compliance controls are associated with this Policy definition 'There should be more than one owner assigned to your subscription' (09024ccc-0c5f-475e-9457-b7c0d9ed487b)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| AU_ISM |
1503 |
AU_ISM_1503 |
AU ISM 1503 |
Guidelines for Personnel Security - Access to systems and their resources |
Standard access to systems - 1503 |
|
n/a |
Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties. |
link |
6 |
| AU_ISM |
1508 |
AU_ISM_1508 |
AU ISM 1508 |
Guidelines for Personnel Security - Access to systems and their resources |
Privileged access to systems - 1508 |
|
n/a |
Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties. |
link |
7 |
| Azure_Security_Benchmark_v1.0 |
3.1 |
Azure_Security_Benchmark_v1.0_3.1 |
Azure Security Benchmark 3.1 |
Identity and Access Control |
Maintain an inventory of administrative accounts |
Customer |
Microsoft Entra ID has built-in roles that must be explicitly assigned and are queryable. Use the Microsoft Entra PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.
How to get a directory role in Microsoft Entra ID with PowerShell:
https://docs.microsoft.com/powershell/module/azuread/get-azureaddirectoryrole?view=azureadps-2.0
How to get members of a directory role in Microsoft Entra ID with PowerShell:
https://docs.microsoft.com/powershell/module/azuread/get-azureaddirectoryrolemember?view=azureadps-2.0 |
n/a |
link |
4 |
| Azure_Security_Benchmark_v1.0 |
3.3 |
Azure_Security_Benchmark_v1.0_3.3 |
Azure Security Benchmark 3.3 |
Identity and Access Control |
Use dedicated administrative accounts |
Customer |
Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.
You can also enable a Just-In-Time / Just-Enough-Access by using Microsoft Entra Privileged Identity Management Privileged Roles for Microsoft Services, and Azure Resource Manager.
Learn more: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/ |
n/a |
link |
5 |
| Azure_Security_Benchmark_v2.0 |
PA-1 |
Azure_Security_Benchmark_v2.0_PA-1 |
Azure Security Benchmark PA-1 |
Privileged Access |
Protect and limit highly privileged users |
Customer |
Limit the number of highly privileged user accounts, and protect these accounts at an elevated level.
The most critical built-in roles in Microsoft Entra ID are Global Administrator and the Privileged Role Administrator, because users assigned to these two roles can delegate administrator roles. With these privileges, users can directly or indirectly read and modify every resource in your Azure environment:
- Global Administrator / Company Administrator: Users with this role have access to all administrative features in Microsoft Entra ID, as well as services that use Microsoft Entra identities.
- Privileged Role Administrator: Users with this role can manage role assignments in Microsoft Entra ID, as well as within Microsoft Entra Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units.
Note: You may have other critical roles that need to be governed if you use custom roles with certain privileged permissions assigned. And you may also want to apply similar controls to the administrator account of critical business assets.
You can enable just-in-time (JIT) privileged access to Azure resources and Microsoft Entra ID using Microsoft Entra Privileged Identity Management (PIM). JIT grants temporary permissions to perform privileged tasks only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Microsoft Entra organization.
Administrator role permissions in Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles
Use Azure Privileged Identity Management security alerts: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts
Securing privileged access for hybrid and cloud deployments in Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-admin-roles-secure |
n/a |
link |
4 |
| Azure_Security_Benchmark_v3.0 |
PA-1 |
Azure_Security_Benchmark_v3.0_PA-1 |
Microsoft cloud security benchmark PA-1 |
Privileged Access |
Separate and limit highly privileged/administrative users |
Shared |
**Security Principle:**
Ensure you are identifying all high business impact accounts. Limit the number of privileged/administrative accounts in your cloud's control plane, management plane and data/workload plane.
**Azure Guidance:**
Microsoft Entra ID is Azure's default identity and access management service. The most critical built-in roles in Microsoft Entra ID are Global Administrator and Privileged Role Administrator, because users assigned to these two roles can delegate administrator roles. With these privileges, users can directly or indirectly read and modify every resource in your Azure environment:
- Global Administrator / Company Administrator: Users with this role have access to all administrative features in Microsoft Entra ID, as well as services that use Microsoft Entra identities.
- Privileged Role Administrator: Users with this role can manage role assignments in Microsoft Entra ID, as well as within Microsoft Entra Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units.
Outside of the Microsoft Entra ID, Azure has built-in roles that can be critical for privileged access at the resource level.
- Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
- Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
- User Access Administrator: Lets you manage user access to Azure resources.
Note: You may have other critical roles that need to be governed if you use custom roles in the Microsoft Entra ID level or resource level with certain privileged permissions assigned.
Ensure that you also restrict privileged accounts in other management, identity, and security systems that have administrative access to your business-critical assets, such as Active Directory Domain Controllers (DCs), security tools, and system management tools with agents installed on business critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business critical assets.
**Implementation and additional context:**
Administrator role permissions in Microsoft Entra ID:
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles
Use Azure Privileged Identity Management security alerts:
https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts
Securing privileged access for hybrid and cloud deployments in Microsoft Entra ID:
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-admin-roles-secure |
n/a |
link |
4 |
|
B.10.2 - Security function |
B.10.2 - Security function |
404 not found |
|
|
|
n/a |
n/a |
|
2 |
|
B.10.3 - Organisational position |
B.10.3 - Organisational position |
404 not found |
|
|
|
n/a |
n/a |
|
2 |
|
B.10.4 - Tasks, responsibilities and powers |
B.10.4 - Tasks, responsibilities and powers |
404 not found |
|
|
|
n/a |
n/a |
|
2 |
| CCCS |
AC-5 |
CCCS_AC-5 |
CCCS AC-5 |
Access Control |
Separation of Duties |
|
n/a |
(A) The organization:
(a) Separate organization-defined duties of individuals including at least separation of operational, development, security monitoring, and management functions;
(b) Documents separation of duties of individuals; and
(c) Defines information system access authorizations to support separation of duties. |
link |
7 |
| CCCS |
AC-6 |
CCCS_AC-6 |
CCCS AC-6 |
Access Control |
Least Privilege |
|
n/a |
(A) The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
link |
7 |
| CMMC_2.0_L2 |
AC.L2-3.1.4 |
CMMC_2.0_L2_AC.L2-3.1.4 |
404 not found |
|
|
|
n/a |
n/a |
|
1 |
| CMMC_L3 |
AC.3.017 |
CMMC_L3_AC.3.017 |
CMMC L3 AC.3.017 |
Access Control |
Separate the duties of individuals to reduce the risk of malevolent activity without collusion. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties. |
link |
4 |
| CMMC_L3 |
SC.3.181 |
CMMC_L3_SC.3.181 |
CMMC L3 SC.3.181 |
System and Communications Protection |
Separate user functionality from system management functionality. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. |
link |
6 |
| FedRAMP_High_R4 |
AC-5 |
FedRAMP_High_R4_AC-5 |
FedRAMP High AC-5 |
Access Control |
Separation Of Duties |
Shared |
n/a |
The organization:
a. Separates [Assignment: organization-defined duties of individuals];
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation of duties.
Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2.
Control Enhancements: None.
References: None. |
link |
4 |
| FedRAMP_Moderate_R4 |
AC-5 |
FedRAMP_Moderate_R4_AC-5 |
FedRAMP Moderate AC-5 |
Access Control |
Separation Of Duties |
Shared |
n/a |
The organization:
a. Separates [Assignment: organization-defined duties of individuals];
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation of duties.
Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2.
Control Enhancements: None.
