Az Policy Advertizer

Azure_Security_Benchmark_v2.0

PV-7

Azure_Security_Benchmark_v2.0_PV-7

Azure Security Benchmark PV-7

Posture and Vulnerability Management

Rapidly and automatically remediate software vulnerabilities

Customer

Rapidly deploy software updates to remediate software vulnerabilities in operating systems and applications. Use a common risk scoring program (for example, Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool and tailor to your environment, taking into account which applications present a high security risk and which ones require high uptime. Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically. For third-party software, use a third-party patch management solution or System Center Updates Publisher for Configuration Manager. How to configure Update Management for virtual machines in Azure: https://docs.microsoft.com/azure/automation/automation-update-management Manage updates and patches for your Azure VMs: https://docs.microsoft.com/azure/automation/automation-tutorial-update-management

n/a

C.04.3 - Technical vulnerabilities

404 not found

n/a

C.04.3 - Timelines

404 not found

n/a

C.04.6 - Technical vulnerabilities

404 not found

n/a

C.04.6 - Timelines

404 not found

n/a

C.04.7 - Evaluated

404 not found

n/a

Canada_Federal_PBMM_3-1-2020_AC_2

AC_2

Canada Federal PBMM 3-1-2020 AC 2

Account Management

Shared

1. The organization identifies and selects which types of information system accounts support organizational missions/business functions. 2. The organization assigns account managers for information system accounts. 3. The organization establishes conditions for group and role membership. 4. The organization specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account. 5. The organization requires approvals by responsible managers for requests to create information system accounts. 6. The organization creates, enables, modifies, disables, and removes information system accounts in accordance with information system account management procedures. 7. The organization monitors the use of information system accounts. 8. The organization notifies account managers: a. When accounts are no longer required; b. When users are terminated or transferred; and c. When individual information system usage or need-to-know changes. 9. The organization authorizes access to the information system based on: a. A valid access authorization; b. Intended system usage; and c. Other attributes as required by the organization or associated missions/business functions. 10. The organization reviews accounts for compliance with account management requirements at least annually. 11. The organization establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

To ensure the security, integrity, and efficiency of the information systems.

Canada_Federal_PBMM_3-1-2020_AC_2(1)

AC_2(1)

Canada Federal PBMM 3-1-2020 AC 2(1)

Account Management

Account Management | Automated System Account Management

Shared

The organization employs automated mechanisms to support the management of information system accounts.

To streamline and enhance information system account management processes.

Canada_Federal_PBMM_3-1-2020_AC_2(4)

AC_2(4)

Canada Federal PBMM 3-1-2020 AC 2(4)

Account Management

Account Management | Automated Audit Actions

Shared

1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers. 2. Related controls: AU-2, AU-12.

To ensure accountability and transparency within the information system.

Canada_Federal_PBMM_3-1-2020_CA_2

CA_2

Canada Federal PBMM 3-1-2020 CA 2

Security Assessments

Shared

1. The organization develops a security assessment plan that describes the scope of the assessment including: a. Security controls and control enhancements under assessment; b. Assessment procedures to be used to determine security control effectiveness; and c. Assessment environment, assessment team, and assessment roles and responsibilities. 2. The organization assesses the security controls in the information system and its environment of operation at least annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements. 3. The organization produces a security assessment report that documents the results of the assessment. 4. The organization provides the results of the security control assessment to organization-defined individuals or roles.

To enhance the overall security posture of the organization.

Canada_Federal_PBMM_3-1-2020_CA_3

CA_3

Canada Federal PBMM 3-1-2020 CA 3

Information System Connections

System Interconnections

Shared

1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements. 2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated. 3. The organization reviews and updates Interconnection Security Agreements annually.

To establish and maintain secure connections between information systems.

Canada_Federal_PBMM_3-1-2020_CA_3(3)

CA_3(3)

Canada Federal PBMM 3-1-2020 CA 3(3)

Information System Connections

System Interconnections | Classified Non-National Security System Connections

Shared

The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner.

