compliance controls are associated with this Policy definition 'Perform a risk assessment' (8c5d3d8d-5cba-0def-257c-5ab9ea9644dc)
Fields per control: Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Policy#
Control Domain: FedRAMP_High_R4
Control: CM-3
Name: FedRAMP_High_R4_CM-3
MetadataId: FedRAMP High CM-3
Category: Configuration Management
Title: Configuration Change Control
Owner: Shared
Requirements: n/a
Description:
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
Supplemental Guidance: Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12.
References: NIST Special Publication 800-128.
Policy#: 8
Control Domain: FedRAMP_High_R4
Control: CM-4
Name: FedRAMP_High_R4_CM-4
MetadataId: FedRAMP High CM-4
Category: Configuration Management
Title: Security Impact Analysis
Owner: Shared
Requirements: n/a
Description:
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
Supplemental Guidance: Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems. Related controls: CA-2, CA-7, CM-3, CM-9, SA-4, SA-5, SA-10, SI-2.
References: NIST Special Publication 800-128.
Policy#: 8
Control Domain: FedRAMP_High_R4
Control: RA-3
Name: FedRAMP_High_R4_RA-3
MetadataId: FedRAMP High RA-3
Category: Risk Assessment
Title: Risk Assessment
Owner: Shared
Requirements: n/a
Description:
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9.
Control Enhancements: None.
References: OMB Memorandum 04-04; NIST Special Publication 800-30, 800-39; Web: idmanagement.gov.
Policy#: 4
Control Domain: FedRAMP_Moderate_R4
Control: CM-3
Name: FedRAMP_Moderate_R4_CM-3
MetadataId: FedRAMP Moderate CM-3
Category: Configuration Management
Title: Configuration Change Control
Owner: Shared
Requirements: n/a
Description:
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
Supplemental Guidance: Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12.
References: NIST Special Publication 800-128.
Policy#: 8
Control Domain: FedRAMP_Moderate_R4
Control: CM-4
Name: FedRAMP_Moderate_R4_CM-4
MetadataId: FedRAMP Moderate CM-4
Category: Configuration Management
Title: Security Impact Analysis
Owner: Shared
Requirements: n/a
Description:
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
Supplemental Guidance: Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems. Related controls: CA-2, CA-7, CM-3, CM-9, SA-4, SA-5, SA-10, SI-2.
References: NIST Special Publication 800-128.
Policy#: 8
Control Domain: FedRAMP_Moderate_R4
Control: RA-3
Name: FedRAMP_Moderate_R4_RA-3
MetadataId: FedRAMP Moderate RA-3
Category: Risk Assessment
Title: Risk Assessment
Owner: Shared
Requirements: n/a
Description:
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9.
Control Enhancements: None.
References: OMB Memorandum 04-04; NIST Special Publication 800-30, 800-39; Web: idmanagement.gov.
Policy#: 4
Control Domain: hipaa
Control: 0125.05a3Organizational.2-05.a
Name: hipaa-0125.05a3Organizational.2-05.a
MetadataId: 0125.05a3Organizational.2-05.a
Category: 01 Information Protection Program
Title: 0125.05a3Organizational.2-05.a 05.01 Internal Organization
Owner: Shared
Requirements: n/a
Description: Annual risk assessments are performed by an independent organization.
Policy#: 8
Control Domain: hipaa
Control: 0618.09b1System.1-09.b
Name: hipaa-0618.09b1System.1-09.b
MetadataId: 0618.09b1System.1-09.b
Category: 06 Configuration Management
Title: 0618.09b1System.1-09.b 09.01 Documented Operating Procedures
Owner: Shared
Requirements: n/a
Description: Changes to information assets, including systems, networks, and network services, are controlled and archived.
Policy#: 16
Control Domain: hipaa
Control: 0638.10k2Organizational.34569-10.k
Name: hipaa-0638.10k2Organizational.34569-10.k
MetadataId: 0638.10k2Organizational.34569-10.k
Category: 06 Configuration Management
Title: 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes
Owner: Shared
Requirements: n/a
Description: Changes are formally controlled, documented, and enforced in order to minimize the corruption of information systems.
Policy#: 14
Control Domain: hipaa
Control: 0641.10k2Organizational.11-10.k
Name: hipaa-0641.10k2Organizational.11-10.k
MetadataId: 0641.10k2Organizational.11-10.k
Category: 06 Configuration Management
Title: 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes
Owner: Shared
Requirements: n/a
Description: The organization does not use automated updates on critical systems.
