Az Policy Advertizer

Azure_Security_Benchmark_v3.0

NS-2

Azure_Security_Benchmark_v3.0_NS-2

Microsoft cloud security benchmark NS-2

Network Security

Secure cloud services with network controls

Shared

**Security Principle:** Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public network when possible. **Azure Guidance:** Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources. You should also disable or restrict public network access to services where feasible. For certain services, you also have the option to deploy VNet integration for the service where you can restrict the VNET to establish a private access point for the service. **Implementation and additional context:** Understand Azure Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview

n/a

Canada_Federal_PBMM_3-1-2020

AC_4(21)

Canada_Federal_PBMM_3-1-2020_AC_4(21)

Canada Federal PBMM 3-1-2020 AC 4(21)

Information Flow Enforcement

Information Flow Enforcement | Physical / Logical Separation of Information Flows

Shared

The information system separates information flows logically or physically using session encryption to accomplish separation of all sessions.

To enhance security measures and safeguard sensitive data from unauthorized access or interception.

Canada_Federal_PBMM_3-1-2020

SC_12

Canada_Federal_PBMM_3-1-2020_SC_12

Canada Federal PBMM 3-1-2020 SC 12

Cryptographic Key Establishment and Management

Shared

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with CSE-approved cryptography.

To enhance overall security posture and compliance with industry best practices.

Canada_Federal_PBMM_3-1-2020

SC_12(1)

Canada_Federal_PBMM_3-1-2020_SC_12(1)

Canada Federal PBMM 3-1-2020 SC 12(1)

Cryptographic Key Establishment and Management

Cryptographic Key Establishment and Management | Availability

Shared

The organization maintains availability of information in the event of the loss of cryptographic keys by users.

To implement backup and recovery mechanisms.

CIS_Controls_v8.1

3.3

CIS_Controls_v8.1_3.3

CIS Controls v8.1 3.3

Data Protection

Configure data access control lists

Shared

1. Configure data access control lists based on a user’s need to know. 2. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.

To ensure that users have access only to the data necessary for their roles.

CIS_Controls_v8.1

6.8

CIS_Controls_v8.1_6.8

CIS Controls v8.1 6.8

Access Control Management

Define and maintain role-based access control.

Shared

1. Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. 2. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.

To implement a system of role-based access control.

AC.L2-3.1.3

CMMC_2.0_L2_AC.L2-3.1.3

404 not found

n/a

SC.L1-3.13.1

CMMC_2.0_L2_SC.L1-3.13.1

404 not found

n/a

SC.L1-3.13.5

CMMC_2.0_L2_SC.L1-3.13.5

404 not found

n/a

SC.L2-3.13.2

CMMC_2.0_L2_SC.L2-3.13.2

404 not found

n/a

SC.L2-3.13.6

CMMC_2.0_L2_SC.L2-3.13.6

404 not found

n/a

CMMC_L2_v1.9.0_AC.L1_3.1.1

AC.L1_3.1.1

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L1 3.1.1

Access Control

Authorized Access Control

Shared

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

To ensure security and integrity.

CMMC_L2_v1.9.0_AC.L1_3.1.20

AC.L1_3.1.20

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L1 3.1.20

Access Control

External Connections

Shared

Verify and control/limit connections to and use of external information systems.

To enhance security and minimise potential risks associated with external access.

CMMC_L2_v1.9.0_AC.L2_3.1.5

AC.L2_3.1.5

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.5

Access Control

Least Privilege

Shared

Employ the principle of least privilege, including for specific security functions and privileged accounts.

To restrict information system access.

CMMC_L2_v1.9.0_SC.L2_3.13.7

SC.L2_3.13.7

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.7

System and Communications Protection

Split Tunneling

Shared

Prevent remote devices from simultaneously establishing non remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

To mitigate security risks.

AC.1.001

CMMC_L3_AC.1.001

CMMC L3 AC.1.001

Access Control

Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems).

