Protection by Design and Default

Shared

n/a

Develop systems, products, and business practices based upon a principle of security by design and industry best practices.

DSP_17

CSA_v4.0.12_DSP_17

CSA Cloud Controls Matrix v4.0.12 DSP 17

Data Security and Privacy Lifecycle Management

Sensitive Data Protection

Shared

n/a

Define and implement, processes, procedures and technical measures to protect sensitive data throughout it's lifecycle.

IVS_07

CSA_v4.0.12_IVS_07

CSA Cloud Controls Matrix v4.0.12 IVS 07

Infrastructure & Virtualization Security

Migration to Cloud Environments

Shared

n/a

Use secure and encrypted communication channels when migrating servers, services, applications, or data to cloud environments. Such channels must include only up-to-date and approved protocols.

TVM_07

CSA_v4.0.12_TVM_07

CSA Cloud Controls Matrix v4.0.12 TVM 07

Threat & Vulnerability Management

Vulnerability Identification

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly.

UEM_08

CSA_v4.0.12_UEM_08

CSA Cloud Controls Matrix v4.0.12 UEM 08

Universal Endpoint Management

Storage Encryption

Shared

n/a

Protect information from unauthorized disclosure on managed endpoint devices with storage encryption.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_4

Cyber Essentials v3.1 4

Cyber Essentials

User Access Control

Shared

n/a

Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role.

EU_2555_(NIS2)_2022_11

EU 2022/2555 (NIS2) 2022 11

Requirements, technical capabilities and tasks of CSIRTs

Shared

n/a

Outlines the requirements, technical capabilities, and tasks of CSIRTs.

EU_2555_(NIS2)_2022_12

EU 2022/2555 (NIS2) 2022 12

Coordinated vulnerability disclosure and a European vulnerability database

Shared

n/a

Establishes a coordinated vulnerability disclosure process and a European vulnerability database.

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

194

EU_2555_(NIS2)_2022_29

EU 2022/2555 (NIS2) 2022 29

Cybersecurity information-sharing arrangements

Shared

n/a

Allows entities to exchange relevant cybersecurity information on a voluntary basis.

EU_2555_(NIS2)_2022_7

EU 2022/2555 (NIS2) 2022 7

National cybersecurity strategy

Shared

n/a

Requires Member States to adopt a national cybersecurity strategy.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

311

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

311

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

311

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

311

FBI_Criminal_Justice_Information_Services_v5.9.5_5.1

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1

Policy and Implementation - Systems And Communications Protection

Systems And Communications Protection

Shared

In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information.

Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment.

111

FBI_Criminal_Justice_Information_Services_v5.9.5_5

.11

FBI_Criminal_Justice_Information_Services_v5.9.5_5.11

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11

Policy and Implementation - Formal Audits

Policy Area 11: Formal Audits

Shared

Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit.

Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies.

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.7

404 not found

n/a

FFIEC_CAT_2017

2.2.1

FFIEC_CAT_2017_2.2.1

FFIEC CAT 2017 2.2.1

Threat Intelligence and Collaboration

Monitoring and Analyzing

Shared

n/a

- Audit log records and other security event logs are reviewed and retained in a secure manner. - Computer event logs are used for investigations once an event has occurred.

01.q

HITRUST_CSF_v11.3_01.q

HITRUST CSF v11.3 01.q

Operating System Access Control

To prevent unauthorized access to operating systems and implement authentication technique to verify user.

Shared

1. Each user ID in the information system to be assigned to a specific named individual to ensure accountability. 2. Multi-factor authentication to be implemented for network and local access to privileged accounts. 3. Users to be uniquely identified and authenticated for local access and remote access. 4. Biometric-based electronic signatures and multifactor authentication to be implemented to ensure exclusive ownership validation and enhanced security for both remote and local network access to privileged and non-privileged accounts.

All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user.

06.c

HITRUST_CSF_v11.3_06.c

HITRUST CSF v11.3 06.c

Compliance with Legal Requirements

To prevent loss, destruction and falsification of important records in accordance with statutory, regulatory, contractual, and business requirements.

