AzPolicyAdvertizer

last sync: 2024-Nov-25 18:54:24 UTC

Verify software, firmware and information integrity | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Verify software, firmware and information integrity
Id db28735f-518f-870e-15b4-49623cbe3aa0
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0542 - Verify software, firmware and information integrity
Additional metadata Name/Id: CMA_0542 / CMA_0542
Category: Operational
Title: Verify software, firmware and information integrity
Ownership: Customer
Description: Microsoft recommends that your organization verify software, firmware, and information integrity in order to address and remediate any issues. It is recommended to have an event audit capability that can create audit records and alert users and defined roles if a potential integrity violation is detected. It is also recommended that the system is able to check the boot process integrity of system components defined by your organization. This can allow your organization to expect that only trusted code is executed. Microsoft recommends that your organization ensure processes cannot be executed without supervision for longer than a definer time period. When anomalies occur, your organization can employ operating system timers, manual oversight and responses, and automated responses. It is also recommended to establish controls at runtime for application self-protection in order to detect and prevent software vulnerability exploitation. This can allow your organization to monitor and block inputs that could lead to attacks and to prevent unwanted changes to the runtime environment. Microsoft recommends that your organization ensure processes cannot be executed without supervision for longer than a definer time period and prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code. Consider employing integrity verification tools, integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools to detect unauthorized changes to organization-defined software, firmware, and information. When anomalies occur, your organization can employ operating system timers, manual oversight and responses, and automated responses. It is also suggested to develop related organizational incident response capabilities to facilitate the detection of unauthorized changes to the information system. It is also recommended to establish controls at runtime for application self-protection in order to detect and prevent software vulnerability exploitation. This can allow your organization to monitor and block inputs that could lead to attacks and to prevent unwanted changes to the runtime environment. ISO 16175 recommends that your organization deploy software that - Is user-friendly and allow easy records creation and capture, - Supports interoperability over time and across platforms and domains - Has the capacity for bulk import and export - Relies as much as possible on open, robust and technology neutral standards - Provides agents with tools for searching and retrieving records and metadata - Extracts and render records in a usable format - Integrates and interoperate with other information systems which have the appropriate functionality.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 45 compliance controls are associated with this Policy definition 'Verify software, firmware and information integrity' (db28735f-518f-870e-15b4-49623cbe3aa0)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 7.6 CIS_Azure_1.1.0_7.6 CIS Microsoft Azure Foundations Benchmark recommendation 7.6 7 Virtual Machines Ensure that the endpoint protection for all Virtual Machines is installed Shared The customer is responsible for implementing this recommendation. Install endpoint protection for all virtual machines. link 10
CIS_Azure_1.3.0 7.6 CIS_Azure_1.3.0_7.6 CIS Microsoft Azure Foundations Benchmark recommendation 7.6 7 Virtual Machines Ensure that the endpoint protection for all Virtual Machines is installed Shared The customer is responsible for implementing this recommendation. Install endpoint protection for all virtual machines. link 11
CIS_Azure_1.4.0 7.6 CIS_Azure_1.4.0_7.6 CIS Microsoft Azure Foundations Benchmark recommendation 7.6 7 Virtual Machines Ensure that the endpoint protection for all Virtual Machines is installed Shared The customer is responsible for implementing this recommendation. Install endpoint protection for all virtual machines. link 10
CIS_Azure_2.0.0 7.6 CIS_Azure_2.0.0_7.6 CIS Microsoft Azure Foundations Benchmark recommendation 7.6 7 Ensure that Endpoint Protection for all Virtual Machines is installed Shared Endpoint protection will incur an additional cost to you. Install endpoint protection for all virtual machines. Installing endpoint protection systems (like anti-malware for Azure) provides for real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. These also offer configurable alerts when known-malicious or unwanted software attempts to install itself or run on Azure systems. link 10
FedRAMP_High_R4 SA-10(1) FedRAMP_High_R4_SA-10(1) FedRAMP High SA-10 (1) System And Services Acquisition Software / Firmware Integrity Verification Shared n/a The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components. Supplemental Guidance: This control enhancement allows organizations to detect unauthorized changes to software and firmware components through the use of tools, techniques, and/or mechanisms provided by developers. Integrity checking mechanisms can also address counterfeiting of software and firmware components. Organizations verify the integrity of software and firmware components, for example, through secure one-way hashes provided by developers. Delivered software and firmware components also include any updates to such components. Related control: SI-7. link 1
