The compliance controls below are associated with this Policy definition 'Run simulation attacks' (a8f9c283-9a66-3eb3-9e10-bdba95b85884).

| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| FedRAMP_High_R4 | IR-3 | FedRAMP_High_R4_IR-3 | FedRAMP High IR-3 | Incident Response | Incident Response Testing | Shared | n/a | The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results. Supplemental Guidance: Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8. References: NIST Special Publications 800-84, 800-115. | link | 3 |
| FedRAMP_High_R4 | IR-3(2) | FedRAMP_High_R4_IR-3(2) | FedRAMP High IR-3 (2) | Incident Response | Coordination With Related Plans | Shared | n/a | The organization coordinates incident response testing with organizational elements responsible for related plans. Supplemental Guidance: Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans. | link | 3 |
| FedRAMP_High_R4 | PE-13(1) | FedRAMP_High_R4_PE-13(1) | FedRAMP High PE-13 (1) | Physical And Environmental Protection | Detection Devices / Systems | Shared | n/a | The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. | link | 3 |
| FedRAMP_Moderate_R4 | IR-3 | FedRAMP_Moderate_R4_IR-3 | FedRAMP Moderate IR-3 | Incident Response | Incident Response Testing | Shared | n/a | The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results. Supplemental Guidance: Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8. References: NIST Special Publications 800-84, 800-115. | link | 3 |
| FedRAMP_Moderate_R4 | IR-3(2) | FedRAMP_Moderate_R4_IR-3(2) | FedRAMP Moderate IR-3 (2) | Incident Response | Coordination With Related Plans | Shared | n/a | The organization coordinates incident response testing with organizational elements responsible for related plans. Supplemental Guidance: Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans. | link | 3 |
| hipaa | 12102.09ab1Organizational.4-09.ab | hipaa-12102.09ab1Organizational.4-09.ab | 12102.09ab1Organizational.4-09.ab | 12 Audit Logging & Monitoring | 12102.09ab1Organizational.4-09.ab 09.10 Monitoring | Shared | n/a | The organization periodically tests its monitoring and detection processes, remediates deficiencies, and improves its processes. | | 7 |
| hipaa | 1331.02e3Organizational.4-02.e | hipaa-1331.02e3Organizational.4-02.e | 1331.02e3Organizational.4-02.e | 13 Education, Training and Awareness | 1331.02e3Organizational.4-02.e 02.03 During Employment | Shared | n/a | The organization trains workforce members on how to properly respond to perimeter security alarms. | | 6 |
| hipaa | 1505.11a1Organizational.13-11.a | hipaa-1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a | 15 Incident Management | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Shared | n/a | A formal security incident response program has been established to respond, report (without fear of repercussion), escalate and treat breaches and reported security events or incidents. Organization-wide standards are specified for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting includes notifying internal and external stakeholders, the appropriate community Computer Emergency Response Team, and law enforcement agencies in accordance with all legal or regulatory requirements for involving such organizations in computer incidents. | | 19 |
| hipaa | 1509.11a2Organizational.236-11.a | hipaa-1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a | 15 Incident Management | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Shared | n/a | The incident management program formally defines information security incidents and the phases of incident response; roles and responsibilities; incident handling, reporting and communication processes; third-party relationships and the handling of third-party breaches; and the supporting forensics program. The organization formally assigns job titles and duties for handling computer and network security incidents to specific individuals and identifies management personnel who will support the incident handling process by acting in key decision-making roles. | | 17 |
| hipaa | 1510.11a2Organizational.47-11.a | hipaa-1510.11a2Organizational.47-11.a | 1510.11a2Organizational.47-11.a | 15 Incident Management | 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Shared | n/a | Reports and communications are made without unreasonable delay and no later than 60 days after the discovery of an incident, unless otherwise stated by law enforcement orally or in writing, and include the necessary elements. | | 11 |