To ensure the integrity and security of internal systems against external threats.

Canada_Federal_PBMM_3-1-2020_CA_3(5)

CA_3(5)

Canada Federal PBMM 3-1-2020 CA 3(5)

Information System Connections

System Interconnections | Restrictions on External Network Connections

Shared

The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems.

To enhance security posture against unauthorized access.

Canada_Federal_PBMM_3-1-2020_CA_7

CA_7

Canada Federal PBMM 3-1-2020 CA 7

Continuous Monitoring

Shared

1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency.

To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements.

120

Canada_Federal_PBMM_3-1-2020_CM_2

CM_2

Canada Federal PBMM 3-1-2020 CM 2

Baseline Configuration

Shared

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

To support effective management and security practices.

Canada_Federal_PBMM_3-1-2020_CM_2(1)

CM_2(1)

Canada Federal PBMM 3-1-2020 CM 2(1)

Baseline Configuration

Baseline Configuration | Reviews and Updates

Shared

The organization reviews and updates the baseline configuration of the information system: 1. at least annually; or 2. When required due to significant changes as defined in NIST SP 800-37 rev1; and 3. As an integral part of information system component installations and upgrades.

To ensure alignment with current security standards and operational requirements.

Canada_Federal_PBMM_3-1-2020_CP_10(2)

CP_10(2)

Canada Federal PBMM 3-1-2020 CP 10(2)

Information System Recovery and Reconstitution

Information System Recovery and Reconstitution | Transaction Recovery

Shared

The information system implements transaction recovery for systems that are transaction-based.

To minimise the impact on business operations and preventing data loss or corruption.

Canada_Federal_PBMM_3-1-2020_CP_10(4)

CP_10(4)

Canada Federal PBMM 3-1-2020 CP 10(4)

Information System Recovery and Reconstitution

Information System Recovery and Reconstitution | Restore within Time Period

Shared

The organization provides the capability to restore information system components within organization-defined restoration time-periods from configuration-controlled and integrity-protected information representing a known, operational state for the components.

To minimise downtime and ensuring business continuity.

Canada_Federal_PBMM_3-1-2020_CP_2(3)

CP_2(3)

Canada Federal PBMM 3-1-2020 CP 2(3)

Contingency Plan

Contingency Plan | Resume Essential Missions / Business Functions

Shared

The organization plans for the resumption of essential missions and business functions within 24 hours of contingency plan activation.

To ensure that the organization plans for the resumption of essential missions and business functions within 24 hours of activating the contingency plan.

Canada_Federal_PBMM_3-1-2020_CP_2(4)

CP_2(4)

Canada Federal PBMM 3-1-2020 CP 2(4)

Contingency Plan

Contingency Plan | Resume All Missions / Business Functions

Shared

The organization plans for the resumption of all missions and business functions within organization-defined time period of contingency plan activation.

To ensure that the organization plans for the resumption of all missions and business functions within an organization-defined time period of contingency plan activation.

Canada_Federal_PBMM_3-1-2020_CP_2(5)

CP_2(5)

Canada Federal PBMM 3-1-2020 CP 2(5)

Contingency Plan

Contingency Plan | Continue Essential Missions / Business Functions

Shared

The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.

To minimise downtime, mitigate potential financial losses, maintain customer trust, and uphold critical services or functions.

Canada_Federal_PBMM_3-1-2020_CP_2(6)

CP_2(6)

Canada Federal PBMM 3-1-2020 CP 2(6)

Contingency Plan

Contingency Plan | Alternate Processing / Storage Site

Shared

The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.

To minimise downtime and ensure that critical services can continue uninterrupted until full restoration is achieved.

10.7

CIS_Controls_v8.1_10.7

CIS Controls v8.1 10.7

Malware Defenses

Use behaviour based anti-malware software

Shared

Use behaviour based anti-malware software

To ensure that a generic anti-malware software is not used.

12.1

CIS_Controls_v8.1_12.1

CIS Controls v8.1 12.1

Network Infrastructure Management

Ensure network infrastructure is up to date

Shared

1. Ensure network infrastructure is kept up-to-date. 2. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. 3. Review software versions monthly, or more frequently, to verify software support.