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement AC.1.002.

AC.1.002

CMMC_L3_AC.1.002

CMMC L3 AC.1.002

Access Control

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).

AC.2.016

CMMC_L3_AC.2.016

CMMC L3 AC.2.016

Access Control

Control the flow of CUI in accordance with approved authorizations.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.

CM.3.068

CMMC_L3_CM.3.068

CMMC L3 CM.3.068

Configuration Management

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling.

SC.1.175

CMMC_L3_SC.1.175

CMMC L3 SC.1.175

System and Communications Protection

Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.

SC.3.183

CMMC_L3_SC.3.183

CMMC L3 SC.3.183

System and Communications Protection

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

CSA_v4.0.12

IAM_05

CSA_v4.0.12_IAM_05

CSA Cloud Controls Matrix v4.0.12 IAM 05

Identity & Access Management

Least Privilege

Shared

n/a

Employ the least privilege principle when implementing information system access.

CSA_v4.0.12

IAM_10

CSA_v4.0.12_IAM_10

CSA Cloud Controls Matrix v4.0.12 IAM 10

Identity & Access Management

Management of Privileged Access Roles

Shared

n/a

Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_2

Cyber Essentials v3.1 2

Cyber Essentials

Secure Configuration

Shared

n/a

Aim: ensure that computers and network devices are properly configured to reduce vulnerabilities and provide only the services required to fulfill their role.

Cyber_Essentials_v3.1

Cyber_Essentials_v3.1_4

Cyber Essentials v3.1 4

Cyber Essentials

User Access Control

Shared

n/a

Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role.

EU_2555_(NIS2)_2022

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

189

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

306

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

306

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

306

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

306

FBI_Criminal_Justice_Information_Services_v5.9.5_5.1

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1

Policy and Implementation - Systems And Communications Protection

Systems And Communications Protection

Shared

In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information.

Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment.

110

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.5

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5

Policy and Implementation - Access Control

Access Control

Shared

Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI.

Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information.

FedRAMP_High_R4

AC-4

FedRAMP_High_R4_AC-4

FedRAMP High AC-4

Access Control

Information Flow Enforcement

Shared

n/a

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. References: None.

FedRAMP_High_R4

SC-7

FedRAMP_High_R4_SC-7

FedRAMP High SC-7

System And Communications Protection

Boundary Protection

Shared

n/a

The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13. References: FIPS Publication 199; NIST Special Publications 800-41, 800-77.

FedRAMP_High_R4

SC-7(3)

FedRAMP_High_R4_SC-7(3)

FedRAMP High SC-7 (3)

System And Communications Protection

Access Points

Shared

n/a

The organization limits the number of external network connections to the information system. Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections.

FedRAMP_Moderate_R4

AC-4

FedRAMP_Moderate_R4_AC-4

FedRAMP Moderate AC-4

Access Control

Information Flow Enforcement

Shared

n/a

FedRAMP_Moderate_R4

SC-7

FedRAMP_Moderate_R4_SC-7

FedRAMP Moderate SC-7

System And Communications Protection

Boundary Protection

Shared

n/a

FedRAMP_Moderate_R4_SC-7(3)

FedRAMP_Moderate_R4

SC-7(3)

FedRAMP Moderate SC-7 (3)

System And Communications Protection

Access Points

Shared

n/a

ISO_IEC_27017_2015_12.4.3

FFIEC_CAT_2017

3.1.2

FFIEC_CAT_2017_3.1.2

FFIEC CAT 2017 3.1.2

Cybersecurity Controls

Access and Data Management

Shared

n/a

Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.'FFIEC_Cybersecurity Control'!F8 - Employee access to systems and confidential data provides for separation of duties. - Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger 'FFIEC_Cybersecurity Control'!F7password controls). - User access reviews are performed periodically for all systems and applications based on the risk to the application or system. - Changes to physical and logical user access, including those that result from voluntary and involuntary terminations, are submitted to and approved by appropriate personnel. - Identification and authentication are required and managed for access to systems, applications, and hardware. - Access controls include password complexity and limits to password attempts and reuse. - All default passwords and unnecessary default accounts are changed before system implementation. - Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk. - Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.) - Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems. - All passwords are encrypted in storage and in transit. - Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). - Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) - Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. - Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software. - Customer service (e.g., the call center) utilizes formal procedures to authenticate customers commensurate with the risk of the transaction or request. - Data is disposed of or destroyed according to documented requirements and within expected time frames.

