Az Policy Advertizer

Canada_Federal_PBMM_3-1-2020_AC_2

AC_2

Canada Federal PBMM 3-1-2020 AC 2

Account Management

Shared

1. The organization identifies and selects which types of information system accounts support organizational missions/business functions. 2. The organization assigns account managers for information system accounts. 3. The organization establishes conditions for group and role membership. 4. The organization specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account. 5. The organization requires approvals by responsible managers for requests to create information system accounts. 6. The organization creates, enables, modifies, disables, and removes information system accounts in accordance with information system account management procedures. 7. The organization monitors the use of information system accounts. 8. The organization notifies account managers: a. When accounts are no longer required; b. When users are terminated or transferred; and c. When individual information system usage or need-to-know changes. 9. The organization authorizes access to the information system based on: a. A valid access authorization; b. Intended system usage; and c. Other attributes as required by the organization or associated missions/business functions. 10. The organization reviews accounts for compliance with account management requirements at least annually. 11. The organization establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

To ensure the security, integrity, and efficiency of the information systems.

Canada_Federal_PBMM_3-1-2020_AC_2(1)

AC_2(1)

Canada Federal PBMM 3-1-2020 AC 2(1)

Account Management

Account Management | Automated System Account Management

Shared

The organization employs automated mechanisms to support the management of information system accounts.

To streamline and enhance information system account management processes.

Canada_Federal_PBMM_3-1-2020_CA_2

CA_2

Canada Federal PBMM 3-1-2020 CA 2

Security Assessments

Shared

1. The organization develops a security assessment plan that describes the scope of the assessment including: a. Security controls and control enhancements under assessment; b. Assessment procedures to be used to determine security control effectiveness; and c. Assessment environment, assessment team, and assessment roles and responsibilities. 2. The organization assesses the security controls in the information system and its environment of operation at least annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements. 3. The organization produces a security assessment report that documents the results of the assessment. 4. The organization provides the results of the security control assessment to organization-defined individuals or roles.

To enhance the overall security posture of the organization.

Canada_Federal_PBMM_3-1-2020_CA_3

CA_3

Canada Federal PBMM 3-1-2020 CA 3

Information System Connections

System Interconnections

Shared

1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements. 2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated. 3. The organization reviews and updates Interconnection Security Agreements annually.

To establish and maintain secure connections between information systems.

Canada_Federal_PBMM_3-1-2020_CA_3(3)

CA_3(3)

Canada Federal PBMM 3-1-2020 CA 3(3)

Information System Connections

System Interconnections | Classified Non-National Security System Connections

Shared

The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner.

To ensure the integrity and security of internal systems against external threats.

Canada_Federal_PBMM_3-1-2020_CA_3(5)

CA_3(5)

Canada Federal PBMM 3-1-2020 CA 3(5)

Information System Connections

System Interconnections | Restrictions on External Network Connections

Shared

The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems.

To enhance security posture against unauthorized access.

Canada_Federal_PBMM_3-1-2020_CA_7

CA_7

Canada Federal PBMM 3-1-2020 CA 7

Continuous Monitoring

Shared

1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency.

To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements.

124

Canada_Federal_PBMM_3-1-2020_CM_2

CM_2

Canada Federal PBMM 3-1-2020 CM 2

Baseline Configuration

Shared

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

To support effective management and security practices.

Canada_Federal_PBMM_3-1-2020_CM_2(1)

CM_2(1)

Canada Federal PBMM 3-1-2020 CM 2(1)

Baseline Configuration

Baseline Configuration | Reviews and Updates

Shared

The organization reviews and updates the baseline configuration of the information system: 1. at least annually; or 2. When required due to significant changes as defined in NIST SP 800-37 rev1; and 3. As an integral part of information system component installations and upgrades.

To ensure alignment with current security standards and operational requirements.

Canada_Federal_PBMM_3-1-2020_CM_2(2)

CM_2(2)

Canada Federal PBMM 3-1-2020 CM 2(2)

Baseline Configuration

Baseline Configuration | Automation Support for Accuracy / Currency

Shared

The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

To ensure the information system maintains an up-to-date, complete, accurate, and readily available baseline configuration

Canada_Federal_PBMM_3-1-2020_IA_5

IA_5

Canada Federal PBMM 3-1-2020 IA 5

Authenticator Management

Shared

1. The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. 2. The organization manages information system authenticators by establishing initial authenticator content for authenticators defined by the organization. 3. The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use. 4. The organization manages information system authenticators by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators. 5. The organization manages information system authenticators by changing the default content of authenticators prior to information system installation. 6. The organization manages information system authenticators by establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators. 7. The organization manages information system authenticators by changing/refreshing authenticators in accordance with CCCS’s ITSP.30.031. 8. The organization manages information system authenticators by protecting authenticator content from unauthorized disclosure and modification. 9. The organization manages information system authenticators by requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators. 10. The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes.

