compliance controls are associated with this Policy definition 'Implement controls to secure alternate work sites' (cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
CIS_Azure_1.1.0 |
1.22 |
CIS_Azure_1.1.0_1.22 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.22 |
1 Identity and Access Management |
Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' |
Shared |
The customer is responsible for implementing this recommendation. |
Joining devices to the active directory should require Multi-factor authentication. |
link |
8 |
CIS_Azure_1.3.0 |
1.20 |
CIS_Azure_1.3.0_1.20 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.20 |
1 Identity and Access Management |
Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' |
Shared |
The customer is responsible for implementing this recommendation. |
Joining devices to the active directory should require Multi-factor authentication. |
link |
8 |
CIS_Azure_1.3.0 |
1.22 |
CIS_Azure_1.3.0_1.22 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.22 |
1 Identity and Access Management |
Ensure Security Defaults is enabled on Azure Active Directory |
Shared |
The customer is responsible for implementing this recommendation. |
Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.
Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal. |
link |
9 |
CIS_Azure_1.4.0 |
1.19 |
CIS_Azure_1.4.0_1.19 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.19 |
1 Identity and Access Management |
Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' |
Shared |
The customer is responsible for implementing this recommendation. |
Joining or registering devices to the active directory should require Multi-factor authentication. |
link |
8 |
CIS_Azure_1.4.0 |
1.21 |
CIS_Azure_1.4.0_1.21 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.21 |
1 Identity and Access Management |
Ensure Security Defaults is enabled on Azure Active Directory |
Shared |
The customer is responsible for implementing this recommendation. |
Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.
Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal. |
link |
9 |
CIS_Azure_2.0.0 |
1.1.1 |
CIS_Azure_2.0.0_1.1.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.1.1 |
1.1 |
Ensure Security Defaults is enabled on Azure Active Directory |
Shared |
This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks. Administrators should also be aware that certain configurations in Azure Active Directory may impact other Microsoft services such as Microsoft 365. |
Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.
Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal.
Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings.
For example, doing the following:
- Requiring all users and admins to register for MFA.
- Challenging users with MFA - when necessary, based on factors such as location, device, role, and task.
- Disabling authentication from legacy authentication clients, which can’t do MFA. |
link |
9 |
CIS_Azure_2.0.0 |
1.22 |
CIS_Azure_2.0.0_1.22 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.22 |
1 |
Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' |
Shared |
A slight impact of additional overhead, as Administrators will now have to approve every access to the domain. |
Joining or registering devices to the active directory should require Multi-factor authentication.
Multi-factor authentication is recommended when adding devices to Azure AD. When set to `Yes`, users who are adding devices from the internet must first use the second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the domain using a compromised user account. _Note:_ Some Microsoft documentation suggests to use conditional access policies for joining a domain from certain whitelisted networks or devices. Even with these in place, using Multi-Factor Authentication is still recommended, as it creates a process for review before joining the domain. |
link |
8 |
FedRAMP_High_R4 |
AC-17 |
FedRAMP_High_R4_AC-17 |
FedRAMP High AC-17 |
Access Control |
Remote Access |
Shared |
n/a |
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.
Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4.
References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. |
link |
41 |
FedRAMP_High_R4 |
AC-17(4) |
FedRAMP_High_R4_AC-17(4) |
FedRAMP High AC-17 (4) |
Access Control |
Privileged Commands / Access |
Shared |
n/a |
The organization:
(a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
(b) Documents the rationale for such access in the security plan for the information system.
Supplemental Guidance: Related control: AC-6. |
link |
5 |
FedRAMP_High_R4 |
PE-17 |
FedRAMP_High_R4_PE-17 |
FedRAMP High PE-17 |
Physical And Environmental Protection |
Alternate Work Site |
Shared |
n/a |
The organization:
a. Employs [Assignment: organization-defined security controls] at alternate work sites;
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
Supplemental Guidance: Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. Related controls: AC-17, CP-7.
