Internet-facing virtual machines should be protected with network security groups

Azure BuiltIn Policy definition

Alias

Namespace

ResourceType

Path

PathIsDefault

DefaultPath

Modifiable

Microsoft.Security/assessments/status.code

Microsoft.Security

assessments

properties.status.code

True

False

Control Domain

Control

Name

MetadataId

Category

Title

Owner

Requirements

Description

Info

Policy#

AU_ISM

1182

AU_ISM_1182

AU ISM 1182

Guidelines for Networking - Network design and configuration

Network access controls - 1182

n/a

Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes.

link

Azure_Security_Benchmark_v1.0

1.1

Azure_Security_Benchmark_v1.0_1.1

Azure Security Benchmark 1.1

Network Security

Protect resources using Network Security Groups or Azure Firewall on your Virtual Network

Customer

Ensure that all Virtual Network subnet deployments have a Network Security Group applied with network access controls specific to your application's trusted ports and sources. Use Azure Services with Private Link enabled, deploy the service inside your Vnet, or connect privately using Private Endpoints. For service specific requirements, please refer to the security recommendation for that specific service. Alternatively, if you have a specific use case, requirements can be met by implementing Azure Firewall. General Information on Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview How to create a Virtual Network: https://docs.microsoft.com/azure/virtual-network/quick-create-portal How to create an NSG with a security configuration: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic How to deploy and configure Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal

n/a

link

Azure_Security_Benchmark_v2.0

NS-1

Azure_Security_Benchmark_v2.0_NS-1

Azure Security Benchmark NS-1

Network Security

Implement security for internal traffic

Customer

Ensure that all Azure virtual networks follow an enterprise segmentation principle that aligns to the business risks. Any system that could incur higher risk for the organization should be isolated within its own virtual network and sufficiently secured with either a network security group (NSG) and/or Azure Firewall. Based on your applications and enterprise segmentation strategy, restrict or allow traffic between internal resources based on network security group rules. For specific well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach. This might not scale well if you have many applications and endpoints interacting with each other. You can also use Azure Firewall in circumstances where central management is required over a large number of enterprise segments or spokes (in a hub/spoke topology). Use Azure Security Center Adaptive Network Hardening to recommend network security group configurations that limit ports and source IPs based with the reference to external network traffic rules. Use Azure Sentinel to discover the use of legacy insecure protocols such as SSL/TLSv1, SMBv1, LM/NTLMv1, wDigest, Unsigned LDAP Binds, and weak ciphers in Kerberos. How to create a network security group with security rules: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic How to deploy and configure Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal Adaptive Network Hardening in Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-adaptive-network-hardening Azure Sentinel insecure protocols workbook:https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility#use-built-in-workbooks

n/a

link

Azure_Security_Benchmark_v2.0

NS-4

Azure_Security_Benchmark_v2.0_NS-4

Azure Security Benchmark NS-4

Network Security

Protect applications and services from external network attacks

Customer

Protect Azure resources against attacks from external networks, including distributed denial of service (DDoS) Attacks, application specific attacks, and unsolicited and potentially malicious internet traffic. Azure includes native capabilities for this: - Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations. - Use Web Application Firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services, and APIs against application layer attacks. - Protect your assets against DDoS attacks by enabling DDoS protection on your Azure virtual networks. - Use Azure Security Center to detect misconfiguration risks related to the above. Azure Firewall Documentation: https://docs.microsoft.com/azure/firewall/ How to deploy Azure WAF: https://docs.microsoft.com/azure/web-application-firewall/overview Manage Azure DDoS Protection using the Azure portal: https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection

n/a

link

Azure_Security_Benchmark_v3.0

NS-1

Azure_Security_Benchmark_v3.0_NS-1

Microsoft cloud security benchmark NS-1

Network Security

Establish network segmentation boundaries

Shared

**Security Principle:** Ensure that your virtual network deployment aligns to your enterprise segmentation strategy defined in the GS-2 security control. Any workload that could incur higher risk for the organization should be in isolated virtual networks. Examples of high-risk workload include: - An application storing or processing highly sensitive data. - An external network-facing application accessible by the public or users outside of your organization. - An application using insecure architecture or containing vulnerabilities that cannot be easily remediated. To enhance your enterprise segmentation strategy, restrict or monitor traffic between internal resources using network controls. For specific, well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach by restricting the ports, protocols, source, and destination IPs of the network traffic. If you have many applications and endpoints interacting with each other, blocking traffic may not scale well, and you may only be able to monitor traffic. **Azure Guidance:** Create a virtual network (VNet) as a fundamental segmentation approach in your Azure network, so resources such as VMs can be deployed into the VNet within a network boundary. To further segment the network, you can create subnets inside VNet for smaller sub-networks. Use network security groups (NSG) as a network layer control to restrict or monitor traffic by port, protocol, source IP address, or destination IP address. You can also use application security groups (ASGs) to simplify complex configuration. Instead of defining policy based on explicit IP addresses in network security groups, ASGs enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. **Implementation and additional context:** Azure Virtual Network concepts and best practices: https://docs.microsoft.com/azure/virtual-network/concepts-and-best-practices Add, change, or delete a virtual network subnet: https://docs.microsoft.com/azure/virtual-network/virtual-network-manage-subnet How to create a network security group with security rules: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic Understand and use application security groups: https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview#application-security-groups

n/a

link

Canada_Federal_PBMM_3-1-2020

CA_3

Canada_Federal_PBMM_3-1-2020_CA_3

Canada Federal PBMM 3-1-2020 CA 3

Information System Connections

System Interconnections

Shared

1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements. 2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated. 3. The organization reviews and updates Interconnection Security Agreements annually.