Policy#: 13
Control Domain: hipaa
Control: 0643.10k3Organizational.3-10.k
Name: hipaa-0643.10k3Organizational.3-10.k
MetadataId: 0643.10k3Organizational.3-10.k
Category: 06 Configuration Management
Title: 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes
Owner: Shared
Requirements: n/a
Description: The organization (i) establishes and documents mandatory configuration settings for information technology products employed within the information system using the latest security configuration baselines; (ii) identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements; and, (iii) monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
Policy#: 17
Control Domain: hipaa
Control: 0672.10k3System.5-10.k
Name: hipaa-0672.10k3System.5-10.k
MetadataId: 0672.10k3System.5-10.k
Category: 06 Configuration Management
Title: 0672.10k3System.5-10.k 10.05 Security In Development and Support Processes
Owner: Shared
Requirements: n/a
Description: The integrity of all virtual machine images is ensured at all times by (i) logging and raising an alert for any changes made to virtual machine images, and (ii) making available to the business owner(s) and/or customer(s) through electronic methods (e.g., portals or alerts) the results of a change or move and the subsequent validation of the image's integrity.
Policy#: 12
Control Domain: hipaa
Control: 069.06g2Organizational.56-06.g
Name: hipaa-069.06g2Organizational.56-06.g
MetadataId: 069.06g2Organizational.56-06.g
Category: 06 Configuration Management
Title: 069.06g2Organizational.56-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
Owner: Shared
Requirements: n/a
Description: The internal security organization reviews and maintains records of compliance results (e.g., organization-defined metrics) in order to better track security trends within the organization, respond to the results of correlation and analysis, and address longer term areas of concern as part of its formal risk assessment process.
Policy#: 7
Control Domain: hipaa
Control: 0821.09m2Organizational.2-09.m
Name: hipaa-0821.09m2Organizational.2-09.m
MetadataId: 0821.09m2Organizational.2-09.m
Category: 08 Network Protection
Title: 0821.09m2Organizational.2-09.m 09.06 Network Security Management
Owner: Shared
Requirements: n/a
Description: The organization tests and approves all network connections and firewall, router, and switch configuration changes prior to implementation. Any deviations from the standard configuration or updates to the standard configuration are documented and approved in a change control system. All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, are also documented and recorded, with a specific business reason for each change, a specific individual's name responsible for that business need, and an expected duration of the need.
Policy#: 18
Control Domain: hipaa
Control: 0824.09m3Organizational.1-09.m
Name: hipaa-0824.09m3Organizational.1-09.m
MetadataId: 0824.09m3Organizational.1-09.m
Category: 08 Network Protection
Title: 0824.09m3Organizational.1-09.m 09.06 Network Security Management
Owner: Shared
Requirements: n/a
Description: The impact of the loss of network service to the business is defined.
Policy#: 10
Control Domain: hipaa
Control: 0863.09m2Organizational.910-09.m
Name: hipaa-0863.09m2Organizational.910-09.m
MetadataId: 0863.09m2Organizational.910-09.m
Category: 08 Network Protection
Title: 0863.09m2Organizational.910-09.m 09.06 Network Security Management
Owner: Shared
Requirements: n/a
Description: The organization builds a firewall configuration that restricts connections between untrusted networks and any system components in the covered information environment; and any changes to the firewall configuration are updated in the network diagram.
Policy#: 25
Control Domain: hipaa
Control: 1208.09aa3System.1-09.aa
Name: hipaa-1208.09aa3System.1-09.aa
MetadataId: 1208.09aa3System.1-09.aa
Category: 12 Audit Logging & Monitoring
Title: 1208.09aa3System.1-09.aa 09.10 Monitoring
Owner: Shared
Requirements: n/a
Description: Audit logs are maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes.
Policy#: 18
Control Domain: hipaa
Control: 1314.02e2Organizational.5-02.e
Name: hipaa-1314.02e2Organizational.5-02.e
MetadataId: 1314.02e2Organizational.5-02.e
Category: 13 Education, Training and Awareness
Title: 1314.02e2Organizational.5-02.e 02.03 During Employment
Owner: Shared
Requirements: n/a
Description: The organization conducts an internal annual review of the effectiveness of its security and privacy education and training program, and updates the program to reflect risks identified in the organization's risk assessment.
Policy#: 4
Control Domain: hipaa
Control: 1635.12b1Organizational.2-12.b
Name: hipaa-1635.12b1Organizational.2-12.b
MetadataId: 1635.12b1Organizational.2-12.b
Category: 16 Business Continuity & Disaster Recovery
Title: 1635.12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management
Owner: Shared
Requirements: n/a
Description: Information security aspects of business continuity are: (i) based on identifying events (or sequences of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters, acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and, (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy.
Policy#: 6
Control Domain: hipaa
Control: 1637.12b2Organizational.2-12.b
Name: hipaa-1637.12b2Organizational.2-12.b
MetadataId: 1637.12b2Organizational.2-12.b
Category: 16 Business Continuity & Disaster Recovery
Title: 1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management
Owner: Shared
Requirements: n/a
Description: Business impact analyses are used to evaluate the consequences of disasters, security failures, loss of service, and service availability.
Policy#: 8
Control Domain: hipaa
Control: 1638.12b2Organizational.345-12.b
Name: hipaa-1638.12b2Organizational.345-12.b
MetadataId: 1638.12b2Organizational.345-12.b
Category: 16 Business Continuity & Disaster Recovery
Title: 1638.12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management
Owner: Shared
Requirements: n/a
Description: Business continuity risk assessments: (i) are carried out annually with full involvement from owners of business resources and processes; (ii) consider all business processes and are not limited to information assets, but include the results specific to information security; and, (iii) identify, quantify, and prioritize risks against key business objectives and criteria relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities.
Policy#: 5
Control Domain: hipaa
Control: 1704.03b1Organizational.12-03.b
Name: hipaa-1704.03b1Organizational.12-03.b
MetadataId: 1704.03b1Organizational.12-03.b
Category: 17 Risk Management
Title: 1704.03b1Organizational.12-03.b 03.01 Risk Management Program
Owner: Shared
Requirements: n/a
Description: The organization performs risk assessments in a consistent way and at planned intervals, or when there are major changes to the organization's environment, and reviews the risk assessment results annually.
Policy#: 2
Control Domain: ISO27001-2013
Control: A.12.1.2
Name: ISO27001-2013_A.12.1.2
MetadataId: ISO 27001:2013 A.12.1.2
Category: Operations Security
Title: Change management
Owner: Shared
Requirements: n/a
Description: Changes to organization, business processes, information processing facilities and systems that affect information security shall be controlled.
Policy#: 27
Control Domain: ISO27001-2013
Control: A.12.5.1
Name: ISO27001-2013_A.12.5.1
MetadataId: ISO 27001:2013 A.12.5.1
Category: Operations Security
Title: Installation of software on operational systems
Owner: Shared
Requirements: n/a
Description: Procedures shall be implemented to control the installation of software on operational systems.
Policy#: 18
Control Domain: ISO27001-2013
Control: A.12.6.1
Name: ISO27001-2013_A.12.6.1
MetadataId: ISO 27001:2013 A.12.6.1
Category: Operations Security
Title: Management of technical vulnerabilities
Owner: Shared
Requirements: n/a
Description: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
Policy#: 11
Control Domain: ISO27001-2013
Control: A.12.6.2
Name: ISO27001-2013_A.12.6.2
MetadataId: ISO 27001:2013 A.12.6.2
Category: Operations Security
Title: Restrictions on software installation
Owner: Shared
Requirements: n/a
Description: Rules governing the installation of software by users shall be established and implemented.
Policy#: 18
Control Domain: ISO27001-2013
Control: A.14.2.2
Name: ISO27001-2013_A.14.2.2
MetadataId: ISO 27001:2013 A.14.2.2
Category: System Acquisition, Development And Maintenance
Title: System change control procedures
Owner: Shared
Requirements: n/a
Description: Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
Policy#: 25
Control Domain: ISO27001-2013
Control: A.14.2.3
Name: ISO27001-2013_A.14.2.3
MetadataId: ISO 27001:2013 A.14.2.3
Category: System Acquisition, Development And Maintenance
Title: Technical review of applications after operating platform changes
Owner: Shared
Requirements: n/a
Description: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
Policy#: 18
Control Domain: ISO27001-2013
Control: A.14.2.4
Name: ISO27001-2013_A.14.2.4
MetadataId: ISO 27001:2013 A.14.2.4
Category: System Acquisition, Development And Maintenance
Title: Restrictions on changes to software packages
Owner: Shared
Requirements: n/a
Description: Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.
