Az Policy Advertizer

2.1

CIS_Azure_1.1.0_2.1

CIS Microsoft Azure Foundations Benchmark recommendation 2.1

2 Security Center

Ensure that standard pricing tier is selected

Shared

The customer is responsible for implementing this recommendation.

The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.

2.5

CIS_Azure_1.1.0_2.5

CIS Microsoft Azure Foundations Benchmark recommendation 2.5

2 Security Center

Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled"

Shared

The customer is responsible for implementing this recommendation.

Enable Endpoint protection recommendations for virtual machines.

4.4

CIS_Azure_1.1.0_4.4

CIS Microsoft Azure Foundations Benchmark recommendation 4.4

4 Database Services

Ensure that 'Advanced Data Security' on a SQL server is set to 'On'

Shared

The customer is responsible for implementing this recommendation.

Enable "Advanced Data Security" on critical SQL Servers.

4.5

CIS_Azure_1.1.0_4.5

CIS Microsoft Azure Foundations Benchmark recommendation 4.5

4 Database Services

Ensure that 'Threat Detection types' is set to 'All'

Shared

The customer is responsible for implementing this recommendation.

Enable all types of threat detection on SQL servers.

7.6

CIS_Azure_1.1.0_7.6

CIS Microsoft Azure Foundations Benchmark recommendation 7.6

7 Virtual Machines

Ensure that the endpoint protection for all Virtual Machines is installed

Shared

The customer is responsible for implementing this recommendation.

Install endpoint protection for all virtual machines.

2.1

CIS_Azure_1.3.0_2.1

CIS Microsoft Azure Foundations Benchmark recommendation 2.1

2 Security Center

Ensure that Azure Defender is set to On for Servers

Shared

The customer is responsible for implementing this recommendation.

Turning on Azure Defender enables threat detection for Server, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.

2.10

CIS_Azure_1.3.0_2.10

CIS Microsoft Azure Foundations Benchmark recommendation 2.10

2 Security Center

Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected

Shared

The customer is responsible for implementing this recommendation.

This setting enables Microsoft Cloud App Security (MCAS) integration with Security Center.

2.2

CIS_Azure_1.3.0_2.2

CIS Microsoft Azure Foundations Benchmark recommendation 2.2

2 Security Center

Ensure that Azure Defender is set to On for App Service

Shared

The customer is responsible for implementing this recommendation.

Turning on Azure Defender enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.

2.3

CIS_Azure_1.3.0_2.3

CIS Microsoft Azure Foundations Benchmark recommendation 2.3

2 Security Center

Ensure that Azure Defender is set to On for Azure SQL database servers

Shared

The customer is responsible for implementing this recommendation.

Turning on Azure Defender enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.

2.4

CIS_Azure_1.3.0_2.4

CIS Microsoft Azure Foundations Benchmark recommendation 2.4

2 Security Center

Ensure that Azure Defender is set to On for SQL servers on machines

Shared

The customer is responsible for implementing this recommendation.

Turning on Azure Defender enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.

2.5

CIS_Azure_1.3.0_2.5

CIS Microsoft Azure Foundations Benchmark recommendation 2.5

2 Security Center

Ensure that Azure Defender is set to On for Storage

Shared

The customer is responsible for implementing this recommendation.

Turning on Azure Defender enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.

2.6

CIS_Azure_1.3.0_2.6

CIS Microsoft Azure Foundations Benchmark recommendation 2.6

2 Security Center

Ensure that Azure Defender is set to On for Kubernetes

Shared

The customer is responsible for implementing this recommendation.

Turning on Azure Defender enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.

2.7

CIS_Azure_1.3.0_2.7

CIS Microsoft Azure Foundations Benchmark recommendation 2.7

2 Security Center

Ensure that Azure Defender is set to On for Container Registries

Shared

The customer is responsible for implementing this recommendation.

Turning on Azure Defender enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.

2.8

CIS_Azure_1.3.0_2.8

CIS Microsoft Azure Foundations Benchmark recommendation 2.8

2 Security Center

Ensure that Azure Defender is set to On for Key Vault

Shared

The customer is responsible for implementing this recommendation.

Turning on Azure Defender enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.

2.9

CIS_Azure_1.3.0_2.9

CIS Microsoft Azure Foundations Benchmark recommendation 2.9

2 Security Center

Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected

Shared

The customer is responsible for implementing this recommendation.

This setting enables Windows Defender ATP (WDATP) integration with Security Center.

4.2.1

CIS_Azure_1.3.0_4.2.1

CIS Microsoft Azure Foundations Benchmark recommendation 4.2.1

4 Database Services

Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'

Shared

The customer is responsible for implementing this recommendation.