HITRUST_CSF_v11.3

01.n

HITRUST_CSF_v11.3_01.n

HITRUST CSF v11.3 01.n

Network Access Control

Prevent unauthorised access to shared networks.

Shared

Default deny policy at managed interfaces, restricted user connections through network gateways, comprehensive access controls, time-based restrictions, and encryption of sensitive information transmitted over public networks for is to be implemented for enhanced security.

For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications.

HITRUST_CSF_v11.3

01.o

HITRUST_CSF_v11.3_01.o

HITRUST CSF v11.3 01.o

Network Access Control

Implement network routing controls to prevent breach of the access control policy of business applications.

Shared

Security gateways are to be leveraged, application-layer filtering proxy is to be employed, outbound traffic is to be directed through authenticated proxy servers, and internal directory services to fortify network access controls and protect against external threats are to be secured.

Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.

ISO_IEC_27002_2022

8.2

ISO_IEC_27002_2022_8.2

ISO IEC 27002 2022 8.2

Protection, Preventive, Control

Privileged access rights

Shared

The allocation and use of privileged access rights should be restricted and managed.

To ensure only authorized users, software components and services are provided with privileged access rights.

ISO_IEC_27017_2015

12.4.3

ISO IEC 27017 2015 12.4.3

Operations Security

Administrator and Operation Logs

Shared

For Cloud Service Customer: If a privileged operation is delegated to the cloud service customer, the operation and performance of those operations should be logged. The cloud service customer should determine whether logging capabilities provided by the cloud service provider are appropriate or whether the cloud service customer should implement additional logging capabilities.

To log operation and performance of those operations wherein rivileged operation is delegated to the cloud service customer.

K_ISMS_P_2018

2.10.1

K_ISMS_P_2018_2.10.1

K ISMS P 2018 2.10.1

2.10

Establish Procedures for Managing the Security of System Operations

Shared

n/a

Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions.

455

K_ISMS_P_2018

2.10.2

K_ISMS_P_2018_2.10.2

K ISMS P 2018 2.10.2

2.10

Establish Protective Measures for Administrator Privileges and Security Configurations

Shared

n/a

Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations.

431

K_ISMS_P_2018

2.6.6

K_ISMS_P_2018_2.6.6

K ISMS P 2018 2.6.6

2.6

Prohibit Information Use and Processing Outside of Protected Areas

Shared

n/a

Prohibit the use of information systems and the processing of personal information outside protected areas. If remote access is permitted, establish and implement appropriate protective measures.

mp.com.1 Secure perimeter

404 not found

n/a

New_Zealand_ISM

18.1.13.C.02

New_Zealand_ISM_18.1.13.C.02

18. Network security

18.1.13.C.02 Limiting network access

n/a

Agencies SHOULD implement network access controls on all networks.

NIST_CSF_v2.0

PR.AA_05

NIST_CSF_v2.0_PR.AA_05

NIST CSF v2.0 PR.AA 05

PROTECT- Identity Management, Authentication, and Access

Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.

Shared

n/a

To implement safeguards for managing organization’s cybersecurity risks.

.1.3

NIST_SP_800-171_R2_3.1.3

NIST SP 800-171 R2 3.1.3

Access Control

Control the flow of CUI in accordance with approved authorizations.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.