Policy#: 24
Control Domain: ISO27001-2013
Control: C.6.1.2.c.1
Name: ISO27001-2013_C.6.1.2.c.1
MetadataId: ISO 27001:2013 C.6.1.2.c.1
Category: Planning
Title: Information security risk assessment
Owner: Shared
Requirements: n/a
Description:
The organization shall define and apply an information security risk assessment process that:
c) identifies the information security risks:
- 1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system.
The organization shall retain documented information about the information security risk assessment process.
Policy#: 2
Control Domain: ISO27001-2013
Control: C.6.1.2.c.2
Name: ISO27001-2013_C.6.1.2.c.2
MetadataId: ISO 27001:2013 C.6.1.2.c.2
Category: Planning
Title: Information security risk assessment
Owner: Shared
Requirements: n/a
Description:
The organization shall define and apply an information security risk assessment process that:
c) identifies the information security risks:
- 2) identify the risk owners.
The organization shall retain documented information about the information security risk assessment process.
Policy#: 2
Control Domain: ISO27001-2013
Control: C.6.1.2.d.1
Name: ISO27001-2013_C.6.1.2.d.1
MetadataId: ISO 27001:2013 C.6.1.2.d.1
Category: Planning
Title: Information security risk assessment
Owner: Shared
Requirements: n/a
Description:
The organization shall define and apply an information security risk assessment process that:
d) analyses the information security risks:
- 1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize.
The organization shall retain documented information about the information security risk assessment process.
Policy#: 2
Control Domain: ISO27001-2013
Control: C.6.1.2.d.2
Name: ISO27001-2013_C.6.1.2.d.2
MetadataId: ISO 27001:2013 C.6.1.2.d.2
Category: Planning
Title: Information security risk assessment
Owner: Shared
Requirements: n/a
Description:
The organization shall define and apply an information security risk assessment process that:
d) analyses the information security risks:
- 2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1).
The organization shall retain documented information about the information security risk assessment process.
Policy#: 2
Control Domain: ISO27001-2013
Control: C.6.1.2.d.3
Name: ISO27001-2013_C.6.1.2.d.3
MetadataId: ISO 27001:2013 C.6.1.2.d.3
Category: Planning
Title: Information security risk assessment
Owner: Shared
Requirements: n/a
Description:
The organization shall define and apply an information security risk assessment process that:
d) analyses the information security risks:
- 3) determine the levels of risk.
The organization shall retain documented information about the information security risk assessment process.
Policy#: 2
Control Domain: ISO27001-2013
Control: C.6.1.2.e.1
Name: ISO27001-2013_C.6.1.2.e.1
MetadataId: ISO 27001:2013 C.6.1.2.e.1
Category: Planning
Title: Information security risk assessment
Owner: Shared
Requirements: n/a
Description:
The organization shall define and apply an information security risk assessment process that:
e) evaluates the information security risks:
- 1) compare the results of risk analysis with the risk criteria established in 6.1.2 a).
The organization shall retain documented information about the information security risk assessment process.
Policy#: 2
Control Domain: ISO27001-2013
Control: C.6.1.2.e.2
Name: ISO27001-2013_C.6.1.2.e.2
MetadataId: ISO 27001:2013 C.6.1.2.e.2
Category: Planning
Title: Information security risk assessment
Owner: Shared
Requirements: n/a
Description:
The organization shall define and apply an information security risk assessment process that:
e) evaluates the information security risks:
- 2) prioritize the analysed risks for risk treatment.
The organization shall retain documented information about the information security risk assessment process.
Policy#: 2
Control Domain: ISO27001-2013
Control: C.8.1
Name: ISO27001-2013_C.8.1
MetadataId: ISO 27001:2013 C.8.1
Category: Operation
Title: Operational planning and control
Owner: Shared
Requirements: n/a
Description:
The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2.
The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that outsourced processes are determined and controlled.
Policy#: 21
Control Domain: ISO27001-2013
Control: C.8.2
Name: ISO27001-2013_C.8.2
MetadataId: ISO 27001:2013 C.8.2
Category: Operation
Title: Information security risk assessment
Owner: Shared
Requirements: n/a
Description:
The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
The organization shall retain documented information of the results of the information security risk assessments.
