compliance controls are associated with this Policy definition '[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets' (f655e522-adff-494d-95c2-52d4f6d56a42)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
Azure_Security_Benchmark_v3.0 |
PV-4 |
Azure_Security_Benchmark_v3.0_PV-4 |
Microsoft cloud security benchmark PV-4 |
Posture and Vulnerability Management |
Audit and enforce secure configurations for compute resources |
Shared |
**Security Principle:**
Continuously monitor and alert when there is a deviation from the defined configuration baseline in your compute resources. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploy a configuration in compute resources.
**Azure Guidance:**
Use Microsoft Defender for Cloud and Azure Policy guest configuration agent to regularly assess and remediate configuration deviations on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements.
Note: Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft.
**Implementation and additional context:**
How to implement Microsoft Defender for Cloud vulnerability assessment recommendations:
https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations
How to create an Azure virtual machine from an ARM template:
https://docs.microsoft.com/azure/virtual-machines/windows/ps-template
Azure Automation State Configuration overview:
https://docs.microsoft.com/azure/automation/automation-dsc-overview
Create a Windows virtual machine in the Azure portal:
https://docs.microsoft.com/azure/virtual-machines/windows/quick-create-portal
Container security in Microsoft Defender for Cloud:
https://docs.microsoft.com/azure/security-center/container-security |
n/a |
link |
13 |
Canada_Federal_PBMM_3-1-2020 |
AC_18(1) |
Canada_Federal_PBMM_3-1-2020_AC_18(1) |
Canada Federal PBMM 3-1-2020 AC 18(1) |
Wireless Access |
Wireless Access | Authentication and Encryption |
Shared |
The information system protects wireless access to the system using authentication of devices to wireless networks (e.g., Wi-Fi) and users to enterprise services and encryption. |
To enhance security and protect against unauthorized access or data interception. |
|
1 |
Canada_Federal_PBMM_3-1-2020 |
PE_10 |
Canada_Federal_PBMM_3-1-2020_PE_10 |
Canada Federal PBMM 3-1-2020 PE 10 |
Emergency Shutoff |
Emergency Shutoff |
Shared |
1. The organization provides the capability of shutting off power to the information system or individual system components in emergency situations.
2. The organization places emergency shutoff switches or devices in organization-defined location by information system or system component to facilitate safe and easy access for personnel.
3. The organization protects emergency power shutoff capability from unauthorized activation. |
To safeguard against unauthorized activation. |
|
2 |
Canada_Federal_PBMM_3-1-2020 |
PE_11 |
Canada_Federal_PBMM_3-1-2020_PE_11 |
Canada Federal PBMM 3-1-2020 PE 11 |
Emergency Power |
Emergency Power |
Shared |
The organization provides a short-term uninterruptible power supply to facilitate transition of the information system to long-term alternate power in the event of a primary power source loss. |
To prevent damage or destruction. |
|
2 |
Canada_Federal_PBMM_3-1-2020 |
PE_12 |
Canada_Federal_PBMM_3-1-2020_PE_12 |
Canada Federal PBMM 3-1-2020 PE 12 |
Emergency Lighting |
Emergency Lighting |
Shared |
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. |
To ensure personnel safety. |
|
2 |
Canada_Federal_PBMM_3-1-2020 |
PE_13 |
Canada_Federal_PBMM_3-1-2020_PE_13 |
Canada Federal PBMM 3-1-2020 PE 13 |
Fire Protection |
Fire Protection |
Shared |
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source. |
To ensure personnel safety. |
|
2 |
Canada_Federal_PBMM_3-1-2020 |
PE_13(2) |
Canada_Federal_PBMM_3-1-2020_PE_13(2) |
Canada Federal PBMM 3-1-2020 PE 13(2) |
Fire Protection |
Fire Protection | Suppression Devices / Systems |
Shared |
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to organization-defined personnel or roles and local fire department. |