Control Enhancements: None.
References: NIST Special Publication 800-46. |
link |
1 |
FedRAMP_Moderate_R4 |
AC-17 |
FedRAMP_Moderate_R4_AC-17 |
FedRAMP Moderate AC-17 |
Access Control |
Remote Access |
Shared |
n/a |
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.
Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4.
References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. |
link |
41 |
FedRAMP_Moderate_R4 |
AC-17(4) |
FedRAMP_Moderate_R4_AC-17(4) |
FedRAMP Moderate AC-17 (4) |
Access Control |
Privileged Commands / Access |
Shared |
n/a |
The organization:
(a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
(b) Documents the rationale for such access in the security plan for the information system.
Supplemental Guidance: Related control: AC-6. |
link |
5 |
FedRAMP_Moderate_R4 |
PE-17 |
FedRAMP_Moderate_R4_PE-17 |
FedRAMP Moderate PE-17 |
Physical And Environmental Protection |
Alternate Work Site |
Shared |
n/a |
The organization:
a. Employs [Assignment: organization-defined security controls] at alternate work sites;
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
Supplemental Guidance: Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. Related controls: AC-17, CP-7.
Control Enhancements: None.
References: NIST Special Publication 800-46. |
link |
1 |
hipaa |
0407.01y2Organizational.1-01.y |
hipaa-0407.01y2Organizational.1-01.y |
0407.01y2Organizational.1-01.y |
04 Mobile Device Security |
0407.01y2Organizational.1-01.y 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
Prior to authorizing teleworking, the physical security of the teleworking site is evaluated and any threats/issues identified are addressed. |
|
2 |
hipaa |
0902.09s2Organizational.13-09.s |
hipaa-0902.09s2Organizational.13-09.s |
0902.09s2Organizational.13-09.s |
09 Transmission Protection |
0902.09s2Organizational.13-09.s 09.08 Exchange of Information |
Shared |
n/a |
Remote (external) access to the organization's information assets and access to external information assets (for which the organization has no control) is based on clearly defined terms and conditions. |
|
14 |
hipaa |
0912.09s1Organizational.4-09.s |
hipaa-0912.09s1Organizational.4-09.s |
0912.09s1Organizational.4-09.s |
09 Transmission Protection |
0912.09s1Organizational.4-09.s 09.08 Exchange of Information |
Shared |
n/a |
Cryptography is used to protect the confidentiality and integrity of remote access sessions to the internal network and to external systems. |
|
9 |
hipaa |
1118.01j2Organizational.124-01.j |
hipaa-1118.01j2Organizational.124-01.j |
1118.01j2Organizational.124-01.j |
11 Access Control |
1118.01j2Organizational.124-01.j 01.04 Network Access Control |
Shared |
n/a |
The organization has implemented encryption (e.g., VPN solutions or private lines) and logs remote access to the organization's network by employees, contractors, or third-party. |
|
9 |
hipaa |
1121.01j3Organizational.2-01.j |
hipaa-1121.01j3Organizational.2-01.j |
1121.01j3Organizational.2-01.j |
11 Access Control |
1121.01j3Organizational.2-01.j 01.04 Network Access Control |
Shared |
n/a |
Remote administration sessions are authorized, encrypted, and employ increased security measures. |
|
11 |
hipaa |
1179.01j3Organizational.1-01.j |
hipaa-1179.01j3Organizational.1-01.j |
1179.01j3Organizational.1-01.j |
11 Access Control |
1179.01j3Organizational.1-01.j 01.04 Network Access Control |
Shared |
n/a |
The information system monitors and controls remote access methods. |
|
7 |
hipaa |
1816.08d2Organizational.4-08.d |
hipaa-1816.08d2Organizational.4-08.d |
1816.08d2Organizational.4-08.d |
18 Physical & Environmental Security |
1816.08d2Organizational.4-08.d 08.01 Secure Areas |
Shared |
n/a |
Any security threats presented by neighboring premises are identified. |
|
4 |
ISO27001-2013 |
A.11.2.6 |
ISO27001-2013_A.11.2.6 |
ISO 27001:2013 A.11.2.6 |
Physical And Environmental Security |
Security of equipment and assets off-premises |
Shared |
n/a |
Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises. |
link |
10 |
ISO27001-2013 |
A.13.1.1 |
ISO27001-2013_A.13.1.1 |
ISO 27001:2013 A.13.1.1 |
Communications Security |
Network controls |
Shared |
n/a |
Networks shall be managed and controlled to protect information in systems and applications. |
link |
40 |
ISO27001-2013 |
A.13.2.1 |
ISO27001-2013_A.13.2.1 |
ISO 27001:2013 A.13.2.1 |
Communications Security |
Information transfer policies and procedures |
Shared |
n/a |
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. |
link |
32 |
ISO27001-2013 |
A.14.1.2 |
ISO27001-2013_A.14.1.2 |
ISO 27001:2013 A.14.1.2 |
System Acquisition, Development And Maintenance |
Securing application services on public networks |
Shared |
n/a |
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. |
link |
32 |
ISO27001-2013 |
A.6.2.1 |
ISO27001-2013_A.6.2.1 |
ISO 27001:2013 A.6.2.1 |
Organization of Information Security |
Mobile device policy |
Shared |
n/a |
A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. |
link |
13 |
ISO27001-2013 |
A.6.2.2 |
ISO27001-2013_A.6.2.2 |
ISO 27001:2013 A.6.2.2 |
Organization of Information Security |
Teleworking |
Shared |
n/a |
A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. |
link |
16 |
|
mp.com.2 Protection of confidentiality |
mp.com.2 Protection of confidentiality |
404 not found |
|
|
|
n/a |
n/a |
|
55 |
|
mp.com.3 Protection of integrity and authenticity |
mp.com.3 Protection of integrity and authenticity |
404 not found |
|
|
|
n/a |
n/a |
|
62 |
|
mp.com.4 Separation of information flows on the network |
mp.com.4 Separation of information flows on the network |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
mp.eq.1 Clear desk |
mp.eq.1 Clear desk |
404 not found |
|
|
|
n/a |
n/a |
|
19 |
|
mp.eq.3 Protection of portable devices |
mp.eq.3 Protection of portable devices |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
mp.eq.4 Other devices connected to the network |
mp.eq.4 Other devices connected to the network |
404 not found |
|
|
|
n/a |
n/a |
|
35 |
|
mp.info.2 Rating of information |
mp.info.2 Rating of information |
404 not found |
|
|
|
n/a |
n/a |
|
45 |
|
mp.si.2 Cryptography |
mp.si.2 Cryptography |
404 not found |
|
|
|
n/a |
n/a |
|
32 |
NIST_SP_800-171_R2_3 |
.1.15 |
NIST_SP_800-171_R2_3.1.15 |
NIST SP 800-171 R2 3.1.15 |
Access Control |
Authorize remote execution of privileged commands and remote access to security-relevant information. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
A privileged command is a human-initiated (interactively or via a process operating on behalf of the human) command executed on a system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information. Security-relevant information is any information within the system that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling such access from remote locations helps to ensure that unauthorized individuals are not able to execute such commands freely with the potential to do serious or catastrophic damage to organizational systems. Note that the ability to affect the integrity of the system is considered security-relevant as that could enable the means to by-pass security functions although not directly impacting the function itself. |
link |
5 |
NIST_SP_800-171_R2_3 |
.10.6 |
NIST_SP_800-171_R2_3.10.6 |
NIST SP 800-171 R2 3.10.6 |
Physical Protection |
Enforce safeguarding measures for CUI at alternate work sites. |
Shared |
Microsoft is responsible for implementing this requirement. |
Alternate work sites may include government facilities or the private residences of employees. Organizations may define different security requirements for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. [SP 800-46] and [SP 800-114] provide guidance on enterprise and user security when teleworking. |
link |
1 |
NIST_SP_800-53_R4 |
AC-17 |
NIST_SP_800-53_R4_AC-17 |
NIST SP 800-53 Rev. 4 AC-17 |
Access Control |
Remote Access |
Shared |
n/a |
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.
Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4.
References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. |
link |
41 |
NIST_SP_800-53_R4 |
AC-17(4) |
NIST_SP_800-53_R4_AC-17(4) |
NIST SP 800-53 Rev. 4 AC-17 (4) |
Access Control |
Privileged Commands / Access |
Shared |
n/a |
The organization:
(a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
(b) Documents the rationale for such access in the security plan for the information system.
Supplemental Guidance: Related control: AC-6. |
link |
5 |
NIST_SP_800-53_R4 |
PE-17 |
NIST_SP_800-53_R4_PE-17 |
NIST SP 800-53 Rev. 4 PE-17 |
Physical And Environmental Protection |
Alternate Work Site |
Shared |
n/a |
The organization:
a. Employs [Assignment: organization-defined security controls] at alternate work sites;
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
Supplemental Guidance: Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. Related controls: AC-17, CP-7.
Control Enhancements: None.
References: NIST Special Publication 800-46. |
link |
1 |
NIST_SP_800-53_R5 |
AC-17 |
NIST_SP_800-53_R5_AC-17 |
NIST SP 800-53 Rev. 5 AC-17 |
Access Control |
Remote Access |
Shared |
n/a |
a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorize each type of remote access to the system prior to allowing such connections. |
link |
41 |
NIST_SP_800-53_R5 |
AC-17(4) |
NIST_SP_800-53_R5_AC-17(4) |
NIST SP 800-53 Rev. 5 AC-17 (4) |
Access Control |
Privileged Commands and Access |
Shared |
n/a |
(a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and
(b) Document the rationale for remote access in the security plan for the system. |
link |
5 |
NIST_SP_800-53_R5 |
PE-17 |
NIST_SP_800-53_R5_PE-17 |
NIST SP 800-53 Rev. 5 PE-17 |
Physical and Environmental Protection |
Alternate Work Site |
Shared |
n/a |
a. Determine and document the [Assignment: organization-defined alternate work sites] allowed for use by employees;
b. Employ the following controls at alternate work sites: [Assignment: organization-defined controls];
c. Assess the effectiveness of controls at alternate work sites; and
d. Provide a means for employees to communicate with information security and privacy personnel in case of incidents. |
link |
1 |
|
op.acc.6 Authentication mechanism (organization users) |
op.acc.6 Authentication mechanism (organization users) |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
op.exp.2 Security configuration |
op.exp.2 Security configuration |
404 not found |
|
|
|
n/a |
n/a |
|
112 |
|
op.ext.4 Interconnection of systems |
op.ext.4 Interconnection of systems |
404 not found |
|
|
|
n/a |
n/a |
|
68 |
|
op.mon.1 Intrusion detection |
op.mon.1 Intrusion detection |
404 not found |
|
|
|
n/a |
n/a |
|
50 |
|
op.pl.2 Security Architecture |
op.pl.2 Security Architecture |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
op.pl.3 Acquisition of new components |
op.pl.3 Acquisition of new components |
404 not found |
|
|
|
n/a |
n/a |
|
61 |
|
org.2 Security regulations |
org.2 Security regulations |
404 not found |
|
|
|
n/a |
n/a |
|
100 |
|
org.3 Security procedures |
org.3 Security procedures |
404 not found |
|
|
|
n/a |
n/a |
|
83 |
PCI_DSS_v4.0 |
1.5.1 |
PCI_DSS_v4.0_1.5.1 |
PCI DSS v4.0 1.5.1 |
Requirement 01: Install and Maintain Network Security Controls |
Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated |
Shared |
n/a |
Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE as follows:
• Specific configuration settings are defined to prevent threats being introduced into the entity’s network.