References: None. |
link |
4 |
| hipaa |
11208.01q1Organizational.8-01.q |
hipaa-11208.01q1Organizational.8-01.q |
11208.01q1Organizational.8 - 01.q |
User Identification and Authentication |
The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else. |
Customer |
n/a |
Azure does not implement identification codes and electronic signatures, per FDA CFR 21 Part 11. |
|
1 |
| hipaa |
1145.01c2System.1-01.c |
hipaa-1145.01c2System.1-01.c |
1145.01c2System.1-01.c |
11 Access Control |
1145.01c2System.1-01.c 01.02 Authorized Access to Information Systems |
Shared |
n/a |
Role-based access control is implemented and capable of mapping each user to one or more roles, and each role to one or more system functions. |
|
8 |
| hipaa |
1152.01c3System.2-01.c |
hipaa-1152.01c3System.2-01.c |
1152.01c3System.2-01.c |
11 Access Control |
1152.01c3System.2-01.c 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The organization audits the execution of privileged functions on information systems and ensures information systems prevent non-privileged users from executing privileged functions. |
|
9 |
| IRS_1075_9.3 |
.1.5 |
IRS_1075_9.3.1.5 |
IRS 1075 9.3.1.5 |
Access Control |
Separation of Duties (AC-5) |
|
n/a |
The agency must:
a. Separate duties of individuals to prevent harmful activity without collusion
b. Document separation of duties of individuals
c. Define information system access authorizations to support separation of duties |
link |
7 |
| IRS_1075_9.3 |
.1.6 |
IRS_1075_9.3.1.6 |
IRS 1075 9.3.1.6 |
Access Control |
Least Privilege (AC-6) |
|
n/a |
The agency must:
a. Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with agency missions and business functions
b. Explicitly authorize access to FTI (CE1)
c. Require that users of information system accounts, or roles, with access to FTI, use non-privileged accounts or roles when accessing non-security functions (CE2)
d. Restrict privileged accounts on the information system to a limited number of individuals with a need to perform administrative duties (CE5)
The information system must:
a. Audit the execution of privileged functions (CE9)
b. Prevent non-privileged users from executing privileged functions; including disabling, circumventing, or altering implemented security safeguards/countermeasures (CE10) |
link |
7 |
| ISO27001-2013 |
A.6.1.2 |
ISO27001-2013_A.6.1.2 |
ISO 27001:2013 A.6.1.2 |
Organization of Information Security |
Segregation of Duties |
Shared |
n/a |
Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. |
link |
5 |
| New_Zealand_ISM |
16.4.30.C.01 |
New_Zealand_ISM_16.4.30.C.01 |
New_Zealand_ISM_16.4.30.C.01 |
16. Access Control and Passwords |
16.4.30.C.01 Policy Creation and Implementation |
|
n/a |
Agencies MUST establish a Privileged Access Management (PAM) policy. |
|
6 |
| NIST_SP_800-171_R2_3 |
.1.4 |
NIST_SP_800-171_R2_3.1.4 |
NIST SP 800-171 R2 3.1.4 |
Access Control |
Separate the duties of individuals to reduce the risk of malevolent activity without collusion. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties. |
link |
6 |
| NIST_SP_800-53_R4 |
AC-5 |
NIST_SP_800-53_R4_AC-5 |
NIST SP 800-53 Rev. 4 AC-5 |
Access Control |
Separation Of Duties |
Shared |
n/a |
The organization:
a. Separates [Assignment: organization-defined duties of individuals];
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation of duties.
Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2.
Control Enhancements: None.
References: None. |
link |
4 |
| NIST_SP_800-53_R5 |
AC-5 |
NIST_SP_800-53_R5_AC-5 |
NIST SP 800-53 Rev. 5 AC-5 |
Access Control |
Separation of Duties |
Shared |
n/a |
a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and
b. Define system access authorizations to support separation of duties. |
link |
4 |
| NL_BIO_Cloud_Theme |
B.10.2(2) |
NL_BIO_Cloud_Theme_B.10.2(2) |
NL_BIO_Cloud_Theme_B.10.2(2) |
B.10 Security Organization |
Security Function |
|
n/a |
The security feature provides proactive support for, cloud risk assessment activities; classifying information and systems; use of encryption; securing related projects; developing business continuity program and security audits. |
|
2 |
| NL_BIO_Cloud_Theme |
B.10.3(2) |
NL_BIO_Cloud_Theme_B.10.3(2) |
NL_BIO_Cloud_Theme_B.10.3(2) |
B.10 Security Organization |
Organizational Position |
|
n/a |
The CSP has given the information security organization a formal position within the entire organization. |
|
2 |
| NL_BIO_Cloud_Theme |
B.10.4(2) |
NL_BIO_Cloud_Theme_B.10.4(2) |
NL_BIO_Cloud_Theme_B.10.4(2) |
B.10 Security Organization |
Tasks, responsibilities and powers |
|
n/a |
The CSP has described and assigned information security responsibilities for defining, coordinating and evaluating to specific officers. |
|
2 |
| NL_BIO_Cloud_Theme |
U.10.2(2) |
NL_BIO_Cloud_Theme_U.10.2(2) |
NL_BIO_Cloud_Theme_U.10.2(2) |
U.10 Access to IT services and data |
Users |
|
n/a |
Under the responsibility of the CSP, administrators shall be granted access: to data with the least privilege principle; to data with the need-to-know principle; with multi-factor authentication; to data and application functions via technical measures. |
|
25 |
| NL_BIO_Cloud_Theme |
U.17.1(2) |
NL_BIO_Cloud_Theme_U.17.1(2) |
NL_BIO_Cloud_Theme_U.17.1(2) |
U.17 Multi-tenant architecture |
Encrypted |
|
n/a |
CSC data on transport and at rest is encrypted. |
|
5 |
| NZ_ISM_v3.5 |
AC-11 |
NZ_ISM_v3.5_AC-11 |
NZISM Security Benchmark AC-11 |
Access Control and Passwords |
16.4.30 Privileged Access Management |
Customer |
n/a |
A fundamental part of any security policy is the inclusion of requirements for the treatment of Privileged Accounts. This is most conveniently contained in a Privileged Access Management (PAM) section within the agency???s security policy. A PAM policy is a fundamental component of an agency???s IT Governance. |
link |
7 |
| NZISM_Security_Benchmark_v1.1 |
AC-11 |
NZISM_Security_Benchmark_v1.1_AC-11 |
NZISM Security Benchmark AC-11 |
Access Control and Passwords |
16.4.30 Privileged Access Management |
Customer |
Agencies MUST establish a Privileged Access Management (PAM) policy.