To ensure personnel safety. |
|
2 |
Canada_Federal_PBMM_3-1-2020 |
RA_5(1) |
Canada_Federal_PBMM_3-1-2020_RA_5(1) |
Canada Federal PBMM 3-1-2020 RA 5(1) |
Vulnerability Scanning |
Vulnerability Scanning | Update Tool Capability |
Shared |
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned. |
To employ vulnerability scanning tools. |
|
21 |
Canada_Federal_PBMM_3-1-2020 |
SI_8(1) |
Canada_Federal_PBMM_3-1-2020_SI_8(1) |
Canada Federal PBMM 3-1-2020 SI 8(1) |
Spam Protection |
Spam Protection | Central Management of Protection Mechanisms |
Shared |
The organization centrally manages spam protection mechanisms. |
To enhance overall security posture. |
|
88 |
CMMC_L2_v1.9.0 |
RA.L2_3.11.2 |
CMMC_L2_v1.9.0_RA.L2_3.11.2 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 RA.L2 3.11.2 |
Risk Assessment |
Vulnerability Scan |
Shared |
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. |
To enhance the overall security posture of the organization. |
|
15 |
CMMC_L2_v1.9.0 |
RA.L2_3.11.3 |
CMMC_L2_v1.9.0_RA.L2_3.11.3 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 RA.L2 3.11.3 |
Risk Assessment |
Vulnerability Remediation |
Shared |
Remediate vulnerabilities in accordance with risk assessments. |
To reduce the likelihood of security breaches and minimize potential impacts on operations and assets. |
|
15 |
CSA_v4.0.12 |
CEK_03 |
CSA_v4.0.12_CEK_03 |
CSA Cloud Controls Matrix v4.0.12 CEK 03 |
Cryptography, Encryption & Key Management |
Data Encryption |
Shared |
n/a |
Provide cryptographic protection to data at-rest and in-transit,
using cryptographic libraries certified to approved standards. |
|
58 |
CSA_v4.0.12 |
DSP_07 |
CSA_v4.0.12_DSP_07 |
CSA Cloud Controls Matrix v4.0.12 DSP 07 |
Data Security and Privacy Lifecycle Management |
Data Protection by Design and Default |
Shared |
n/a |
Develop systems, products, and business practices based upon a principle
of security by design and industry best practices. |
|
16 |
CSA_v4.0.12 |
DSP_17 |
CSA_v4.0.12_DSP_17 |
CSA Cloud Controls Matrix v4.0.12 DSP 17 |
Data Security and Privacy Lifecycle Management |
Sensitive Data Protection |
Shared |
n/a |
Define and implement, processes, procedures and technical measures
to protect sensitive data throughout it's lifecycle. |
|
15 |
CSA_v4.0.12 |
IVS_07 |
CSA_v4.0.12_IVS_07 |
CSA Cloud Controls Matrix v4.0.12 IVS 07 |
Infrastructure & Virtualization Security |
Migration to Cloud Environments |
Shared |
n/a |
Use secure and encrypted communication channels when migrating servers,
services, applications, or data to cloud environments. Such channels must include
only up-to-date and approved protocols. |
|
8 |
CSA_v4.0.12 |
TVM_07 |
CSA_v4.0.12_TVM_07 |
CSA Cloud Controls Matrix v4.0.12 TVM 07 |
Threat & Vulnerability Management |
Vulnerability Identification |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures for the detection of vulnerabilities on organizationally managed assets
at least monthly. |
|
8 |
CSA_v4.0.12 |
UEM_08 |
CSA_v4.0.12_UEM_08 |
CSA Cloud Controls Matrix v4.0.12 UEM 08 |
Universal Endpoint Management |
Storage Encryption |
Shared |
n/a |
Protect information from unauthorized disclosure on managed endpoint
devices with storage encryption. |
|
14 |
Cyber_Essentials_v3.1 |
4 |
Cyber_Essentials_v3.1_4 |
Cyber Essentials v3.1 4 |
Cyber Essentials |
User Access Control |
Shared |
n/a |
Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role. |
|
74 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_11 |
EU_2555_(NIS2)_2022_11 |
EU 2022/2555 (NIS2) 2022 11 |
|
Requirements, technical capabilities and tasks of CSIRTs |
Shared |
n/a |
Outlines the requirements, technical capabilities, and tasks of CSIRTs. |
|
69 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_12 |
EU_2555_(NIS2)_2022_12 |
EU 2022/2555 (NIS2) 2022 12 |
|
Coordinated vulnerability disclosure and a European vulnerability database |
Shared |
n/a |
Establishes a coordinated vulnerability disclosure process and a European vulnerability database. |
|