FedRAMP_High_R4 SC-21 FedRAMP_High_R4_SC-21 FedRAMP High SC-21 System And Communications Protection Secure Name / Address Resolution Service (Recursive Or Caching Resolver) Shared n/a The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. Supplemental Guidance: Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. Related controls: SC-20, SC-22. References: NIST Special Publication 800-81. link 2
FedRAMP_High_R4 SI-7 FedRAMP_High_R4_SI-7 FedRAMP High SI-7 System And Information Integrity Software, Firmware, And Information Integrity Shared n/a The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information]. Supplemental Guidance: Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity- checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications. Related controls: SA-12, SC-8, SC-13, SI-3. References: NIST Special Publications 800-147, 800-155. link 1
FedRAMP_High_R4 SI-7(1) FedRAMP_High_R4_SI-7(1) FedRAMP High SI-7 (1) System And Information Integrity Integrity Checks Shared n/a The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization- defined frequency]]. Supplemental Guidance: Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort. link 2
FedRAMP_Moderate_R4 SA-10(1) FedRAMP_Moderate_R4_SA-10(1) FedRAMP Moderate SA-10 (1) System And Services Acquisition Software / Firmware Integrity Verification Shared n/a The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components. Supplemental Guidance: This control enhancement allows organizations to detect unauthorized changes to software and firmware components through the use of tools, techniques, and/or mechanisms provided by developers. Integrity checking mechanisms can also address counterfeiting of software and firmware components. Organizations verify the integrity of software and firmware components, for example, through secure one-way hashes provided by developers. Delivered software and firmware components also include any updates to such components. Related control: SI-7. link 1
FedRAMP_Moderate_R4 SC-21 FedRAMP_Moderate_R4_SC-21 FedRAMP Moderate SC-21 System And Communications Protection Secure Name /Address Resolution Service (Recursive Or Caching Resolver) Shared n/a The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. Supplemental Guidance: Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. Related controls: SC-20, SC-22. References: NIST Special Publication 800-81. link 2
FedRAMP_Moderate_R4 SI-7 FedRAMP_Moderate_R4_SI-7 FedRAMP Moderate SI-7 System And Information Integrity Software, Firmware, And Information Integrity Shared n/a The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information]. Supplemental Guidance: Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity- checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications. Related controls: SA-12, SC-8, SC-13, SI-3. References: NIST Special Publications 800-147, 800-155. link 1
FedRAMP_Moderate_R4 SI-7(1) FedRAMP_Moderate_R4_SI-7(1) FedRAMP Moderate SI-7 (1) System And Information Integrity Integrity Checks Shared n/a The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization- defined frequency]]. Supplemental Guidance: Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort. link 2
hipaa 0209.09m3Organizational.7-09.m hipaa-0209.09m3Organizational.7-09.m 0209.09m3Organizational.7-09.m 02 Endpoint Protection 0209.09m3Organizational.7-09.m 09.06 Network Security Management Shared n/a File sharing is disabled on wireless-enabled devices. 6
hipaa 0603.06g2Organizational.1-06.g hipaa-0603.06g2Organizational.1-06.g 0603.06g2Organizational.1-06.g 06 Configuration Management 0603.06g2Organizational.1-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance Shared n/a Automated compliance tools are used when possible. 6
hipaa 0626.10h1System.3-10.h hipaa-0626.10h1System.3-10.h 0626.10h1System.3-10.h 06 Configuration Management 0626.10h1System.3-10.h 10.04 Security of System Files Shared n/a Operational systems only hold approved programs or executable code. 3
hipaa 0627.10h1System.45-10.h hipaa-0627.10h1System.45-10.h 0627.10h1System.45-10.h 06 Configuration Management 0627.10h1System.45-10.h 10.04 Security of System Files Shared n/a The organization maintains information systems according to a current baseline configuration and configures system security parameters to prevent misuse. Vendor supplied software used in operational systems is maintained at a level supported by the supplier and uses the latest version of web browsers on operational systems to take advantage of the latest security functions in the application. 11
hipaa 0628.10h1System.6-10.h hipaa-0628.10h1System.6-10.h 0628.10h1System.6-10.h 06 Configuration Management 0628.10h1System.6-10.h 10.04 Security of System Files Shared n/a If systems or system components in production are no longer supported by the developer, vendor, or manufacturer, the organization is able to provide evidence of a formal migration plan approved by management to replace the system or system components. 4
hipaa 0663.10h1System.7-10.h hipaa-0663.10h1System.7-10.h 0663.10h1System.7-10.h 06 Configuration Management 0663.10h1System.7-10.h 10.04 Security of System Files Shared n/a The operating system has in place supporting technical controls such as antivirus, file integrity monitoring, host-based (personal) firewalls or port filtering tools, and logging as part of its baseline. 16