To establish and maintain secure connections between information systems.

Canada_Federal_PBMM_3-1-2020

CA_3(3)

Canada_Federal_PBMM_3-1-2020_CA_3(3)

Canada Federal PBMM 3-1-2020 CA 3(3)

Information System Connections

System Interconnections | Classified Non-National Security System Connections

Shared

The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner.

To ensure the integrity and security of internal systems against external threats.

Canada_Federal_PBMM_3-1-2020

CA_3(5)

Canada_Federal_PBMM_3-1-2020_CA_3(5)

Canada Federal PBMM 3-1-2020 CA 3(5)

Information System Connections

System Interconnections | Restrictions on External Network Connections

Shared

The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems.

To enhance security posture against unauthorized access.

Canada_Federal_PBMM_3-1-2020

CA_7

Canada_Federal_PBMM_3-1-2020_CA_7

Canada Federal PBMM 3-1-2020 CA 7

Continuous Monitoring

Shared

1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency.

To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements.

124

Canada_Federal_PBMM_3-1-2020

SI_3

Canada_Federal_PBMM_3-1-2020_SI_3

Canada Federal PBMM 3-1-2020 SI 3

Malicious Code Protection

Shared

1. The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code. 2. The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. 3. The organization configures malicious code protection mechanisms to: a. Perform periodic scans of the information system at least weekly and real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and b. Block and quarantine malicious code; send alert to the key role as defined in the system and information integrity policy in response to malicious code detection. 4. The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

To mitigate potential impacts on system availability.

Canada_Federal_PBMM_3-1-2020

SI_3(1)

Canada_Federal_PBMM_3-1-2020_SI_3(1)

Canada Federal PBMM 3-1-2020 SI 3(1)

Malicious Code Protection

Malicious Code Protection | Central Management

Shared

The organization centrally manages malicious code protection mechanisms.

To centrally manage malicious code protection mechanisms.

Canada_Federal_PBMM_3-1-2020

SI_3(2)

Canada_Federal_PBMM_3-1-2020_SI_3(2)

Canada Federal PBMM 3-1-2020 SI 3(2)

Malicious Code Protection

Malicious Code Protection | Automatic Updates

Shared

The information system automatically updates malicious code protection mechanisms.

To ensure automatic updates in malicious code protection mechanisms.

Canada_Federal_PBMM_3-1-2020

SI_3(7)

Canada_Federal_PBMM_3-1-2020_SI_3(7)

Canada Federal PBMM 3-1-2020 SI 3(7)

Malicious Code Protection

Malicious Code Protection | Non Signature-Based Detection

Shared

The information system implements non-signature-based malicious code detection mechanisms.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020

SI_4

Canada_Federal_PBMM_3-1-2020_SI_4

Canada Federal PBMM 3-1-2020 SI 4

Information System Monitoring

Shared

1. The organization monitors the information system to detect: a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and b. Unauthorized local, network, and remote connections; 2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods. 3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. 4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. 5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. 6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards. 7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020

SI_4(1)

Canada_Federal_PBMM_3-1-2020_SI_4(1)

Canada Federal PBMM 3-1-2020 SI 4(1)

Information System Monitoring

Information System Monitoring | System-Wide Intrusion Detection System

Shared

The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020

SI_4(2)

Canada_Federal_PBMM_3-1-2020_SI_4(2)

Canada Federal PBMM 3-1-2020 SI 4(2)

Information System Monitoring

Information System Monitoring | Automated Tools for Real-Time Analysis

Shared

The organization employs automated tools to support near real-time analysis of events.

To enhance overall security posture.

Canada_Federal_PBMM_3-1-2020

SI_8(1)

Canada_Federal_PBMM_3-1-2020_SI_8(1)

Canada Federal PBMM 3-1-2020 SI 8(1)

Spam Protection

Spam Protection | Central Management of Protection Mechanisms

Shared

The organization centrally manages spam protection mechanisms.

To enhance overall security posture.

CIS_Azure_1.1.0

2.9

CIS_Azure_1.1.0_2.9

CIS Microsoft Azure Foundations Benchmark recommendation 2.9

2 Security Center

Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled"

Shared

The customer is responsible for implementing this recommendation.

Enable next generation firewall recommendations for virtual machines.

link

CMMC_2.0_L2

AC.L2-3.1.3

CMMC_2.0_L2_AC.L2-3.1.3

404 not found

n/a

CMMC_2.0_L2

SC.L1-3.13.1

CMMC_2.0_L2_SC.L1-3.13.1

404 not found

n/a

CMMC_2.0_L2

SC.L1-3.13.5

CMMC_2.0_L2_SC.L1-3.13.5

404 not found

n/a

CMMC_2.0_L2

SC.L2-3.13.2

CMMC_2.0_L2_SC.L2-3.13.2

404 not found

n/a

CMMC_2.0_L2

SC.L2-3.13.6

CMMC_2.0_L2_SC.L2-3.13.6

404 not found

n/a

CMMC_L2_v1.9.0

SC.L1_3.13.1

CMMC_L2_v1.9.0_SC.L1_3.13.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.1

System and Communications Protection

Boundary Protection

Shared

Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

To protect information assets from external attacks and insider threats.

CMMC_L2_v1.9.0

SC.L1_3.13.5

CMMC_L2_v1.9.0_SC.L1_3.13.5

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.5

System and Communications Protection

Public Access System Separation

Shared

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

To control access, monitor traffic, and mitigate the risk of unauthorized access or exploitation of internal resources.