67 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
194 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_29 |
EU_2555_(NIS2)_2022_29 |
EU 2022/2555 (NIS2) 2022 29 |
|
Cybersecurity information-sharing arrangements |
Shared |
n/a |
Allows entities to exchange relevant cybersecurity information on a voluntary basis. |
|
67 |
EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_7 |
EU_2555_(NIS2)_2022_7 |
EU 2022/2555 (NIS2) 2022 7 |
|
National cybersecurity strategy |
Shared |
n/a |
Requires Member States to adopt a national cybersecurity strategy. |
|
17 |
EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
311 |
EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
311 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.1 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 |
Policy and Implementation - Systems And Communications Protection |
Systems And Communications Protection |
Shared |
In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. |
Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. |
|
111 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.11 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 |
Policy and Implementation - Formal Audits |
Policy Area 11: Formal Audits |
Shared |
Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. |
Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. |
|
65 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.7 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 |
404 not found |
|
|
|
n/a |
n/a |
|
96 |
FFIEC_CAT_2017 |
2.2.1 |
FFIEC_CAT_2017_2.2.1 |
FFIEC CAT 2017 2.2.1 |
Threat Intelligence and Collaboration |
Monitoring and Analyzing |
Shared |
n/a |
- Audit log records and other security event logs are reviewed and retained in a secure manner.
- Computer event logs are used for investigations once an event has occurred. |
|
24 |
HITRUST_CSF_v11.3 |
01.q |
HITRUST_CSF_v11.3_01.q |
HITRUST CSF v11.3 01.q |
Operating System Access Control |
To prevent unauthorized access to operating systems and implement authentication technique to verify user. |
Shared |
1. Each user ID in the information system to be assigned to a specific named individual to ensure accountability.
2. Multi-factor authentication to be implemented for network and local access to privileged accounts.
3. Users to be uniquely identified and authenticated for local access and remote access.
4. Biometric-based electronic signatures and multifactor authentication to be implemented to ensure exclusive ownership validation and enhanced security for both remote and local network access to privileged and non-privileged accounts. |
All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user. |
|
30 |
HITRUST_CSF_v11.3 |
06.c |
HITRUST_CSF_v11.3_06.c |
HITRUST CSF v11.3 06.c |
Compliance with Legal Requirements |
To prevent loss, destruction and falsification of important records in accordance with statutory, regulatory, contractual, and business requirements. |
Shared |
1. Guidelines are to be issued and implemented by the organization on the ownership, classification, retention, storage, handling, and disposal of all records and information.
2. Accountings of disclosure as organizational records are to be documented and maintained for a pre-defined period. |
Important records shall be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements. |
|
26 |
HITRUST_CSF_v11.3 |
10.c |
HITRUST_CSF_v11.3_10.c |
HITRUST CSF v11.3 10.c |
Correct Processing in Applications |
To incorporate validation checks into applications to detect any corruption of information through processing errors or deliberate acts. |
Shared |
Data integrity controls which manage changes, prevent sequencing errors, ensure recovery from failures, and protect against buffer overrun attacks are to be implemented. |
Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts. |
|
36 |
HITRUST_CSF_v11.3 |
10.g |
HITRUST_CSF_v11.3_10.g |
HITRUST CSF v11.3 10.g |
Cryptographic Controls |
To ensure key management's support to the organization’s use of cryptographic techniques. |