To prevent any unauthorized or malicious activity on network systems.

12.3

CIS_Controls_v8.1_12.3

CIS Controls v8.1 12.3

Network Infrastructure Management

Securely manage network infrastructure

Shared

1. Securely manage network infrastructure. 2. Example implementations include version-controlled-infrastructure-ascode, and the use of secure network protocols, such as SSH and HTTPS.

To ensure proper management of network infrastructure.

13.1

CIS_Controls_v8.1_13.1

CIS Controls v8.1 13.1

Network Monitoring and Defense

Centralize security event alerting

Shared

1. Centralize security event alerting across enterprise assets for log correlation and analysis. 2. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. 3.A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard.

To ensure that any security event is immediately alerted enterprise-wide.

13.3

CIS_Controls_v8.1_13.3

CIS Controls v8.1 13.3

Network Monitoring and Defense

Deploy a network intrusion detection solution

Shared

1. Deploy a network intrusion detection solution on enterprise assets, where appropriate. 2. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

To enhance the organization's cybersecurity.

16.12

CIS_Controls_v8.1_16.12

CIS Controls v8.1 16.12

Application Software Security

Implement code-level security checks

Shared

Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed.

To help identify and address potential security issues early in the development process, enhancing the overall security posture of the application.

16.13

CIS_Controls_v8.1_16.13

CIS Controls v8.1 16.13

Application Software Security

Conduct application penetration testing

Shared

1. Conduct application penetration testing. 2. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. 3. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.

To identify potential security weaknesses and assess the overall security posture of the application.

16.2

CIS_Controls_v8.1_16.2

CIS Controls v8.1 16.2

Application Software Security

Establish and maintain a process to accept and address software vulnerabilities

Shared

1. Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. 2. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. 3. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. 4. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. 5. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders.

To serve as an externally-facing document that establishes expectations for external stakeholders regarding vulnerability reporting and remediation procedures.

16.5

CIS_Controls_v8.1_16.5

CIS Controls v8.1 16.5

Application Software Security

Use up-to-date and trusted third-party software components

Shared

1. Use up-to-date and trusted third-party software components. 2. When possible, choose established and proven frameworks and libraries that provide adequate security. 3. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use.

To utilize up-to-date and trusted third-party software components in application development.

16.6

CIS_Controls_v8.1_16.6

CIS Controls v8.1 16.6

Application Software Security

Establish and maintain a severity rating system and process for application vulnerabilities

Shared

1. Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. 2. This process includes setting a minimum level of security acceptability for releasing code or applications. 3. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. 4. Review and update the system and process annually.

To establish and maintain a severity rating system and corresponding process for addressing application vulnerabilities, enabling prioritization of fixes based on severity levels, adapt to evolving threat landscapes and maintain effectiveness in mitigating risks.

16.7

CIS_Controls_v8.1_16.7

CIS Controls v8.1 16.7

Application Software Security

Use standard hardening configuration templates for application infrastructure

Shared

1. Use standard, industry-recommended hardening configuration templates for application infrastructure components. 2. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. 3. Do not allow in-house developed software to weaken configuration hardening.

To ensure that in-house developed software does not compromise the established configuration hardening standards.

18.1

CIS_Controls_v8.1_18.1

CIS Controls v8.1 18.1

Penetration Testing

Establish and maintain a penetration testing program

Shared

1. Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. 2. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.

To establish and maintain a penetration testing program tailored to the size, complexity, and maturity of the enterprise.

18.2

CIS_Controls_v8.1_18.2

CIS Controls v8.1 18.2

Penetration Testing

Perform periodic external penetration tests

Shared

1. Perform periodic external penetration tests based on program requirements, no less than annually. 2. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. 3. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. 4. The testing may be clear box or opaque box.

To ensure thorough assessment and mitigation of potential vulnerabilities.

18.3

CIS_Controls_v8.1_18.3

CIS Controls v8.1 18.3

Penetration Testing

Remediate penetration test findings

Shared

Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

To mitigate security risks effectively.

18.4

CIS_Controls_v8.1_18.4

CIS Controls v8.1 18.4

Penetration Testing

Validate security measures

Shared

Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.

To ensure ongoing alignment with evolving threat landscapes and bolstering the overall security posture of the enterprise.

CMMC_L2_v1.9.0_CM.L2_3.4.8

18.5

CIS_Controls_v8.1_18.5

404 not found

n/a

CMMC_2.0_L2

SI.L1-3.14.1

CMMC_2.0_L2_SI.L1-3.14.1

404 not found

n/a

CMMC_L2_v1.9.0

CM.L2_3.4.8

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.8

Configuration Management

Application Execution Policy

Shared

Apply deny by exception (blacklisting) policy to prevent the use of unauthorized software or deny all, permit by exception (whitelisting) policy to allow the execution of authorized software.

To reduce the risk of malware infections or unauthorized access.

CMMC_L2_v1.9.0

SI.L1_3.14.1

CMMC_L2_v1.9.0_SI.L1_3.14.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SI.L1 3.14.1

System and Information Integrity

Flaw Remediation

Shared

Identify, report, and correct information and information system flaws in a timely manner.

To safeguard assets and maintain operational continuity.

CMMC_L3

RM.2.143

CMMC_L3_RM.2.143

CMMC L3 RM.2.143

Risk Assessment

Remediate vulnerabilities in accordance with risk assessments.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Vulnerabilities discovered, for example, via the scanning conducted in response to RM.2.142, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.

CMMC_L3

SI.1.210

CMMC_L3_SI.1.210

CMMC L3 SI.1.210

System and Information Integrity

Identify, report, and correct information and information system flaws in a timely manner.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.

AIS_07

CSA_v4.0.12_AIS_07

CSA Cloud Controls Matrix v4.0.12 AIS 07

Application & Interface Security

Application Vulnerability Remediation

Shared

n/a

Define and implement a process to remediate application security vulnerabilities, automating remediation when possible.

CCC_07

CSA_v4.0.12_CCC_07

CSA Cloud Controls Matrix v4.0.12 CCC 07

Change Control and Configuration Management

Detection of Baseline Deviation

Shared

n/a

Implement detection measures with proactive notification in case of changes deviating from the established baseline.

TVM_04

CSA_v4.0.12_TVM_04

CSA Cloud Controls Matrix v4.0.12 TVM 04

Threat & Vulnerability Management

Detection Updates

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis.

TVM_08

CSA_v4.0.12_TVM_08

CSA Cloud Controls Matrix v4.0.12 TVM 08

Threat & Vulnerability Management

Vulnerability Prioritization

Shared

n/a

Use a risk-based model for effective prioritization of vulnerability remediation using an industry recognized framework.

EU_2555_(NIS2)_2022_11

EU 2022/2555 (NIS2) 2022 11

Requirements, technical capabilities and tasks of CSIRTs

Shared

n/a

Outlines the requirements, technical capabilities, and tasks of CSIRTs.

EU_2555_(NIS2)_2022_12

EU 2022/2555 (NIS2) 2022 12

Coordinated vulnerability disclosure and a European vulnerability database

Shared

n/a

Establishes a coordinated vulnerability disclosure process and a European vulnerability database.

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

189

EU_2555_(NIS2)_2022_29

EU 2022/2555 (NIS2) 2022 29

Cybersecurity information-sharing arrangements

Shared

n/a

Allows entities to exchange relevant cybersecurity information on a voluntary basis.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

306

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

306

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

306

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

306

.11

FBI_Criminal_Justice_Information_Services_v5.9.5_5.11

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11

Policy and Implementation - Formal Audits

Policy Area 11: Formal Audits

Shared

Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit.

Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies.

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.7

404 not found

n/a

FedRAMP_High_R4

SI-2

FedRAMP_High_R4_SI-2

FedRAMP High SI-2

System And Information Integrity

Flaw Remediation

Shared

n/a

The organization: a. Identifies, reports, and corrects information system flaws; b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Installs security-relevant software and firmware updates within [Assignment: organization- defined time period] of the release of the updates; and d. Incorporates flaw remediation into the organizational configuration management process. Supplemental Guidance: Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11.

FedRAMP_Moderate_R4

SI-2

FedRAMP_Moderate_R4_SI-2

FedRAMP Moderate SI-2

System And Information Integrity

Flaw Remediation

Shared

n/a

NIST_SP_800-171_R2_3.14.1

HITRUST_CSF_v11.3

01.l

HITRUST_CSF_v11.3_01.l

HITRUST CSF v11.3 01.l

Network Access Control

Prevent unauthorized access to networked services.

Shared

Ports, services, and applications installed on a computer or network systems, which are not specifically required for business functionality, to be disabled or removed.

Physical and logical access to diagnostic and configuration ports shall be controlled.

HITRUST_CSF_v11.3

10.c

HITRUST_CSF_v11.3_10.c

HITRUST CSF v11.3 10.c

Correct Processing in Applications

Incorporate validation checks into applications to detect any corruption of information through processing errors or deliberate acts.

Shared

Data integrity controls which manage changes, prevent sequencing errors, ensure recovery from failures, and protect against buffer overrun attacks are to be implemented.

Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.

HITRUST_CSF_v11.3

10.m

HITRUST_CSF_v11.3_10.m

HITRUST CSF v11.3 10.m

Technical Vulnerability Management

Reduce the risks resulting from exploitation of published technical vulnerabilities, technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness.

Shared

1. The necessary secure services, protocols required for the function of the system are to be enabled. 2. Security features to be implemented for any required services that are considered to be insecure. 3. Laptops, workstations, and servers to be configured so they will not auto-run content from removable media. 4. Configuration standards to be consistent with industry-accepted system hardening standards. 5. An enterprise security posture review within every 365 days is to be conducted. 6. Vulnerability scanning tools to be regularly updated with all relevant information system vulnerabilities.

Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.

K_ISMS_P_2018

2.10.1

K_ISMS_P_2018_2.10.1

K ISMS P 2018 2.10.1

2.10

Establish Procedures for Managing the Security of System Operations

Shared

n/a

Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions.

455

K_ISMS_P_2018

2.10.2

K_ISMS_P_2018_2.10.2

K ISMS P 2018 2.10.2

2.10

Establish Protective Measures for Administrator Privileges and Security Configurations

Shared

n/a

Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations.

431

K_ISMS_P_2018

2.11.2

K_ISMS_P_2018_2.11.2

K ISMS P 2018 2.11.2

2.11

Perform Periodic Inspections of the Information System to Identify and Address Vulnerabilities

Shared

n/a

Perform periodic inspections of the information system to identify and address vulnerabilities in a timely manner. Continuous monitoring for new security vulnerabilities with analysis of its potential impacts to the information system must also be performed.

NIST_CSF_v2.0

DE.CM_09

NIST_CSF_v2.0_DE.CM_09

NIST CSF v2.0 DE.CM 09

DETECT- Continuous Monitoring

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

Shared

n/a

To identify and analyze the cybersecurity attacks and compromises.

NIST_SP_800-171_R2_3

.14.1

NIST SP 800-171 R2 3.14.1

System and Information Integrity

Identify, report, and correct system flaws in a timely manner.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

NIST_SP_800-171_R3_3.14.1

NIST_SP_800-171_R3_3

.14.1

NIST 800-171 R3 3.14.1

System and Information Integrity Control

Flaw Remediation

Shared

Organizations identify systems that are affected by announced software and firmware flaws, including potential vulnerabilities that result from those flaws, and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address the flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources, such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases, in remediating the flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors, including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.

a. Identify, report, and correct system flaws. b. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates.