Policy#: 3
Control: mp.eq.2 User session lockout
Name: mp.eq.2 User session lockout
Requirements: n/a
Description: n/a
Policy#: 29
Control: mp.sw.2 Acceptance and commissioning
Name: mp.sw.2 Acceptance and commissioning
Requirements: n/a
Description: n/a
Policy#: 59
Control Domain: NIST_SP_800-171_R2
Control: 3.11.1
Name: NIST_SP_800-171_R2_3.11.1
MetadataId: NIST SP 800-171 R2 3.11.1
Category: Risk Assessment
Title: Periodically assess the risk to organizational operations, organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI
Owner: Shared
Requirements: Microsoft and the customer share responsibilities for implementing this requirement.
Description: Clearly defined system boundaries are a prerequisite for effective risk assessments. Such risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations, organizational assets, and individuals based on the operation and use of organizational systems. Risk assessments also consider risk from external parties (e.g., service providers, contractors operating systems on behalf of the organization, individuals accessing organizational systems, outsourcing entities). Risk assessments, either formal or informal, can be conducted at the organization level, the mission or business process level, or the system level, and at any phase in the system development life cycle. [SP 800-30] provides guidance on conducting risk assessments.
Policy#: 2
Control Domain: NIST_SP_800-171_R2
Control: 3.4.3
Name: NIST_SP_800-171_R2_3.4.3
MetadataId: NIST SP 800-171 R2 3.4.3
Category: Configuration Management
Title: Track, review, approve or disapprove, and log changes to organizational systems.
Owner: Shared
Requirements: Microsoft and the customer share responsibilities for implementing this requirement.
Description: Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled and unauthorized changes, and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes to systems. For new development systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards or Change Advisory Boards. Audit logs of changes include activities before and after changes are made to organizational systems and the activities required to implement such changes. [SP 800-128] provides guidance on configuration change control.
Policy#: 15
NIST_SP_800-171_R2 |
3.4.4 |
NIST_SP_800-171_R2_3.4.4 |
NIST SP 800-171 R2 3.4.4 |
Configuration Management |
Analyze the security impact of changes prior to implementation. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizational personnel with information security responsibilities (e.g., system administrators, system security officers, system security managers, and systems security engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the associated security ramifications. Security impact analysis may include reviewing security plans to understand security requirements and reviewing system design documentation to understand the implementation of controls and how specific changes might affect the controls. Security impact analyses may also include risk assessments to better understand the impact of the changes and to determine if additional controls are required. [SP 800-128] provides guidance on configuration change control and security impact analysis. |
link |
8 |
NIST_SP_800-53_R4 |
CM-3 |
NIST_SP_800-53_R4_CM-3 |
NIST SP 800-53 Rev. 4 CM-3 |
Configuration Management |
Configuration Change Control |
Shared |
n/a |
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
Supplemental Guidance: Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12.
References: NIST Special Publication 800-128. |
link |
8 |
NIST_SP_800-53_R4 |
CM-4 |
NIST_SP_800-53_R4_CM-4 |
NIST SP 800-53 Rev. 4 CM-4 |
Configuration Management |
Security Impact Analysis |
Shared |
n/a |
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
Supplemental Guidance: Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems. Related controls: CA-2, CA-7, CM-3, CM-9, SA-4, SA-5, SA-10, SI-2.
References: NIST Special Publication 800-128. |
link |
8 |
NIST_SP_800-53_R4 |
RA-3 |
NIST_SP_800-53_R4_RA-3 |
NIST SP 800-53 Rev. 4 RA-3 |
Risk Assessment |
Risk Assessment |
Shared |
n/a |
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9.
Control Enhancements: None.