hipaa 0672.10k3System.5-10.k hipaa-0672.10k3System.5-10.k 0672.10k3System.5-10.k 06 Configuration Management 0672.10k3System.5-10.k 10.05 Security In Development and Support Processes Shared n/a The integrity of all virtual machine images is ensured at all times by (i) logging and raising an alert for any changes made to virtual machine images, and (ii) making available to the business owner(s) and/or customer(s) through electronic methods (e.g., portals or alerts) the results of a change or move and the subsequent validation of the image's integrity. 12
hipaa 0708.10b2System.2-10.b hipaa-0708.10b2System.2-10.b 0708.10b2System.2-10.b 07 Vulnerability Management 0708.10b2System.2-10.b 10.02 Correct Processing in Applications Shared n/a System and information integrity requirements are developed, documented, disseminated, reviewed, and updated annually. 3
hipaa 0733.10b2System.4-10.b hipaa-0733.10b2System.4-10.b 0733.10b2System.4-10.b 07 Vulnerability Management 0733.10b2System.4-10.b 10.02 Correct Processing in Applications Shared n/a The information system checks the validity of organization-defined information inputs for accuracy, completeness, validity, and authenticity as close to the point of origin as possible. For in-house developed software, the organization ensures that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. 2
hipaa 0791.10b2Organizational.4-10.b hipaa-0791.10b2Organizational.4-10.b 0791.10b2Organizational.4-10.b 07 Vulnerability Management 0791.10b2Organizational.4-10.b 10.02 Correct Processing in Applications Shared n/a Procedures, guidelines, and standards for the development of applications are periodically reviewed, assessed, and updated as necessary by the appointed senior-level information security official of the organization. 8
hipaa 0871.09m3Organizational.22-09.m hipaa-0871.09m3Organizational.22-09.m 0871.09m3Organizational.22-09.m 08 Network Protection 0871.09m3Organizational.22-09.m 09.06 Network Security Management Shared n/a Authoritative DNS servers are segregated into internal and external roles. 4
hipaa 1206.09aa2System.23-09.aa hipaa-1206.09aa2System.23-09.aa 1206.09aa2System.23-09.aa 12 Audit Logging & Monitoring 1206.09aa2System.23-09.aa 09.10 Monitoring Shared n/a Auditing is always available while the system is active and tracks key events, success/failed data access, system security configuration changes, privileged or utility use, any alarms raised, activation and de-activation of protection systems (e.g., A/V and IDS), activation and deactivation of identification and authentication mechanisms, and creation and deletion of system-level objects. 6
hipaa 1208.09aa3System.1-09.aa hipaa-1208.09aa3System.1-09.aa 1208.09aa3System.1-09.aa 12 Audit Logging & Monitoring 1208.09aa3System.1-09.aa 09.10 Monitoring Shared n/a Audit logs are maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes. 18
hipaa 1220.09ab3System.56-09.ab hipaa-1220.09ab3System.56-09.ab 1220.09ab3System.56-09.ab 12 Audit Logging & Monitoring 1220.09ab3System.56-09.ab 09.10 Monitoring Shared n/a Monitoring includes inbound and outbound communications and file integrity monitoring. 4
NIST_SP_800-53_R4 SA-10(1) NIST_SP_800-53_R4_SA-10(1) NIST SP 800-53 Rev. 4 SA-10 (1) System And Services Acquisition Software / Firmware Integrity Verification Shared n/a The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components. Supplemental Guidance: This control enhancement allows organizations to detect unauthorized changes to software and firmware components through the use of tools, techniques, and/or mechanisms provided by developers. Integrity checking mechanisms can also address counterfeiting of software and firmware components. Organizations verify the integrity of software and firmware components, for example, through secure one-way hashes provided by developers. Delivered software and firmware components also include any updates to such components. Related control: SI-7. link 1
NIST_SP_800-53_R4 SC-21 NIST_SP_800-53_R4_SC-21 NIST SP 800-53 Rev. 4 SC-21 System And Communications Protection Secure Name /Address Resolution Service (Recursive Or Caching Resolver) Shared n/a The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. Supplemental Guidance: Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. Related controls: SC-20, SC-22. References: NIST Special Publication 800-81. link 2
NIST_SP_800-53_R4 SI-7 NIST_SP_800-53_R4_SI-7 NIST SP 800-53 Rev. 4 SI-7 System And Information Integrity Software, Firmware, And Information Integrity Shared n/a The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information]. Supplemental Guidance: Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity- checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications. Related controls: SA-12, SC-8, SC-13, SI-3. References: NIST Special Publications 800-147, 800-155. link 1
NIST_SP_800-53_R4 SI-7(1) NIST_SP_800-53_R4_SI-7(1) NIST SP 800-53 Rev. 4 SI-7 (1) System And Information Integrity Integrity Checks Shared n/a The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization- defined frequency]]. Supplemental Guidance: Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort. link 2
NIST_SP_800-53_R5 SA-10(1) NIST_SP_800-53_R5_SA-10(1) NIST SP 800-53 Rev. 5 SA-10 (1) System and Services Acquisition Software and Firmware Integrity Verification Shared n/a Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components. link 1
