compliance controls are associated with this Policy definition 'Establish a threat intelligence program' (b0e3035d-6366-2e37-796e-8bcab9c649e6)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
FedRAMP_High_R4 |
SI-5 |
FedRAMP_High_R4_SI-5 |
FedRAMP High SI-5 |
System And Information Integrity |
Security Alerts, Advisories, And Directives |
Shared |
n/a |
The organization:
a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
Supplemental Guidance: The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects
on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2.
References: NIST Special Publication 800-40. |
link |
4 |
FedRAMP_Moderate_R4 |
SI-5 |
FedRAMP_Moderate_R4_SI-5 |
FedRAMP Moderate SI-5 |
System And Information Integrity |
Security Alerts, Advisories, And Directives |
Shared |
n/a |
The organization:
a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
Supplemental Guidance: The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects
on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2.
References: NIST Special Publication 800-40. |
link |
4 |
hipaa |
1222.09ab3System.8-09.ab |
hipaa-1222.09ab3System.8-09.ab |
1222.09ab3System.8-09.ab |
12 Audit Logging & Monitoring |
1222.09ab3System.8-09.ab 09.10 Monitoring |
Shared |
n/a |
The organization analyzes and correlates audit records across different repositories using a security information and event management (SIEM) tool or log analytics tools for log aggregation and consolidation from multiple systems/machines/devices, and correlates this information with input from non-technical sources to gain and enhance organization-wide situational awareness. Using the SIEM tool, the organization devise profiles of common events from given systems/machines/devices so that it can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts. |
|
10 |
hipaa |
1411.09f1System.1-09.f |
hipaa-1411.09f1System.1-09.f |
1411.09f1System.1-09.f |
14 Third Party Assurance |
1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery |
Shared |
n/a |
The results of monitoring activities of third-party services are compared against the Service Level Agreements or contracts at least annually. |
|
9 |
ISO27001-2013 |
A.6.1.4 |
ISO27001-2013_A.6.1.4 |
ISO 27001:2013 A.6.1.4 |
Organization of Information Security |
Contact with special interest groups |
Shared |
n/a |
Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. |
link |
6 |
NIST_SP_800-171_R2_3 |
.14.3 |
NIST_SP_800-171_R2_3.14.3 |
NIST SP 800-171 R2 3.14.3 |
System and Information Integrity |
Monitor system security alerts and advisories and take action in response. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations. [SP 800-161] provides guidance on supply chain risk management. |
link |
14 |
NIST_SP_800-53_R4 |
SI-5 |
NIST_SP_800-53_R4_SI-5 |
NIST SP 800-53 Rev. 4 SI-5 |
System And Information Integrity |
Security Alerts, Advisories, And Directives |
Shared |
n/a |
The organization:
a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
Supplemental Guidance: The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects
on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2.
References: NIST Special Publication 800-40. |
link |
4 |
NIST_SP_800-53_R5 |
SI-5 |
NIST_SP_800-53_R5_SI-5 |
NIST SP 800-53 Rev. 5 SI-5 |
System and Information Integrity |
Security Alerts, Advisories, and Directives |
Shared |
n/a |
a. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b. Generate internal security alerts, advisories, and directives as deemed necessary;
c. Disseminate security alerts, advisories, and directives to: [Selection (OneOrMore): [Assignment: organization-defined personnel or roles] ; [Assignment: organization-defined elements within the organization] ; [Assignment: organization-defined external organizations] ] ; and
d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. |
link |
4 |
|
op.exp.7 Incident management |
op.exp.7 Incident management |
404 not found |
|
|
|
n/a |
n/a |
|
103 |
|
op.mon.3 Monitoring |
op.mon.3 Monitoring |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
org.2 Security regulations |
org.2 Security regulations |
404 not found |
|
|
|
n/a |
n/a |
|
100 |
PCI_DSS_v4.0 |
12.3.4 |
PCI_DSS_v4.0_12.3.4 |
PCI DSS v4.0 12.3.4 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risks to the cardholder data environment are formally identified, evaluated, and managed |
Shared |
n/a |
Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following:
• Analysis that the technologies continue to receive security fixes from vendors promptly.
• Analysis that the technologies continue to support (and do not preclude) the entity’s PCI DSS compliance.
• Documentation of any industry announcements or trends related to a technology, such as when a vendor has announced “end of life” plans for a technology.
• Documentation of a plan, approved by senior management, to remediate outdated technologies, including those for which vendors have announced “end of life” plans. |
link |
3 |
PCI_DSS_v4.0 |
6.3.1 |
PCI_DSS_v4.0_6.3.1 |
PCI DSS v4.0 6.3.1 |
Requirement 06: Develop and Maintain Secure Systems and Software |
Security vulnerabilities are identified and addressed |
Shared |
n/a |
Security vulnerabilities are identified and managed as follows:
• New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs).
• Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.
• Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment.
• Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) are covered. |
link |
4 |