Shared |
1. All cryptographic keys are to be protected against modification, loss, and destruction.
2. Secret/private keys, including split-keys, are to be protected against unauthorized disclosure. |
Key management shall be in place to support the organization’s use of cryptographic techniques. |
|
7 |
HITRUST_CSF_v11.3 |
10.k |
HITRUST_CSF_v11.3_10.k |
HITRUST CSF v11.3 10.k |
Security In Development and Support Processes |
To ensure the security of application system software and information through the development process, project and support environments shall be strictly controlled. |
Shared |
1. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management is to be formally addressed.
2. Changes to mobile device operating systems, patch levels, and/or applications is to be managed through a formal change management process.
3. A baseline configuration of the information system is to be developed, documented, and maintained under configuration control. |
The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures. |
|
34 |
HITRUST_CSF_v11.3 |
10.m |
HITRUST_CSF_v11.3_10.m |
HITRUST CSF v11.3 10.m |
Technical Vulnerability Management |
To reduce the risks resulting from exploitation of published technical vulnerabilities, technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness. |
Shared |
1. The necessary secure services, protocols required for the function of the system are to be enabled.
2. Security features to be implemented for any required services that are considered to be insecure.
3. Laptops, workstations, and servers to be configured so they will not auto-run content from removable media.
4. Configuration standards to be consistent with industry-accepted system hardening standards.
5. An enterprise security posture review within every 365 days is to be conducted.
6. Vulnerability scanning tools to be regularly updated with all relevant information system vulnerabilities. |
Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk. |
|
47 |
ISO_IEC_27001_2022 |
7.5.3 |
ISO_IEC_27001_2022_7.5.3 |
ISO IEC 27001 2022 7.5.3 |
Support |
Control of documented information |
Shared |
1. Documented information required by the information security management system and by this document shall be controlled to ensure:
a. it is available and suitable for use, where and when it is needed; and
b. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
2. For the control of documented information, the organization shall address the following activities, as applicable:
a. distribution, access, retrieval and use;
b. storage and preservation, including the preservation of legibility;
c. control of changes (e.g. version control); and
d. retention and disposition. |
Specifies that the documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled |
|
32 |
ISO_IEC_27002_2022 |
5.5 |
ISO_IEC_27002_2022_5.5 |
ISO IEC 27002 2022 5.5 |
Identifying,
Protection,
Response,
Recovery,
Preventive,
Corrective Control |
Contact with authorities |
Shared |
The organization should establish and maintain contact with relevant authorities.
|
To ensure appropriate flow of information takes place with respect to information security between
the organization and relevant legal, regulatory and supervisory authorities. |
|
14 |
ISO_IEC_27002_2022 |
8.22 |
ISO_IEC_27002_2022_8.22 |
ISO IEC 27002 2022 8.22 |
Protection,
Preventive Control |
Segregation of networks |
Shared |
Groups of information services, users and information systems should be segregated in the
organization’s networks.
|
To split the network in security boundaries and to control traffic between them based on business
needs. |
|
1 |
ISO_IEC_27002_2022 |
8.8 |
ISO_IEC_27002_2022_8.8 |
ISO IEC 27002 2022 8.8 |
Identifying,
Protection,
Preventive Control |
Management of technical vulnerabilities |
Shared |
Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.
|
To prevent exploitation of technical vulnerabilities. |
|
15 |
ISO_IEC_27017_2015 |
18.1.3 |
ISO_IEC_27017_2015_18.1.3 |
ISO IEC 27017 2015 18.1.3 |
Compliance |
Protection of Records |
Shared |
For Cloud Service Customer:
The cloud service customer should request information from the cloud service provider about the protection of records gathered and stored by the cloud service provider that are relevant to the use of cloud services by the cloud service
customer.