| hipaa | 1516.11c1Organizational.12-11.c | hipaa-1516.11c1Organizational.12-11.c | 1516.11c1Organizational.12-11.c | 15 Incident Management | 1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements | Shared | n/a | The security incident response program accounts for and prepares the organization for a variety of incidents. | | 10 |
| hipaa | 1520.11c2Organizational.4-11.c | hipaa-1520.11c2Organizational.4-11.c | 1520.11c2Organizational.4-11.c | 15 Incident Management | 1520.11c2Organizational.4-11.c 11.02 Management of Information Security Incidents and Improvements | Shared | n/a | The incident response plan is communicated to the appropriate individuals throughout the organization. | | 8 |
| hipaa | 1521.11c2Organizational.56-11.c | hipaa-1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c | 15 Incident Management | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | Shared | n/a | Testing exercises are planned, coordinated, executed, and documented periodically, at least annually, using reviews, analyses, and simulations to determine incident response effectiveness. Testing includes personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team. | | 16 |
| hipaa | 1560.11d1Organizational.1-11.d | hipaa-1560.11d1Organizational.1-11.d | 1560.11d1Organizational.1-11.d | 15 Incident Management | 1560.11d1Organizational.1-11.d 11.02 Management of Information Security Incidents and Improvements | Shared | n/a | The information gained from the evaluation of information security incidents is used to identify recurring or high-impact incidents, and update the incident response and recovery strategy. | | 8 |
| hipaa | 1562.11d2Organizational.2-11.d | hipaa-1562.11d2Organizational.2-11.d | 1562.11d2Organizational.2-11.d | 15 Incident Management | 1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements | Shared | n/a | The organization coordinates incident handling activities with contingency planning activities. | | 12 |
| hipaa | 1563.11d2Organizational.3-11.d | hipaa-1563.11d2Organizational.3-11.d | 1563.11d2Organizational.3-11.d | 15 Incident Management | 1563.11d2Organizational.3-11.d 11.02 Management of Information Security Incidents and Improvements | Shared | n/a | The organization incorporates lessons learned from ongoing incident handling activities and industry developments into incident response procedures, training and testing exercises, and implements the resulting changes accordingly. | | 4 |
| hipaa | 1589.11c1Organizational.5-11.c | hipaa-1589.11c1Organizational.5-11.c | 1589.11c1Organizational.5-11.c | 15 Incident Management | 1589.11c1Organizational.5-11.c 11.02 Management of Information Security Incidents and Improvements | Shared | n/a | The organization tests and/or exercises its incident response capability regularly. | | 4 |
| hipaa | 1814.08d1Organizational.12-08.d | hipaa-1814.08d1Organizational.12-08.d | 1814.08d1Organizational.12-08.d | 18 Physical & Environmental Security | 1814.08d1Organizational.12-08.d 08.01 Secure Areas | Shared | n/a | Fire extinguishers and detectors are installed according to applicable laws and regulations. | | 3 |
| hipaa | 1815.08d2Organizational.123-08.d | hipaa-1815.08d2Organizational.123-08.d | 1815.08d2Organizational.123-08.d | 18 Physical & Environmental Security | 1815.08d2Organizational.123-08.d 08.01 Secure Areas | Shared | n/a | Fire prevention and suppression mechanisms, including workforce training, are provided. | | 3 |
| hipaa | 1818.08d3Organizational.3-08.d | hipaa-1818.08d3Organizational.3-08.d | 1818.08d3Organizational.3-08.d | 18 Physical & Environmental Security | 1818.08d3Organizational.3-08.d 08.01 Secure Areas | Shared | n/a | Fire suppression and detection systems are supported by an independent energy source. | | 3 |
| hipaa | 1862.08d1Organizational.3-08.d | hipaa-1862.08d1Organizational.3-08.d | 1862.08d1Organizational.3-08.d | 18 Physical & Environmental Security | 1862.08d1Organizational.3-08.d 08.01 Secure Areas | Shared | n/a | Fire authorities are automatically notified when a fire alarm is activated. | | 2 |
| NIST_SP_800-171_R2 | 3.6.3 | NIST_SP_800-171_R2_3.6.3 | NIST SP 800-171 R2 3.6.3 | Incident response | Test the organizational incident response capability. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, simulations (both parallel and full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. [SP 800-84] provides guidance on testing programs for information technology capabilities. | link | 3 |