NIST_SP_800-171_R3_3

.4.8

NIST_SP_800-171_R3_3.4.8

404 not found

n/a

NIST_SP_800-53_R4

SI-2

NIST_SP_800-53_R4_SI-2

NIST SP 800-53 Rev. 4 SI-2

System And Information Integrity

Flaw Remediation

Shared

n/a

NIST_SP_800-53_R4_SI-2(6)

NIST_SP_800-53_R4

SI-2(6)

NIST SP 800-53 Rev. 4 SI-2 (6)

System and Information Integrity

Removal of Previous Versions of Software / Firmware

Customer

n/a

The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed.

NIST_SP_800-53_R5.1.1_CM.7.5

NIST_SP_800-53_R5.1.1

CM.7.5

NIST SP 800-53 R5.1.1 CM.7.5

Configuration Management Control

Least Functionality | Authorized Software

Shared

(a) Identify [Assignment: organization-defined software programs authorized to execute on the system]; (b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (c) Review and update the list of authorized software programs [Assignment: organization-defined frequency].

Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in CA-3(5) and SC-7.

NIST_SP_800-53_R5.1.1

SI.2

NIST_SP_800-53_R5.1.1_SI.2

NIST SP 800-53 R5.1.1 SI.2

System and Information Integrity Control

Flaw Remediation

Shared

a. Identify, report, and correct system flaws; b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d. Incorporate flaw remediation into the organizational configuration management process.

The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

NIST_SP_800-53_R5

SI-2

NIST_SP_800-53_R5_SI-2

NIST SP 800-53 Rev. 5 SI-2

System and Information Integrity

Flaw Remediation

Shared

n/a

NIST_SP_800-53_R5_SI-2(6)

NIST_SP_800-53_R5

SI-2(6)

NIST SP 800-53 Rev. 5 SI-2 (6)

System and Information Integrity

Removal of Previous Versions of Software and Firmware

Customer

n/a

Remove previous versions of [Assignment: organization-defined software and firmware components] after updated versions have been installed.

12.4.4.C.01.

NZISM_v3.7_12.4.4.C.01.

NZISM v3.7 12.4.4.C.01.

Product Patching and Updating

12.4.4.C.01. - mitigate the risk of exploitation by malicious actors and to ensure the ongoing security and integrity of the agency's IT systems and data.

Shared

n/a

Agencies MUST apply all critical security patches as soon as possible and within two (2) days of the release of the patch or update.

12.4.4.C.02.

NZISM_v3.7_12.4.4.C.02.

NZISM v3.7 12.4.4.C.02.

Product Patching and Updating

12.4.4.C.02. - minimise the risk of disruptions or vulnerabilities introduced by the patches.

Shared

n/a

Agencies MUST implement a patch management strategy, including an evaluation or testing process.

12.4.4.C.04.

NZISM_v3.7_12.4.4.C.04.

NZISM v3.7 12.4.4.C.04.

Product Patching and Updating

12.4.4.C.04. - mitigate the risk of exploitation by malicious actors and to ensure the ongoing security and integrity of the agency's IT systems and data.

Shared

n/a

Agencies SHOULD apply all critical security patches as soon as possible and preferably within two (2) days of the release of the patch or update.

12.4.4.C.05.

NZISM_v3.7_12.4.4.C.05.

NZISM v3.7 12.4.4.C.05.

Product Patching and Updating

12.4.4.C.05. - reduce the potential attack surface for malicious actors.

Shared

n/a

Agencies SHOULD apply all non-critical security patches as soon as possible.

12.4.4.C.06.

NZISM_v3.7_12.4.4.C.06.

NZISM v3.7 12.4.4.C.06.

Product Patching and Updating

12.4.4.C.06. - maintain the integrity and effectiveness of the patching process.

Shared

n/a

Agencies SHOULD ensure that security patches are applied through a vendor recommended patch or upgrade process.

14.3.12.C.01.

NZISM_v3.7_14.3.12.C.01.

NZISM v3.7 14.3.12.C.01.

Web Applications

14.3.12.C.01. - strengthening the overall security posture of the agency's network environment.

Shared

n/a

Agencies SHOULD use the Web proxy to filter content that is potentially harmful to system users and their workstations.

22.1.26.C.01.