To effectively manage information system authenticators through verification of recipient identity.

Canada_Federal_PBMM_3-1-2020_IA_5(11)

IA_5(11)

Canada Federal PBMM 3-1-2020 IA 5(11)

Authenticator Management

Authenticator Management | Hardware Token-Based Authentication

Shared

The information system, for hardware token-based authentication, employs mechanisms that satisfy CCCS's ITSP.30.031 token quality requirements.

To enhance overall security and compliance with CCCS guidelines.

Canada_Federal_PBMM_3-1-2020_MP_1

MP_1

Canada Federal PBMM 3-1-2020 MP 1

Media Protection Policy and Procedures

Shared

1. The organization develops, documents, and disseminates to all personnel: a. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the media protection policy and associated media protection controls. 2. The organization reviews and updates the current: a. Media protection policy at least every 3 years; and b. Media protection procedures at least annually.

To implement media protection policy and procedures.

Canada_Federal_PBMM_3-1-2020_PL_1

PL_1

Canada Federal PBMM 3-1-2020 PL 1

Security Planning Policy and Procedures

Shared

1. The organization develops, documents, and disseminates to personnel or roles with security planning responsibilities a. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Procedures to facilitate the implementation of the security planning policy and associated security planning controls. 2. The organization reviews and updates the current: a. Security planning policy at least every 3 years; and b. Security planning procedures at least annually.

To ensure safety of data and enhance security posture.

Canada_Federal_PBMM_3-1-2020_PL_2

PL_2

Canada Federal PBMM 3-1-2020 PL 2

System Security Plan

Shared

1. The organization develops a security plan for the information system that: a. Is consistent with the organization’s enterprise architecture; b. Explicitly defines the authorization boundary for the system; c. Describes the operational context of the information system in terms of missions and business processes; d. Provides the security categorization of the information system including supporting rationale; e. Describes the operational environment for the information system and relationships with or connections to other information systems; f. Provides an overview of the security requirements for the system; g. Identifies any relevant overlays, if applicable; h. Describes the security controls in place or planned for meeting those requirements including a rationale for tailoring decisions; and i. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation. 2. The organization distributes copies of the security plan and communicates subsequent changes to the plan to personnel or roles with security planning responsibilities. 3. The organization reviews the security plan for the information system at least annually. 4. The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments. 5. The organization protects the security plan from unauthorized disclosure and modification.

To ensure safety of data and enhance security posture.

Canada_Federal_PBMM_3-1-2020_RA_5(1)

RA_5(1)

Canada Federal PBMM 3-1-2020 RA 5(1)

Vulnerability Scanning

Vulnerability Scanning | Update Tool Capability

Shared

The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

To employ vulnerability scanning tools.

10.7

CIS_Controls_v8.1_10.7

CIS Controls v8.1 10.7

Malware Defenses

Use behaviour based anti-malware software

Shared

Use behaviour based anti-malware software

To ensure that a generic anti-malware software is not used.

12.1

CIS_Controls_v8.1_12.1

CIS Controls v8.1 12.1

Network Infrastructure Management

Ensure network infrastructure is up to date

Shared

1. Ensure network infrastructure is kept up-to-date. 2. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. 3. Review software versions monthly, or more frequently, to verify software support.

To prevent any unauthorized or malicious activity on network systems.

12.3

CIS_Controls_v8.1_12.3

CIS Controls v8.1 12.3

Network Infrastructure Management

Securely manage network infrastructure

Shared

1. Securely manage network infrastructure. 2. Example implementations include version-controlled-infrastructure-ascode, and the use of secure network protocols, such as SSH and HTTPS.

To ensure proper management of network infrastructure.

13.1

CIS_Controls_v8.1_13.1

CIS Controls v8.1 13.1

Network Monitoring and Defense

Centralize security event alerting

Shared

1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard.