Shared

1. Guidelines are to be issued and implemented by the organization on the ownership, classification, retention, storage, handling, and disposal of all records and information. 2. Accountings of disclosure as organizational records are to be documented and maintained for a pre-defined period.

Important records shall be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements.

10.c

HITRUST_CSF_v11.3_10.c

HITRUST CSF v11.3 10.c

Correct Processing in Applications

To incorporate validation checks into applications to detect any corruption of information through processing errors or deliberate acts.

Shared

Data integrity controls which manage changes, prevent sequencing errors, ensure recovery from failures, and protect against buffer overrun attacks are to be implemented.

Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.

10.g

HITRUST_CSF_v11.3_10.g

HITRUST CSF v11.3 10.g

Cryptographic Controls

To ensure key management's support to the organization’s use of cryptographic techniques.

Shared

1. All cryptographic keys are to be protected against modification, loss, and destruction. 2. Secret/private keys, including split-keys, are to be protected against unauthorized disclosure.

Key management shall be in place to support the organization’s use of cryptographic techniques.

10.k

HITRUST_CSF_v11.3_10.k

HITRUST CSF v11.3 10.k

Security In Development and Support Processes

To ensure the security of application system software and information through the development process, project and support environments shall be strictly controlled.

Shared

1. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management is to be formally addressed. 2. Changes to mobile device operating systems, patch levels, and/or applications is to be managed through a formal change management process. 3. A baseline configuration of the information system is to be developed, documented, and maintained under configuration control.

The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures.

ISO_IEC_27017_2015_18.1.3

10.m

HITRUST_CSF_v11.3_10.m

HITRUST CSF v11.3 10.m

Technical Vulnerability Management

To reduce the risks resulting from exploitation of published technical vulnerabilities, technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness.

Shared

1. The necessary secure services, protocols required for the function of the system are to be enabled. 2. Security features to be implemented for any required services that are considered to be insecure. 3. Laptops, workstations, and servers to be configured so they will not auto-run content from removable media. 4. Configuration standards to be consistent with industry-accepted system hardening standards. 5. An enterprise security posture review within every 365 days is to be conducted. 6. Vulnerability scanning tools to be regularly updated with all relevant information system vulnerabilities.

Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.

ISO_IEC_27001_2022

7.5.3

ISO_IEC_27001_2022_7.5.3

ISO IEC 27001 2022 7.5.3

Support

Control of documented information

Shared

1. Documented information required by the information security management system and by this document shall be controlled to ensure: a. it is available and suitable for use, where and when it is needed; and b. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). 2. For the control of documented information, the organization shall address the following activities, as applicable: a. distribution, access, retrieval and use; b. storage and preservation, including the preservation of legibility; c. control of changes (e.g. version control); and d. retention and disposition.

Specifies that the documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled

ISO_IEC_27002_2022

5.5

ISO_IEC_27002_2022_5.5

ISO IEC 27002 2022 5.5

Identifying, Protection, Response, Recovery, Preventive, Corrective Control

Contact with authorities

Shared

The organization should establish and maintain contact with relevant authorities.

To ensure appropriate flow of information takes place with respect to information security between the organization and relevant legal, regulatory and supervisory authorities.

ISO_IEC_27002_2022

8.22

ISO_IEC_27002_2022_8.22

ISO IEC 27002 2022 8.22

Protection, Preventive Control

Segregation of networks

Shared

Groups of information services, users and information systems should be segregated in the organization’s networks.

To split the network in security boundaries and to control traffic between them based on business needs.

ISO_IEC_27002_2022

8.8

ISO_IEC_27002_2022_8.8

ISO IEC 27002 2022 8.8

Identifying, Protection, Preventive Control

Management of technical vulnerabilities

Shared

Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.

To prevent exploitation of technical vulnerabilities.

ISO_IEC_27017_2015

18.1.3

ISO IEC 27017 2015 18.1.3

Compliance

Protection of Records

Shared

For Cloud Service Customer: The cloud service customer should request information from the cloud service provider about the protection of records gathered and stored by the cloud service provider that are relevant to the use of cloud services by the cloud service customer. For Cloud Service Provider: The cloud service provider should provide information to the cloud service customer about the protection of records that are gathered and stored by the cloud service provider relating to the use of cloud services by the cloud service customer.

