Az Policy Advertizer

Canada_Federal_PBMM_3-1-2020_SC_2

SC_2

Canada Federal PBMM 3-1-2020 SC 2

Application Partitioning

Shared

The information system separates user functionality (including user interface services) from information system management functionality.

To strengthen security posture and mitigate potential security vulnerabilities.

Canada_Federal_PBMM_3-1-2020_SC_5

SC_5

Canada Federal PBMM 3-1-2020 SC 5

Denial of Service Protection

Shared

The information system protects against or limits the effects of the following denial of service attempts that attack bandwidth, transactional capacity and storage by employing geo-replication, IP address blocking, and network-based DDoS protections.

To strengthen security posture and mitigate potential security vulnerabilities.

Canada_Federal_PBMM_3-1-2020_SC_6

SC_6

Canada Federal PBMM 3-1-2020 SC 6

Resource Availability

Shared

The information system protects the availability of resources by allocating organization-defined resources by priority; quota, or organization-defined security safeguards.

To strengthen security posture and mitigate potential security vulnerabilities.

Canada_Federal_PBMM_3-1-2020_SC_7

SC_7

Canada Federal PBMM 3-1-2020 SC 7

Boundary Protection

Shared

1. The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. 2. The information system implements sub-networks for publicly accessible system components that are physically or logically separated from internal organizational networks. 3. The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

To strengthen security posture and mitigate potential security vulnerabilities.

Canada_Federal_PBMM_3-1-2020_SC_7(12)

SC_7(12)

Canada Federal PBMM 3-1-2020 SC 7(12)

Boundary Protection

Boundary Protection | Host-Based Protection

Shared

The organization implements organization-defined host-based boundary protection mechanisms at organization-defined information system components.

To strengthen security posture and mitigate potential security vulnerabilities.

Canada_Federal_PBMM_3-1-2020_SC_7(3)

SC_7(3)

Canada Federal PBMM 3-1-2020 SC 7(3)

Boundary Protection

Boundary Protection | Access Points

Shared

The organization limits the number of external network connections to the information system.

To strengthen security posture and mitigate potential security vulnerabilities.

Canada_Federal_PBMM_3-1-2020_SC_7(5)

SC_7(5)

Canada Federal PBMM 3-1-2020 SC 7(5)

Boundary Protection

Boundary Protection | Deny by Default / Allow by Exception

Shared

The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

To strengthen security posture and mitigate potential security vulnerabilities.

Canada_Federal_PBMM_3-1-2020_SC_7(7)

SC_7(7)

Canada Federal PBMM 3-1-2020 SC 7(7)

Boundary Protection

Boundary Protection | Prevent Split Tunneling for Remote Devices

Shared

The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

To strengthen security posture and mitigate potential security vulnerabilities.

Canada_Federal_PBMM_3-1-2020_SC_7(8)

SC_7(8)

Canada Federal PBMM 3-1-2020 SC 7(8)

Boundary Protection

Boundary Protection | Route Traffic to Authenticated Proxy Servers

Shared

The information system routes organization-defined internal communications traffic to all untrusted networks outside the control of the organization through authenticated proxy servers at managed interfaces.

To strengthen security posture and mitigate potential security vulnerabilities.

CMMC_L2_v1.9.0

AC.L1_3.1.20

CMMC_L2_v1.9.0_AC.L1_3.1.20

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L1 3.1.20

Access Control

External Connections

Shared

Verify and control/limit connections to and use of external information systems.

To enhance security and minimise potential risks associated with external access.

CMMC_L2_v1.9.0

AC.L2_3.1.18

CMMC_L2_v1.9.0_AC.L2_3.1.18

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.18

Access Control

Mobile Device Connection

Shared

Control connection of mobile devices.

To mitigate the risk of unauthorized access or security breaches.

CMMC_L2_v1.9.0

CM.L2_3.4.8

CMMC_L2_v1.9.0_CM.L2_3.4.8

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.8

Configuration Management

Application Execution Policy

Shared

Apply deny by exception (blacklisting) policy to prevent the use of unauthorized software or deny all, permit by exception (whitelisting) policy to allow the execution of authorized software.

To reduce the risk of malware infections or unauthorized access.

EU_2555_(NIS2)_2022

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

193

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

310

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

310

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5.5

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5

Policy and Implementation - Access Control

Access Control

Shared

Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI.

Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information.

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.7

404 not found

n/a

hipaa

1637.12b2Organizational.2-12.b

hipaa-1637.12b2Organizational.2-12.b

1637.12b2Organizational.2-12.b

16 Business Continuity & Disaster Recovery

1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management

Shared

n/a

Business impact analyses are used to evaluate the consequences of disasters, security failures, loss of service, and service availability.