Enable "Azure Defender for SQL" on critical SQL Servers.

7.6

CIS_Azure_1.3.0_7.6

CIS Microsoft Azure Foundations Benchmark recommendation 7.6

7 Virtual Machines

Ensure that the endpoint protection for all Virtual Machines is installed

Shared

The customer is responsible for implementing this recommendation.

Install endpoint protection for all virtual machines.

2.1

CIS_Azure_1.4.0_2.1

CIS Microsoft Azure Foundations Benchmark recommendation 2.1

2 Microsoft Defender for Cloud

Ensure that Microsoft Defender for Servers is set to 'On'

Shared

The customer is responsible for implementing this recommendation.

Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

2.10

CIS_Azure_1.4.0_2.10

CIS Microsoft Azure Foundations Benchmark recommendation 2.10

2 Microsoft Defender for Cloud

Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected

Shared

The customer is responsible for implementing this recommendation.

This setting enables Microsoft Defender for Cloud Apps (MCAS) integration with Microsoft Defender for Cloud.

2.2

CIS_Azure_1.4.0_2.2

CIS Microsoft Azure Foundations Benchmark recommendation 2.2

2 Microsoft Defender for Cloud

Ensure that Microsoft Defender for App Service is set to 'On'

Shared

The customer is responsible for implementing this recommendation.

Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

2.3

CIS_Azure_1.4.0_2.3

CIS Microsoft Azure Foundations Benchmark recommendation 2.3

2 Microsoft Defender for Cloud

Ensure that Microsoft Defender for Azure SQL Databases is set to 'On'

Shared

The customer is responsible for implementing this recommendation.

2.4

CIS_Azure_1.4.0_2.4

CIS Microsoft Azure Foundations Benchmark recommendation 2.4

2 Microsoft Defender for Cloud

Ensure that Microsoft Defender for SQL servers on machines is set to 'On'

Shared

The customer is responsible for implementing this recommendation.

2.5

CIS_Azure_1.4.0_2.5

CIS Microsoft Azure Foundations Benchmark recommendation 2.5

2 Microsoft Defender for Cloud

Ensure that Microsoft Defender for Storage is set to 'On'

Shared

The customer is responsible for implementing this recommendation.

Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

2.6

CIS_Azure_1.4.0_2.6

CIS Microsoft Azure Foundations Benchmark recommendation 2.6

2 Microsoft Defender for Cloud

Ensure that Microsoft Defender for Kubernetes is set to 'On'

Shared

The customer is responsible for implementing this recommendation.

Turning on Microsoft Defender for Kubernetes enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

2.7

CIS_Azure_1.4.0_2.7

CIS Microsoft Azure Foundations Benchmark recommendation 2.7

2 Microsoft Defender for Cloud

Ensure that Microsoft Defender for Container Registries is set to 'On'

Shared

The customer is responsible for implementing this recommendation.

Turning on Microsoft Defender for Container Registries enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

2.8

CIS_Azure_1.4.0_2.8

CIS Microsoft Azure Foundations Benchmark recommendation 2.8

2 Microsoft Defender for Cloud

Ensure that Microsoft Defender for Key Vault is set to 'On'

Shared

The customer is responsible for implementing this recommendation.

Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

2.9

CIS_Azure_1.4.0_2.9

CIS Microsoft Azure Foundations Benchmark recommendation 2.9

2 Microsoft Defender for Cloud

Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected

Shared

The customer is responsible for implementing this recommendation.

This setting enables Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud.

4.2.1

CIS_Azure_1.4.0_4.2.1

CIS Microsoft Azure Foundations Benchmark recommendation 4.2.1

4 Database Services

Ensure that Advanced Threat Protection (ATP) on a SQL Server is Set to 'Enabled'

Shared

The customer is responsible for implementing this recommendation.

Enable "Azure Defender for SQL" on critical SQL Servers.

7.6

CIS_Azure_1.4.0_7.6

CIS Microsoft Azure Foundations Benchmark recommendation 7.6

7 Virtual Machines

Ensure that the endpoint protection for all Virtual Machines is installed

Shared

The customer is responsible for implementing this recommendation.

Install endpoint protection for all virtual machines.

2.1.1

CIS_Azure_2.0.0_2.1.1

CIS Microsoft Azure Foundations Benchmark recommendation 2.1.1

2.1

Ensure That Microsoft Defender for Servers Is Set to 'On'

Shared

Turning on Microsoft Defender for Servers in Microsoft Defender for Cloud incurs an additional cost per resource.

Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. Enabling Microsoft Defender for Servers allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

2.1.10

CIS_Azure_2.0.0_2.1.10

CIS Microsoft Azure Foundations Benchmark recommendation 2.1.10

2.1

Ensure That Microsoft Defender for Key Vault Is Set To 'On'

Shared

Turning on Microsoft Defender for Key Vault incurs an additional cost per resource.

Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. Enabling Microsoft Defender for Key Vault allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

2.1.17

CIS_Azure_2.0.0_2.1.17

CIS Microsoft Azure Foundations Benchmark recommendation 2.1.17

2.1

Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'

Shared

Microsoft Defender for Containers will require additional licensing.

Enable automatic provisioning of the Microsoft Defender for Containers components. As with any compute resource, Container environments require hardening and run-time protection to ensure safe operations and detection of threats and vulnerabilities.

2.1.2

CIS_Azure_2.0.0_2.1.2

CIS Microsoft Azure Foundations Benchmark recommendation 2.1.2

2.1

Ensure That Microsoft Defender for App Services Is Set To 'On'

Shared

Turning on Microsoft Defender for App Service incurs an additional cost per resource.

Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. Enabling Microsoft Defender for App Service allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

2.1.21

CIS_Azure_2.0.0_2.1.21

CIS Microsoft Azure Foundations Benchmark recommendation 2.1.21

2.1

Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected

Shared

Microsoft Defender for Cloud Apps works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource.

This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud. Microsoft Defender for Cloud offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Microsoft Defender for Cloud detects unusual or potentially harmful operations in the Azure subscription environment. Several of the preceding analytics are powered by Microsoft Defender for Cloud Apps. To benefit from these analytics, subscription must have a Cloud App Security license. Microsoft Defender for Cloud Apps works only with Standard Tier subscriptions.

2.1.22

CIS_Azure_2.0.0_2.1.22

CIS Microsoft Azure Foundations Benchmark recommendation 2.1.22

2.1

Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected

Shared

Microsoft Defender for Endpoint works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource.

This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud. **IMPORTANT:** When enabling integration between DfE & DfC it needs to be taken into account that this will have some side effects that may be undesirable. 1. For server 2019 & above if defender is installed (default for these server SKU's) this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal. 1. If the new unified agent is required for server SKU's of Win 2016 or Linux and lower there is additional integration that needs to be switched on and agents need to be aligned. Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud. MDE works only with Standard Tier subscriptions.

2.1.4

CIS_Azure_2.0.0_2.1.4

CIS Microsoft Azure Foundations Benchmark recommendation 2.1.4

2.1

Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'

Shared

Turning on Microsoft Defender for Azure SQL Databases incurs an additional cost per resource.

Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. Enabling Microsoft Defender for Azure SQL Databases allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

2.1.5

CIS_Azure_2.0.0_2.1.5

CIS Microsoft Azure Foundations Benchmark recommendation 2.1.5

2.1

Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'

Shared

Turning on Microsoft Defender for SQL servers on machines incurs an additional cost per resource.

Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. Enabling Microsoft Defender for SQL servers on machines allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

2.1.7

CIS_Azure_2.0.0_2.1.7

CIS Microsoft Azure Foundations Benchmark recommendation 2.1.7

2.1

Ensure That Microsoft Defender for Storage Is Set To 'On'

Shared

Turning on Microsoft Defender for Storage incurs an additional cost per resource.

Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. Enabling Microsoft Defender for Storage allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

2.1.8

CIS_Azure_2.0.0_2.1.8

CIS Microsoft Azure Foundations Benchmark recommendation 2.1.8

2.1

Ensure That Microsoft Defender for Containers Is Set To 'On'

Shared

Turning on Microsoft Defender for Containers incurs an additional cost per resource.

Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. Enabling Microsoft Defender for Container Registries allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

4.2.1

CIS_Azure_2.0.0_4.2.1

CIS Microsoft Azure Foundations Benchmark recommendation 4.2.1

4.2

Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers

Shared

Microsoft Defender for SQL is a paid feature and will incur additional cost for each SQL server.

Enable "Microsoft Defender for SQL" on critical SQL Servers. Microsoft Defender for SQL is a unified package for advanced SQL security capabilities. Microsoft Defender is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. It includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single go-to location for enabling and managing these capabilities.

7.6

CIS_Azure_2.0.0_7.6

CIS Microsoft Azure Foundations Benchmark recommendation 7.6

Ensure that Endpoint Protection for all Virtual Machines is installed

Shared

Endpoint protection will incur an additional cost to you.

Install endpoint protection for all virtual machines. Installing endpoint protection systems (like anti-malware for Azure) provides for real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. These also offer configurable alerts when known-malicious or unwanted software attempts to install itself or run on Azure systems.

IR-4

FedRAMP_High_R4_IR-4

FedRAMP High IR-4

Incident Response

Incident Handling

Shared

n/a

The organization: a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinates incident handling activities with contingency planning activities; and c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly. Supplemental Guidance: Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. References: Executive Order 13587; NIST Special Publication 800-61.

IR-7(1)

FedRAMP_High_R4_IR-7(1)

FedRAMP High IR-7 (1)

Incident Response

Automation Support For Availability Of Information / Support

Shared

n/a

The organization employs automated mechanisms to increase the availability of incident response- related information and support. Supplemental Guidance: Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.

RA-5(6)

FedRAMP_High_R4_RA-5(6)

FedRAMP High RA-5 (6)

Risk Assessment

Automated Trend Analyses

Shared

n/a

The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. Supplemental Guidance: Related controls: IR-4, IR-5, SI-4.

SI-3

FedRAMP_High_R4_SI-3

FedRAMP High SI-3

System And Information Integrity

Malicious Code Protection

Shared

n/a

The organization: a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. References: NIST Special Publication 800-83.

SI-3(1)

FedRAMP_High_R4_SI-3(1)

FedRAMP High SI-3 (1)

System And Information Integrity

Central Management

Shared

n/a

The organization centrally manages malicious code protection mechanisms. Supplemental Guidance: Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls. Related controls: AU-2, SI-8.

SI-3(2)

FedRAMP_High_R4_SI-3(2)

FedRAMP High SI-3 (2)

System And Information Integrity

Automatic Updates

Shared

n/a

The information system automatically updates malicious code protection mechanisms. Supplemental Guidance: Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Related control: SI-8.

SI-3(7)

FedRAMP_High_R4_SI-3(7)

FedRAMP High SI-3 (7)

System And Information Integrity

Nonsignature-Based Detection

Shared

n/a

The information system implements nonsignature-based malicious code detection mechanisms. Supplemental Guidance: Nonsignature-based detection mechanisms include, for example, the use of heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide safeguards against malicious code for which signatures do not yet exist or for which existing signatures may not be effective. This includes polymorphic malicious code (i.e., code that changes signatures when it replicates). This control enhancement does not preclude the use of signature-based detection mechanisms.

SI-4

FedRAMP_High_R4_SI-4

FedRAMP High SI-4

System And Information Integrity

Information System Monitoring

Shared

n/a

The organization: a. Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization- defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization- defined techniques and methods]; c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: or ganization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. Supplemental Guidance: Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. References: NIST Special Publications 800-61, 800-83, 800-92, 800-94, 800-137.

IR-4

FedRAMP_Moderate_R4_IR-4

FedRAMP Moderate IR-4

Incident Response

Incident Handling

Shared

n/a

FedRAMP_Moderate_R4_IR-7(1)

IR-7(1)

FedRAMP Moderate IR-7 (1)

Incident Response

Automation Support For Availability Of Information / Support

Shared

n/a

FedRAMP_Moderate_R4_RA-5(6)

RA-5(6)

FedRAMP Moderate RA-5 (6)

Risk Assessment

Automated Trend Analyses

Shared

n/a

SI-3

FedRAMP_Moderate_R4_SI-3

FedRAMP Moderate SI-3

System And Information Integrity

Malicious Code Protection

Shared

n/a

FedRAMP_Moderate_R4_SI-3(1)

SI-3(1)

FedRAMP Moderate SI-3 (1)

System And Information Integrity

Central Management

Shared

n/a

FedRAMP_Moderate_R4_SI-3(2)

SI-3(2)

FedRAMP Moderate SI-3 (2)

System And Information Integrity

Automatic Updates

Shared

n/a

FedRAMP_Moderate_R4_SI-3(7)

SI-3(7)

FedRAMP Moderate SI-3 (7)

System And Information Integrity

Nonsignature-Based Detection

Shared

n/a

SI-4

FedRAMP_Moderate_R4_SI-4

FedRAMP Moderate SI-4

System And Information Integrity

Information System Monitoring

Shared

n/a

hipaa-0201.09j1Organizational.124-09.j

0201.09j1Organizational.124-09.j

0201.09j1Organizational.124-09.j

02 Endpoint Protection

0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code

Shared

n/a

Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software are addressed via a network-based malware detection (NBMD) solution.

hipaa-0204.09j2Organizational.1-09.j

0204.09j2Organizational.1-09.j

0204.09j2Organizational.1-09.j

02 Endpoint Protection

0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code

Shared

n/a

Scans for malicious software are performed on boot and every 12 hours.

hipaa-0205.09j2Organizational.2-09.j

0205.09j2Organizational.2-09.j

0205.09j2Organizational.2-09.j

02 Endpoint Protection

0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code

Shared

n/a

Malicious code that is identified is blocked, quarantined, and an alert is sent to the administrators.