NIST_SP_800-171_R2_3.13.1

.13.1

NIST SP 800-171 R2 3.13.1

System and Communications Protection

Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

NIST_SP_800-171_R2_3.13.2

.13.2

NIST SP 800-171 R2 3.13.2

System and Communications Protection

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions. [SP 800-160-1] provides guidance on systems security engineering.

NIST_SP_800-171_R2_3.13.5

.13.5

NIST SP 800-171 R2 3.13.5

System and Communications Protection

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies

NIST_SP_800-171_R2_3.13.6

.13.6

NIST SP 800-171 R2 3.13.6

System and Communications Protection

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

NIST_SP_800-171_R3_3.1.18

NIST_SP_800-171_R3_3

.1.18

NIST 800-171 R3 3.1.18

Access Control

Access Control for Mobile Devices

Shared

A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable, or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, smart watches, and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of mobile devices may be comparable to or a subset of notebook or desktop systems, depending on the nature and intended purpose of the device. The protection and control of mobile devices is behavior- or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which the organization provides physical or procedural controls to meet the requirements established for protecting CUI. Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions, configuration requirements, and connection requirements for mobile devices include configuration management, device identification and authentication, implementing mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices. Container-based encryption provides a fine-grained approach to the encryption of data and information, including encrypting selected data structures (e.g., files, records, or fields).

a. Establish usage restrictions, configuration requirements, and connection requirements for mobile devices. b. Authorize the connection of mobile devices to the system. c. Implement full-device or container-based encryption to protect the confidentiality of CUI on mobile devices.

NIST_SP_800-171_R3_3

.12.5

NIST_SP_800-171_R3_3.12.5

NIST 800-171 R3 3.12.5

Security Assessment Control

Information Exchange

Shared

The types of agreements selected are based on factors such as the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual) and the level of access to the organizational system by users of the other system. Types of agreements can include interconnection security agreements, information exchange security agreements, memoranda of understanding or agreement, service-level agreements, or other types of agreements. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (e.g., service providers, contractors, system developers, and system integrators). Examples of the types of information contained in exchange agreements include the interface characteristics, security requirements, controls, and responsibilities for each system.

a. Approve and manage the exchange of CUI between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements]. b. Document, as part of the exchange agreements, interface characteristics, security requirements, and responsibilities for each system. c. Review and update the exchange agreements periodically.

NIST_SP_800-171_R3_3

.13.9

NIST_SP_800-171_R3_3.13.9

NIST 800-171 R3 3.13.9

System and Communications Protection Control

Network Disconnect

Shared

This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes deallocating TCP/IP addresses or port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single network connection. Time periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.

Terminate network connections associated with communications sessions at the end of the sessions or after periods of inactivity.

NIST_SP_800-53_R4

AC-4

NIST_SP_800-53_R4_AC-4

NIST SP 800-53 Rev. 4 AC-4

Access Control

Information Flow Enforcement

Shared

n/a

NIST_SP_800-53_R4

SC-7

NIST_SP_800-53_R4_SC-7

NIST SP 800-53 Rev. 4 SC-7

System And Communications Protection

Boundary Protection

Shared

n/a

NIST_SP_800-53_R4_SC-7(3)

NIST_SP_800-53_R4

SC-7(3)

NIST SP 800-53 Rev. 4 SC-7 (3)

System And Communications Protection

Access Points

Shared

n/a

NIST_SP_800-53_R5.1.1_AC.6

NIST_SP_800-53_R5.1.1

AC.6

NIST SP 800-53 R5.1.1 AC.6

Access Control

Least Privilege

Shared

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems.

NIST_SP_800-53_R5.1.1

SC.7.3

NIST_SP_800-53_R5.1.1_SC.7.3

NIST SP 800-53 R5.1.1 SC.7.3

System and Communications Protection

Boundary Protection | Access Points

Shared

Limit the number of external network connections to the system.

Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC] initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system.