To ensure that any security event is immediately alerted enterprise-wide.

101

13.3

CIS_Controls_v8.1_13.3

CIS Controls v8.1 13.3

Network Monitoring and Defense

Deploy a network intrusion detection solution

Shared

1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

To enhance the organization's cybersecurity.

16.12

CIS_Controls_v8.1_16.12

CIS Controls v8.1 16.12

Application Software Security

Implement code-level security checks

Shared

Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed.

To help identify and address potential security issues early in the development process, enhancing the overall security posture of the application.

16.13

CIS_Controls_v8.1_16.13

CIS Controls v8.1 16.13

Application Software Security

Conduct application penetration testing

Shared

1. Conduct application penetration testing. 2. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. 3. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.

To identify potential security weaknesses and assess the overall security posture of the application.

16.2

CIS_Controls_v8.1_16.2

CIS Controls v8.1 16.2

Application Software Security

Establish and maintain a process to accept and address software vulnerabilities

Shared

1. Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. 2. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. 3. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. 4. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. 5. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders.

To serve as an externally-facing document that establishes expectations for external stakeholders regarding vulnerability reporting and remediation procedures.

16.5

CIS_Controls_v8.1_16.5

CIS Controls v8.1 16.5

Application Software Security

Use up-to-date and trusted third-party software components

Shared

1. Use up-to-date and trusted third-party software components. 2. When possible, choose established and proven frameworks and libraries that provide adequate security. 3. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use.

To utilize up-to-date and trusted third-party software components in application development.

16.6

CIS_Controls_v8.1_16.6

CIS Controls v8.1 16.6

Application Software Security

Establish and maintain a severity rating system and process for application vulnerabilities

Shared

1. Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. 2. This process includes setting a minimum level of security acceptability for releasing code or applications. 3. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. 4. Review and update the system and process annually.

To establish and maintain a severity rating system and corresponding process for addressing application vulnerabilities, enabling prioritization of fixes based on severity levels, adapt to evolving threat landscapes and maintain effectiveness in mitigating risks.

16.7

CIS_Controls_v8.1_16.7

CIS Controls v8.1 16.7

Application Software Security

Use standard hardening configuration templates for application infrastructure

Shared

1. Use standard, industry-recommended hardening configuration templates for application infrastructure components. 2. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. 3. Do not allow in-house developed software to weaken configuration hardening.

To ensure that in-house developed software does not compromise the established configuration hardening standards.

18.1

CIS_Controls_v8.1_18.1

CIS Controls v8.1 18.1

Penetration Testing

Establish and maintain a penetration testing program

Shared

1. Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. 2. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.

To establish and maintain a penetration testing program tailored to the size, complexity, and maturity of the enterprise.

18.2

CIS_Controls_v8.1_18.2

CIS Controls v8.1 18.2

Penetration Testing

Perform periodic external penetration tests

Shared

1. Perform periodic external penetration tests based on program requirements, no less than annually. 2. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. 3. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. 4. The testing may be clear box or opaque box.

To ensure thorough assessment and mitigation of potential vulnerabilities.

18.3

CIS_Controls_v8.1_18.3

CIS Controls v8.1 18.3

Penetration Testing

Remediate penetration test findings

Shared

Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

To mitigate security risks effectively.

18.4

CIS_Controls_v8.1_18.4

CIS Controls v8.1 18.4

Penetration Testing

Validate security measures

Shared

Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.

To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise.

CMMC_L2_v1.9.0_CM.L2_3.4.3

18.5

CIS_Controls_v8.1_18.5

404 not found

n/a

CMMC_L2_v1.9.0

CM.L2_3.4.3

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.3

Configuration Management

System Change Management

Shared

Track, review, approve or disapprove, and log changes to organizational systems.

To ensure accountability, transparency, and compliance with established procedures and security requirements.

CMMC_L2_v1.9.0

SI.L1_3.14.1

CMMC_L2_v1.9.0_SI.L1_3.14.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.1

System and Information Integrity

Flaw Remediation

Shared

Identify, report, and correct information and information system flaws in a timely manner.

To safeguard assets and maintain operational continuity.

AIS_01

CSA_v4.0.12_AIS_01

CSA Cloud Controls Matrix v4.0.12 AIS 01

Application & Interface Security

Application and Interface Security Policy and Procedures

Shared

n/a

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance to the appropriate planning, delivery and support of the organization's application security capabilities. Review and update the policies and procedures at least annually.