• Security controls are actively running.
• Security controls are not alterable by users of the computing devices unless specifically documented and authorized by management on a case-by-case basis for a limited period. |
link |
5 |
PCI_DSS_v4.0 |
8.4.2 |
PCI_DSS_v4.0_8.4.2 |
PCI DSS v4.0 8.4.2 |
Requirement 08: Identify Users and Authenticate Access to System Components |
Multi-factor authentication (MFA) is implemented to secure access into the CDE |
Shared |
n/a |
MFA is implemented for all access into the CDE. |
link |
8 |
PCI_DSS_v4.0 |
8.4.3 |
PCI_DSS_v4.0_8.4.3 |
PCI DSS v4.0 8.4.3 |
Requirement 08: Identify Users and Authenticate Access to System Components |
Multi-factor authentication (MFA) is implemented to secure access into the CDE |
Shared |
n/a |
MFA is implemented for all remote network access originating from outside the entity’s network that could access or impact the CDE as follows:
• All remote access by all personnel, both users and administrators, originating from outside the entity’s network.
• All remote access by third parties and vendors. |
link |
8 |
PCI_DSS_v4.0 |
8.5.1 |
PCI_DSS_v4.0_8.5.1 |
PCI DSS v4.0 8.5.1 |
Requirement 08: Identify Users and Authenticate Access to System Components |
Multi-factor authentication (MFA) systems are configured to prevent misuse |
Shared |
n/a |
MFA systems are implemented as follows: • The MFA system is not susceptible to replay attacks.
• MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period.
• At least two different types of authentication factors are used.
• Success of all authentication factors is required before access is granted. |
link |
8 |
SOC_2 |
CC6.1 |
SOC_2_CC6.1 |
SOC 2 Type 2 CC6.1 |
Logical and Physical Access Controls |
Logical access security software, infrastructure, and architectures |
Shared |
The customer is responsible for implementing this recommendation. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion:
• Identifies and Manages the Inventory of Information Assets — The entity identifies,
Page 29
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
inventories, classifies, and manages information assets.
• Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative
authorities, mobile devices, output, and offline system components is restricted
through the use of access control software and rule sets.
• Identifies and Authenticates Users — Persons, infrastructure, and software are
identified and authenticated prior to accessing information assets, whether locally
or remotely.
• Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
• Manages Points of Access — Points of access by outside entities and the types of
data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified,
documented, and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
• Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems
accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external
infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point.
Credentials are removed and access is disabled when access is no longer required
or the infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to supplement other
measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
• Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction |
|
78 |
SOC_2 |
CC6.6 |
SOC_2_CC6.6 |
SOC 2 Type 2 CC6.6 |
Logical and Physical Access Controls |
Security measures against threats outside system boundaries |
Shared |
The customer is responsible for implementing this recommendation. |
• Restricts Access — The types of activities that can occur through a communication
channel (for example, FTP site, router port) are restricted.
• Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries.
• Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its
boundaries.
• Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and
are monitored to detect such attempts |
|
40 |
SWIFT_CSCF_v2022 |
1.4 |
SWIFT_CSCF_v2022_1.4 |
SWIFT CSCF v2022 1.4 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Control/Protect Internet access from operator PCs and systems within the secure zone. |
Shared |
n/a |
All general-purpose and dedicated operator PCs, as well as systems within the secure zone, have controlled direct internet access in line with business. |
link |
11 |
SWIFT_CSCF_v2022 |
2.6 |
SWIFT_CSCF_v2022_2.6 |
SWIFT CSCF v2022 2.6 |
2. Reduce Attack Surface and Vulnerabilities |
Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications |
Shared |
n/a |
The confidentiality and integrity of interactive operator sessions that connect to service provider SWIFT-related applications or into the secure zone are safeguarded. |
link |
17 |