CMMC_L3

AC.1.003

CMMC_L3_AC.1.003

CMMC L3 AC.1.003

Access Control

Verify and control/limit connections to and use of external information systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of CUI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems. Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations. Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. And among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external" to that system.

link

CMMC_L3

AC.2.016

CMMC_L3_AC.2.016

CMMC L3 AC.2.016

Access Control

Control the flow of CUI in accordance with approved authorizations.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.

link

CMMC_L3

CM.3.068

CMMC_L3_CM.3.068

CMMC L3 CM.3.068

Configuration Management

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling.

link

CMMC_L3

SC.1.175

CMMC_L3_SC.1.175

CMMC L3 SC.1.175

System and Communications Protection

Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.

link

CMMC_L3

SC.1.176

CMMC_L3_SC.1.176

CMMC L3 SC.1.176

System and Communications Protection

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

link

CMMC_L3

SC.3.183

CMMC_L3_SC.3.183

CMMC L3 SC.3.183

System and Communications Protection

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

link

CSA_v4.0.12

DSP_05

CSA_v4.0.12_DSP_05

CSA Cloud Controls Matrix v4.0.12 DSP 05

Data Security and Privacy Lifecycle Management

Data Flow Documentation

Shared

n/a

Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change.

CSA_v4.0.12

DSP_10

CSA_v4.0.12_DSP_10

CSA Cloud Controls Matrix v4.0.12 DSP 10

Data Security and Privacy Lifecycle Management

Sensitive Data Transfer

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations.

EU_2555_(NIS2)_2022

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

193

EU_GDPR_2016_679_Art.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

310

EU_GDPR_2016_679_Art.

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

310

EU_GDPR_2016_679_Art.

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

310

EU_GDPR_2016_679_Art.

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.1

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1

Policy and Implementation - Systems And Communications Protection

Systems And Communications Protection

Shared

In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information.

Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment.

110

FedRAMP_High_R4

AC-4

FedRAMP_High_R4_AC-4

FedRAMP High AC-4

Access Control

Information Flow Enforcement

Shared

n/a

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. References: None.

link

FedRAMP_High_R4

SC-7

FedRAMP_High_R4_SC-7

FedRAMP High SC-7

System And Communications Protection

Boundary Protection

Shared

n/a

The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13. References: FIPS Publication 199; NIST Special Publications 800-41, 800-77.

link

FedRAMP_High_R4

SC-7(3)

FedRAMP_High_R4_SC-7(3)

FedRAMP High SC-7 (3)

System And Communications Protection

Access Points

Shared

n/a

The organization limits the number of external network connections to the information system. Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections.

link

FedRAMP_Moderate_R4

AC-4

FedRAMP_Moderate_R4_AC-4

FedRAMP Moderate AC-4

Access Control

Information Flow Enforcement

Shared

n/a

link

FedRAMP_Moderate_R4

SC-7

FedRAMP_Moderate_R4_SC-7

FedRAMP Moderate SC-7

System And Communications Protection

Boundary Protection

Shared

n/a

link

FedRAMP_Moderate_R4

SC-7(3)

FedRAMP_Moderate_R4_SC-7(3)

FedRAMP Moderate SC-7 (3)

System And Communications Protection

Access Points

Shared

n/a

link

FFIEC_CAT_2017

3.1.1

FFIEC_CAT_2017_3.1.1

FFIEC CAT 2017 3.1.1

Cybersecurity Controls

Infrastructure Management

Shared

n/a

- Network perimeter defense tools (e.g., border router and firewall) are used. - Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. - All ports are monitored. - Up to date antivirus and anti-malware tools are used. - Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. - Ports, functions, protocols and services are prohibited if no longer needed for business purposes. - Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored. - Programs that can override system, object, network, virtual machine, and application controls are restricted. - System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met. - Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.)

FFIEC_CAT_2017

4.1.1

FFIEC_CAT_2017_4.1.1

FFIEC CAT 2017 4.1.1

External Dependency Management

Connections

Shared

n/a

- The critical business processes that are dependent on external connectivity have been identified. - The institution ensures that third-party connections are authorized. - A network diagram is in place and identifies all external connections. - Data flow diagrams are in place and document information flow to external parties.

hipaa

0805.01m1Organizational.12-01.m

hipaa-0805.01m1Organizational.12-01.m

0805.01m1Organizational.12-01.m

08 Network Protection

0805.01m1Organizational.12-01.m 01.04 Network Access Control

Shared

n/a

The organization's security gateways (e.g., firewalls) (i) enforce security policies; (ii) are configured to filter traffic between domains; (iii) block unauthorized access; (iv) are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet), including DMZs; and, (vi) enforce access control policies for each of the domains.

hipaa

0806.01m2Organizational.12356-01.m

hipaa-0806.01m2Organizational.12356-01.m

0806.01m2Organizational.12356-01.m

08 Network Protection

0806.01m2Organizational.12356-01.m 01.04 Network Access Control

Shared

n/a

The organization’s network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements.

hipaa

0809.01n2Organizational.1234-01.n

hipaa-0809.01n2Organizational.1234-01.n

0809.01n2Organizational.1234-01.n

08 Network Protection

0809.01n2Organizational.1234-01.n 01.04 Network Access Control

Shared

n/a

Network traffic is controlled in accordance with the organization’s access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface.

hipaa

0810.01n2Organizational.5-01.n

hipaa-0810.01n2Organizational.5-01.n

0810.01n2Organizational.5-01.n

08 Network Protection

0810.01n2Organizational.5-01.n 01.04 Network Access Control

Shared

n/a

Transmitted information is secured and, at a minimum, encrypted over open, public networks.