CCC_02

CSA_v4.0.12_CCC_02

CSA Cloud Controls Matrix v4.0.12 CCC 02

Change Control and Configuration Management

Quality Testing

Shared

n/a

Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards.

CCC_03

CSA_v4.0.12_CCC_03

CSA Cloud Controls Matrix v4.0.12 CCC 03

Change Control and Configuration Management

Change Management Technology

Shared

n/a

Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced).

CCC_04

CSA_v4.0.12_CCC_04

CSA Cloud Controls Matrix v4.0.12 CCC 04

Change Control and Configuration Management

Unauthorized Change Protection

Shared

n/a

Restrict the unauthorized addition, removal, update, and management of organization assets.

CCC_05

CSA_v4.0.12_CCC_05

CSA Cloud Controls Matrix v4.0.12 CCC 05

Change Control and Configuration Management

Change Agreements

Shared

n/a

Include provisions limiting changes directly impacting CSCs owned environments/tenants to explicitly authorized requests within service level agreements between CSPs and CSCs.

CCC_06

CSA_v4.0.12_CCC_06

CSA Cloud Controls Matrix v4.0.12 CCC 06

Change Control and Configuration Management

Change Management Baseline

Shared

n/a

Establish change management baselines for all relevant authorized changes on organization assets.

CCC_08

CSA_v4.0.12_CCC_08

CSA Cloud Controls Matrix v4.0.12 CCC 08

Change Control and Configuration Management

Exception Management

Shared

n/a

'Implement a procedure for the management of exceptions, including emergencies, in the change and configuration process. Align the procedure with the requirements of GRC-04: Policy Exception Process.'

CCC_09

CSA_v4.0.12_CCC_09

CSA Cloud Controls Matrix v4.0.12 CCC 09

Change Control and Configuration Management

Change Restoration

Shared

n/a

Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns.

CEK_05

CSA_v4.0.12_CEK_05

CSA Cloud Controls Matrix v4.0.12 CEK 05

Cryptography, Encryption & Key Management

Encryption Change Management

Shared

n/a

Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes.

CEK_06

CSA_v4.0.12_CEK_06

CSA Cloud Controls Matrix v4.0.12 CEK 06

Cryptography, Encryption & Key Management

Encryption Change Cost Benefit Analysis

Shared

n/a

Manage and adopt changes to cryptography-, encryption-, and key management-related systems (including policies and procedures) that fully account for downstream effects of proposed changes, including residual risk, cost, and benefits analysis.

CEK_07

CSA_v4.0.12_CEK_07

CSA Cloud Controls Matrix v4.0.12 CEK 07

Cryptography, Encryption & Key Management

Encryption Risk Management

Shared

n/a

Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback.

CEK_20

CSA_v4.0.12_CEK_20

CSA Cloud Controls Matrix v4.0.12 CEK 20

Cryptography, Encryption & Key Management

Key Recovery

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements.

DSP_03

CSA_v4.0.12_DSP_03

CSA Cloud Controls Matrix v4.0.12 DSP 03

Data Security and Privacy Lifecycle Management

Data Inventory

Shared

n/a

Create and maintain a data inventory, at least for any sensitive data and personal data.

DSP_07

CSA_v4.0.12_DSP_07

CSA Cloud Controls Matrix v4.0.12 DSP 07

Data Security and Privacy Lifecycle Management

Data Protection by Design and Default

Shared

n/a

Develop systems, products, and business practices based upon a principle of security by design and industry best practices.

DSP_08

CSA_v4.0.12_DSP_08

CSA Cloud Controls Matrix v4.0.12 DSP 08

Data Security and Privacy Lifecycle Management

Data Privacy by Design and Default

Shared

n/a

Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and regulations.

DSP_12

CSA_v4.0.12_DSP_12

CSA Cloud Controls Matrix v4.0.12 DSP 12

Data Security and Privacy Lifecycle Management

Limitation of Purpose in Personal Data Processing

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to ensure that personal data is processed according to any applicable laws and regulations and for the purposes declared to the data subject.

EU_2555_(NIS2)_2022_11

EU 2022/2555 (NIS2) 2022 11

Requirements, technical capabilities and tasks of CSIRTs

Shared

n/a

Outlines the requirements, technical capabilities, and tasks of CSIRTs.