NIST_SP_800-53_R5

AC-4

NIST_SP_800-53_R5_AC-4

NIST SP 800-53 Rev. 5 AC-4

Access Control

Information Flow Enforcement

Shared

n/a

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].

NIST_SP_800-53_R5

SC-7

NIST_SP_800-53_R5_SC-7

NIST SP 800-53 Rev. 5 SC-7

System and Communications Protection

Boundary Protection

Shared

n/a

a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically;logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

NIST_SP_800-53_R5_SC-7(3)

NIST_SP_800-53_R5

SC-7(3)

NIST SP 800-53 Rev. 5 SC-7 (3)

System and Communications Protection

Access Points

Shared

n/a

Limit the number of external network connections to the system.

NZ_ISM_v3.5

GS-2

NZ_ISM_v3.5_GS-2

NZISM Security Benchmark GS-2

Gateway security

19.1.11 Using Gateways

Customer

n/a

Physically locating all gateway components inside a secure server room will reduce the risk of unauthorised access to the device(s). The system owner of the higher security domain of connected security domains would be most familiar with the controls required to protect the more sensitive information and as such is best placed to manage any shared components of gateways. In some cases where multiple security domains from different agencies are connected to a gateway, it may be more appropriate to have a qualified third party manage the gateway on behalf of all connected agencies. Gateway components may also reside in a virtual environment ??? refer to Section 22.2 ??? Virtualisation and Section 22.3 ??? Virtual Local Area Networks

NZISM_Security_Benchmark_v1.1

GS-2

NZISM_Security_Benchmark_v1.1_GS-2

NZISM Security Benchmark GS-2

Gateway security

19.1.11 Using Gateways

Customer

Agencies MUST ensure that: all agency networks are protected from networks in other security domains by one or more gateways; all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and all gateway components, discrete and virtual, are physically located within an appropriately secured server room.

Physically locating all gateway components inside a secure server room will reduce the risk of unauthorised access to the device(s). The system owner of the higher security domain of connected security domains would be most familiar with the controls required to protect the more sensitive information and as such is best placed to manage any shared components of gateways. In some cases where multiple security domains from different agencies are connected to a gateway, it may be more appropriate to have a qualified third party manage the gateway on behalf of all connected agencies. Gateway components may also reside in a virtual environment – refer to Section 22.2 – Virtualisation and Section 22.3 – Virtual Local Area Networks

16.1.33.C.01.

NZISM_v3.7_16.1.33.C.01.

NZISM v3.7 16.1.33.C.01.

Identification, Authentication and Passwords

16.1.33.C.01. - promote security and accountability within the agency's systems.

Shared

n/a

Agencies MUST NOT use shared credentials to access accounts.

16.1.33.C.02.

NZISM_v3.7_16.1.33.C.02.

NZISM v3.7 16.1.33.C.02.

Identification, Authentication and Passwords

16.1.33.C.02. - promote security and accountability within the agency's systems.

Shared

n/a

Agencies SHOULD NOT use shared credentials to access accounts.

16.1.34.C.01.

NZISM_v3.7_16.1.34.C.01.

NZISM v3.7 16.1.34.C.01.

Identification, Authentication and Passwords

16.1.34.C.01. - promote security and accountability within the agency's systems.

Shared

n/a

If agencies choose to allow shared, non user-specific accounts they MUST ensure that an independent means of determining the identification of the system user is implemented.

16.1.35.C.02.

NZISM_v3.7_16.1.35.C.02.

NZISM v3.7 16.1.35.C.02.

Identification, Authentication and Passwords

16.1.35.C.02. - implement additional authentication factors to enhance security.

Shared

n/a

Agencies SHOULD ensure that they combine the use of multiple methods when identifying and authenticating system users.

16.1.36.C.01.

NZISM_v3.7_16.1.36.C.01.

NZISM v3.7 16.1.36.C.01.

Identification, Authentication and Passwords

16.1.36.C.01. - enhance overall security posture.

Shared

n/a

Agencies MUST NOT allow storage of unprotected authentication information that grants system access, or decrypts an encrypted device, to be located on, or with the system or device, to which the authentication information grants access.

16.1.37.C.01.

NZISM_v3.7_16.1.37.C.01.

NZISM v3.7 16.1.37.C.01.

Identification, Authentication and Passwords

16.1.37.C.01. - enhance overall security posture.

Shared

n/a

Agencies MUST ensure that system authentication data is protected when in transit on agency networks or All-of-Government systems.

16.1.39.C.01.

NZISM_v3.7_16.1.39.C.01.

NZISM v3.7 16.1.39.C.01.

Identification, Authentication and Passwords

16.1.39.C.01. - enhance overall security posture.

Shared

n/a

Where systems contain NZEO or other nationalities releasability marked or protectively marked information, agencies MUST provide a mechanism that allows system users and processes to identify users who are foreign nationals, including seconded foreign nationals.

16.1.39.C.02.

NZISM_v3.7_16.1.39.C.02.

NZISM v3.7 16.1.39.C.02.

Identification, Authentication and Passwords

16.1.39.C.02. - enhance overall security posture.

Shared

n/a

Agencies using NZEO systems SHOULD ensure that identification includes specific nationality for all foreign nationals, including seconded foreign nationals.

16.1.41.C.02.

NZISM_v3.7_16.1.41.C.02.

NZISM v3.7 16.1.41.C.02.

Identification, Authentication and Passwords

16.1.41.C.02. - enhance overall security posture.

Shared

n/a

Agencies MUST NOT: 1. allow predictable reset passwords; 2. reuse passwords when resetting multiple accounts; 3. store passwords in the clear on the system; 4. allow passwords to be reused within eight password changes; and 5. allow system users to use sequential passwords.

16.1.43.C.01.

NZISM_v3.7_16.1.43.C.01.

NZISM v3.7 16.1.43.C.01.

Identification, Authentication and Passwords

16.1.43.C.01. - enhance overall security posture.

Shared

n/a

Agencies SHOULD disable LAN Manager for password authentication on workstations and servers.

16.1.48.C.02.

NZISM_v3.7_16.1.48.C.02.

NZISM v3.7 16.1.48.C.02.

Identification, Authentication and Passwords

16.1.48.C.02. - enhance overall security posture.

Shared

n/a

Agencies SHOULD seek legal advice on the exact wording of logon banners.

16.1.49.C.01.

NZISM_v3.7_16.1.49.C.01.

NZISM v3.7 16.1.49.C.01.

Identification, Authentication and Passwords

16.1.49.C.01. - enhance overall security posture.

Shared

n/a

Agencies SHOULD configure systems to display the date and time of the system user's previous login during the login process.

16.1.50.C.01.

NZISM_v3.7_16.1.50.C.01.

NZISM v3.7 16.1.50.C.01.

Identification, Authentication and Passwords

16.1.50.C.01. - enhance overall security posture.

Shared

n/a

Agencies SHOULD NOT permit the display of last logged on username, credentials or other identifying details.

16.1.50.C.02.

NZISM_v3.7_16.1.50.C.02.

NZISM v3.7 16.1.50.C.02.

Identification, Authentication and Passwords

16.1.50.C.02. - enhance overall security posture.

Shared

n/a

Agencies SHOULD NOT permit the caching of credentials unless specifically required.

16.2.3.C.01.

NZISM_v3.7_16.2.3.C.01.

NZISM v3.7 16.2.3.C.01.

System Access and Passwords

16.2.3.C.01. - enhance overall security posture.

Shared

n/a

Agencies MUST NOT allow access to NZEO information from systems and facilities not under the sole control of the government of New Zealand and New Zealand citizens.

16.2.3.C.02.

NZISM_v3.7_16.2.3.C.02.

NZISM v3.7 16.2.3.C.02.

System Access and Passwords

16.2.3.C.02. - enhance overall security posture.

Shared

n/a

Unless a multilateral or bilateral security agreement is in place, agencies SHOULD NOT allow access to classified information from systems and facilities not under the sole control of the government of New Zealand and New Zealand citizens.

7.2.1

PCI_DSS_v4.0.1_7.2.1

PCI DSS v4.0.1 7.2.1

Restrict Access to System Components and Cardholder Data by Business Need to Know

An access control model is defined and includes granting access as follows: Appropriate access depending on the entity’s business and access needs. Access to system components and data resources that is based on users’ job classification and functions. The least privileges required (for example, user, administrator) to perform a job function

Shared

n/a

Examine documented policies and procedures and interview personnel to verify the access control model is defined in accordance with all elements specified in this requirement. Examine access control model settings and verify that access needs are appropriately defined in accordance with all elements specified in this requirement

7.2.2

PCI_DSS_v4.0.1_7.2.2

PCI DSS v4.0.1 7.2.2

Restrict Access to System Components and Cardholder Data by Business Need to Know

Access is assigned to users, including privileged users, based on: Job classification and function. Least privileges necessary to perform job responsibilities

Shared

n/a

Examine policies and procedures to verify they cover assigning access to users in accordance with all elements specified in this requirement. Examine user access settings, including for privileged users, and interview responsible management personnel to verify that privileges assigned are in accordance with all elements specified in this requirement. Interview personnel responsible for assigning access to verify that privileged user access is assigned in accordance with all elements specified in this requirement

7.2.5

PCI_DSS_v4.0.1_7.2.5

PCI DSS v4.0.1 7.2.5

Restrict Access to System Components and Cardholder Data by Business Need to Know

All application and system accounts and related access privileges are assigned and managed as follows: Based on the least privileges necessary for the operability of the system or application. Access is limited to the systems, applications, or processes that specifically require their use

Shared

n/a

Examine policies and procedures to verify they define processes to manage and assign application and system accounts and related access privileges in accordance with all elements specified in this requirement. Examine privileges associated with system and application accounts and interview responsible personnel to verify that application and system accounts and related access privileges are assigned and managed in accordance with all elements specified in this requirement

7.2.6

PCI_DSS_v4.0.1_7.2.6

PCI DSS v4.0.1 7.2.6

Restrict Access to System Components and Cardholder Data by Business Need to Know

All user access to query repositories of stored cardholder data is restricted as follows: Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges. Only the responsible administrator(s) can directly access or query repositories of stored CHD

Shared

n/a

Examine policies and procedures and interview personnel to verify processes are defined for granting user access to query repositories of stored cardholder data, in accordance with all elements specified in this requirement. Examine configuration settings for querying repositories of stored cardholder data to verify they are in accordance with all elements specified in this requirement

7.3.1

PCI_DSS_v4.0.1_7.3.1

PCI DSS v4.0.1 7.3.1

Restrict Access to System Components and Cardholder Data by Business Need to Know

An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components

Shared

n/a

Examine vendor documentation and system settings to verify that access is managed for each system component via an access control system(s) that restricts access based on a user’s need to know and covers all system components

RBI_CSF_Banks_v2016

14.1

RBI_CSF_Banks_v2016_14.1

Anti-Phishing

Anti-Phishing-14.1

n/a

Subscribe to Anti-phishing/anti-rouge app services from external service providers for identifying and taking down phishing websites/rouge applications.

RBI_CSF_Banks_v2016

15.2

RBI_CSF_Banks_v2016_15.2

Data Leak Prevention Strategy

Data Leak Prevention Strategy-15.2

n/a

This shall includeprotecting data processed in end point devices, data in transmission, as well as data stored in servers and other digital stores, whether online or offline.

