compliance controls are associated with this Policy definition 'Establish and document a configuration management plan' (526ed90e-890f-69e7-0386-ba5c0f1f784f)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| CIS_Azure_1.3.0 |
2.12 |
CIS_Azure_1.3.0_2.12 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.12 |
2 Security Center |
Ensure any of the ASC Default policy setting is not set to "Disabled" |
Shared |
The customer is responsible for implementing this recommendation. |
None of the settings offered by ASC Default policy should be set to effect "Disabled". |
link |
6 |
| CIS_Azure_1.4.0 |
2.12 |
CIS_Azure_1.4.0_2.12 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.12 |
2 Microsoft Defender for Cloud |
Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled' |
Shared |
The customer is responsible for implementing this recommendation. |
None of the settings offered by ASC Default policy should be set to effect "Disabled". |
link |
6 |
| CIS_Azure_2.0.0 |
2.1.14 |
CIS_Azure_2.0.0_2.1.14 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.1.14 |
2.1 |
Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' |
Shared |
n/a |
None of the settings offered by ASC Default policy should be set to effect `Disabled`.
A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements.
ASC Default policy is associated with every subscription by default. ASC default policy assignment is a set of security recommendations based on best practices.
Enabling recommendations in ASC default policy ensures that Azure security center provides the ability to monitor all of the supported recommendations and optionally allow automated action for a few of the supported recommendations. |
link |
6 |
| FedRAMP_High_R4 |
CM-2 |
FedRAMP_High_R4_CM-2 |
FedRAMP High CM-2 |
Configuration Management |
Baseline Configuration |
Shared |
n/a |
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
Supplemental Guidance: This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7.
References: NIST Special Publication 800-128. |
link |
6 |
| FedRAMP_High_R4 |
CM-2(2) |
FedRAMP_High_R4_CM-2(2) |
FedRAMP High CM-2 (2) |
Configuration Management |
Automation Support For Accuracy / Currency |
Shared |
n/a |
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
Supplemental Guidance: Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. |
link |
6 |
| FedRAMP_High_R4 |
CM-9 |
FedRAMP_High_R4_CM-9 |
FedRAMP High CM-9 |
Configuration Management |
Configuration Management Plan |
Shared |
n/a |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification.
Supplemental Guidance: Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10.
References: NIST Special Publication 800-128. |
link |
6 |
| FedRAMP_Moderate_R4 |
CM-2 |
FedRAMP_Moderate_R4_CM-2 |
FedRAMP Moderate CM-2 |
Configuration Management |
Baseline Configuration |
Shared |
n/a |
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
Supplemental Guidance: This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7.
References: NIST Special Publication 800-128. |
link |
6 |
| FedRAMP_Moderate_R4 |
CM-2(2) |
FedRAMP_Moderate_R4_CM-2(2) |
FedRAMP Moderate CM-2 (2) |
Configuration Management |
Automation Support For Accuracy / Currency |
Shared |
n/a |
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
Supplemental Guidance: Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. |
link |
6 |
| FedRAMP_Moderate_R4 |
CM-9 |
FedRAMP_Moderate_R4_CM-9 |
FedRAMP Moderate CM-9 |
Configuration Management |
Configuration Management Plan |
Shared |
n/a |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification.
Supplemental Guidance: Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10.