References: OMB Memorandum 04-04; NIST Special Publication 800-30, 800-39; Web: idmanagement.gov. |
link |
4 |
NIST_SP_800-53_R5 |
CM-3 |
NIST_SP_800-53_R5_CM-3 |
NIST SP 800-53 Rev. 5 CM-3 |
Configuration Management |
Configuration Change Control |
Shared |
n/a |
a. Determine and document the types of changes to the system that are configuration-controlled;
b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
c. Document configuration change decisions associated with the system;
d. Implement approved configuration-controlled changes to the system;
e. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period];
f. Monitor and review activities associated with configuration-controlled changes to the system; and
g. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (OneOrMore): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration change conditions]]. |
link |
8 |
NIST_SP_800-53_R5 |
CM-4 |
NIST_SP_800-53_R5_CM-4 |
NIST SP 800-53 Rev. 5 CM-4 |
Configuration Management |
Impact Analyses |
Shared |
n/a |
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. |
link |
8 |
NIST_SP_800-53_R5 |
RA-3 |
NIST_SP_800-53_R5_RA-3 |
NIST SP 800-53 Rev. 5 RA-3 |
Risk Assessment |
Risk Assessment |
Shared |
n/a |
a. Conduct a risk assessment, including:
1. Identifying threats to and vulnerabilities in the system;
2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
c. Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]];
d. Review risk assessment results [Assignment: organization-defined frequency];
e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and
f. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. |
link |
4 |
|
op.exp.4 Security maintenance and updates |
op.exp.4 Security maintenance and updates |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
op.exp.5 Change management |
op.exp.5 Change management |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
op.pl.1 Risk analysis |
op.pl.1 Risk analysis |
404 not found |
|
|
|
n/a |
n/a |
|
70 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
126 |
PCI_DSS_v4.0 |
1.2.2 |
PCI_DSS_v4.0_1.2.2 |
PCI DSS v4.0 1.2.2 |
Requirement 01: Install and Maintain Network Security Controls |
Network security controls (NSCs) are configured and maintained |
Shared |
n/a |
All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1. |
link |
8 |
PCI_DSS_v4.0 |
12.3.1 |
PCI_DSS_v4.0_12.3.1 |
PCI DSS v4.0 12.3.1 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risks to the cardholder data environment are formally identified, evaluated, and managed |
Shared |
n/a |
Each PCI DSS requirement that provides flexibility for how frequently it is performed (for example, requirements to be performed periodically) is supported by a targeted risk analysis that is documented and includes:
• Identification of the assets being protected.
• Identification of the threat(s) that the requirement is protecting against.
• Identification of factors that contribute to the likelihood and/or impact of a threat being realized.
• Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized.
• Review of each targeted risk analysis at least once every 12 months to determine whether the results are still valid or if an updated risk analysis is needed.
• Performance of updated risk analyses when needed, as determined by the annual review. |
link |
4 |
PCI_DSS_v4.0 |
12.3.2 |
PCI_DSS_v4.0_12.3.2 |
PCI DSS v4.0 12.3.2 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risks to the cardholder data environment are formally identified, evaluated, and managed |
Shared |
n/a |
A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach, to include:
• Documented evidence detailing each element specified in Appendix D: Customized Approach (including, at a minimum, a controls matrix and risk analysis).
• Approval of documented evidence by senior management.
• Performance of the targeted analysis of risk at least once every 12 months. |
link |
4 |
PCI_DSS_v4.0 |
5.2.3.1 |
PCI_DSS_v4.0_5.2.3.1 |
PCI DSS v4.0 5.2.3.1 |
Requirement 05: Protect All Systems and Networks from Malicious Software |
Malicious software (malware) is prevented, or detected and addressed |
Shared |
n/a |
The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. |
link |
3 |
PCI_DSS_v4.0 |
5.3.5 |
PCI_DSS_v4.0_5.3.5 |
PCI DSS v4.0 5.3.5 |
Requirement 05: Protect All Systems and Networks from Malicious Software |
Anti-malware mechanisms and processes are active, maintained, and monitored |
Shared |
n/a |
Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period. |
link |
8 |
PCI_DSS_v4.0 |
6.5.1 |
PCI_DSS_v4.0_6.5.1 |
PCI DSS v4.0 6.5.1 |
Requirement 06: Develop and Maintain Secure Systems and Software |
Changes to all system components are managed securely |
Shared |
n/a |
Changes to all system components in the production environment are made according to established procedures that include:
• Reason for, and description of, the change.
• Documentation of security impact.
• Documented change approval by authorized parties.
• Testing to verify that the change does not adversely impact system security.
• For bespoke and custom software changes, all updates are tested for compliance with Requirement 6.2.4 before being deployed into production.
• Procedures to address failures and return to a secure state. |
link |
8 |
SOC_2 |
CC3.1 |
SOC_2_CC3.1 |
SOC 2 Type 2 CC3.1 |
Risk Assessment |
COSO Principle 6 |
Shared |
The customer is responsible for implementing this recommendation. |
• Reflects Management's Choices — Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity.
• Considers Tolerances for Risk — Management considers the acceptable levels of variation relative to the achievement of operations objectives.