Within the context of agency operations, the agency’s PAM policy MUST define:
a privileged account; and
privileged access.
Agencies MUST manage Privileged Accounts in accordance with the Agency’s PAM Policy. |
A fundamental part of any security policy is the inclusion of requirements for the treatment of Privileged Accounts. This is most conveniently contained in a Privileged Access Management (PAM) section within the agency’s security policy. A PAM policy is a fundamental component of an agency’s IT Governance. |
link |
9 |
| PCI_DSS_V3.2.1 |
7.1.1 |
PCI_DSS_v3.2.1_7.1.1 |
PCI DSS v3.2.1 7.1.1 |
Requirement 7 |
PCI DSS requirement 7.1.1 |
customer |
n/a |
n/a |
link |
2 |
| PCI_DSS_V3.2.1 |
7.1.2 |
PCI_DSS_v3.2.1_7.1.2 |
PCI DSS v3.2.1 7.1.2 |
Requirement 7 |
PCI DSS requirement 7.1.2 |
shared |
n/a |
n/a |
link |
2 |
| PCI_DSS_V3.2.1 |
7.1.3 |
PCI_DSS_v3.2.1_7.1.3 |
PCI DSS v3.2.1 7.1.3 |
Requirement 7 |
PCI DSS requirement 7.1.3 |
customer |
n/a |
n/a |
link |
2 |
| PCI_DSS_v4.0 |
7.2.1 |
PCI_DSS_v4.0_7.2.1 |
PCI DSS v4.0 7.2.1 |
Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know |
Access to system components and data is appropriately defined and assigned |
Shared |
n/a |
An access control model is defined and includes granting access as follows:
• Appropriate access depending on the entity’s business and access needs.
• Access to system components and data resources that is based on users’ job classification and functions.
• The least privileges required (for example, user, administrator) to perform a job function. |
link |
10 |
| PCI_DSS_v4.0 |
7.2.2 |
PCI_DSS_v4.0_7.2.2 |
PCI DSS v4.0 7.2.2 |
Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know |
Access to system components and data is appropriately defined and assigned |
Shared |
n/a |
Access is assigned to users, including privileged users, based on:
• Job classification and function.
• Least privileges necessary to perform job responsibilities. |
link |
7 |
| RBI_CSF_Banks_v2016 |
8.3 |
RBI_CSF_Banks_v2016_8.3 |
|
User Access Control / Management |
User Access Control / Management-8.3 |
|
n/a |
Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a need to know basis and for specific duration when it is required following an established process. |
|
5 |
| RBI_CSF_Banks_v2016 |
8.5 |
RBI_CSF_Banks_v2016_8.5 |
|
User Access Control / Management |
User Access Control / Management-8.5 |
|
n/a |
Implement appropriate (e.g. centralised) systems and controls to allow, manage, log and monitor privileged/superuser/administrative access to critical systems (Servers/OS/DB, applications, network devices etc.). |
|
12 |
| RBI_ITF_NBFC_v2017 |
3.1.c |
RBI_ITF_NBFC_v2017_3.1.c |
RBI IT Framework 3.1.c |
Information and Cyber Security |
Role based Access Control-3.1 |
|
n/a |
The IS Policy must provide for a IS framework with the following basic tenets:
Role based Access Control ??? Access to information should be based on well-defined user roles (system administrator, user manager, application owner etc.), NBFCs shall avoid dependence on one or few persons for a particular job. There should be clear delegation of authority for right to upgrade/change user profiles and permissions and also key business parameters (eg. interest rates) which should be documented. |
link |
15 |
| SOC_2 |
CC5.2 |
SOC_2_CC5.2 |
SOC 2 Type 2 CC5.2 |
Control Activities |
COSO Principle 11 |
Shared |
The customer is responsible for implementing this recommendation. |
• Determines Dependency Between the Use of Technology in Business Processes and
Technology General Controls — Management understands and determines the dependency and linkage between business processes, automated control activities, and
technology general controls.