hipaa

0811.01n2Organizational.6-01.n

hipaa-0811.01n2Organizational.6-01.n

0811.01n2Organizational.6-01.n

08 Network Protection

0811.01n2Organizational.6-01.n 01.04 Network Access Control

Shared

n/a

Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need.

hipaa

0812.01n2Organizational.8-01.n

hipaa-0812.01n2Organizational.8-01.n

0812.01n2Organizational.8-01.n

08 Network Protection

0812.01n2Organizational.8-01.n 01.04 Network Access Control

Shared

n/a

Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources.

hipaa

0814.01n1Organizational.12-01.n

hipaa-0814.01n1Organizational.12-01.n

0814.01n1Organizational.12-01.n

08 Network Protection

0814.01n1Organizational.12-01.n 01.04 Network Access Control

Shared

n/a

The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of its business applications.

hipaa

0894.01m2Organizational.7-01.m

hipaa-0894.01m2Organizational.7-01.m

0894.01m2Organizational.7-01.m

08 Network Protection

0894.01m2Organizational.7-01.m 01.04 Network Access Control

Shared

n/a

Networks are segregated from production-level networks when migrating physical servers, applications, or data to virtualized servers.

HITRUST_CSF_v11.3

01.m

HITRUST_CSF_v11.3_01.m

HITRUST CSF v11.3 01.m

Network Access Control

Ensure segregation in networks.

Shared

Security gateways, internal network perimeters, wireless network segregation, firewalls, and logical network domains with controlled data flows to be implemented to enhance network security.

Groups of information services, users, and information systems should be segregated on networks.

HITRUST_CSF_v11.3

01.n

HITRUST_CSF_v11.3_01.n

HITRUST CSF v11.3 01.n

Network Access Control

Prevent unauthorised access to shared networks.

Shared

Default deny policy at managed interfaces, restricted user connections through network gateways, comprehensive access controls, time-based restrictions, and encryption of sensitive information transmitted over public networks for is to be implemented for enhanced security.

For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications.

New_Zealand_ISM

18.1.13.C.02

New_Zealand_ISM_18.1.13.C.02

18. Network security

18.1.13.C.02 Limiting network access

n/a

Agencies SHOULD implement network access controls on all networks.

NIS2

PV._Posture_and_Vulnerability_Management_5

NIS2_PV._Posture_and_Vulnerability_Management_5

PV. Posture and Vulnerability Management

Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure

n/a

missing value

NIST_SP_800-171_R2_3

.1.3

NIST_SP_800-171_R2_3.1.3

NIST SP 800-171 R2 3.1.3

Access Control

Control the flow of CUI in accordance with approved authorizations.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.

link

NIST_SP_800-171_R2_3

.13.1

NIST_SP_800-171_R2_3.13.1

NIST SP 800-171 R2 3.13.1

System and Communications Protection

Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

link

NIST_SP_800-171_R2_3

.13.2

NIST_SP_800-171_R2_3.13.2

NIST SP 800-171 R2 3.13.2

System and Communications Protection

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions. [SP 800-160-1] provides guidance on systems security engineering.

link

NIST_SP_800-171_R2_3

.13.5

NIST_SP_800-171_R2_3.13.5

NIST SP 800-171 R2 3.13.5

System and Communications Protection

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies

link

NIST_SP_800-171_R2_3

.13.6

NIST_SP_800-171_R2_3.13.6

NIST SP 800-171 R2 3.13.6

System and Communications Protection

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

link

NIST_SP_800-171_R3_3

.13.1

NIST_SP_800-171_R3_3.13.1

NIST 800-171 R3 3.13.1

System and Communications Protection Control

Boundary Protection

Shared

Managed interfaces include gateways, routers, firewalls, network-based malicious code analysis, virtualization systems, and encrypted tunnels implemented within a security architecture. Subnetworks that are either physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses.

a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system. b. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. c. Connect to external systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

NIST_SP_800-53_R4

AC-4

NIST_SP_800-53_R4_AC-4

NIST SP 800-53 Rev. 4 AC-4

Access Control

Information Flow Enforcement

Shared

n/a

link

NIST_SP_800-53_R4

SC-7

NIST_SP_800-53_R4_SC-7

NIST SP 800-53 Rev. 4 SC-7

System And Communications Protection

Boundary Protection

Shared

n/a

link

NIST_SP_800-53_R4

SC-7(3)

NIST_SP_800-53_R4_SC-7(3)

NIST SP 800-53 Rev. 4 SC-7 (3)

System And Communications Protection

Access Points

Shared

n/a

link

NIST_SP_800-53_R5.1.1

SC.7

NIST_SP_800-53_R5.1.1_SC.7

NIST SP 800-53 R5.1.1 SC.7

System and Communications Protection

Boundary Protection

Shared

a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).