To ensure compliance with legal, statutory, regulatory and contractual requirements, as well as community or societal expectations related to the protection and availability of records.

LGPD_2018_Art.

LGPD_2018_Art._16

Brazilian General Data Protection Law (LGPD) 2018 Art. 16

Termination of Data Processing

Art. 16. Personal data shall be deleted following the termination of their processing

Shared

n/a

Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, but their storage is authorized for the following purposes: (1) compliance with a legal or regulatory obligation by the controller; (2) study by a research entity, ensuring, whenever possible, the anonymization of the personal data; (3) transfer to third parties, provided that the requirements for data processing as provided in this Law are obeyed; or (4) exclusive use of the controller, with access by third parties being prohibited, and provided the data has been anonymized.

NIST_SP_800-171_R3_3

.11.2

NIST_SP_800-171_R3_3.11.2

NIST 800-171 R3 3.11.2

Risk Assessment Control

Vulnerability Monitoring and Scanning

Shared

Organizations determine the required vulnerability scanning for system components and ensure that potential sources of vulnerabilities (e.g., networked printers, scanners, and copiers) are not overlooked. Vulnerability analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, or binary analysis. Organizations can use these approaches in source code reviews and tools (e.g., static analysis tools, web-based application scanners, binary analyzers). Vulnerability scanning includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated and that employ the Extensible Configuration Checklist Description Format (XCCDF). Organizations also consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL). Sources for vulnerability information also include the Common Weakness Enumeration (CWE) listing, the National Vulnerability Database (NVD), and the Common Vulnerability Scoring System (CVSS).

a. Monitor and scan for vulnerabilities in the system periodically and when new vulnerabilities affecting the system are identified. b. Remediate system vulnerabilities within [Assignment: organization-defined response times]. c. Update system vulnerabilities to be scanned periodically and when new vulnerabilities are identified and reported.

NIST_SP_800-53_R5.1.1_RA.5

RA.5

NIST SP 800-53 R5.1.1 RA.5

Risk Assessment Control

Vulnerability Monitoring and Scanning

Shared

a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers. Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation. Organizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.

NIST_SP_800-53_R5.1.1_SC.17

SC.17

NIST SP 800-53 R5.1.1 SC.17

System and Communications Protection

Public Key Infrastructure Certificates

Shared

a. Issue public key certificates under an [Assignment: organization-defined certificate policy] or obtain public key certificates from an approved service provider; and b. Include only approved trust anchors in trust stores or certificate stores managed by the organization.

Public key infrastructure certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates.

NIST_SP_800-53_R5.1.1_SC.28

SC.28

NIST SP 800-53 R5.1.1 SC.28

System and Communications Protection

Protection of Information at Rest

Shared

Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest].

Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage.

NIST_SP_800-53_R5.1.1_SC.39

SC.39

NIST SP 800-53 R5.1.1 SC.39

System and Communications Protection

Process Isolation

Shared

Maintain a separate execution domain for each executing system process.

Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies.

NIST_SP_800-53_R5.1.1_SI.7

SI.7

NIST SP 800-53 R5.1.1 SI.7

System and Information Integrity Control

Software, Firmware, and Information Integrity

Shared

a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and b. Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions].

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications.

NL_BIO_Cloud_Theme

U.05.2(2)

NL_BIO_Cloud_Theme_U.05.2(2)

U.05 Data protection

Cryptographic measures

n/a

Data stored in the cloud service shall be protected to the latest state of the art with encryption and with a key length sufficient at least for the purpose, whereby the key management is not purchased as a cloud service if possible and is carried out by the CSC itself.

NL_BIO_Cloud_Theme

U.11.3(2)

NL_BIO_Cloud_Theme_U.11.3(2)

U.11 Cryptoservices

Encrypted

n/a

Sensitive data (on transport and at rest) is always encrypted, with private keys managed by the CSC. The use of a private key by the CSP is based on a controlled procedure and must be jointly agreed with the CSC organisation.

NZISM_v3.7

17.8.10.C.01.

NZISM_v3.7_17.8.10.C.01.

NZISM v3.7 17.8.10.C.01.

Internet Protocol Security (IPSec)

17.8.10.C.01. - To enhance overall cybersecurity posture.

Shared

n/a

Agencies SHOULD use tunnel mode for IPSec connections.

NZISM_v3.7

17.8.10.C.02.

NZISM_v3.7_17.8.10.C.02.

NZISM v3.7 17.8.10.C.02.

Internet Protocol Security (IPSec)

17.8.10.C.02. - To enhance overall cybersecurity posture.

Shared

n/a

Agencies choosing to use transport mode SHOULD additionally use an IP tunnel for IPSec connections.

NZISM_v3.7

17.9.37.C.01.

NZISM_v3.7_17.9.37.C.01.

NZISM v3.7 17.9.37.C.01.

Key Management

17.9.37.C.01. - To enhance the overall security posture of the systems and the sensitive information they protect.

Shared

n/a

Agencies MUST comply with NZCSI when using HACE.

10.3.4

PCI_DSS_v4.0.1_10.3.4

PCI DSS v4.0.1 10.3.4

Log and Monitor All Access to System Components and Cardholder Data

Log Integrity Monitoring

Shared

n/a

File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts.

11.3.1

PCI_DSS_v4.0.1_11.3.1

PCI DSS v4.0.1 11.3.1

Test Security of Systems and Networks Regularly

Internal Vulnerability Scans

Shared

n/a

Internal vulnerability scans are performed as follows: • At least once every three months. • Vulnerabilities that are either high-risk or critical (according to the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved. • Rescans are performed that confirm all high-risk and all critical vulnerabilities (as noted above) have been resolved. • Scan tool is kept up to date with latest vulnerability information. • Scans are performed by qualified personnel and organizational independence of the tester exists.

11.3.1.1

PCI_DSS_v4.0.1_11.3.1.1

PCI DSS v4.0.1 11.3.1.1

Test Security of Systems and Networks Regularly

Management of Other Vulnerabilities

Shared

n/a

All other applicable vulnerabilities (those not ranked as high-risk vulnerabilities or critical vulnerabilities according to the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are managed as follows: • Addressed based on the risk defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. • Rescans are conducted as needed.

11.4.4

PCI_DSS_v4.0.1_11.4.4

PCI DSS v4.0.1 11.4.4

Test Security of Systems and Networks Regularly

Addressing Penetration Testing Findings

Shared

n/a

Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows: • In accordance with the entity’s assessment of the risk posed by the security issue as defined in Requirement 6.3.1. • Penetration testing is repeated to verify the corrections.

11.5.2

PCI_DSS_v4.0.1_11.5.2

PCI DSS v4.0.1 11.5.2

Test Security of Systems and Networks Regularly

Change-Detection Mechanism Deployment

Shared

n/a

A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows: • To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files. • To perform critical file comparisons at least once weekly.

6.4.1

PCI_DSS_v4.0.1_6.4.1

PCI DSS v4.0.1 6.4.1

Develop and Maintain Secure Systems and Software

For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows: At least once every 12 months and after significant changes. By an entity that specializes in application security. Including, at a minimum, all common software attacks in Requirement 6.2.4. All vulnerabilities are ranked in accordance with requirement 6.3.1. All vulnerabilities are corrected. The application is re-evaluated after the corrections. OR Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows: Installed in front of public-facing web applications to detect and prevent web-based attacks. Actively running and up to date as applicable. Generating audit logs. Configured to either block web-based attacks or generate an alert that is immediately investigated

Shared

n/a

For public-facing web applications, ensure that either one of the required methods is in place as follows: If manual or automated vulnerability security assessment tools or methods are in use, examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed in accordance with all elements of this requirement specific to the tool/method. OR If an automated technical solution(s) is installed that continually detects and prevents web-based attacks, examine the system configuration settings and audit logs, and interview responsible personnel to verify that the automated technical solution(s) is installed in accordance with all elements of this requirement specific to the solution(s)

RBI_CSF_Banks_v2016

13.1

RBI_CSF_Banks_v2016_13.1

Advanced Real-Timethreat Defenceand Management

Advanced Real-Timethreat Defenceand Management-13.1

n/a

Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise.