References: NIST Special Publication 800-128. |
link |
6 |
| hipaa |
0627.10h1System.45-10.h |
hipaa-0627.10h1System.45-10.h |
0627.10h1System.45-10.h |
06 Configuration Management |
0627.10h1System.45-10.h 10.04 Security of System Files |
Shared |
n/a |
The organization maintains information systems according to a current baseline configuration and configures system security parameters to prevent misuse. Vendor supplied software used in operational systems is maintained at a level supported by the supplier and uses the latest version of web browsers on operational systems to take advantage of the latest security functions in the application. |
|
11 |
| hipaa |
0636.10k2Organizational.1-10.k |
hipaa-0636.10k2Organizational.1-10.k |
0636.10k2Organizational.1-10.k |
06 Configuration Management |
0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
The organization formally addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management (e.g., through policies, standards, processes). |
|
8 |
| hipaa |
0637.10k2Organizational.2-10.k |
hipaa-0637.10k2Organizational.2-10.k |
0637.10k2Organizational.2-10.k |
06 Configuration Management |
0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
The organization has developed, documented, and implemented a configuration management plan for the information system. |
|
7 |
| hipaa |
0639.10k2Organizational.78-10.k |
hipaa-0639.10k2Organizational.78-10.k |
0639.10k2Organizational.78-10.k |
06 Configuration Management |
0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
Installation checklists and vulnerability scans are used to validate the configuration of servers, workstations, devices, and appliances, and ensure the configuration meets minimum standards. |
|
8 |
| hipaa |
0642.10k3Organizational.12-10.k |
hipaa-0642.10k3Organizational.12-10.k |
0642.10k3Organizational.12-10.k |
06 Configuration Management |
0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
The organization develops, documents, and maintains, under configuration control, a current baseline configuration of the information system, and reviews and updates the baseline as required. |
|
7 |
| hipaa |
0643.10k3Organizational.3-10.k |
hipaa-0643.10k3Organizational.3-10.k |
0643.10k3Organizational.3-10.k |
06 Configuration Management |
0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
The organization (i) establishes and documents mandatory configuration settings for information technology products employed within the information system using the latest security configuration baselines; (ii) identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements; and, (iii) monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. |
|
17 |
| hipaa |
0669.10hCSPSystem.1-10.h |
hipaa-0669.10hCSPSystem.1-10.h |
0669.10hCSPSystem.1-10.h |
06 Configuration Management |
0669.10hCSPSystem.1-10.h 10.04 Security of System Files |
Shared |
n/a |
Open and published APIs are used by cloud service providers to ensure support for interoperability between components and to facilitate migrating applications. |
|
16 |
| hipaa |
0710.10m2Organizational.1-10.m |
hipaa-0710.10m2Organizational.1-10.m |
0710.10m2Organizational.1-10.m |
07 Vulnerability Management |
0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management |
Shared |
n/a |
A hardened configuration standard exists for all system and network components. |
|
9 |
| hipaa |
0821.09m2Organizational.2-09.m |
hipaa-0821.09m2Organizational.2-09.m |
0821.09m2Organizational.2-09.m |
08 Network Protection |
0821.09m2Organizational.2-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization tests and approves all network connections and firewall, router, and switch configuration changes prior to implementation. Any deviations from the standard configuration or updates to the standard configuration are documented and approved in a change control system. All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, are also documented and recorded, with a specific business reason for each change, a specific individual’s name responsible for that business need, and an expected duration of the need. |
|
18 |
| hipaa |
0863.09m2Organizational.910-09.m |
hipaa-0863.09m2Organizational.910-09.m |
0863.09m2Organizational.910-09.m |
08 Network Protection |
0863.09m2Organizational.910-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization builds a firewall configuration that restricts connections between untrusted networks and any system components in the covered information environment; and any changes to the firewall configuration are updated in the network diagram. |
|
25 |
| hipaa |
0869.09m3Organizational.19-09.m |
hipaa-0869.09m3Organizational.19-09.m |
0869.09m3Organizational.19-09.m |
08 Network Protection |
0869.09m3Organizational.19-09.m 09.06 Network Security Management |
Shared |
n/a |
The router configuration files are secured and synchronized. |
|
11 |
| hipaa |
0901.09s1Organizational.1-09.s |
hipaa-0901.09s1Organizational.1-09.s |
0901.09s1Organizational.1-09.s |
09 Transmission Protection |
0901.09s1Organizational.1-09.s 09.08 Exchange of Information |
Shared |
n/a |
The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. |
|
31 |
| ISO27001-2013 |
A.6.1.1 |
ISO27001-2013_A.6.1.1 |
ISO 27001:2013 A.6.1.1 |
Organization of Information Security |
Information security roles and responsibilities |
Shared |
n/a |
All information security responsibilities shall be clearly defined and allocated. |
link |
73 |
| NIST_SP_800-171_R2_3 |
.4.1 |
NIST_SP_800-171_R2_3.4.1 |
NIST SP 800-171 R2 3.4.1 |
Configuration Management |
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration. Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. [SP 800-128] provides guidance on security-focused configuration management. |
link |
31 |
| NIST_SP_800-53_R4 |
CM-2 |
NIST_SP_800-53_R4_CM-2 |
NIST SP 800-53 Rev. 4 CM-2 |
Configuration Management |
Baseline Configuration |
Shared |
n/a |
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
Supplemental Guidance: This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7.
References: NIST Special Publication 800-128. |
link |
6 |
| NIST_SP_800-53_R4 |
CM-2(2) |
NIST_SP_800-53_R4_CM-2(2) |
NIST SP 800-53 Rev. 4 CM-2 (2) |
Configuration Management |
Automation Support For Accuracy / Currency |
Shared |
n/a |
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
Supplemental Guidance: Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. |
link |
6 |
| NIST_SP_800-53_R4 |
CM-9 |
NIST_SP_800-53_R4_CM-9 |
NIST SP 800-53 Rev. 4 CM-9 |
Configuration Management |
Configuration Management Plan |
Shared |
n/a |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification.
Supplemental Guidance: Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10.
References: NIST Special Publication 800-128. |
link |
6 |
| NIST_SP_800-53_R5 |
CM-2 |
NIST_SP_800-53_R5_CM-2 |
NIST SP 800-53 Rev. 5 CM-2 |
Configuration Management |
Baseline Configuration |
Shared |
n/a |
a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
b. Review and update the baseline configuration of the system:
1. [Assignment: organization-defined frequency];
2. When required due to [Assignment: organization-defined circumstances]; and
3. When system components are installed or upgraded. |
link |
6 |
| NIST_SP_800-53_R5 |
CM-2(2) |
NIST_SP_800-53_R5_CM-2(2) |
NIST SP 800-53 Rev. 5 CM-2 (2) |
Configuration Management |
Automation Support for Accuracy and Currency |
Shared |
n/a |
Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]. |
link |
6 |
| NIST_SP_800-53_R5 |
CM-9 |
NIST_SP_800-53_R5_CM-9 |
NIST SP 800-53 Rev. 5 CM-9 |
Configuration Management |
Configuration Management Plan |
Shared |
n/a |
Develop, document, and implement a configuration management plan for the system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the system and places the configuration items under configuration management;
d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and
e. Protects the configuration management plan from unauthorized disclosure and modification. |
link |
6 |
|
op.exp.2 Security configuration |
op.exp.2 Security configuration |
404 not found |
|
|
|
n/a |
n/a |
|
112 |
|
op.exp.3 Security configuration management |
op.exp.3 Security configuration management |
404 not found |
|
|
|
n/a |
n/a |
|
123 |
|
op.exp.4 Security maintenance and updates |
op.exp.4 Security maintenance and updates |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
op.exp.5 Change management |
op.exp.5 Change management |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
op.mon.3 Monitoring |
op.mon.3 Monitoring |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
org.1 Security policy |
org.1 Security policy |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
126 |
| PCI_DSS_v4.0 |
1.2.1 |
PCI_DSS_v4.0_1.2.1 |
PCI DSS v4.0 1.2.1 |
Requirement 01: Install and Maintain Network Security Controls |
Network security controls (NSCs) are configured and maintained |
Shared |
n/a |
Configuration standards for NSC rulesets are:
• Defined.
• Implemented.
• Maintained. |
link |
6 |
| PCI_DSS_v4.0 |
2.2.1 |
PCI_DSS_v4.0_2.2.1 |
PCI DSS v4.0 2.2.1 |
Requirement 02: Apply Secure Configurations to All System Components |
System components are configured and managed securely |
Shared |
n/a |
Configuration standards are developed, implemented, and maintained to:
• Cover all system components.
• Address all known security vulnerabilities.
• Be consistent with industry-accepted system hardening standards or vendor hardening recommendations.
• Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1.
• Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment. |
link |
6 |
| SOC_2 |
CC7.1 |
SOC_2_CC7.1 |
SOC 2 Type 2 CC7.1 |
System Operations |
Detection and monitoring of new vulnerabilities |
Shared |
The customer is responsible for implementing this recommendation. |
• Uses Defined Configuration Standards — Management has defined configuration
standards.
• Monitors Infrastructure and Software — The entity monitors infrastructure and
software for noncompliance with the standards, which could threaten the achievement of the entity's objectives.
• Implements Change-Detection Mechanisms — The IT system includes a changedetection mechanism (for example, file integrity monitoring tools) to alert personnel
to unauthorized modifications of critical system files, configuration files, or content
files.
• Detects Unknown or Unauthorized Components — Procedures are in place to detect the introduction of unknown or unauthorized components.
• Conducts Vulnerability Scans — The entity conducts vulnerability scans designed to
identify potential vulnerabilities or misconfigurations on a periodic basis and after
any significant change in the environment and takes action to remediate identified
deficiencies on a timely basis |
|
15 |
| SOC_2 |
CC8.1 |
SOC_2_CC8.1 |
SOC 2 Type 2 CC8.1 |
Change Management |
Changes to infrastructure, data, and software |
Shared |
The customer is responsible for implementing this recommendation. |
Manages Changes Throughout the System Life Cycle — A process for managing
system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and
processing integrity.
• Authorizes Changes — A process is in place to authorize system changes prior to
development.
• Designs and Develops Changes — A process is in place to design and develop system changes.
• Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing
their responsibilities.
• Tracks System Changes — A process is in place to track system changes prior to
implementation.
• Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software.
• Tests System Changes — A process is in place to test system changes prior to implementation.
• Approves System Changes — A process is in place to approve system changes prior
to implementation.
• Deploys System Changes — A process is in place to implement system changes.
• Identifies and Evaluates System Changes — Objectives affected by system changes
are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle.
• Identifies Changes in Infrastructure, Data, Software, and Procedures Required to
Remediate Incidents — Changes in infrastructure, data, software, and procedures
required to remediate incidents to continue to meet objectives are identified and the
change process is initiated upon identification.
• Creates Baseline Configuration of IT Technology — A baseline configuration of IT
and control systems is created and maintained.
• Provides for Changes Necessary in Emergency Situations — A process is in place
for authorizing, designing, testing, approving, and implementing changes necessary
in emergency situations (that is, changes that need to be implemented in an urgent
time frame).
Additional points of focus that apply only in an engagement using the trust services criteria for
confidentiality:
• Protects Confidential Information — The entity protects confidential information
during system design, development, testing, implementation, and change processes
to meet the entity’s objectives related to confidentiality.
Additional points of focus that apply only in an engagement using the trust services criteria for
privacy:
• Protects Personal Information — The entity protects personal information during
system design, development, testing, implementation, and change processes to meet
the entity’s objectives related to privacy. |
|
52 |
| SWIFT_CSCF_v2022 |
2.1 |
SWIFT_CSCF_v2022_2.1 |
SWIFT CSCF v2022 2.1 |
2. Reduce Attack Surface and Vulnerabilities |
Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. |
Shared |
n/a |
Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. |
link |
36 |
| SWIFT_CSCF_v2022 |
2.3 |
SWIFT_CSCF_v2022_2.3 |
SWIFT CSCF v2022 2.3 |
2. Reduce Attack Surface and Vulnerabilities |
Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. |
Shared |
n/a |
Security hardening is conducted and maintained on all in-scope components. |
link |
25 |