For Cloud Service Provider:
The cloud service provider should provide information to the cloud service customer about the protection of records that are gathered and stored by the cloud service provider relating to the use of cloud services by the cloud service customer. |
To ensure compliance with legal, statutory, regulatory and contractual requirements, as well as community or societal expectations related to the protection and availability of records. |
|
17 |
LGPD_2018_Art. |
16 |
LGPD_2018_Art._16 |
Brazilian General Data Protection Law (LGPD) 2018 Art. 16 |
Termination of Data Processing |
Art. 16. Personal data shall be deleted following the termination of their processing |
Shared |
n/a |
Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, but their storage is authorized for the following purposes: (1) compliance with a legal or regulatory obligation by the controller; (2) study by a research entity, ensuring, whenever possible, the anonymization of the personal data; (3) transfer to third parties, provided that the requirements for data processing as provided in this Law are obeyed; or (4) exclusive use of the controller, with access by third parties being prohibited, and provided the data has been anonymized. |
|
18 |
NIST_SP_800-171_R3_3 |
.11.2 |
NIST_SP_800-171_R3_3.11.2 |
NIST 800-171 R3 3.11.2 |
Risk Assessment Control |
Vulnerability Monitoring and Scanning |
Shared |
Organizations determine the required vulnerability scanning for system components and ensure that potential sources of vulnerabilities (e.g., networked printers, scanners, and copiers) are not overlooked. Vulnerability analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, or binary analysis. Organizations can use these approaches in source code reviews and tools (e.g., static analysis tools, web-based application scanners, binary analyzers). Vulnerability scanning includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating flow control mechanisms.
To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated and that employ the Extensible Configuration Checklist Description Format (XCCDF). Organizations also consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL). Sources for vulnerability information also include the Common Weakness Enumeration (CWE) listing, the National Vulnerability Database (NVD), and the Common Vulnerability Scoring System (CVSS). |
a. Monitor and scan for vulnerabilities in the system periodically and when new vulnerabilities affecting the system are identified.
b. Remediate system vulnerabilities within [Assignment: organization-defined response times].
c. Update system vulnerabilities to be scanned periodically and when new vulnerabilities are identified and reported. |
|
15 |
NIST_SP_800-53_R5.1.1 |
RA.5 |
NIST_SP_800-53_R5.1.1_RA.5 |
NIST SP 800-53 R5.1.1 RA.5 |
Risk Assessment Control |
Vulnerability Monitoring and Scanning |
Shared |
a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;
b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyze vulnerability scan reports and results from vulnerability monitoring;
d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk;
e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and
f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. |
Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.
Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).
Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.
Organizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points. |
|
13 |
NIST_SP_800-53_R5.1.1 |
SC.17 |
NIST_SP_800-53_R5.1.1_SC.17 |
NIST SP 800-53 R5.1.1 SC.17 |
System and Communications Protection |
Public Key Infrastructure Certificates |
Shared |
a. Issue public key certificates under an [Assignment: organization-defined certificate policy] or obtain public key certificates from an approved service provider; and
b. Include only approved trust anchors in trust stores or certificate stores managed by the organization. |
Public key infrastructure certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates. |
|
1 |
NIST_SP_800-53_R5.1.1 |
SC.28 |
NIST_SP_800-53_R5.1.1_SC.28 |
NIST SP 800-53 R5.1.1 SC.28 |
System and Communications Protection |
Protection of Information at Rest |
Shared |
Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. |
Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage. |
|
17 |
NIST_SP_800-53_R5.1.1 |
SC.39 |
NIST_SP_800-53_R5.1.1_SC.39 |
NIST SP 800-53 R5.1.1 SC.39 |
System and Communications Protection |
Process Isolation |
Shared |
Maintain a separate execution domain for each executing system process. |
Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies. |
|
1 |
NIST_SP_800-53_R5.1.1 |
SI.7 |
NIST_SP_800-53_R5.1.1_SI.7 |
NIST SP 800-53 R5.1.1 SI.7 |
System and Information Integrity Control |
Software, Firmware, and Information Integrity |
Shared |
a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and
b. Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions]. |
Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications. |
|
7 |
NL_BIO_Cloud_Theme |
U.05.2(2) |
NL_BIO_Cloud_Theme_U.05.2(2) |
NL_BIO_Cloud_Theme_U.05.2(2) |
U.05 Data protection |
Cryptographic measures |
|
n/a |
Data stored in the cloud service shall be protected to the latest state of the art with encryption and with a key length sufficient at least for the purpose, whereby the key management is not purchased as a cloud service if possible and is carried out by the CSC itself. |
|
52 |
NL_BIO_Cloud_Theme |
U.11.3(2) |
NL_BIO_Cloud_Theme_U.11.3(2) |
NL_BIO_Cloud_Theme_U.11.3(2) |
U.11 Cryptoservices |
Encrypted |
|
n/a |
Sensitive data (on transport and at rest) is always encrypted, with private keys managed by the CSC. The use of a private key by the CSP is based on a controlled procedure and must be jointly agreed with the CSC organisation. |
|
52 |
NZISM_v3.7 |
17.8.10.C.01. |
NZISM_v3.7_17.8.10.C.01. |
NZISM v3.7 17.8.10.C.01. |
Internet Protocol Security (IPSec) |
17.8.10.C.01. - To enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies SHOULD use tunnel mode for IPSec connections. |
|
22 |
NZISM_v3.7 |
17.8.10.C.02. |
NZISM_v3.7_17.8.10.C.02. |
NZISM v3.7 17.8.10.C.02. |
Internet Protocol Security (IPSec) |
17.8.10.C.02. - To enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies choosing to use transport mode SHOULD additionally use an IP tunnel for IPSec connections. |
|
35 |
NZISM_v3.7 |
17.9.37.C.01. |
NZISM_v3.7_17.9.37.C.01. |
NZISM v3.7 17.9.37.C.01. |
Key Management |
17.9.37.C.01. - To enhance the overall security posture of the systems and the sensitive information they protect. |
Shared |
n/a |
Agencies MUST comply with NZCSI when using HACE. |
|
5 |
PCI_DSS_v4.0.1 |
10.3.4 |
PCI_DSS_v4.0.1_10.3.4 |
PCI DSS v4.0.1 10.3.4 |
Log and Monitor All Access to System Components and Cardholder Data |
Log Integrity Monitoring |
Shared |
n/a |
File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts. |
|
28 |
PCI_DSS_v4.0.1 |
11.3.1 |
PCI_DSS_v4.0.1_11.3.1 |
PCI DSS v4.0.1 11.3.1 |
Test Security of Systems and Networks Regularly |
Internal Vulnerability Scans |
Shared |
n/a |
Internal vulnerability scans are performed as follows:
• At least once every three months.
• Vulnerabilities that are either high-risk or critical (according to the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
• Rescans are performed that confirm all high-risk and all critical vulnerabilities (as noted above) have been resolved.
• Scan tool is kept up to date with latest vulnerability information.
• Scans are performed by qualified personnel and organizational independence of the tester exists. |
|
15 |
PCI_DSS_v4.0.1 |
11.3.1.1 |
PCI_DSS_v4.0.1_11.3.1.1 |
PCI DSS v4.0.1 11.3.1.1 |
Test Security of Systems and Networks Regularly |
Management of Other Vulnerabilities |
Shared |
n/a |
All other applicable vulnerabilities (those not ranked as high-risk vulnerabilities or critical vulnerabilities according to the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are managed as follows:
• Addressed based on the risk defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
• Rescans are conducted as needed. |
|
14 |
PCI_DSS_v4.0.1 |
11.4.4 |
PCI_DSS_v4.0.1_11.4.4 |
PCI DSS v4.0.1 11.4.4 |
Test Security of Systems and Networks Regularly |
Addressing Penetration Testing Findings |
Shared |
n/a |
Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows:
• In accordance with the entity’s assessment of the risk posed by the security issue as defined in Requirement 6.3.1.