NIST_SP_800-53_R5 SC-21 NIST_SP_800-53_R5_SC-21 NIST SP 800-53 Rev. 5 SC-21 System and Communications Protection Secure Name/address Resolution Service (recursive or Caching Resolver) Shared n/a Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. link 2
NIST_SP_800-53_R5 SI-7 NIST_SP_800-53_R5_SI-7 NIST SP 800-53 Rev. 5 SI-7 System and Information Integrity Software, Firmware, and Information Integrity Shared n/a a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and b. Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions]. link 1
NIST_SP_800-53_R5 SI-7(1) NIST_SP_800-53_R5_SI-7(1) NIST SP 800-53 Rev. 5 SI-7 (1) System and Information Integrity Integrity Checks Shared n/a Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (OneOrMore): at startup;at [Assignment: organization-defined transitional states or security-relevant events] ; [Assignment: organization-defined frequency] ] . link 2
op.exp.2 Security configuration op.exp.2 Security configuration 404 not found n/a n/a 112
op.exp.3 Security configuration management op.exp.3 Security configuration management 404 not found n/a n/a 123
PCI_DSS_v4.0 11.5.2 PCI_DSS_v4.0_11.5.2 PCI DSS v4.0 11.5.2 Requirement 11: Test Security of Systems and Networks Regularly Network intrusions and unexpected file changes are detected and responded to Shared n/a A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows: • To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files • To perform critical file comparisons at least once weekly. link 4
PCI_DSS_v4.0 11.6.1 PCI_DSS_v4.0_11.6.1 PCI DSS v4.0 11.6.1 Requirement 11: Test Security of Systems and Networks Regularly Unauthorized changes on payment pages are detected and responded to Shared n/a A change- and tamper-detection mechanism is deployed as follows: • To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser. • The mechanism is configured to evaluate the received HTTP header and payment page. • The mechanism functions are performed as follows: – At least once every seven days OR – Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1). link 3
PCI_DSS_v4.0 6.4.3 PCI_DSS_v4.0_6.4.3 PCI DSS v4.0 6.4.3 Requirement 06: Develop and Maintain Secure Systems and Software Public-facing web applications are protected against attacks Shared n/a All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows: • A method is implemented to confirm that each script is authorized. • A method is implemented to assure the integrity of each script. • An inventory of all scripts is maintained with written justification as to why each is necessary. link 2
SOC_2 CC6.8 SOC_2_CC6.8 SOC 2 Type 2 CC6.8 Logical and Physical Access Controls Prevent or detect against unauthorized or malicious software Shared The customer is responsible for implementing this recommendation. Restricts Application and Software Installation — The ability to install applications and software is restricted to authorized individuals. • Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. • Uses a Defined Change Control Process — A management-defined change control process is used for the implementation of software. • Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. • Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network. 47
SOC_2 CC7.1 SOC_2_CC7.1 SOC 2 Type 2 CC7.1 System Operations Detection and monitoring of new vulnerabilities Shared The customer is responsible for implementing this recommendation. • Uses Defined Configuration Standards — Management has defined configuration standards. • Monitors Infrastructure and Software — The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives. • Implements Change-Detection Mechanisms — The IT system includes a changedetection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files. • Detects Unknown or Unauthorized Components — Procedures are in place to detect the introduction of unknown or unauthorized components. • Conducts Vulnerability Scans — The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis 15
SWIFT_CSCF_v2022 6.1 SWIFT_CSCF_v2022_6.1 SWIFT CSCF v2022 6.1 6. Detect Anomalous Activity to Systems or Transaction Records Ensure that local SWIFT infrastructure is protected against malware and act upon results. Shared n/a Anti-malware software from a reputable vendor is installed, kept up-to-date on all systems, and results are considered for appropriate resolving actions. link 29
SWIFT_CSCF_v2022 6.2 SWIFT_CSCF_v2022_6.2 SWIFT CSCF v2022 6.2 6. Detect Anomalous Activity to Systems or Transaction Records Ensure the software integrity of the SWIFT-related components and act upon results. Shared n/a A software integrity check is performed at regular intervals on messaging interface, communication interface, and other SWIFT-related components and results are considered for appropriate resolving actions. link 6
SWIFT_CSCF_v2022 6.3 SWIFT_CSCF_v2022_6.3 SWIFT CSCF v2022 6.3 6. Detect Anomalous Activity to Systems or Transaction Records Ensure the integrity of the database records for the SWIFT messaging interface or the customer connector and act upon results. Shared n/a A database integrity check is performed at regular intervals on databases that record SWIFT transactions and results are considered for appropriate resolving actions. link 2
SWIFT_CSCF_v2022 8.5 SWIFT_CSCF_v2022_8.5 SWIFT CSCF v2022 8.5 8. Set and Monitor Performance Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. Shared n/a Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. link 11
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add db28735f-518f-870e-15b4-49623cbe3aa0
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC