compliance controls are associated with this Policy definition 'Design an access control model' (03b6427e-6072-4226-4bd9-a410ab65317e)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
CIS_Azure_1.1.0 |
1.12 |
CIS_Azure_1.1.0_1.12 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.12 |
1 Identity and Access Management |
Ensure that 'Guest user permissions are limited' is set to 'Yes' |
Shared |
The customer is responsible for implementing this recommendation. |
Limit guest user permissions. |
link |
8 |
CIS_Azure_1.1.0 |
1.13 |
CIS_Azure_1.1.0_1.13 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.13 |
1 Identity and Access Management |
Ensure that 'Members can invite' is set to 'No' |
Shared |
The customer is responsible for implementing this recommendation. |
Restrict invitations to administrators only. |
link |
8 |
CIS_Azure_1.1.0 |
1.14 |
CIS_Azure_1.1.0_1.14 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.14 |
1 Identity and Access Management |
Ensure that 'Guests can invite' is set to 'No' |
Shared |
The customer is responsible for implementing this recommendation. |
Restrict guest invitations. |
link |
8 |
CIS_Azure_1.1.0 |
1.23 |
CIS_Azure_1.1.0_1.23 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.23 |
1 Identity and Access Management |
Ensure that no custom subscription owner roles are created |
Shared |
The customer is responsible for implementing this recommendation. |
Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access. |
link |
6 |
CIS_Azure_1.3.0 |
1.12 |
CIS_Azure_1.3.0_1.12 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.12 |
1 Identity and Access Management |
Ensure that 'Guest user permissions are limited' is set to 'Yes' |
Shared |
The customer is responsible for implementing this recommendation. |
Limit guest user permissions. |
link |
8 |
CIS_Azure_1.3.0 |
1.13 |
CIS_Azure_1.3.0_1.13 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.13 |
1 Identity and Access Management |
Ensure that 'Members can invite' is set to 'No' |
Shared |
The customer is responsible for implementing this recommendation. |
Restrict invitations to administrators only. |
link |
8 |
CIS_Azure_1.3.0 |
1.14 |
CIS_Azure_1.3.0_1.14 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.14 |
1 Identity and Access Management |
Ensure that 'Guests can invite' is set to 'No' |
Shared |
The customer is responsible for implementing this recommendation. |
Restrict guest being able to invite other guests to collaborate with your organization. |
link |
8 |
CIS_Azure_1.3.0 |
1.21 |
CIS_Azure_1.3.0_1.21 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.21 |
1 Identity and Access Management |
Ensure that no custom subscription owner roles are created |
Shared |
The customer is responsible for implementing this recommendation. |
Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access. |
link |
6 |
CIS_Azure_1.4.0 |
1.12 |
CIS_Azure_1.4.0_1.12 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.12 |
1 Identity and Access Management |
Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'' |
Shared |
The customer is responsible for implementing this recommendation. |
Limit guest user permissions. |
link |
8 |
CIS_Azure_1.4.0 |
1.13 |
CIS_Azure_1.4.0_1.13 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.13 |
1 Identity and Access Management |
Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" |
Shared |
The customer is responsible for implementing this recommendation. |
Restrict invitations to users with specific admin roles only. |
link |
8 |
CIS_Azure_1.4.0 |
1.20 |
CIS_Azure_1.4.0_1.20 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.20 |
1 Identity and Access Management |
Ensure That No Custom Subscription Owner Roles Are Created |
Shared |
The customer is responsible for implementing this recommendation. |
Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access. |
link |
6 |
CIS_Azure_2.0.0 |
1.15 |
CIS_Azure_2.0.0_1.15 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.15 |
1 |
Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' |
Shared |
This may create additional requests for permissions to access resources that administrators will need to approve. |
Limit guest user permissions.
Limiting guest access ensures that guest accounts do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory. Guest access has three levels of restriction.
1. Guest users have the same access as members (most inclusive),
2. Guest users have limited access to properties and memberships of directory objects (default value),
3. Guest user access is restricted to properties and memberships of their own directory objects (most restrictive).
The recommended option is the 3rd, most restrictive: "Guest user access is restricted to their own directory object". |
link |
8 |
CIS_Azure_2.0.0 |
1.16 |
CIS_Azure_2.0.0_1.16 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.16 |
1 |
Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" |
Shared |
With the option of `Only users assigned to specific admin roles can invite guest users` selected, users with specific admin roles will be in charge of sending invitations to the external users, requiring additional overhead by them to manage user accounts. This will mean coordinating with other departments as they are onboarding new users. |
Restrict invitations to users with specific administrative roles only.
Restricting invitations to users with specific administrator roles ensures that only authorized accounts have access to cloud resources. This helps to maintain "Need to Know" permissions and prevents inadvertent access to data.
By default the setting `Guest invite restrictions` is set to `Anyone in the organization can invite guest users including guests and non-admins`. This would allow anyone within the organization to invite guests and non-admins to the tenant, posing a security risk. |
link |
8 |
CIS_Azure_2.0.0 |
1.23 |
CIS_Azure_2.0.0_1.23 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.23 |
1 |
Ensure That No Custom Subscription Administrator Roles Exist |
Shared |
Subscriptions will need to be handled by Administrators with permissions. |
The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.
Classic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended. |
link |
7 |
FedRAMP_High_R4 |
AC-6 |
FedRAMP_High_R4_AC-6 |
FedRAMP High AC-6 |
Access Control |
Least Privilege |
Shared |
n/a |
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Supplemental Guidance: Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems. Related controls: AC-2, AC-3, AC-5, CM-6, CM-7, PL-2.
References: None. |
link |
4 |
FedRAMP_Moderate_R4 |
AC-6 |
FedRAMP_Moderate_R4_AC-6 |
FedRAMP Moderate AC-6 |
Access Control |
Least Privilege |
Shared |
n/a |
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Supplemental Guidance: Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems. Related controls: AC-2, AC-3, AC-5, CM-6, CM-7, PL-2.
References: None. |
link |
4 |
hipaa |
0214.09j1Organizational.6-09.j |
hipaa-0214.09j1Organizational.6-09.j |
0214.09j1Organizational.6-09.j |
02 Endpoint Protection |
0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Protection against malicious code is based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls. |
|
13 |
hipaa |
11180.01c3System.6-01.c |
hipaa-11180.01c3System.6-01.c |
11180.01c3System.6-01.c |
11 Access Control |
11180.01c3System.6-01.c 01.02 Authorized Access to Information Systems |
Shared |
n/a |
Access to management functions or administrative consoles for systems hosting virtualized systems are restricted to personnel based upon the principle of least privilege and supported through technical controls. |
|
7 |
hipaa |
11219.01b1Organizational.10-01.b |
hipaa-11219.01b1Organizational.10-01.b |
11219.01b1Organizational.10-01.b |
11 Access Control |
11219.01b1Organizational.10-01.b 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The organization maintains a current listing of all workforce members (individuals, contractors, vendors, business partners, etc.) with access to sensitive information (e.g., PII). |
|
5 |
hipaa |
1123.01q1System.2-01.q |
hipaa-1123.01q1System.2-01.q |
1123.01q1System.2-01.q |
11 Access Control |
1123.01q1System.2-01.q 01.05 Operating System Access Control |
Shared |
n/a |
Users who perform privileged functions (e.g., system administration) use separate accounts when performing those privileged functions. |
|
6 |
hipaa |
1129.01v1System.12-01.v |
hipaa-1129.01v1System.12-01.v |
1129.01v1System.12-01.v |
11 Access Control |
1129.01v1System.12-01.v 01.06 Application and Information Access Control |
Shared |
n/a |
Access rights to applications and application functions should be restricted in accordance with the access control policy. |
|
12 |
hipaa |
1143.01c1System.123-01.c |
hipaa-1143.01c1System.123-01.c |
1143.01c1System.123-01.c |
11 Access Control |
1143.01c1System.123-01.c 01.02 Authorized Access to Information Systems |
Shared |
n/a |
Privileges are formally authorized and controlled, allocated to users on a need-to-use and event-by-event basis for their functional role (e.g., user or administrator), and documented for each system product/element. |
|
10 |
hipaa |
1144.01c1System.4-01.c |
hipaa-1144.01c1System.4-01.c |
1144.01c1System.4-01.c |
11 Access Control |
1144.01c1System.4-01.c 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The organization explicitly authorizes access to specific security relevant functions (deployed in hardware, software, and firmware) and security-relevant information. |
|
6 |
hipaa |
1146.01c2System.23-01.c |
hipaa-1146.01c2System.23-01.c |
1146.01c2System.23-01.c |
11 Access Control |
1146.01c2System.23-01.c 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The organization promotes the development and use of programs that avoid the need to run with elevated privileges and system routines to avoid the need to grant privileges to users. |
|
8 |
hipaa |
1147.01c2System.456-01.c |
hipaa-1147.01c2System.456-01.c |
1147.01c2System.456-01.c |
11 Access Control |
1147.01c2System.456-01.c 01.02 Authorized Access to Information Systems |
Shared |
n/a |
Elevated privileges are assigned to a different user ID from those used for normal business use, all users access privileged services in a single role, and such privileged access is minimized. |
|
6 |
hipaa |
1148.01c2System.78-01.c |
hipaa-1148.01c2System.78-01.c |
1148.01c2System.78-01.c |
11 Access Control |
1148.01c2System.78-01.c 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The organization restricts access to privileged functions and all security-relevant information. |
|
8 |
hipaa |
1152.01c3System.2-01.c |
hipaa-1152.01c3System.2-01.c |
1152.01c3System.2-01.c |
11 Access Control |
1152.01c3System.2-01.c 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The organization audits the execution of privileged functions on information systems and ensures information systems prevent non-privileged users from executing privileged functions. |
|
9 |
hipaa |
1168.01e2System.2-01.e |
hipaa-1168.01e2System.2-01.e |
1168.01e2System.2-01.e |
11 Access Control |
1168.01e2System.2-01.e 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The organization reviews critical system accounts and privileged access rights every 60 days; all other accounts, including user access and changes to access authorizations, are reviewed every 90 days. |
|
4 |
hipaa |
1232.09c3Organizational.12-09.c |
hipaa-1232.09c3Organizational.12-09.c |
1232.09c3Organizational.12-09.c |
12 Audit Logging & Monitoring |
1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures |
Shared |
n/a |
Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls. |
|
21 |
hipaa |
1271.09ad1System.1-09.ad |
hipaa-1271.09ad1System.1-09.ad |
1271.09ad1System.1-09.ad |
12 Audit Logging & Monitoring |
1271.09ad1System.1-09.ad 09.10 Monitoring |
Shared |
n/a |
An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. |
|
8 |
hipaa |
1271.09ad2System.1 |
hipaa-1271.09ad2System.1 |
1271.09ad2System.1 |
12 Audit Logging & Monitoring |
1271.09ad2System.1 09.10 Monitoring |
Shared |
n/a |
An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. |
|
7 |
hipaa |
1276.09c2Organizational.2-09.c |
hipaa-1276.09c2Organizational.2-09.c |
1276.09c2Organizational.2-09.c |
12 Audit Logging & Monitoring |
1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures |
Shared |
n/a |
Security audit activities are independent. |
|
18 |
ISO27001-2013 |
A.9.1.2 |
ISO27001-2013_A.9.1.2 |
ISO 27001:2013 A.9.1.2 |
Access Control |
Access to networks and network services |
Shared |
n/a |
Users shall only be provided with access to the network and network services that they have been specifically authorized to use. |
link |
29 |
ISO27001-2013 |
A.9.2.3 |
ISO27001-2013_A.9.2.3 |
ISO 27001:2013 A.9.2.3 |
Access Control |
Management of privileged access rights |
Shared |
n/a |
The allocation and use of privileged access rights shall be restricted and controlled. |
link |
33 |
ISO27001-2013 |
A.9.4.4 |
ISO27001-2013_A.9.4.4 |
ISO 27001:2013 A.9.4.4 |
Access Control |
Use of privileged utility programs |
Shared |
n/a |
The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. |
link |
9 |
ISO27001-2013 |
A.9.4.5 |
ISO27001-2013_A.9.4.5 |
ISO 27001:2013 A.9.4.5 |
Access Control |
Access control to program source code |
Shared |
n/a |
Access to program source code shall be restricted. |
link |
10 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
|
mp.sw.1 IT Aplications development |
mp.sw.1 IT Aplications development |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
NIST_SP_800-171_R2_3 |
.1.5 |
NIST_SP_800-171_R2_3.1.5 |
NIST SP 800-171 R2 3.1.5 |
Access Control |
Employ the principle of least privilege, including for specific security functions and privileged accounts. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk. |
link |
8 |
NIST_SP_800-53_R4 |
AC-6 |
NIST_SP_800-53_R4_AC-6 |
NIST SP 800-53 Rev. 4 AC-6 |
Access Control |
Least Privilege |
Shared |
n/a |
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Supplemental Guidance: Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems. Related controls: AC-2, AC-3, AC-5, CM-6, CM-7, PL-2.
References: None. |
link |
4 |
NIST_SP_800-53_R5 |
AC-6 |
NIST_SP_800-53_R5_AC-6 |
NIST SP 800-53 Rev. 5 AC-6 |
Access Control |
Least Privilege |
Shared |
n/a |
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. |
link |
4 |
|
op.acc.1 Identification |
op.acc.1 Identification |
404 not found |
|
|
|
n/a |
n/a |
|
66 |
|
op.acc.2 Access requirements |
op.acc.2 Access requirements |
404 not found |
|
|
|
n/a |
n/a |
|
64 |
|
op.acc.3 Segregation of functions and tasks |
op.acc.3 Segregation of functions and tasks |
404 not found |
|
|
|
n/a |
n/a |
|
43 |
|
op.acc.4 Access rights management process |
op.acc.4 Access rights management process |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
op.acc.5 Authentication mechanism (external users) |
op.acc.5 Authentication mechanism (external users) |
404 not found |
|
|
|
n/a |
n/a |
|
72 |
|
op.ext.4 Interconnection of systems |
op.ext.4 Interconnection of systems |
404 not found |
|
|
|
n/a |
n/a |
|
68 |
PCI_DSS_v4.0 |
7.2.1 |
PCI_DSS_v4.0_7.2.1 |
PCI DSS v4.0 7.2.1 |
Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know |
Access to system components and data is appropriately defined and assigned |
Shared |
n/a |
An access control model is defined and includes granting access as follows:
• Appropriate access depending on the entity’s business and access needs.
• Access to system components and data resources that is based on users’ job classification and functions.
• The least privileges required (for example, user, administrator) to perform a job function. |
link |
10 |
PCI_DSS_v4.0 |
7.2.2 |
PCI_DSS_v4.0_7.2.2 |
PCI DSS v4.0 7.2.2 |
Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know |
Access to system components and data is appropriately defined and assigned |
Shared |
n/a |
Access is assigned to users, including privileged users, based on:
• Job classification and function.
• Least privileges necessary to perform job responsibilities. |
link |
7 |
PCI_DSS_v4.0 |
7.2.3 |
PCI_DSS_v4.0_7.2.3 |
PCI DSS v4.0 7.2.3 |
Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know |
Access to system components and data is appropriately defined and assigned |
Shared |
n/a |
Required privileges are approved by authorized personnel. |
link |
8 |
PCI_DSS_v4.0 |
7.2.6 |
PCI_DSS_v4.0_7.2.6 |
PCI DSS v4.0 7.2.6 |
Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know |
Access to system components and data is appropriately defined and assigned |
Shared |
n/a |
All user access to query repositories of stored cardholder data is restricted as follows:
• Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges.