NIST_SP_800-53_R5

AC-4

NIST_SP_800-53_R5_AC-4

NIST SP 800-53 Rev. 5 AC-4

Access Control

Information Flow Enforcement

Shared

n/a

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].

link

NIST_SP_800-53_R5

SC-7

NIST_SP_800-53_R5_SC-7

NIST SP 800-53 Rev. 5 SC-7

System and Communications Protection

Boundary Protection

Shared

n/a

a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically;logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

link

NIST_SP_800-53_R5

SC-7(3)

NIST_SP_800-53_R5_SC-7(3)

NIST SP 800-53 Rev. 5 SC-7 (3)

System and Communications Protection

Access Points

Shared

n/a

Limit the number of external network connections to the system.

link

NZ_ISM_v3.5

GS-2

NZ_ISM_v3.5_GS-2

NZISM Security Benchmark GS-2

Gateway security

19.1.11 Using Gateways

Customer

n/a

Physically locating all gateway components inside a secure server room will reduce the risk of unauthorised access to the device(s). The system owner of the higher security domain of connected security domains would be most familiar with the controls required to protect the more sensitive information and as such is best placed to manage any shared components of gateways. In some cases where multiple security domains from different agencies are connected to a gateway, it may be more appropriate to have a qualified third party manage the gateway on behalf of all connected agencies. Gateway components may also reside in a virtual environment ??? refer to Section 22.2 ??? Virtualisation and Section 22.3 ??? Virtual Local Area Networks

link

NZISM_Security_Benchmark_v1.1

GS-2

NZISM_Security_Benchmark_v1.1_GS-2

NZISM Security Benchmark GS-2

Gateway security

19.1.11 Using Gateways

Customer

Agencies MUST ensure that: all agency networks are protected from networks in other security domains by one or more gateways; all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and all gateway components, discrete and virtual, are physically located within an appropriately secured server room.

Physically locating all gateway components inside a secure server room will reduce the risk of unauthorised access to the device(s). The system owner of the higher security domain of connected security domains would be most familiar with the controls required to protect the more sensitive information and as such is best placed to manage any shared components of gateways. In some cases where multiple security domains from different agencies are connected to a gateway, it may be more appropriate to have a qualified third party manage the gateway on behalf of all connected agencies. Gateway components may also reside in a virtual environment – refer to Section 22.2 – Virtualisation and Section 22.3 – Virtual Local Area Networks

link

NZISM_v3.7

14.3.10.C.01.

NZISM_v3.7_14.3.10.C.01.

NZISM v3.7 14.3.10.C.01.

Web Applications

14.3.10.C.01. - maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities.

Shared

n/a

Agencies SHOULD implement allow listing for all HTTP traffic being communicated through their gateways.

NZISM_v3.7

14.3.10.C.02.

NZISM_v3.7_14.3.10.C.02.

NZISM v3.7 14.3.10.C.02.

Web Applications

14.3.10.C.02. - maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities.

Shared

n/a

Agencies using an allow list on their gateways to specify the external addresses, to which encrypted connections are permitted, SHOULD specify allow list addresses by domain name or IP address.

NZISM_v3.7

14.3.10.C.03.

NZISM_v3.7_14.3.10.C.03.

NZISM v3.7 14.3.10.C.03.

Web Applications

14.3.10.C.03. - maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities.

Shared

n/a

If agencies do not allow list websites they SHOULD deny list websites to prevent access to known malicious websites.

NZISM_v3.7

14.3.10.C.04.

NZISM_v3.7_14.3.10.C.04.

NZISM v3.7 14.3.10.C.04.

Web Applications

14.3.10.C.04. - maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities.

Shared

n/a

Agencies deny listing websites SHOULD update the deny list on a frequent basis to ensure that it remains effective.

NZISM_v3.7

17.8.10.C.02.

NZISM_v3.7_17.8.10.C.02.

NZISM v3.7 17.8.10.C.02.

Internet Protocol Security (IPSec)

17.8.10.C.02. - enhance overall cybersecurity posture.

Shared

n/a

Agencies choosing to use transport mode SHOULD additionally use an IP tunnel for IPSec connections.

NZISM_v3.7

19.1.10.C.01.

NZISM_v3.7_19.1.10.C.01.

NZISM v3.7 19.1.10.C.01.

Gateways

19.1.10.C.01. - ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks.

Shared

n/a

When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection.

NZISM_v3.7

19.1.11.C.01.

NZISM_v3.7_19.1.11.C.01.

NZISM v3.7 19.1.11.C.01.

Gateways

19.1.11.C.01. - ensure network protection through gateway mechanisms.

Shared

n/a

Agencies MUST ensure that: 1. all agency networks are protected from networks in other security domains by one or more gateways; 2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and 3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room.

NZISM_v3.7

19.1.11.C.02.

NZISM_v3.7_19.1.11.C.02.

NZISM v3.7 19.1.11.C.02.

Gateways

19.1.11.C.02. - maintain security and integrity across domains.

Shared

n/a

For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party.

NZISM_v3.7

19.1.12.C.01.

NZISM_v3.7_19.1.12.C.01.

NZISM v3.7 19.1.12.C.01.

Gateways

19.1.12.C.01. - minimize security risks and ensure effective control over network communications

Shared

n/a

Agencies MUST ensure that gateways: 1. are the only communications paths into and out of internal networks; 2. by default, deny all connections into and out of the network; 3. allow only explicitly authorised connections; 4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network); 5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and 6. provide real-time alerts.

NZISM_v3.7

19.1.14.C.01.

NZISM_v3.7_19.1.14.C.01.

NZISM v3.7 19.1.14.C.01.

Gateways

19.1.14.C.01. - enhance security by segregating resources from the internal network.

Shared

n/a

Agencies MUST use demilitarised zones to house systems and information directly accessed externally.

NZISM_v3.7

19.1.14.C.02.

NZISM_v3.7_19.1.14.C.02.

NZISM v3.7 19.1.14.C.02.

Gateways

19.1.14.C.02. - enhance security by segregating resources from the internal network.

Shared

n/a

Agencies SHOULD use demilitarised zones to house systems and information directly accessed externally.

NZISM_v3.7

19.1.19.C.01.