hipaa-0206.09j2Organizational.34-09.j

0206.09j2Organizational.34-09.j

0206.09j2Organizational.34-09.j

02 Endpoint Protection

0206.09j2Organizational.34-09.j 09.04 Protection Against Malicious and Mobile Code

Shared

n/a

Anti-malware is centrally managed and cannot be disabled by the users.

hipaa-0207.09j2Organizational.56-09.j

0207.09j2Organizational.56-09.j

0207.09j2Organizational.56-09.j

02 Endpoint Protection

0207.09j2Organizational.56-09.j 09.04 Protection Against Malicious and Mobile Code

Shared

n/a

Centrally-managed, up-to-date anti-spam and anti-malware protection is implemented at information system entry/exit points for the network and on all devices.

hipaa-0214.09j1Organizational.6-09.j

0214.09j1Organizational.6-09.j

0214.09j1Organizational.6-09.j

02 Endpoint Protection

0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code

Shared

n/a

Protection against malicious code is based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.

hipaa-0215.09j2Organizational.8-09.j

0215.09j2Organizational.8-09.j

0215.09j2Organizational.8-09.j

02 Endpoint Protection

0215.09j2Organizational.8-09.j 09.04 Protection Against Malicious and Mobile Code

Shared

n/a

The organization addresses the receipt of false positives during malicious code detection and eradication, and the resulting potential impact on the availability of the information system.

hipaa-0217.09j2Organizational.10-09.j

0217.09j2Organizational.10-09.j

0217.09j2Organizational.10-09.j

02 Endpoint Protection

0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code

Shared

n/a

The organization configures malicious code and spam protection mechanisms to (i) perform periodic scans of the information system according to organization guidelines; (ii) perform real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and, (iii) block malicious code, quarantine malicious code, or send an alert to the administrator in response to malicious code detection.

hipaa-0219.09j2Organizational.12-09.j

0219.09j2Organizational.12-09.j

0219.09j2Organizational.12-09.j

02 Endpoint Protection

0219.09j2Organizational.12-09.j 09.04 Protection Against Malicious and Mobile Code

Shared

n/a

The organization has implemented safeguards to protect its information system's memory from unauthorized code execution.

hipaa-0225.09k1Organizational.1-09.k

0225.09k1Organizational.1-09.k

0225.09k1Organizational.1-09.k

02 Endpoint Protection

0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code

Shared

n/a

Automated controls (e.g., browser settings) are in place to authorize and restrict the use of mobile code (e.g., Java, JavaScript, ActiveX, PDF, postscript, Shockwave movies, and Flash animations).

hipaa-0226.09k1Organizational.2-09.k

0226.09k1Organizational.2-09.k

0226.09k1Organizational.2-09.k

02 Endpoint Protection

0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code

Shared

n/a

The organization has implemented and regularly updates mobile code protection, including anti-virus and anti-spyware.

hipaa-0227.09k2Organizational.12-09.k

0227.09k2Organizational.12-09.k

0227.09k2Organizational.12-09.k

02 Endpoint Protection

0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code

Shared

n/a

The organization takes specific actions to protect against mobile code performing unauthorized actions.

hipaa-0635.10k1Organizational.12-10.k

0635.10k1Organizational.12-10.k

0635.10k1Organizational.12-10.k

06 Configuration Management

0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes

Shared

n/a

Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment and ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment.

hipaa-0663.10h1System.7-10.h

0663.10h1System.7-10.h

0663.10h1System.7-10.h

06 Configuration Management

0663.10h1System.7-10.h 10.04 Security of System Files

Shared

n/a

The operating system has in place supporting technical controls such as antivirus, file integrity monitoring, host-based (personal) firewalls or port filtering tools, and logging as part of its baseline.

hipaa-0711.10m2Organizational.23-10.m

0711.10m2Organizational.23-10.m

0711.10m2Organizational.23-10.m

07 Vulnerability Management

0711.10m2Organizational.23-10.m 10.06 Technical Vulnerability Management

Shared

n/a

A technical vulnerability management program is in place to monitor, assess, rank, and remediate vulnerabilities identified in systems.

hipaa-0714.10m2Organizational.7-10.m

0714.10m2Organizational.7-10.m

0714.10m2Organizational.7-10.m

07 Vulnerability Management

0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management

Shared

n/a

The technical vulnerability management program is evaluated on a quarterly basis.

A.12.2.1

ISO27001-2013_A.12.2.1

ISO 27001:2013 A.12.2.1

Operations Security

Controls against malware

Shared

n/a

Detection, prevention, and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

A.12.4.1

ISO27001-2013_A.12.4.1

ISO 27001:2013 A.12.4.1

Operations Security

Event Logging

Shared

n/a

Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

A.16.1.4

ISO27001-2013_A.16.1.4

ISO 27001:2013 A.16.1.4

Information Security Incident Management

Assessment of and decision on information security events

Shared

n/a

Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.