EU_2555_(NIS2)_2022_12

EU 2022/2555 (NIS2) 2022 12

Coordinated vulnerability disclosure and a European vulnerability database

Shared

n/a

Establishes a coordinated vulnerability disclosure process and a European vulnerability database.

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

193

EU_2555_(NIS2)_2022_29

EU 2022/2555 (NIS2) 2022 29

Cybersecurity information-sharing arrangements

Shared

n/a

Allows entities to exchange relevant cybersecurity information on a voluntary basis.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

310

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

310

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

310

.11

FBI_Criminal_Justice_Information_Services_v5.9.5_5.11

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11

Policy and Implementation - Formal Audits

Policy Area 11: Formal Audits

Shared

Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit.

Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies.

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.7

404 not found

n/a

FFIEC_CAT_2017

1.2.2

FFIEC_CAT_2017_1.2.2

FFIEC CAT 2017 1.2.2

Cyber Risk Management and Oversight

Risk Assessment

Shared

n/a

- A risk assessment focused on safeguarding customer information identifies reasonable and foreseeable internal and external threats, the likelihood and potential damage of threats, and the sufficiency of policies, procedures, and customer information systems. - The risk assessment identifies internet-based systems and high-risk transactions that warrant additional authentication controls. - The risk assessment is updated to address new technologies, products, services, and connections before deployment

FFIEC_CAT_2017

3.3.1

FFIEC_CAT_2017_3.3.1

FFIEC CAT 2017 3.3.1

Cybersecurity Controls

Patch Management

Shared

n/a

- A patch management program is implemented and ensures that software and firmware patches are applied in a timely manner. - Patches are tested before being applied to systems and/or software. - Patch management reports are reviewed and reflect missing security patches.

HITRUST_CSF_v11.3

10.c

HITRUST_CSF_v11.3_10.c

HITRUST CSF v11.3 10.c

Correct Processing in Applications

Incorporate validation checks into applications to detect any corruption of information through processing errors or deliberate acts.

Shared

Data integrity controls which manage changes, prevent sequencing errors, ensure recovery from failures, and protect against buffer overrun attacks are to be implemented.

Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.

HITRUST_CSF_v11.3

10.k

HITRUST_CSF_v11.3_10.k

HITRUST CSF v11.3 10.k

Security In Development and Support Processes

Ensure the security of application system software and information through the development process, project and support environments shall be strictly controlled.

Shared

1. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management is to be formally addressed. 2. Changes to mobile device operating systems, patch levels, and/or applications is to be managed through a formal change management process. 3. A baseline configuration of the information system is to be developed, documented, and maintained under configuration control.

The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures.

HITRUST_CSF_v11.3

10.m

HITRUST_CSF_v11.3_10.m

HITRUST CSF v11.3 10.m

Technical Vulnerability Management

Reduce the risks resulting from exploitation of published technical vulnerabilities, technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness.

Shared

1. The necessary secure services, protocols required for the function of the system are to be enabled. 2. Security features to be implemented for any required services that are considered to be insecure. 3. Laptops, workstations, and servers to be configured so they will not auto-run content from removable media. 4. Configuration standards to be consistent with industry-accepted system hardening standards. 5. An enterprise security posture review within every 365 days is to be conducted. 6. Vulnerability scanning tools to be regularly updated with all relevant information system vulnerabilities.

Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.

6.3

ISO_IEC_27001_2022_6.3

ISO IEC 27001 2022 6.3

Planning

Planning of changes

Shared

When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.

Specifies that the organisation must carry out changes to information security management system in a planned manner.

7.5.3

ISO_IEC_27001_2022_7.5.3

ISO IEC 27001 2022 7.5.3

Support

Control of documented information

Shared

1. Documented information required by the information security management system and by this document shall be controlled to ensure: a. it is available and suitable for use, where and when it is needed; and b. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). 2. For the control of documented information, the organization shall address the following activities, as applicable: a. distribution, access, retrieval and use; b. storage and preservation, including the preservation of legibility; c. control of changes (e.g. version control); and d. retention and disposition.

Specifies that the documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled

8.1

ISO_IEC_27001_2022_8.1

ISO IEC 27001 2022 8.1

Operation

Operational planning and control

Shared

1. The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by: a. establishing criteria for the processes; b. implementing control of the processes in accordance with the criteria. 2. Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned. 3. The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. 4. The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.

Specifies the steps to be taken to establish an operational plan and ensure proper implementation and control of the same.