NZISM_v3.7_19.1.19.C.01.

NZISM v3.7 19.1.19.C.01.

Gateways

19.1.19.C.01. - enhance security posture.

Shared

n/a

Agencies MUST limit access to gateway administration functions.

NZISM_v3.7

19.2.16.C.02.

NZISM_v3.7_19.2.16.C.02.

NZISM v3.7 19.2.16.C.02.

Cross Domain Solutions (CDS)

19.2.16.C.02. - maintain security and prevent unauthorized access or disclosure of sensitive information.

Shared

n/a

Agencies MUST NOT implement a gateway permitting data to flow directly from: 1. a TOP SECRET network to any network below SECRET; 2. a SECRET network to an UNCLASSIFIED network; or 3. a CONFIDENTIAL network to an UNCLASSIFIED network.

NZISM_v3.7

19.2.18.C.01.

NZISM_v3.7_19.2.18.C.01.

NZISM v3.7 19.2.18.C.01.

Cross Domain Solutions (CDS)

19.2.18.C.01. - enhance data security and prevent unauthorized access or leakage between classified networks and less classified networks.

Shared

n/a

Agencies MUST ensure that all bi-directional gateways between TOP SECRET and SECRET networks, SECRET and less classified networks, and CONFIDENTIAL and less classified networks, have separate upward and downward paths which use a diode and physically separate infrastructure for each path.

NZISM_v3.7

19.2.19.C.01.

NZISM_v3.7_19.2.19.C.01.

NZISM v3.7 19.2.19.C.01.

Cross Domain Solutions (CDS)

19.2.19.C.01. - ensure the integrity and reliability of information accessed or received.

Shared

n/a

Trusted sources MUST be: 1. a strictly limited list derived from business requirements and the result of a security risk assessment; 2. where necessary an appropriate security clearance is held; and 3. approved by the Accreditation Authority.

NZISM_v3.7

19.2.19.C.02.

NZISM_v3.7_19.2.19.C.02.

NZISM v3.7 19.2.19.C.02.

Cross Domain Solutions (CDS)

19.2.19.C.02. - reduce the risk of unauthorized data transfers and potential breaches.

Shared

n/a

Trusted sources MUST authorise all data to be exported from a security domain.

PCI_DSS_v4.0.1

1.4.4

PCI_DSS_v4.0.1_1.4.4

PCI DSS v4.0.1 1.4.4

Install and Maintain Network Security Controls

System components that store cardholder data are not directly accessible from untrusted networks

Shared

n/a

Examine the data-flow diagram and network diagram to verify that it is documented that system components storing cardholder data are not directly accessible from the untrusted networks. Examine configurations of NSCs to verify that controls are implemented such that system components storing cardholder data are not directly accessible from untrusted networks

RBI_CSF_Banks_v2016

10.1

RBI_CSF_Banks_v2016_10.1

Secure Mail And Messaging Systems

Secure Mail And Messaging Systems-10.1

n/a

Implement secure mail and messaging systems, including those used by bank???s partners & vendors, that include measures to prevent email spoofing, identical mail domains, protection of attachments, malicious links etc

RBI_CSF_Banks_v2016

10.2

RBI_CSF_Banks_v2016_10.2

Secure Mail And Messaging Systems

Secure Mail And Messaging Systems-10.2

n/a

Document and implement emailserver specific controls

RBI_CSF_Banks_v2016

13.3

RBI_CSF_Banks_v2016_13.3

Advanced Real-Timethreat Defenceand Management

Advanced Real-Timethreat Defenceand Management-13.3

n/a

Consider implementing whitelisting of internet websites/systems.

RBI_CSF_Banks_v2016

13.4

RBI_CSF_Banks_v2016_13.4

Advanced Real-Timethreat Defenceand Management

Advanced Real-Timethreat Defenceand Management-13.4

n/a

Consider implementingsecure web gateways with capability to deep scan network packets including secure (HTTPS, etc.) traffic passing through the web/internet gateway

RBI_CSF_Banks_v2016

4.10

RBI_CSF_Banks_v2016_4.10

Network Management And Security

Perimeter Protection And Detection-4.10

n/a

Boundary defences should be multi-layered with properly configured firewalls, proxies, DMZ perimeter networks, and network--???based IPS and IDS. Mechanism to filter both inbound and outbound traffic to be put in place.

RBI_CSF_Banks_v2016

4.3

RBI_CSF_Banks_v2016_4.3

Network Management And Security

Network Device Configuration Management-4.3

n/a

Ensure that all the network devices are configured appropriately and periodically assess whether the configurations are appropriate to the desired level of network security.

RBI_CSF_Banks_v2016

4.7

RBI_CSF_Banks_v2016_4.7

Network Management And Security

Anomaly Detection-4.7

n/a

Put in place mechanism to detect and remedy any unusual activities in systems, servers, network devices and endpoints.