SOC_2

CC6.8

SOC_2_CC6.8

SOC 2 Type 2 CC6.8

Logical and Physical Access Controls

Prevent or detect against unauthorized or malicious software

Shared

The customer is responsible for implementing this recommendation.

Restricts Application and Software Installation — The ability to install applications and software is restricted to authorized individuals. • Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. • Uses a Defined Change Control Process — A management-defined change control process is used for the implementation of software. • Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. • Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network.

SOC_2

CC8.1

SOC_2_CC8.1

SOC 2 Type 2 CC8.1

Change Management

Changes to infrastructure, data, and software

Shared

The customer is responsible for implementing this recommendation.

Manages Changes Throughout the System Life Cycle — A process for managing system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and processing integrity. • Authorizes Changes — A process is in place to authorize system changes prior to development. • Designs and Develops Changes — A process is in place to design and develop system changes. • Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. • Tracks System Changes — A process is in place to track system changes prior to implementation. • Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software. • Tests System Changes — A process is in place to test system changes prior to implementation. • Approves System Changes — A process is in place to approve system changes prior to implementation. • Deploys System Changes — A process is in place to implement system changes. • Identifies and Evaluates System Changes — Objectives affected by system changes are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle. • Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents — Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified and the change process is initiated upon identification. • Creates Baseline Configuration of IT Technology — A baseline configuration of IT and control systems is created and maintained. • Provides for Changes Necessary in Emergency Situations — A process is in place for authorizing, designing, testing, approving, and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent time frame). Additional points of focus that apply only in an engagement using the trust services criteria for confidentiality: • Protects Confidential Information — The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality. Additional points of focus that apply only in an engagement using the trust services criteria for privacy: • Protects Personal Information — The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy.

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

To facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

218

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

To maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

229

CC6.1

SOC_2023_CC6.1

SOC 2023 CC6.1

Logical and Physical Access Controls

To mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets.

Shared

n/a

Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys.

128

CC7.4

SOC_2023_CC7.4

SOC 2023 CC7.4

Systems Operations

To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation.

Shared

n/a

The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations.

213

CC8.1

SOC_2023_CC8.1

SOC 2023 CC8.1

Change Management

To minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change.

Shared

n/a

The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations.

147

CC9.1

SOC_2023_CC9.1

SOC 2023 CC9.1

Risk Mitigation

To enhance resilience and ensure continuity of critical operations in the face of adverse events or threats.

Shared

n/a

Entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

2.1

SWIFT_CSCF_2024_2.1

SWIFT Customer Security Controls Framework 2024 2.1

Risk Management

Internal Data Flow Security

Shared

The protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit.

To ensure the confidentiality, integrity, and authenticity of application data flows between ’user’s Swift-related components.

2.7

SWIFT_CSCF_2024_2.7

SWIFT Customer Security Controls Framework 2024 2.7

Risk Management

Vulnerability Scanning

Shared

1. The detection of known vulnerabilities allows vulnerabilities to be analysed, treated, and mitigated. The mitigation of vulnerabilities reduces the number of pathways that a malicious actor can use during an attack. 2. A vulnerability scanning process that is comprehensive, repeatable, and performed in a timely manner is necessary to continuously detect known vulnerabilities and to allow for further action.

To identify known vulnerabilities within the user’s Swift environment by implementing a regular vulnerability scanning process and act upon results.

6.2

SWIFT_CSCF_2024_6.2

SWIFT Customer Security Controls Framework 2024 6.2

Risk Management

Software Integrity

Shared

Software integrity checks provide a detective control against unexpected modification to operational software.

To ensure the software integrity of the Swift-related components and act upon results.