A.16.1.5

ISO27001-2013_A.16.1.5

ISO 27001:2013 A.16.1.5

Information Security Incident Management

Response to information security incidents

Shared

n/a

Information security incidents shall be responded to in accordance with the documented procedures.

A.16.1.6

ISO27001-2013_A.16.1.6

ISO 27001:2013 A.16.1.6

Information Security Incident Management

Learning from information security incidents

Shared

n/a

Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.

mp.eq.3 Protection of portable devices

404 not found

n/a

NIST_SP_800-171_R2_3.14.2

.14.2

NIST SP 800-171 R2 3.14.2

System and Information Integrity

Provide protection from malicious code at designated locations within organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Designated locations include system entry and exit points which may include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. [SP 800-83] provides guidance on malware incident prevention.

NIST_SP_800-171_R2_3.14.4

.14.4

NIST SP 800-171 R2 3.14.4

System and Information Integrity

Update malicious code protection mechanisms when new releases are available.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.

NIST_SP_800-171_R2_3.14.6

.14.6

NIST SP 800-171 R2 3.14.6

System and Information Integrity

Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. [SP 800-94] provides guidance on intrusion detection and prevention systems.

NIST_SP_800-171_R2_3.14.7

.14.7

NIST SP 800-171 R2 3.14.7

System and Information Integrity

Identify unauthorized use of organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. [SP 800-94] provides guidance on intrusion detection and prevention systems.

.6.1

NIST_SP_800-171_R2_3.6.1

NIST SP 800-171 R2 3.6.1

Incident response

Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive. As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. User response activities also includes incident response assistance which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required. [SP 800-61] provides guidance on incident handling. [SP 800-86] and [SP 800-101] provide guidance on integrating forensic techniques into incident response. [SP 800-161] provides guidance on supply chain risk management.

IR-4

NIST_SP_800-53_R4_IR-4

NIST SP 800-53 Rev. 4 IR-4

Incident Response

Incident Handling

Shared

n/a

NIST_SP_800-53_R4_IR-7(1)

IR-7(1)

NIST SP 800-53 Rev. 4 IR-7 (1)

Incident Response

Automation Support For Availability Of Information / Support

Shared

n/a

NIST_SP_800-53_R4_RA-5(6)

RA-5(6)

NIST SP 800-53 Rev. 4 RA-5 (6)

Risk Assessment

Automated Trend Analyses

Shared

n/a

SI-3

NIST_SP_800-53_R4_SI-3

NIST SP 800-53 Rev. 4 SI-3

System And Information Integrity

Malicious Code Protection

Shared

n/a

NIST_SP_800-53_R4_SI-3(1)

SI-3(1)

NIST SP 800-53 Rev. 4 SI-3 (1)

System And Information Integrity

Central Management

Shared

n/a

NIST_SP_800-53_R4_SI-3(2)

SI-3(2)

NIST SP 800-53 Rev. 4 SI-3 (2)

System And Information Integrity

Automatic Updates

Shared

n/a

NIST_SP_800-53_R4_SI-3(7)

SI-3(7)

NIST SP 800-53 Rev. 4 SI-3 (7)

System And Information Integrity

Nonsignature-Based Detection

Shared

n/a

SI-4

NIST_SP_800-53_R4_SI-4

NIST SP 800-53 Rev. 4 SI-4

System And Information Integrity

Information System Monitoring

Shared

n/a

IR-4

NIST_SP_800-53_R5_IR-4

NIST SP 800-53 Rev. 5 IR-4

Incident Response

Incident Handling

Shared

n/a

a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinate incident handling activities with contingency planning activities; c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

NIST_SP_800-53_R5_IR-7(1)

IR-7(1)

NIST SP 800-53 Rev. 5 IR-7 (1)

Incident Response

Automation Support for Availability of Information and Support

Shared

n/a

Increase the availability of incident response information and support using [Assignment: organization-defined automated mechanisms].

NIST_SP_800-53_R5_RA-5(6)

RA-5(6)

NIST SP 800-53 Rev. 5 RA-5 (6)

Risk Assessment

Automated Trend Analyses

Shared

n/a

Compare the results of multiple vulnerability scans using [Assignment: organization-defined automated mechanisms].

SI-3

NIST_SP_800-53_R5_SI-3

NIST SP 800-53 Rev. 5 SI-3

System and Information Integrity

Malicious Code Protection

Shared

n/a

a. Implement [Selection (OneOrMore): signature based;non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (OneOrMore): endpoint;network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (OneOrMore): block malicious code;quarantine malicious code;take [Assignment: organization-defined action] ] ; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

SI-4

NIST_SP_800-53_R5_SI-4

NIST SP 800-53 Rev. 5 SI-4

System and Information Integrity

System Monitoring

Shared

n/a

a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (OneOrMore): as needed; [Assignment: organization-defined frequency] ] .

op.exp.6 Protection against harmful code

404 not found

n/a

op.exp.7 Incident management

404 not found

n/a

103

op.exp.8 Recording of the activity

404 not found

n/a

op.exp.9 Incident management record

404 not found

n/a

org.2 Security regulations

404 not found

n/a

100

11.5.1

PCI_DSS_v4.0_11.5.1

PCI DSS v4.0 11.5.1

Requirement 11: Test Security of Systems and Networks Regularly

Network intrusions and unexpected file changes are detected and responded to

Shared

n/a

Intrusion-detection and/or intrusionprevention techniques are used to detect and/or prevent intrusions into the network as follows: • All traffic is monitored at the perimeter of the CDE. • All traffic is monitored at critical points in the CDE. • Personnel are alerted to suspected compromises. • All intrusion-detection and prevention engines, baselines, and signatures are kept up to date.

12.10.7

PCI_DSS_v4.0_12.10.7

PCI DSS v4.0 12.10.7

Requirement 12: Support Information Security with Organizational Policies and Programs

Suspected and confirmed security incidents that could impact the CDE are responded to immediately

Shared

n/a

Incident response procedures are in place, to be initiated upon the detection of stored PAN anywhere it is not expected, and include: • Determining what to do if PAN is discovered outside the CDE, including its retrieval, secure deletion, and/or migration into the currently defined CDE, as applicable. • Identifying whether sensitive authentication data is stored with PAN. • Determining where the account data came from and how it ended up where it was not expected. • Remediating data leaks or process gaps that resulted in the account data being where it was not expected.

5.2.1

PCI_DSS_v4.0_5.2.1

PCI DSS v4.0 5.2.1

Requirement 05: Protect All Systems and Networks from Malicious Software

Malicious software (malware) is prevented, or detected and addressed

Shared

n/a

An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.

5.2.2

PCI_DSS_v4.0_5.2.2

PCI DSS v4.0 5.2.2

Requirement 05: Protect All Systems and Networks from Malicious Software

Malicious software (malware) is prevented, or detected and addressed

Shared

n/a

The deployed anti-malware solution(s): • Detects all known types of malware. • Removes, blocks, or contains all known types of malware.

5.2.3

PCI_DSS_v4.0_5.2.3

PCI DSS v4.0 5.2.3

Requirement 05: Protect All Systems and Networks from Malicious Software

Malicious software (malware) is prevented, or detected and addressed

Shared

n/a

Any system components that are not at risk for malware are evaluated periodically to include the following: • A documented list of all system components not at risk for malware. • Identification and evaluation of evolving malware threats for those system components. • Confirmation whether such system components continue to not require anti-malware protection.

5.3.1

PCI_DSS_v4.0_5.3.1

PCI DSS v4.0 5.3.1

Requirement 05: Protect All Systems and Networks from Malicious Software

Anti-malware mechanisms and processes are active, maintained, and monitored

Shared

n/a

The anti-malware solution(s) is kept current via automatic updates.

5.3.3

PCI_DSS_v4.0_5.3.3

PCI DSS v4.0 5.3.3

Requirement 05: Protect All Systems and Networks from Malicious Software

Anti-malware mechanisms and processes are active, maintained, and monitored

Shared

n/a

For removable electronic media, the antimalware solution: • Performs automatic scans of when the media is inserted, connected, or logically mounted, OR • Performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted.

5.4.1

PCI_DSS_v4.0_5.4.1

PCI DSS v4.0 5.4.1

Requirement 05: Protect All Systems and Networks from Malicious Software

Anti-phishing mechanisms protect users against phishing attacks

Shared

n/a

Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.

CC6.8

SOC_2_CC6.8

SOC 2 Type 2 CC6.8

Logical and Physical Access Controls

Prevent or detect against unauthorized or malicious software

Shared

The customer is responsible for implementing this recommendation.

Restricts Application and Software Installation — The ability to install applications and software is restricted to authorized individuals. • Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. • Uses a Defined Change Control Process — A management-defined change control process is used for the implementation of software. • Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. • Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network.

CC7.2

SOC_2_CC7.2

SOC 2 Type 2 CC7.2

System Operations

Monitor system components for anomalous behavior

Shared

The customer is responsible for implementing this recommendation.