RBI_ITF_NBFC_v2017

RBI_ITF_NBFC_v2017_5

RBI IT Framework 5

IS Audit

Policy for Information System Audit (IS Audit)-5

n/a

The objective of the IS Audit is to provide an insight on the effectiveness of controls that are in place to ensure confidentiality, integrity and availability of the organization???s IT infrastructure. IS Audit shall identify risks and methods to mitigate risk arising out of IT infrastructure such as server architecture, local and wide area networks, physical and information security, telecommunications etc.

link

RMiT_v1.0

10.33

RMiT_v1.0_10.33

RMiT 10.33

Network Resilience

Network Resilience - 10.33

Shared

n/a

A financial institution must design a reliable, scalable and secure enterprise network that is able to support its business activities, including future growth plans.

link

RMiT_v1.0

Appendix_5.7

RMiT_v1.0_Appendix_5.7

RMiT Appendix 5.7

Control Measures on Cybersecurity

Control Measures on Cybersecurity - Appendix 5.7

Customer

n/a

Ensure overall network security controls are implemented including the following: (a) dedicated firewalls at all segments. All external-facing firewalls must be deployed on High Availability (HA) configuration and “fail-close” mode activated. Deploy different brand name/model for two firewalls located in sequence within the same network path; (b) IPS at all critical network segments with the capability to inspect and monitor encrypted network traffic; (c) web and email filtering systems such as web-proxy, spam filter and anti-spoofing controls; (d) endpoint protection solution to detect and remove security threats including viruses and malicious software; (e) solution to mitigate advanced persistent threats including zero-day and signatureless malware; and (f) capture the full network packets to rebuild relevant network sessions to aid forensics in the event of incidents.

link

SOC_2

CC6.1

SOC_2_CC6.1

SOC 2 Type 2 CC6.1

Logical and Physical Access Controls

Logical access security software, infrastructure, and architectures

Shared

The customer is responsible for implementing this recommendation.

The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction

SOC_2

CC6.6

SOC_2_CC6.6

SOC 2 Type 2 CC6.6

Logical and Physical Access Controls

Security measures against threats outside system boundaries

Shared

The customer is responsible for implementing this recommendation.

• Restricts Access — The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. • Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries. • Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its boundaries. • Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts

SOC_2

CC6.7

SOC_2_CC6.7

SOC 2 Type 2 CC6.7

Logical and Physical Access Controls

Restrict the movement of information to authorized users

Shared

The customer is responsible for implementing this recommendation.

• Restricts the Ability to Perform Transmission — Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement, and removal of information. • Uses Encryption Technologies or Secure Communication Channels to Protect Data — Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. • Protects Removal Media — Encryption technologies and physical asset protections are used for removable media (such as USB drives and backup tapes), as appropriate. • Protects Mobile Devices — Processes are in place to protect mobile devices (such as laptops, smart phones, and tablets) that serve as information assets

SOC_2023

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

218

SOC_2023

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

229

SOC_2023

CC7.4

SOC_2023_CC7.4

SOC 2023 CC7.4

Systems Operations

Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation.

Shared

n/a

The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations.

213

SWIFT_CSCF_2024

1.1

SWIFT_CSCF_2024_1.1

SWIFT Customer Security Controls Framework 2024 1.1

Physical and Environmental Security

Swift Environment Protection

Shared

1. Segmentation between the user's Swift infrastructure and the larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve a compromise of the general enterprise IT environment. 2. Effective segmentation includes network-level separation, access restrictions, and connectivity restrictions.

To ensure the protection of the user’s Swift infrastructure from potentially compromised elements of the general IT environment and external environment.

SWIFT_CSCF_2024

1.5

SWIFT_CSCF_2024_1.5

SWIFT Customer Security Controls Framework 2024 1.5

Physical and Environmental Security

Customer Environment Protection

Shared

1. Segmentation between the customer’s connectivity infrastructure and its larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve compromise of the general enterprise IT environment. 2. Effective segmentation will include network-level separation, access restrictions, and connectivity restrictions.

To ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment.

SWIFT_CSCF_2024

9.1

SWIFT_CSCF_2024_9.1

404 not found

n/a

SWIFT_CSCF_v2021

1.1

SWIFT_CSCF_v2021_1.1

SWIFT CSCF v2021 1.1

SWIFT Environment Protection

n/a

Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment.

link

SWIFT_CSCF_v2022

1.1

SWIFT_CSCF_v2022_1.1

SWIFT CSCF v2022 1.1

1. Restrict Internet Access & Protect Critical Systems from General IT Environment

Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment.

Shared

n/a

A separated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments.

link

SWIFT_CSCF_v2022

1.4

SWIFT_CSCF_v2022_1.4

SWIFT CSCF v2022 1.4

1. Restrict Internet Access & Protect Critical Systems from General IT Environment

Control/Protect Internet access from operator PCs and systems within the secure zone.

Shared

n/a

All general-purpose and dedicated operator PCs, as well as systems within the secure zone, have controlled direct internet access in line with business.

link

SWIFT_CSCF_v2022

1.5A

SWIFT_CSCF_v2022_1.5A

SWIFT CSCF v2022 1.5A

1. Restrict Internet Access & Protect Critical Systems from General IT Environment

Ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment.

Shared

n/a

A separated secure zone safeguards the customer's infrastructure used for external connectivity from external environments and compromises or attacks on the broader enterprise environment.