| NIST_SP_800-53_R4 | IR-3 | NIST_SP_800-53_R4_IR-3 | NIST SP 800-53 Rev. 4 IR-3 | Incident Response | Incident Response Testing | Shared | n/a | The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results. Supplemental Guidance: Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8. References: NIST Special Publications 800-84, 800-115. | link | 3 |
| NIST_SP_800-53_R4 | IR-3(2) | NIST_SP_800-53_R4_IR-3(2) | NIST SP 800-53 Rev. 4 IR-3 (2) | Incident Response | Coordination With Related Plans | Shared | n/a | The organization coordinates incident response testing with organizational elements responsible for related plans. Supplemental Guidance: Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans. | link | 3 |
| NIST_SP_800-53_R4 | PE-13(1) | NIST_SP_800-53_R4_PE-13(1) | NIST SP 800-53 Rev. 4 PE-13 (1) | Physical And Environmental Protection | Detection Devices / Systems | Shared | n/a | The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. | link | 3 |
| NIST_SP_800-53_R5 | IR-3 | NIST_SP_800-53_R5_IR-3 | NIST SP 800-53 Rev. 5 IR-3 | Incident Response | Incident Response Testing | Shared | n/a | Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests]. | link | 3 |
| NIST_SP_800-53_R5 | IR-3(2) | NIST_SP_800-53_R5_IR-3(2) | NIST SP 800-53 Rev. 5 IR-3 (2) | Incident Response | Coordination with Related Plans | Shared | n/a | Coordinate incident response testing with organizational elements responsible for related plans. | link | 3 |
| NIST_SP_800-53_R5 | PE-13(1) | NIST_SP_800-53_R5_PE-13(1) | NIST SP 800-53 Rev. 5 PE-13 (1) | Physical and Environmental Protection | Detection Systems - Automatic Activation and Notification | Shared | n/a | Employ fire detection systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. | link | 3 |
| SOC_2 | A1.2 | SOC_2_A1.2 | SOC 2 Type 2 A1.2 | Additional Criteria For Availability | Environmental protections, software, data back-up processes, and recovery infrastructure | Shared | The customer is responsible for implementing this recommendation. | • Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water. • Designs Detection Measures — Detection measures are implemented to identify anomalies that could result from environmental threat events. • Implements and Maintains Environmental Protection Mechanisms — Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events. • Implements Alerts to Analyze Anomalies — Management implements alerts that are communicated to personnel for analysis to identify environmental threat events. • Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator backup subsystem). • Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary. • Determines Data Requiring Backup — Data is evaluated to determine whether backup is required. • Performs Data Backup — Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur. • Addresses Offsite Storage — Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. • Implements Alternate Processing Infrastructure — Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. | | 13 |
| SOC_2 | CC7.5 | SOC_2_CC7.5 | SOC 2 Type 2 CC7.5 | System Operations | Recovery from identified security incidents | Shared | The customer is responsible for implementing this recommendation. | • Restores the Affected Environment — The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed. • Communicates Information About the Event — Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external). • Determines Root Cause of the Event — The root cause of the event is determined. • Implements Changes to Prevent and Detect Recurrences — Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis. • Improves Response and Recovery Procedures — Lessons learned are analyzed and the incident-response plan and recovery procedures are improved. • Implements Incident-Recovery Plan Testing — Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results. | | 19 |
| SWIFT_CSCF_v2022 | 11.2 | SWIFT_CSCF_v2022_11.2 | SWIFT CSCF v2022 11.2 | 11. Monitor in case of Major Disaster | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Shared | n/a | Ensure a consistent and effective approach for the management of incidents (Problem Management). | link | 20 |
| SWIFT_CSCF_v2022 | 9.1 | SWIFT_CSCF_v2022_9.1 | SWIFT CSCF v2022 9.1 | 9. Ensure Availability through Resilience | Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. | Shared | n/a | Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. | link | 8 |
| SWIFT_CSCF_v2022 | 9.3 | SWIFT_CSCF_v2022_9.3 | SWIFT CSCF v2022 9.3 | 9. Ensure Availability through Resilience | Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. | Shared | n/a | Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. | link | 7 |