• Includes Operations and Financial Performance Goals — The organization reflects the desired level of operations and financial performance for the entity within operations objectives.
• Forms a Basis for Committing of Resources — Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance.
External Financial Reporting Objectives
• Complies With Applicable Accounting Standards — Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances.
• Considers Materiality — Management considers materiality in financial statement presentation.
• Reflects Entity Activities — External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions.
External Nonfinancial Reporting Objectives
• Complies With Externally Established Frameworks — Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations.
• Considers the Required Level of Precision — Management reflects the required level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting.
• Reflects Entity Activities — External reporting reflects the underlying transactions and events within a range of acceptable limits.
Internal Reporting Objectives
• Reflects Management's Choices — Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity.
• Considers the Required Level of Precision — Management reflects the required level of precision and accuracy suitable for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives.
• Reflects Entity Activities — Internal reporting reflects the underlying transactions and events within a range of acceptable limits.
Compliance Objectives
• Reflects External Laws and Regulations — Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives.
• Considers Tolerances for Risk — Management considers the acceptable levels of variation relative to the achievement of operations objectives |
|
7 |
SOC_2 |
CC3.2 |
SOC_2_CC3.2 |
SOC 2 Type 2 CC3.2 |
Risk Assessment |
COSO Principle 7 |
Shared |
The customer is responsible for implementing this recommendation. |
Points of focus specified in the COSO framework:
• Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels — The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives.
• Analyzes Internal and External Factors — Risk identification considers both internal and external factors and their impact on the achievement of objectives.
• Involves Appropriate Levels of Management — The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management.
• Estimates Significance of Risks Identified — Identified risks are analyzed through a process that includes estimating the potential significance of the risk.
• Determines How to Respond to Risks — Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk.
Additional points of focus specifically related to all engagements using the trust services criteria:
• Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities — The entity's risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identified assets.
• Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties — The entity's risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and others with access to the entity's information systems.
• Considers the Significance of the Risk — The entity’s consideration of the potential significance of the identified risks includes (1) determining the criticality of identified assets in meeting objectives; (2) assessing the impact of identified threats and vulnerabilities in meeting objectives; (3) assessing the likelihood of identified threats; and (4) determining the risk associated with assets based on asset criticality, threat impact, and likelihood. |
|
11 |
SOC_2 |
CC3.3 |
SOC_2_CC3.3 |
SOC 2 Type 2 CC3.3 |
Risk Assessment |
COSO Principle 8 |
Shared |
The customer is responsible for implementing this recommendation. |
• Considers Various Types of Fraud — The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.
• Assesses Incentives and Pressures — The assessment of fraud risks considers incentives and pressures.
• Assesses Opportunities — The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering the entity’s reporting records, or committing other inappropriate acts.
• Assesses Attitudes and Rationalizations — The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions.
Additional point of focus specifically related to all engagements using the trust services criteria:
• Considers the Risks Related to the Use of IT and Access to Information — The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information |
|
1 |
SOC_2 |
CC3.4 |
SOC_2_CC3.4 |
SOC 2 Type 2 CC3.4 |
Risk Assessment |
COSO Principle 9 |
Shared |
The customer is responsible for implementing this recommendation. |
• Assesses Changes in the External Environment — The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates.
• Assesses Changes in the Business Model — The entity considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies.
• Assesses Changes in Leadership — The entity considers changes in management and respective attitudes and philosophies on the system of internal control.
Additional point of focus specifically related to all engagements using the trust services criteria:
• Assesses Changes in Systems and Technology — The risk identification process considers changes arising from changes in the entity’s systems and changes in the technology environment.
• Assesses Changes in Vendor and Business Partner Relationships — The risk identification process considers changes in vendor and business partner relationships |
|
6 |
SOC_2 |
CC5.1 |
SOC_2_CC5.1 |
SOC 2 Type 2 CC5.1 |
Control Activities |
COSO Principle 10 |
Shared |
The customer is responsible for implementing this recommendation. |
• Integrates With Risk Assessment — Control activities help ensure that risk responses that address and mitigate risks are carried out.
• Considers Entity-Specific Factors — Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities.
• Determines Relevant Business Processes — Management determines which relevant business processes require control activities.
• Evaluates a Mix of Control Activity Types — Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls.
• Considers at What Level Activities Are Applied — Management considers control activities at various levels in the entity.
• Addresses Segregation of Duties — Management segregates incompatible duties and, where such segregation is not practical, management selects and develops alternative control activities. |
|
2 |
SOC_2 |
CC5.2 |
SOC_2_CC5.2 |
SOC 2 Type 2 CC5.2 |
Control Activities |
COSO Principle 11 |
Shared |
The customer is responsible for implementing this recommendation. |
• Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls — Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls.
• Establishes Relevant Technology Infrastructure Control Activities — Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
• Establishes Relevant Security Management Process Controls Activities — Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats.
• Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities — Management selects and develops control activities over the acquisition, development and maintenance of technology and its infrastructure to achieve management's objectives. |
|
18 |
SOC_2 |
CC5.3 |
SOC_2_CC5.3 |
SOC 2 Type 2 CC5.3 |
Control Activities |
COSO Principle 12 |
Shared |
The customer is responsible for implementing this recommendation. |
• Establishes Policies and Procedures to Support Deployment of Management’s Directives — Management establishes control activities that are built into business processes and employees’ day-to-day activities through policies establishing what is expected and relevant procedures specifying actions.
• Establishes Responsibility and Accountability for Executing Policies and Procedures — Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside.
• Performs in a Timely Manner — Responsible personnel perform control activities in a timely manner as defined by the policies and procedures.
• Takes Corrective Action — Responsible personnel investigate and act on matters identified as a result of executing control activities.
• Performs Using Competent Personnel — Competent personnel with sufficient authority perform control activities with diligence and continuing focus.
• Reassesses Policies and Procedures — Management periodically reviews control activities to determine their continued relevance and refreshes them when necessary |
|
4 |
SOC_2 |
CC8.1 |
SOC_2_CC8.1 |
SOC 2 Type 2 CC8.1 |
Change Management |
Changes to infrastructure, data, and software |
Shared |
The customer is responsible for implementing this recommendation. |
• Manages Changes Throughout the System Life Cycle — A process for managing system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and processing integrity.
• Authorizes Changes — A process is in place to authorize system changes prior to development.
• Designs and Develops Changes — A process is in place to design and develop system changes.
• Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities.
• Tracks System Changes — A process is in place to track system changes prior to implementation.
• Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software.
• Tests System Changes — A process is in place to test system changes prior to implementation.
• Approves System Changes — A process is in place to approve system changes prior to implementation.
• Deploys System Changes — A process is in place to implement system changes.
• Identifies and Evaluates System Changes — Objectives affected by system changes are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle.
• Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents — Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified and the change process is initiated upon identification.
• Creates Baseline Configuration of IT Technology — A baseline configuration of IT and control systems is created and maintained.
• Provides for Changes Necessary in Emergency Situations — A process is in place for authorizing, designing, testing, approving, and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent time frame).
Additional points of focus that apply only in an engagement using the trust services criteria for confidentiality:
• Protects Confidential Information — The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality.
Additional points of focus that apply only in an engagement using the trust services criteria for privacy:
• Protects Personal Information — The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy. |
|
52 |
SOC_2 |
CC9.1 |
SOC_2_CC9.1 |
SOC 2 Type 2 CC9.1 |
Risk Mitigation |
Risk mitigation activities |
Shared |
The customer is responsible for implementing this recommendation. |
• Considers Mitigation of Risks of Business Disruption — Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes, information, and communications to meet the entity's objectives during response, mitigation, and recovery efforts.
• Considers the Use of Insurance to Mitigate Financial Impact Risks — The risk management activities consider the use of insurance to offset the financial impact of loss events that would otherwise impair the ability of the entity to meet its objectives |
|
3 |
SWIFT_CSCF_v2022 |
2.3 |
SWIFT_CSCF_v2022_2.3 |
SWIFT CSCF v2022 2.3 |
2. Reduce Attack Surface and Vulnerabilities |
Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. |
Shared |
n/a |
Security hardening is conducted and maintained on all in-scope components. |
link |
25 |
SWIFT_CSCF_v2022 |
7.4A |
SWIFT_CSCF_v2022_7.4A |
SWIFT CSCF v2022 7.4A |
7. Plan for Incident Response and Information Sharing |
Evaluate the risk and readiness of the organisation based on plausible cyber-attack scenarios. |
Shared |
n/a |
Scenario-based risk assessments are conducted regularly to improve incident response preparedness and to increase the maturity of the organisation’s security programme. |
link |
7 |