NZISM_v3.7_22.1.26.C.01.

NZISM v3.7 22.1.26.C.01.

Cloud Computing

22.1.26.C.01. - ensure safety of data.

Shared

n/a

Agencies MUST develop and implement a backup, recovery and archiving plan and supporting procedures.

6.4.6.C.01.

NZISM_v3.7_6.4.6.C.01.

NZISM v3.7 6.4.6.C.01.

Business Continuity and Disaster Recovery

6.4.6.C.01. - enhance operational resilience.

Shared

n/a

Agencies SHOULD: 1.Identify vital records; 2. backup all vital records; 3. store copies of critical information, with associated documented recovery procedures, offsite and secured in accordance with the requirements for the highest 4. 4. classification of the information; and 5. test backup and restoration processes regularly to confirm their effectiveness.

PCI_DSS_v4.0.1

6.3.3

PCI_DSS_v4.0.1_6.3.3

PCI DSS v4.0.1 6.3.3

Develop and Maintain Secure Systems and Software

All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: Patches/updates for critical vulnerabilities (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release. All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity’s assessment of the criticality of the risk to the environment as identified according to the risk ranking process at Requirement 6.3.1

Shared

n/a

Examine policies and procedures to verify processes are defined for addressing vulnerabilities by installing applicable security patches/updates in accordance with all elements specified in this requirement. Examine system components and related software and compare the list of installed security patches/updates to the most recent security patch/update information to verify vulnerabilities are addressed in accordance with all elements specified in this requirement

RBI_ITF_NBFC_v2017

RBI_ITF_NBFC_v2017_1

RBI IT Framework 1

IT Governance

IT Governance-1

n/a

IT Governance is an integral part of corporate governance. It involves leadership support, organizational structure and processes to ensure that the NBFC???s IT sustains and extends business strategies and objectives. Effective IT Governance is the responsibility of the Board of Directors and Executive Management. Well-defined roles and responsibilities of Board and Senior Management are critical, while implementing IT Governance. Clearly-defined roles enable effective project control. People, when they are aware of others' expectations from them, are able to complete work on time, within budget and to the expected level of quality. IT Governance Stakeholders include: Board of Directors, IT Strategy Committees, CEOs, Business Executives, Chief Information Officers (CIOs), Chief Technology Officers (CTOs), IT Steering Committees (operating at an executive level and focusing on priority setting, resource allocation and project tracking), Chief Risk Officer and Risk Committees. The basic principles of value delivery, IT Risk Management, IT resource management and performance management must form the basis of governance framework. IT Governance has a continuous life-cycle. It's a process in which IT strategy drives the processes, using resources necessary to execute responsibilities. Given the criticality of the IT, NBFCs may follow relevant aspects of such prudential governance standards that have found acceptability in the finance industry.

RBI_ITF_NBFC_v2017

3.3

RBI_ITF_NBFC_v2017_3.3

RBI IT Framework 3.3

Information and Cyber Security

Vulnerability Management-3.3

n/a

A vulnerability can be defined as an inherent configuration flaw in an organization???s information technology base, whether hardware or software, which can be exploited by a third party to gather sensitive information regarding the organization. Vulnerability management is an ongoing process to determine the process of eliminating or mitigating vulnerabilities based upon the risk and cost associated with the vulnerabilities. NBFCs may devise a strategy for managing and eliminating vulnerabilities and such strategy may clearly be communicated in the Cyber Security policy

RMiT_v1.0

10.65

RMiT_v1.0_10.65

RMiT 10.65

Patch and End-of-Life System Management

Patch and End-of-Life System Management - 10.65

Shared

n/a

A financial institution must establish a patch and EOL management framework which addresses among others the following requirements: (a) identification and risk assessment of all technology assets for potential vulnerabilities arising from undeployed patches or EOL systems; (b) conduct of compatibility testing for critical patches; (c) specification of turnaround time for deploying patches according to the severity of the patches; and (d) adherence to the workflow for end-to-end patch deployment processes including approval, monitoring and tracking of activities.