• Implements Detection Policies, Procedures, and Tools — Detection policies and procedures are defined and implemented and detection tools are implemented on infrastructure and software to identify anomalies in the operation or unusual activity on systems. Procedures may include (1) a defined governance process for security event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3) logging of unusual system activities. • Designs Detection Measures — Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software. • Implements Filters to Analyze Anomalies — Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events. • Monitors Detection Tools for Effective Operation — Management has implemented processes to monitor the effectiveness of detection tools

CC7.4

SOC_2_CC7.4

SOC 2 Type 2 CC7.4

System Operations

Security incidents response

Shared

The customer is responsible for implementing this recommendation.

Assigns Roles and Responsibilities — Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary. • Contains Security Incidents — Procedures are in place to contain security incidents that actively threaten entity objectives. • Mitigates Ongoing Security Incidents — Procedures are in place to mitigate the effects of ongoing security incidents. • Ends Threats Posed by Security Incidents — Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions. • Restores Operations — Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives. • Develops and Implements Communication Protocols for Security Incidents — Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet the entity's objectives. • Obtains Understanding of Nature of Incident and Determines Containment Strategy — An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach. • Remediates Identified Vulnerabilities — Identified vulnerabilities are remediated through the development and execution of remediation activities. • Communicates Remediation Activities — Remediation activities are documented and communicated in accordance with the incident-response program. • Evaluates the Effectiveness of Incident Response — The design of incident-response activities is evaluated for effectiveness on a periodic basis. • Periodically Evaluates Incidents — Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes Communicates Unauthorized Use and Disclosure — Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required. • Application of Sanctions — The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements

CC7.5

SOC_2_CC7.5

SOC 2 Type 2 CC7.5

System Operations

Recovery from identified security incidents

Shared

The customer is responsible for implementing this recommendation.

• Restores the Affected Environment — The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed. • Communicates Information About the Event — Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external). • Determines Root Cause of the Event — The root cause of the event is determined. • Implements Changes to Prevent and Detect Recurrences — Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis. • Improves Response and Recovery Procedures — Lessons learned are analyzed and the incident-response plan and recovery procedures are improved. • Implements Incident-Recovery Plan Testing — Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results

11.1

SWIFT_CSCF_v2022_11.1

SWIFT CSCF v2022 11.1

11. Monitor in case of Major Disaster

Ensure a consistent and effective approach for the event monitoring and escalation.

Shared

n/a

Ensure a consistent and effective approach for the event monitoring and escalation.

11.2

SWIFT_CSCF_v2022_11.2

SWIFT CSCF v2022 11.2

11. Monitor in case of Major Disaster

Ensure a consistent and effective approach for the management of incidents (Problem Management).

Shared

n/a

Ensure a consistent and effective approach for the management of incidents (Problem Management).

11.4

SWIFT_CSCF_v2022_11.4

SWIFT CSCF v2022 11.4

11. Monitor in case of Major Disaster

Ensure an adequate escalation of operational malfunctions in case of customer impact.

Shared

n/a

Ensure an adequate escalation of operational malfunctions in case of customer impact.

11.5

SWIFT_CSCF_v2022_11.5

SWIFT CSCF v2022 11.5

11. Monitor in case of Major Disaster

Effective support is offered to customers in case they face problems during their business hours.

Shared

n/a

Effective support is offered to customers in case they face problems during their business hours.

2.7

SWIFT_CSCF_v2022_2.7

SWIFT CSCF v2022 2.7

2. Reduce Attack Surface and Vulnerabilities

Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results.

Shared

n/a

Secure zone (including dedicated operator PC) systems are scanned for vulnerabilities using an up-to-date, reputable scanning tool and results are considered for appropriate resolving actions.

2.9

SWIFT_CSCF_v2022_2.9

SWIFT CSCF v2022 2.9

2. Reduce Attack Surface and Vulnerabilities

Ensure outbound transaction activity within the expected bounds of normal business.

Shared

n/a

Implement transaction detection, prevention, and validation controls to ensure outbound transaction activity within the expected bounds of normal business.

6.1

SWIFT_CSCF_v2022_6.1

SWIFT CSCF v2022 6.1

6. Detect Anomalous Activity to Systems or Transaction Records

Ensure that local SWIFT infrastructure is protected against malware and act upon results.

Shared

n/a

Anti-malware software from a reputable vendor is installed, kept up-to-date on all systems, and results are considered for appropriate resolving actions.

8.1

SWIFT_CSCF_v2022_8.1

SWIFT CSCF v2022 8.1

8. Set and Monitor Performance

Ensure availability by formally setting and monitoring the objectives to be achieved

Shared

n/a

Ensure availability by formally setting and monitoring the objectives to be achieved