NIS2_PV._Posture_and_Vulnerability_Management_5

9.3.3

ISO_IEC_27001_2022_9.3.3

ISO IEC 27001 2022 9.3.3

Internal Audit

Management Review Results

Shared

The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.

Specifies the considertions that the management review results shall include.

ISO_IEC_27002_2022

8.32

ISO_IEC_27002_2022_8.32

ISO IEC 27002 2022 8.32

Protection, Preventive Control

Change management

Shared

Changes to information processing facilities and information systems should be subject to change management procedures.

To preserve information security when executing changes.

NIS2

PV._Posture_and_Vulnerability_Management_5

PV. Posture and Vulnerability Management

Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure

n/a

missing value

NIST_CSF_v2.0

DE.CM_09

NIST_CSF_v2.0_DE.CM_09

NIST CSF v2.0 DE.CM 09

DETECT- Continuous Monitoring

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

Shared

n/a

To identify and analyze the cybersecurity attacks and compromises.

NIST_CSF_v2.0

ID.RA_07

NIST_CSF_v2.0_ID.RA_07

NIST CSF v2.0 ID.RA 07

IDENTIFY -Risk Assessment

Changes and exceptions are managed, assessed for risk impact, recorded, and tracked.

Shared

n/a

To ensure that cybersecurity risks are known to the organization.

NIST_SP_800-171_R3_3

.14.1

NIST_SP_800-171_R3_3.14.1

NIST 800-171 R3 3.14.1

System and Information Integrity Control

Flaw Remediation

Shared

Organizations identify systems that are affected by announced software and firmware flaws, including potential vulnerabilities that result from those flaws, and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address the flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources, such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases, in remediating the flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors, including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.

a. Identify, report, and correct system flaws. b. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates.

NIST_SP_800-171_R3_3

.4.3

NIST_SP_800-171_R3_3.4.3

404 not found

n/a

NIST_SP_800-53_R5.1.1

CM.3

NIST_SP_800-53_R5.1.1_CM.3

NIST SP 800-53 R5.1.1 CM.3

Configuration Management Control

Configuration Change Control

Shared

a. Determine and document the types of changes to the system that are configuration-controlled; b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; c. Document configuration change decisions associated with the system; d. Implement approved configuration-controlled changes to the system; e. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period]; f. Monitor and review activities associated with configuration-controlled changes to the system; and g. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency] ; when [Assignment: organization-defined configuration change conditions] ].

Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10.

NIST_SP_800-53_R5.1.1

SI.2

NIST_SP_800-53_R5.1.1_SI.2

NIST SP 800-53 R5.1.1 SI.2

System and Information Integrity Control

Flaw Remediation

Shared

a. Identify, report, and correct system flaws; b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d. Incorporate flaw remediation into the organizational configuration management process.

The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

NIST_SP_800-53_R5.1.1

SI.2.4

NIST_SP_800-53_R5.1.1_SI.2.4

NIST SP 800-53 R5.1.1 SI.2.4

System and Information Integrity Control

Flaw Remediation | Automated Patch Management Tools

Shared

Employ automated patch management tools to facilitate flaw remediation to the following system components: [Assignment: organization-defined system components].

Using automated tools to support patch management helps to ensure the timeliness and completeness of system patching operations.

12.4.4.C.01.

NZISM_v3.7_12.4.4.C.01.

NZISM v3.7 12.4.4.C.01.

Product Patching and Updating

12.4.4.C.01. - mitigate the risk of exploitation by malicious actors and to ensure the ongoing security and integrity of the agency's IT systems and data.

Shared

n/a

Agencies MUST apply all critical security patches as soon as possible and within two (2) days of the release of the patch or update.

12.4.4.C.02.

NZISM_v3.7_12.4.4.C.02.

NZISM v3.7 12.4.4.C.02.

Product Patching and Updating

12.4.4.C.02. - minimise the risk of disruptions or vulnerabilities introduced by the patches.

Shared

n/a

Agencies MUST implement a patch management strategy, including an evaluation or testing process.

12.4.4.C.04.

NZISM_v3.7_12.4.4.C.04.

NZISM v3.7 12.4.4.C.04.

Product Patching and Updating

12.4.4.C.04. - mitigate the risk of exploitation by malicious actors and to ensure the ongoing security and integrity of the agency's IT systems and data.

Shared

n/a

Agencies SHOULD apply all critical security patches as soon as possible and preferably within two (2) days of the release of the patch or update.