• Penetration testing is repeated to verify the corrections. |
|
14 |
PCI_DSS_v4.0.1 |
11.5.2 |
PCI_DSS_v4.0.1_11.5.2 |
PCI DSS v4.0.1 11.5.2 |
Test Security of Systems and Networks Regularly |
Change-Detection Mechanism Deployment |
Shared |
n/a |
A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows:
• To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files.
• To perform critical file comparisons at least once weekly. |
|
31 |
PCI_DSS_v4.0.1 |
6.4.1 |
PCI_DSS_v4.0.1_6.4.1 |
PCI DSS v4.0.1 6.4.1 |
Develop and Maintain Secure Systems and Software |
For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows: At least once every 12 months and after significant changes. By an entity that specializes in application security. Including, at a minimum, all common software attacks in Requirement 6.2.4. All vulnerabilities are ranked in accordance with requirement 6.3.1. All vulnerabilities are corrected. The application is re-evaluated after the corrections. OR Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows: Installed in front of public-facing web applications to detect and prevent web-based attacks. Actively running and up to date as applicable. Generating audit logs. Configured to either block web-based attacks or generate an alert that is immediately investigated |
Shared |
n/a |
For public-facing web applications, ensure that either one of the required methods is in place as follows: If manual or automated vulnerability security assessment tools or methods are in use, examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed in accordance with all elements of this requirement specific to the tool/method. OR If an automated technical solution(s) is installed that continually detects and prevents web-based attacks, examine the system configuration settings and audit logs, and interview responsible personnel to verify that the automated technical solution(s) is installed in accordance with all elements of this requirement specific to the solution(s) |
|
15 |
RBI_CSF_Banks_v2016 |
13.1 |
RBI_CSF_Banks_v2016_13.1 |
|
Advanced Real-Timethreat Defenceand Management |
Advanced Real-Timethreat Defenceand Management-13.1 |
|
n/a |
Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise. |
|
21 |
SOC_2 |
CC6.8 |
SOC_2_CC6.8 |
SOC 2 Type 2 CC6.8 |
Logical and Physical Access Controls |
Prevent or detect against unauthorized or malicious software |
Shared |
The customer is responsible for implementing this recommendation. |
Restricts Application and Software Installation — The ability to install applications
and software is restricted to authorized individuals.
• Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that
may be indicative of unauthorized or malicious software.
• Uses a Defined Change Control Process — A management-defined change control
process is used for the implementation of software.
• Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software
is implemented and maintained to provide for the interception or detection and remediation of malware.
• Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been
transferred or returned to the entity’s custody for malware and other unauthorized
software and to remove any items detected prior to its implementation on the network. |
|
47 |
SOC_2 |
CC8.1 |
SOC_2_CC8.1 |
SOC 2 Type 2 CC8.1 |
Change Management |
Changes to infrastructure, data, and software |
Shared |
The customer is responsible for implementing this recommendation. |
Manages Changes Throughout the System Life Cycle — A process for managing
system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and
processing integrity.
• Authorizes Changes — A process is in place to authorize system changes prior to
development.
• Designs and Develops Changes — A process is in place to design and develop system changes.
• Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing
their responsibilities.
• Tracks System Changes — A process is in place to track system changes prior to
implementation.
• Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software.
• Tests System Changes — A process is in place to test system changes prior to implementation.
• Approves System Changes — A process is in place to approve system changes prior
to implementation.
• Deploys System Changes — A process is in place to implement system changes.
• Identifies and Evaluates System Changes — Objectives affected by system changes
are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle.