HITRUST_CSF_v11.3

10.h

HITRUST_CSF_v11.3_10.h

HITRUST CSF v11.3 10.h

Security of System Files

Ensure the security of system files, access to system files and program source code shall be controlled, and IT projects and support activities conducted in a secure manner.

Shared

The updation of operational software, applications, and program libraries is to be performed by authorized administrators.

There shall be procedures in place to control the installation of software on operational systems.

NIST_SP_800-171_R3_3

.1.18

NIST_SP_800-171_R3_3.1.18

NIST 800-171 R3 3.1.18

Access Control

Access Control for Mobile Devices

Shared

A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable, or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, smart watches, and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of mobile devices may be comparable to or a subset of notebook or desktop systems, depending on the nature and intended purpose of the device. The protection and control of mobile devices is behavior- or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which the organization provides physical or procedural controls to meet the requirements established for protecting CUI. Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions, configuration requirements, and connection requirements for mobile devices include configuration management, device identification and authentication, implementing mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices. Container-based encryption provides a fine-grained approach to the encryption of data and information, including encrypting selected data structures (e.g., files, records, or fields).

a. Establish usage restrictions, configuration requirements, and connection requirements for mobile devices. b. Authorize the connection of mobile devices to the system. c. Implement full-device or container-based encryption to protect the confidentiality of CUI on mobile devices.

NIST_SP_800-171_R3_3

.13.9

NIST_SP_800-171_R3_3.13.9

NIST 800-171 R3 3.13.9

System and Communications Protection Control

Network Disconnect

Shared

This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes deallocating TCP/IP addresses or port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single network connection. Time periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.

Terminate network connections associated with communications sessions at the end of the sessions or after periods of inactivity.

NIST_SP_800-171_R3_3

.4.8

NIST_SP_800-171_R3_3.4.8

404 not found

n/a

NIST_SP_800-53_R5.1.1

AC.19

NIST_SP_800-53_R5.1.1_AC.19

NIST SP 800-53 R5.1.1 AC.19

Access Control

Access Control for Mobile Devices

Shared

a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and b. Authorize the connection of mobile devices to organizational systems.

A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems. Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to the organizational network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in AC-19. Many controls for mobile devices are reflected in other controls allocated to the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some overlap by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.

NIST_SP_800-53_R5.1.1

CM.7.2

NIST_SP_800-53_R5.1.1_CM.7.2

NIST SP 800-53 R5.1.1 CM.7.2

Configuration Management Control

Least Functionality | Prevent Program Execution

Shared

Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions] ; rules authorizing the terms and conditions of software program usage].

Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements that restrict software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features, restricting roles allowed to approve program execution, permitting or prohibiting specific software programs, or restricting the number of program instances executed at the same time.

11.4.11.C.01.

NZISM_v3.7_11.4.11.C.01.

NZISM v3.7 11.4.11.C.01.

Mobile Telephony

11.4.11.C.01. - enhance security awareness and minimise risks associated with mobile communication.

Shared

n/a

Agencies intending to use mobile devices for the transmission of classified information MUST ensure that: 1. the network has been certified and accredited for the purpose; 2. all classified traffic that passes over mobile devices is appropriately encrypted; and 3. users are aware of the area, surroundings, potential for overhearing and potential for oversight when using the device.

11.4.12.C.01.

NZISM_v3.7_11.4.12.C.01.

NZISM v3.7 11.4.12.C.01.

Mobile Telephony

11.4.12.C.01. - maintain the integrity of secure environments.

Shared

n/a

Mobile devices MUST be prevented from entering secure areas.

11.4.9.C.01.

NZISM_v3.7_11.4.9.C.01.

NZISM v3.7 11.4.9.C.01.

Mobile Telephony

11.4.9.C.01. - ensure standardized practices, security protocols, and compliance with relevant regulations regarding the handling of sensitive information.

Shared

n/a

Agencies MUST develop a policy governing the use of mobile devices.

16.4.37.C.01.

NZISM_v3.7_16.4.37.C.01.

NZISM v3.7 16.4.37.C.01.

Privileged Access Management

16.4.37.C.01. - enhance security and reduce the risk of unauthorized access or misuse.

Shared

n/a

Agencies MUST implement a Privileged Access Management (PAM) policy training module as part of the agency's overall user training and awareness requirement.

16.4.37.R.02.

NZISM_v3.7_16.4.37.R.02.