12.4.4.C.05.

NZISM_v3.7_12.4.4.C.05.

NZISM v3.7 12.4.4.C.05.

Product Patching and Updating

12.4.4.C.05. - reduce the potential attack surface for malicious actors.

Shared

n/a

Agencies SHOULD apply all non-critical security patches as soon as possible.

12.4.4.C.06.

NZISM_v3.7_12.4.4.C.06.

NZISM v3.7 12.4.4.C.06.

Product Patching and Updating

12.4.4.C.06. - maintain the integrity and effectiveness of the patching process.

Shared

n/a

Agencies SHOULD ensure that security patches are applied through a vendor recommended patch or upgrade process.

14.3.12.C.01.

NZISM_v3.7_14.3.12.C.01.

NZISM v3.7 14.3.12.C.01.

Web Applications

14.3.12.C.01. - strengthening the overall security posture of the agency's network environment.

Shared

n/a

Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations.

16.3.5.C.01.

NZISM_v3.7_16.3.5.C.01.

NZISM v3.7 16.3.5.C.01.

Privileged User Access

16.3.5.C.01. - enhance overall security posture.

Shared

n/a

Agencies MUST: 1. ensure strong change management practices are implemented; 2. ensure that the use of privileged accounts is controlled and accountable; 3. ensure that system administrators are assigned and consistently use, an individual account for the performance of their administration tasks; 4. keep privileged accounts to a minimum; and 5. allow the use of privileged accounts for administrative work only.

16.3.5.C.02.

NZISM_v3.7_16.3.5.C.02.

NZISM v3.7 16.3.5.C.02.

Privileged User Access

16.3.5.C.02. - enhance overall security posture.

Shared

n/a

Agencies SHOULD: 1. ensure strong change management practices are implemented; 2. ensure that the use of privileged accounts is controlled and accountable; 3. ensure that system administrators are assigned an individual account for the performance of their administration tasks; 4. keep privileged accounts to a minimum; and 5. allow the use of privileged accounts for administrative work only.

19.1.22.C.02.

NZISM_v3.7_19.1.22.C.02.

NZISM v3.7 19.1.22.C.02.

Gateways

19.1.22.C.02. - ensure transparency, accountability, and adherence to established procedures for maintaining network security and integrity.

Shared

n/a

Agencies MUST document any changes to gateways in accordance with the agency's Change Management Policy.

3.3.6.C.05.

NZISM_v3.7_3.3.6.C.05.

NZISM v3.7 3.3.6.C.05.

Information Technology Security Managers

3.3.6.C.05. - enhance the integrity and security of agency IT operations.

Shared

n/a

ITSMs SHOULD be included in the agency's change management and change control processes to ensure that risks are properly identified and controls are properly applied to manage those risks.

6.3.6.C.01.

NZISM_v3.7_6.3.6.C.01.

NZISM v3.7 6.3.6.C.01.

Change Management

6.3.6.C.01. - maintain the integrity and security of systems.

Shared

n/a

Agencies MUST ensure that for routine and urgent changes: 1. the change management process, as defined in the relevant information security documentation, is followed; 2. the proposed change is approved by the relevant authority; 3. any proposed change that could impact the security or accreditation status of a system is submitted to the Accreditation Authority for approval; and 4. all associated information security documentation is updated to reflect the change.

6.3.6.C.02.

NZISM_v3.7_6.3.6.C.02.

NZISM v3.7 6.3.6.C.02.

Change Management

6.3.6.C.02. - maintain operational integrity and security posture.

Shared

n/a

Agencies SHOULD ensure that for routine and urgent changes: 1. the change management process, as defined in the relevant information security documentation, is followed; 2. the proposed change is approved by the relevant authority; 3. any proposed change that could impact the security of a system or accreditation status is submitted to the Accreditation Authority for approval; and 4. all associated information security documentation is updated to reflect the change.

6.3.7.C.01.

NZISM_v3.7_6.3.7.C.01.

NZISM v3.7 6.3.7.C.01.

Change Management

6.3.7.C.01. - foster systematic and responsive management of critical alterations.

Shared

n/a

An agency's change management process MUST define appropriate actions to be followed before and after urgent changes are implemented.

6.3.7.C.02.

NZISM_v3.7_6.3.7.C.02.

NZISM v3.7 6.3.7.C.02.