• Identifies Changes in Infrastructure, Data, Software, and Procedures Required to
Remediate Incidents — Changes in infrastructure, data, software, and procedures
required to remediate incidents to continue to meet objectives are identified and the
change process is initiated upon identification.
• Creates Baseline Configuration of IT Technology — A baseline configuration of IT
and control systems is created and maintained.
• Provides for Changes Necessary in Emergency Situations — A process is in place
for authorizing, designing, testing, approving, and implementing changes necessary
in emergency situations (that is, changes that need to be implemented in an urgent
time frame).
Additional points of focus that apply only in an engagement using the trust services criteria for
confidentiality:
• Protects Confidential Information — The entity protects confidential information
during system design, development, testing, implementation, and change processes
to meet the entity’s objectives related to confidentiality.
Additional points of focus that apply only in an engagement using the trust services criteria for
privacy:
• Protects Personal Information — The entity protects personal information during
system design, development, testing, implementation, and change processes to meet
the entity’s objectives related to privacy. |
|
52 |
SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
To facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
218 |
SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
To maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
229 |
SOC_2023 |
CC6.1 |
SOC_2023_CC6.1 |
SOC 2023 CC6.1 |
Logical and Physical Access Controls |
To mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. |
Shared |
n/a |
Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. |
|
128 |
SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
213 |
SOC_2023 |
CC8.1 |
SOC_2023_CC8.1 |
SOC 2023 CC8.1 |
Change Management |
To minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. |
Shared |
n/a |
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. |
|
147 |
SOC_2023 |
CC9.1 |
SOC_2023_CC9.1 |
SOC 2023 CC9.1 |
Risk Mitigation |
To enhance resilience and ensure continuity of critical operations in the face of adverse events or threats. |
Shared |
n/a |
Entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. |
|
18 |
SWIFT_CSCF_2024 |
2.1 |
SWIFT_CSCF_2024_2.1 |
SWIFT Customer Security Controls Framework 2024 2.1 |
Risk Management |
Internal Data Flow Security |
Shared |
The protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit. |
To ensure the confidentiality, integrity, and authenticity of application data flows between ’user’s Swift-related components. |
|
48 |
SWIFT_CSCF_2024 |
2.7 |
SWIFT_CSCF_2024_2.7 |
SWIFT Customer Security Controls Framework 2024 2.7 |
Risk Management |
Vulnerability Scanning |
Shared |
1. The detection of known vulnerabilities allows vulnerabilities to be analysed, treated, and mitigated. The mitigation of vulnerabilities reduces the number of pathways that a malicious actor can use during an attack.
2. A vulnerability scanning process that is comprehensive, repeatable, and performed in a timely manner is necessary to continuously detect known vulnerabilities and to allow for further action. |
To identify known vulnerabilities within the user’s Swift environment by implementing a regular vulnerability scanning process and act upon results. |
|
16 |
SWIFT_CSCF_2024 |
6.2 |
SWIFT_CSCF_2024_6.2 |
SWIFT Customer Security Controls Framework 2024 6.2 |
Risk Management |
Software Integrity |
Shared |
Software integrity checks provide a detective control against unexpected modification to operational software. |
To ensure the software integrity of the Swift-related components and act upon results. |
|
16 |
SWIFT_CSCF_2024 |
6.3 |
SWIFT_CSCF_2024_6.3 |
SWIFT Customer Security Controls Framework 2024 6.3 |
Risk Management |
Database Integrity |
Shared |
Database integrity checks allow unexpected modification to records stored within the database to be detected. |
To ensure the integrity of the database records for the Swift messaging interface or the customer connector and act upon results. |
|
16 |
|
U.05.2 - Cryptographic measures |
U.05.2 - Cryptographic measures |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
U.11.3 - Encrypted |
U.11.3 - Encrypted |
404 not found |
|
|
|
n/a |
n/a |
|
51 |