• Only the responsible administrator(s) can directly access or query repositories of stored CHD. |
link |
8 |
SOC_2 |
CC5.2 |
SOC_2_CC5.2 |
SOC 2 Type 2 CC5.2 |
Control Activities |
COSO Principle 11 |
Shared |
The customer is responsible for implementing this recommendation. |
• Determines Dependency Between the Use of Technology in Business Processes and
Technology General Controls — Management understands and determines the dependency and linkage between business processes, automated control activities, and
technology general controls.
• Establishes Relevant Technology Infrastructure Control Activities — Management
selects and develops control activities over the technology infrastructure, which are
designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
• Establishes Relevant Security Management Process Controls Activities — Management selects and develops control activities that are designed and implemented
to restrict technology access rights to authorized users commensurate with their job
responsibilities and to protect the entity’s assets from external threats.
• Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities — Management selects and develops control activities over the acquisition, development and maintenance of technology and its infrastructure to achieve management's objectives. |
|
18 |
SOC_2 |
CC6.1 |
SOC_2_CC6.1 |
SOC 2 Type 2 CC6.1 |
Logical and Physical Access Controls |
Logical access security software, infrastructure, and architectures |
Shared |
The customer is responsible for implementing this recommendation. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion:
• Identifies and Manages the Inventory of Information Assets — The entity identifies,
Page 29
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
inventories, classifies, and manages information assets.
• Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative
authorities, mobile devices, output, and offline system components is restricted
through the use of access control software and rule sets.
• Identifies and Authenticates Users — Persons, infrastructure, and software are
identified and authenticated prior to accessing information assets, whether locally
or remotely.
• Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
• Manages Points of Access — Points of access by outside entities and the types of
data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified,
documented, and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
• Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems
accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external
infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point.
Credentials are removed and access is disabled when access is no longer required
or the infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to supplement other
measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
• Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction |
|
78 |
SOC_2 |
CC6.3 |
SOC_2_CC6.3 |
SOC 2 Type 2 CC6.3 |
Logical and Physical Access Controls |
Rol based access and least privilege |
Shared |
The customer is responsible for implementing this recommendation. |
• Creates or Modifies Access to Protected Information Assets — Processes are in
place to create or modify access to protected information assets based on authorization from the asset’s owner.
• Removes Access to Protected Information Assets — Processes are in place to remove access to protected information assets when an individual no longer requires
access.
• Uses Role-Based Access Controls — Role-based access control is utilized to support segregation of incompatible functions.
• Reviews Access Roles and Rules — The appropriateness of access roles and access
rules is reviewed on a periodic basis for unnecessary and inappropriate individuals
with access and access rules are modified as appropriate |
|
20 |
SWIFT_CSCF_v2022 |
1.2 |
SWIFT_CSCF_v2022_1.2 |
SWIFT CSCF v2022 1.2 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Restrict and control the allocation and usage of administrator-level operating system accounts. |
Shared |
n/a |
Access to administrator-level operating system accounts is restricted to the maximum extent possible. Usage is controlled, monitored, and only permitted for relevant activities such as software installation and configuration, maintenance, and emergency activities. At all other times, an account with the least privilege access is used. |
link |
22 |
SWIFT_CSCF_v2022 |
2.11A |
SWIFT_CSCF_v2022_2.11A |
SWIFT CSCF v2022 2.11A |
2. Reduce Attack Surface and Vulnerabilities |
Restrict transaction activity to validated and approved business counterparties. |
Shared |
n/a |
Implement RMA controls to restrict transaction activity with effective business counterparties. |
link |
10 |
SWIFT_CSCF_v2022 |
5.1 |
SWIFT_CSCF_v2022_5.1 |
SWIFT CSCF v2022 5.1 |
5. Manage Identities and Segregate Privileges |
Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. |
Shared |
n/a |
Accounts are defined according to the security principles of need-to-know access, least privilege, and separation of duties. |
link |
35 |