link

U.07.1 - Isolated

404 not found

n/a

Initiative DisplayName

Initiative Id

Initiative Category

State

Type

polSet in AzUSGov

[Deprecated]: Azure Security Benchmark v1

42a694ed-f65e-42b2-aa9e-8052e9740a92

Regulatory Compliance

Deprecated

BuiltIn

true

[Deprecated]: Azure Security Benchmark v2

bb522ac1-bc39-4957-b194-429bcd3bcb0b

Regulatory Compliance

Deprecated

BuiltIn

true

[Deprecated]: New Zealand ISM Restricted

d1a462af-7e6d-4901-98ac-61570b4ed22a

Regulatory Compliance

Deprecated

BuiltIn

unknown

[Deprecated]: New Zealand ISM Restricted v3.5

93d2179e-3068-c82f-2428-d614ae836a04

Regulatory Compliance

Deprecated

BuiltIn

unknown

[Preview]: Australian Government ISM PROTECTED

27272c0b-c225-4cc3-b8b0-f2534b093077

Regulatory Compliance

Preview

BuiltIn

unknown

[Preview]: CMMC 2.0 Level 2

4e50fd13-098b-3206-61d6-d1d78205cb45

Regulatory Compliance

Preview

BuiltIn

true

[Preview]: NIS2

32ff9e30-4725-4ca7-ba3a-904a7721ee87

Regulatory Compliance

Preview

BuiltIn

unknown

[Preview]: Reserve Bank of India - IT Framework for Banks

d0d5578d-cc08-2b22-31e3-f525374f235a

Regulatory Compliance

Preview

BuiltIn

unknown

[Preview]: Reserve Bank of India - IT Framework for NBFC

7f89f09c-48c1-f28d-1bd5-84f3fb22f86c

Regulatory Compliance

Preview

BuiltIn

unknown

[Preview]: SWIFT CSP-CSCF v2021

abf84fac-f817-a70c-14b5-47eec767458a

Regulatory Compliance

Preview

BuiltIn

unknown

Canada Federal PBMM 3-1-2020

f8f5293d-df94-484a-a3e7-6b422a999d91

Regulatory Compliance

BuiltIn

unknown

CIS Microsoft Azure Foundations Benchmark v1.1.0

1a5bb27d-173f-493e-9568-eb56638dde4d

Regulatory Compliance

BuiltIn

true

CMMC Level 3

b5629c75-5c77-4422-87b9-2509e680f8de

Regulatory Compliance

BuiltIn

true

CSA CSA Cloud Controls Matrix v4.0.12

8791506a-dec4-497a-a83f-3abfde37c400

Regulatory Compliance

BuiltIn

unknown

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0

a4087154-2edb-4329-b56a-1cc986807f3c

Regulatory Compliance

BuiltIn

unknown

EU 2022/2555 (NIS2) 2022

42346945-b531-41d8-9e46-f95057672e88

Regulatory Compliance

BuiltIn

unknown

EU General Data Protection Regulation (GDPR) 2016/679

7326812a-86a4-40c8-af7c-8945de9c4913

Regulatory Compliance

BuiltIn

unknown

FBI Criminal Justice Information Services (CJIS) v5.9.5

4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721

Regulatory Compliance

BuiltIn

unknown

FedRAMP High

d5264498-16f4-418a-b659-fa7ef418175f

Regulatory Compliance

BuiltIn

true

FedRAMP Moderate

e95f5a9f-57ad-4d03-bb0b-b1d16db93693

Regulatory Compliance

BuiltIn

true

FFIEC CAT 2017

1d5dbdd5-6f93-43ce-a939-b19df3753cf7

Regulatory Compliance

BuiltIn

unknown

HITRUST CSF v11.3

e0d47b75-5d99-442a-9d60-07f2595ab095

Regulatory Compliance

BuiltIn

unknown

HITRUST/HIPAA

a169a624-5599-4385-a696-c8d643089fab

Regulatory Compliance

BuiltIn

unknown

Microsoft cloud security benchmark

1f3afdf9-d0c9-4c3d-847f-89da613e70a8

Security Center

BuiltIn

true

New Zealand ISM

4f5b1359-4f8e-4d7c-9733-ea47fcde891e

Regulatory Compliance

BuiltIn

unknown

NIST 800-171 R3

38916c43-6876-4971-a4b1-806aa7e55ccc

Regulatory Compliance

BuiltIn

unknown

NIST SP 800-171 Rev. 2

03055927-78bd-4236-86c0-f36125a10dc9

Regulatory Compliance

BuiltIn

true

NIST SP 800-53 R5.1.1

60205a79-6280-4e20-a147-e2011e09dc78

Regulatory Compliance

BuiltIn

unknown

NIST SP 800-53 Rev. 4

cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f

Regulatory Compliance

BuiltIn

true

NIST SP 800-53 Rev. 5

179d1daa-458f-4e47-8086-2a68d0d6c38f

Regulatory Compliance

BuiltIn

true

NL BIO Cloud Theme

6ce73208-883e-490f-a2ac-44aac3b3687f

Regulatory Compliance

BuiltIn

unknown

NL BIO Cloud Theme V2

d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee

Regulatory Compliance

BuiltIn

unknown

NZISM v3.7

4476df0a-18ab-4bfe-b6ad-cccae1cf320f

Regulatory Compliance

BuiltIn

unknown

PCI DSS v4.0.1

a06d5deb-24aa-4991-9d58-fa7563154e31

Regulatory Compliance

BuiltIn

unknown

RMIT Malaysia

97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6

Regulatory Compliance

BuiltIn

unknown

SOC 2 Type 2

4054785f-702b-4a98-9215-009cbd58b141

Regulatory Compliance

BuiltIn

true

SOC 2023

53ad89f5-8542-49e9-ba81-1cbd686e0d52

Regulatory Compliance

BuiltIn

unknown

SWIFT CSP-CSCF v2022

7bc7cd6c-4114-ff31-3cac-59be3157596d

Regulatory Compliance

BuiltIn

unknown

SWIFT Customer Security Controls Framework 2024

7499005e-df5a-45d9-810f-041cf346678c

Regulatory Compliance

BuiltIn

unknown

Date/Time (UTC ymd) (i)

Change type

Change detail

2021-01-05 16:06:49

change

Major (2.0.0 > 3.0.0)

2020-01-10 16:39:23

change

Previous DisplayName: Virtual machines should be associated with a Network Security Group