404 not found

n/a

19.5.29.C.01.

NZISM_v3.7_19.5.29.C.01.

NZISM v3.7 19.5.29.C.01.

Session Border Controllers

19.5.29.C.01. - enhance security measures and protect agency assets.

Shared

n/a

Agencies MUST develop and implement user awareness and training programmes to support and enable safe use of VoIP and UC services.

2.1.49.C.01.

NZISM_v3.7_2.1.49.C.01.

NZISM v3.7 2.1.49.C.01.

Overview of Key Agencies

2.1.49.C.01. - facilitate collaboration and access to resources for effective security management and response.

Shared

n/a

Security personnel MUST familiarise themselves with the information security roles and services provided by New Zealand Government organisations.

21.4.7.C.01.

NZISM_v3.7_21.4.7.C.01.

NZISM v3.7 21.4.7.C.01.

Non-Agency Owned Devices and Bring Your Own Device (BYOD)

21.4.7.C.01. - ensure proactive identification and mitigation of potential security risks.

Shared

n/a

Agencies MUST undertake a risk assessment and implement appropriate controls BEFORE implementing a BYOD Policy and permitting the use of BYOD.

21.4.7.C.02.

NZISM_v3.7_21.4.7.C.02.

NZISM v3.7 21.4.7.C.02.

Non-Agency Owned Devices and Bring Your Own Device (BYOD)

21.4.7.C.02. - ensure comprehensive protection of agency assets and sensitive information in the context of BYOD usage.

Shared

n/a

Agencies MUST take an integrated approach to BYOD security, covering policy, training, support, systems architecture, security, systems management, change management, incident detection & management and business continuity.

21.4.8.C.01.

NZISM_v3.7_21.4.8.C.01.

NZISM v3.7 21.4.8.C.01.

Non-Agency Owned Devices and Bring Your Own Device (BYOD)

21.4.8.C.01. - maintain security and compliance standards.

Shared

n/a

BYOD MUST only be permitted for agency information systems up to and including RESTRICTED.

21.4.8.C.02.

NZISM_v3.7_21.4.8.C.02.

NZISM v3.7 21.4.8.C.02.

Non-Agency Owned Devices and Bring Your Own Device (BYOD)

21.4.8.C.02. - maintain security and compliance standards.

Shared

n/a

BYOD MUST NOT be used for CONFIDENTIAL, SECRET or TOP SECRET systems.

21.4.9.C.01.

NZISM_v3.7_21.4.9.C.01.

NZISM v3.7 21.4.9.C.01.

Non-Agency Owned Devices and Bring Your Own Device (BYOD)

21.4.9.C.01. - mitigate security risks and ensure compliance with security standards.

Shared

n/a

Devices that have been jail-broken, rooted or have settings violations MUST NOT be used for any agency business or be allowed to connect to any agency systems UNLESS this been specifically authorised.

3.3.13.C.01.

NZISM_v3.7_3.3.13.C.01.

NZISM v3.7 3.3.13.C.01.

Information Technology Security Managers

3.3.13.C.01. - foster a culture of security awareness and equipping personnel with the knowledge and skills to effectively mitigate security risks.

Shared

n/a

ITSMs SHOULD provide or arrange for the provision of information security awareness and training for all agency personnel.

5.1.12.C.02.

NZISM_v3.7_5.1.12.C.02.

NZISM v3.7 5.1.12.C.02.

Documentation Fundamentals

5.1.12.C.02. - enhance the agency's ability to mitigate risks and minimize disruptions to operations.

Shared

n/a

Agency personnel MUST be trained in and periodically exercise the Incident Response Plan.

5.7.4.C.01.

NZISM_v3.7_5.7.4.C.01.

NZISM v3.7 5.7.4.C.01.

Emergency Procedures

5.7.4.C.01. - ensure the protection of classified information and systems.

Shared

n/a

Agencies MUST include in procedures for personnel evacuating a facility the requirement to secure classified information and systems prior to the evacuation.

9.1.4.C.01.

NZISM_v3.7_9.1.4.C.01.

NZISM v3.7 9.1.4.C.01.

Information Security Awareness and Training

9.1.4.C.01. - enhance the capability to safeguard sensitive information and mitigate security risks effectively.

Shared

n/a

Agency management MUST ensure that all personnel who have access to a system have sufficient training and ongoing information security awareness.

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

218

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

229

CC6.1

SOC_2023_CC6.1

SOC 2023 CC6.1

Logical and Physical Access Controls

Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets.

Shared

n/a

Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys.

128