RBI_CSF_Banks_v2016

7.7

RBI_CSF_Banks_v2016_7.7

Patch/Vulnerability & Change Management

Patch/Vulnerability & Change Management-7.7

n/a

Periodically evaluate the access device configurations and patch levels to ensure that all access points, nodes between (i) different VLANs in the Data Centre (ii) LAN/WAN interfaces (iii) bank???s network to external network and interconnections with partner, vendor and service provider networks are to be securely configured.

RMiT_v1.0

Appendix_5.6

RMiT_v1.0_Appendix_5.6

RMiT Appendix 5.6

Control Measures on Cybersecurity

Control Measures on Cybersecurity - Appendix 5.6

Customer

n/a

Ensure security controls for remote access to server include the following: (a) restrict access to only hardened and locked down end-point devices; (b) use secure tunnels such as TLS and VPN IPSec; (c) deploy ‘gateway’ server with adequate perimeter defences and protection such as firewall, IPS and antivirus; and (d) close relevant ports immediately upon expiry of remote access.

Sarbanes_Oxley_Act_(1)_2022_1

Sarbanes Oxley Act 2022 1

PUBLIC LAW

Sarbanes Oxley Act 2022 (SOX)

Shared

n/a

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

214

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

225

CC6.1

SOC_2023_CC6.1

SOC 2023 CC6.1

Logical and Physical Access Controls

Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets.

Shared

n/a

Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys.

127

CC6.2

SOC_2023_CC6.2

SOC 2023 CC6.2

Logical and Physical Access Controls

Ensure effective access control and ensuring the security of the organization's systems and data.

Shared

n/a

1. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. 2. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

CC6.3

SOC_2023_CC6.3

404 not found

n/a

CC6.7

SOC_2023_CC6.7

404 not found

n/a

CC7.2

SOC_2023_CC7.2

SOC 2023 CC7.2

Systems Operations

Maintain robust security measures and ensure operational resilience.

Shared

n/a

The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events.

163

CC7.4

SOC_2023_CC7.4

SOC 2023 CC7.4

Systems Operations

Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation.

Shared

n/a

The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations.

209

CC8.1

SOC_2023_CC8.1

SOC 2023 CC8.1

Change Management

Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change.

Shared

n/a

The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations.

143

1.1

SWIFT_CSCF_2024_1.1

SWIFT Customer Security Controls Framework 2024 1.1

Physical and Environmental Security

Swift Environment Protection

Shared

1. Segmentation between the user's Swift infrastructure and the larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve a compromise of the general enterprise IT environment. 2. Effective segmentation includes network-level separation, access restrictions, and connectivity restrictions.

To ensure the protection of the user’s Swift infrastructure from potentially compromised elements of the general IT environment and external environment.

1.2

SWIFT_CSCF_2024_1.2

SWIFT Customer Security Controls Framework 2024 1.2

Privileged Account Control

Operating System Privileged Account Control

Shared

Tightly protecting administrator-level accounts within the operating system reduces the opportunity for an attacker to use the privileges of the account as part of an attack (for example, executing commands or deleting evidence).

To restrict and control the allocation and usage of administrator-level operating system accounts.

1.5

SWIFT_CSCF_2024_1.5

SWIFT Customer Security Controls Framework 2024 1.5

Physical and Environmental Security

Customer Environment Protection

Shared

1. Segmentation between the customer’s connectivity infrastructure and its larger enterprise network reduces the attack surface and has shown to be an effective way to defend against cyber-attacks that commonly involve compromise of the general enterprise IT environment. 2. Effective segmentation will include network-level separation, access restrictions, and connectivity restrictions.

To ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment.

9.1

SWIFT_CSCF_2024_9.1

404 not found

n/a

SWIFT_CSCF_v2021

6.3

SWIFT_CSCF_v2021_6.3

SWIFT CSCF v2021 6.3

Detect Anomalous Activity to Systems or Transaction Records

Database Integrity

n/a

Ensure the integrity of the database records for the SWIFT messaging interface and act upon results