Change Management

6.3.7.C.02. - facilitate structured management of critical alterations.

Shared

n/a

An agency's change management process SHOULD define appropriate actions to be followed before and after urgent changes are implemented.

6.3.7.C.03.

NZISM_v3.7_6.3.7.C.03.

NZISM v3.7 6.3.7.C.03.

Change Management

6.3.7.C.03. - ensure systematic and effective management of changes.

Shared

n/a

Agencies SHOULD follow this change management process outline: 1. produce a written change request; 2. submit the change request to all stakeholders for approval; 3. document the changes to be implemented; 4. test the approved changes; 5. notification to user of the change schedule and likely effect or outage; 6. implement the approved changes after successful testing; 7. update the relevant information security documentation including the SRMP, SSP and SOPs 8. notify and educate system users of the changes that have been implemented as close as possible to the time the change is applied; and 9. continually educate system users in regards to changes.

Sarbanes_Oxley_Act_(1)_2022_1

9.1.4.C.01.

NZISM_v3.7_9.1.4.C.01.

NZISM v3.7 9.1.4.C.01.

Information Security Awareness and Training

9.1.4.C.01. - enhance the capability to safeguard sensitive information and mitigate security risks effectively.

Shared

n/a

Agency management MUST ensure that all personnel who have access to a system have sufficient training and ongoing information security awareness.

PCI_DSS_v4.0.1

2.2.1

PCI_DSS_v4.0.1_2.2.1

PCI DSS v4.0.1 2.2.1

Apply Secure Configurations to All System Components

Configuration standards are developed, implemented, and maintained to cover all system components, address all known security vulnerabilities, be consistent with industry-accepted system hardening standards or vendor hardening recommendations, be updated as new vulnerability issues are identified, and be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment

Shared

n/a

Examine system configuration standards to verify they define processes that include all elements specified in this requirement. Examine policies and procedures and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. Examine configuration settings and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before or immediately after a system component is connected to a production environment

PCI_DSS_v4.0.1

6.3.3

PCI_DSS_v4.0.1_6.3.3

PCI DSS v4.0.1 6.3.3

Develop and Maintain Secure Systems and Software

All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: Patches/updates for critical vulnerabilities (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release. All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity’s assessment of the criticality of the risk to the environment as identified according to the risk ranking process at Requirement 6.3.1

Shared

n/a

Examine policies and procedures to verify processes are defined for addressing vulnerabilities by installing applicable security patches/updates in accordance with all elements specified in this requirement. Examine system components and related software and compare the list of installed security patches/updates to the most recent security patch/update information to verify vulnerabilities are addressed in accordance with all elements specified in this requirement

PCI_DSS_v4.0.1

6.5.1

PCI_DSS_v4.0.1_6.5.1

PCI DSS v4.0.1 6.5.1

Develop and Maintain Secure Systems and Software

Changes to all system components in the production environment are made according to established procedures that include: Reason for, and description of, the change. Documentation of security impact. Documented change approval by authorized parties. Testing to verify that the change does not adversely impact system security. For bespoke and custom software changes, all updates are tested for compliance with Requirement 6.2.4 before being deployed into production. Procedures to address failures and return to a secure state

Shared

n/a

Examine documented change control procedures to verify procedures are defined for changes to all system components in the production environment to include all elements specified in this requirement. Examine recent changes to system components and trace those changes back to related change control documentation. For each change examined, verify the change is implemented in accordance with all elements specified in this requirement

Sarbanes Oxley Act 2022 1

PUBLIC LAW

Sarbanes Oxley Act 2022 (SOX)

Shared

n/a

CC1.3

SOC_2023_CC1.3

SOC 2023 CC1.3

Control Environment

Enable effective execution of authorities, information flow, and setup of appropriate responsibilities to achieve organizational objectives.

Shared

n/a

1. Ensure the management establishes, with board oversight, structures including operating units, legal entities, geographic distribution and outsourced service providers. 2. Design and evaluate reporting lines for each entity to enable execution of authorities, execution and flow of information and setup appropriate authorities and responsibilities in the pursuit of objectives.

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

218

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

229

CC6.1

SOC_2023_CC6.1

SOC 2023 CC6.1

Logical and Physical Access Controls

Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets.

Shared

n/a

Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys.

128

CC7.4

SOC_2023_CC7.4

SOC 2023 CC7.4

Systems Operations

Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation.

Shared

n/a

The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations.

213