• Establishes Relevant Technology Infrastructure Control Activities — Management
selects and develops control activities over the technology infrastructure, which are
designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
• Establishes Relevant Security Management Process Controls Activities — Management selects and develops control activities that are designed and implemented
to restrict technology access rights to authorized users commensurate with their job
responsibilities and to protect the entity’s assets from external threats.
• Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities — Management selects and develops control activities over the acquisition, development and maintenance of technology and its infrastructure to achieve management's objectives. |
|
18 |
| SOC_2 |
CC6.1 |
SOC_2_CC6.1 |
SOC 2 Type 2 CC6.1 |
Logical and Physical Access Controls |
Logical access security software, infrastructure, and architectures |
Shared |
The customer is responsible for implementing this recommendation. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion:
• Identifies and Manages the Inventory of Information Assets — The entity identifies,
Page 29
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
inventories, classifies, and manages information assets.
• Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative
authorities, mobile devices, output, and offline system components is restricted
through the use of access control software and rule sets.
• Identifies and Authenticates Users — Persons, infrastructure, and software are
identified and authenticated prior to accessing information assets, whether locally
or remotely.
• Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
• Manages Points of Access — Points of access by outside entities and the types of
data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified,
documented, and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
• Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems
accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external
infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point.
Credentials are removed and access is disabled when access is no longer required
or the infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to supplement other
measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
• Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction |
|
78 |
| SOC_2 |
CC6.3 |
SOC_2_CC6.3 |
SOC 2 Type 2 CC6.3 |
Logical and Physical Access Controls |
Rol based access and least privilege |
Shared |
The customer is responsible for implementing this recommendation. |
• Creates or Modifies Access to Protected Information Assets — Processes are in
place to create or modify access to protected information assets based on authorization from the asset’s owner.
• Removes Access to Protected Information Assets — Processes are in place to remove access to protected information assets when an individual no longer requires
access.
• Uses Role-Based Access Controls — Role-based access control is utilized to support segregation of incompatible functions.
• Reviews Access Roles and Rules — The appropriateness of access roles and access
rules is reviewed on a periodic basis for unnecessary and inappropriate individuals
with access and access rules are modified as appropriate |
|
20 |
| SWIFT_CSCF_v2021 |
1.2 |
SWIFT_CSCF_v2021_1.2 |
SWIFT CSCF v2021 1.2 |
SWIFT Environment Protection |
Operating System Privileged Account Control |
|
n/a |
Restrict and control the allocation and usage of administrator-level operating system accounts. |
link |
12 |
| SWIFT_CSCF_v2021 |
5.1 |
SWIFT_CSCF_v2021_5.1 |
SWIFT CSCF v2021 5.1 |
Manage Identities and Segregate Privileges |
Logical Access Control |
|
n/a |
Enforce the security principles of need-to-know access, least privilege, and segregation of duties for operator accounts. |
link |
7 |
| SWIFT_CSCF_v2022 |
1.2 |
SWIFT_CSCF_v2022_1.2 |
SWIFT CSCF v2022 1.2 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Restrict and control the allocation and usage of administrator-level operating system accounts. |
Shared |
n/a |
Access to administrator-level operating system accounts is restricted to the maximum extent possible. Usage is controlled, monitored, and only permitted for relevant activities such as software installation and configuration, maintenance, and emergency activities. At all other times, an account with the least privilege access is used. |
link |
22 |
| SWIFT_CSCF_v2022 |
5.1 |
SWIFT_CSCF_v2022_5.1 |
SWIFT CSCF v2022 5.1 |
5. Manage Identities and Segregate Privileges |
Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. |
Shared |
n/a |
Accounts are defined according to the security principles of need-to-know access, least privilege, and separation of duties. |
link |
35 |
|
U.10.2 - Users |
U.10.2 - Users |
404 not found |
|
|
|
n/a |
n/a |
|
25 |
|
U.17.1 - Encrypted |
U.17.1 - Encrypted |
404 not found |
|
|
|
n/a |
n/a |
|
5 |