The following compliance controls are associated with the Policy definition 'Produce, control and distribute asymmetric cryptographic keys' (de077e7e-0cc8-65a6-6e08-9ab46c827b05).
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Policy# |
|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | SC-12(3) | FedRAMP_High_R4_SC-12(3) | FedRAMP High SC-12 (3) | System And Communications Protection | Asymmetric Keys | Shared | n/a | The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key]. | 1 |
| FedRAMP_Moderate_R4 | SC-12(3) | FedRAMP_Moderate_R4_SC-12(3) | FedRAMP Moderate SC-12 (3) | System And Communications Protection | Asymmetric Keys | Shared | n/a | The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key]. | 1 |
| hipaa | 0810.01n2Organizational.5-01.n | hipaa-0810.01n2Organizational.5-01.n | 0810.01n2Organizational.5-01.n | 08 Network Protection | 0810.01n2Organizational.5-01.n 01.04 Network Access Control | Shared | n/a | Transmitted information is secured and, at a minimum, encrypted over open, public networks. | 16 |
| hipaa | 0913.09s1Organizational.5-09.s | hipaa-0913.09s1Organizational.5-09.s | 0913.09s1Organizational.5-09.s | 09 Transmission Protection | 0913.09s1Organizational.5-09.s 09.08 Exchange of Information | Shared | n/a | Strong cryptography protocols are used to safeguard covered information during transmission over less trusted/open public networks. | 5 |
| hipaa | 0926.09v1Organizational.2-09.v | hipaa-0926.09v1Organizational.2-09.v | 0926.09v1Organizational.2-09.v | 09 Transmission Protection | 0926.09v1Organizational.2-09.v 09.08 Exchange of Information | Shared | n/a | Approvals are obtained prior to using external public services, including instant messaging or file sharing. | 5 |
| hipaa | 0928.09v1Organizational.45-09.v | hipaa-0928.09v1Organizational.45-09.v | 0928.09v1Organizational.45-09.v | 09 Transmission Protection | 0928.09v1Organizational.45-09.v 09.08 Exchange of Information | Shared | n/a | Stronger controls are implemented to protect certain electronic messages, and electronic messages are protected throughout the duration of their end-to-end transport path, using cryptographic mechanisms unless protected by alternative measures. | 9 |
| hipaa | 0929.09v1Organizational.6-09.v | hipaa-0929.09v1Organizational.6-09.v | 0929.09v1Organizational.6-09.v | 09 Transmission Protection | 0929.09v1Organizational.6-09.v 09.08 Exchange of Information | Shared | n/a | The organization never sends unencrypted sensitive information by end-user messaging technologies (e.g., email, instant messaging, and chat). | 9 |
| hipaa | 0945.09y1Organizational.3-09.y | hipaa-0945.09y1Organizational.3-09.y | 0945.09y1Organizational.3-09.y | 09 Transmission Protection | 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services | Shared | n/a | Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL). | 6 |
| ISO27001-2013 | A.13.1.1 | ISO27001-2013_A.13.1.1 | ISO 27001:2013 A.13.1.1 | Communications Security | Network controls | Shared | n/a | Networks shall be managed and controlled to protect information in systems and applications. | 40 |
| ISO27001-2013 | A.13.2.1 | ISO27001-2013_A.13.2.1 | ISO 27001:2013 A.13.2.1 | Communications Security | Information transfer policies and procedures | Shared | n/a | Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. | 32 |
| ISO27001-2013 | A.13.2.3 | ISO27001-2013_A.13.2.3 | ISO 27001:2013 A.13.2.3 | Communications Security | Electronic messaging | Shared | n/a | Information involved in electronic messaging shall be appropriately protected. | 10 |
| ISO27001-2013 | A.14.1.2 | ISO27001-2013_A.14.1.2 | ISO 27001:2013 A.14.1.2 | System Acquisition, Development And Maintenance | Securing application services on public networks | Shared | n/a | Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. | 32 |
| ISO27001-2013 | A.14.1.3 | ISO27001-2013_A.14.1.3 | ISO 27001:2013 A.14.1.3 | System Acquisition, Development And Maintenance | Protecting application services transactions | Shared | n/a | Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. | 29 |
| ISO27001-2013 | A.8.2.3 | ISO27001-2013_A.8.2.3 | ISO 27001:2013 A.8.2.3 | Asset Management | Handling of assets | Shared | n/a | Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | 26 |
| | mp.com.2 Protection of confidentiality | mp.com.2 Protection of confidentiality | | | | | n/a | n/a | 55 |
| | mp.com.3 Protection of integrity and authenticity | mp.com.3 Protection of integrity and authenticity | | | | | n/a | n/a | 62 |
| | mp.com.4 Separation of information flows on the network | mp.com.4 Separation of information flows on the network | | | | | n/a | n/a | 51 |
| | mp.info.2 Rating of information | mp.info.2 Rating of information | | | | | n/a | n/a | 45 |
| | mp.info.3 Electronic signature | mp.info.3 Electronic signature | | | | | n/a | n/a | 40 |
| | mp.info.4 Time stamps | mp.info.4 Time stamps | | | | | n/a | n/a | 33 |
| | mp.s.1 E-mail protection | mp.s.1 E-mail protection | | | | | n/a | n/a | 48 |
| | mp.s.2 Protection of web services and applications | mp.s.2 Protection of web services and applications | | | | | n/a | n/a | 102 |
| NIST_SP_800-53_R4 | SC-12(3) | NIST_SP_800-53_R4_SC-12(3) | NIST SP 800-53 Rev. 4 SC-12 (3) | System And Communications Protection | Asymmetric Keys | Shared | n/a | The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key]. | 1 |
| NIST_SP_800-53_R5 | SC-12(3) | NIST_SP_800-53_R5_SC-12(3) | NIST SP 800-53 Rev. 5 SC-12 (3) | System and Communications Protection | Asymmetric Keys | Shared | n/a | Produce, control, and distribute asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; prepositioned keying material; DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key; certificates issued in accordance with organization-defined requirements]. | 1 |
| | op.acc.6 Authentication mechanism (organization users) | op.acc.6 Authentication mechanism (organization users) | | | | | n/a | n/a | 78 |
| | op.exp.10 Cryptographic key protection | op.exp.10 Cryptographic key protection | | | | | n/a | n/a | 53 |
| | op.exp.2 Security configuration | op.exp.2 Security configuration | | | | | n/a | n/a | 112 |
| | op.ext.4 Interconnection of systems | op.ext.4 Interconnection of systems | | | | | n/a | n/a | 68 |
| | op.mon.1 Intrusion detection | op.mon.1 Intrusion detection | | | | | n/a | n/a | 50 |
| | op.pl.2 Security Architecture | op.pl.2 Security Architecture | | | | | n/a | n/a | 65 |
| | op.pl.3 Acquisition of new components | op.pl.3 Acquisition of new components | | | | | n/a | n/a | 61 |
| | org.3 Security procedures | org.3 Security procedures | | | | | n/a | n/a | 83 |
| PCI_DSS_v4.0 | 4.2.1 | PCI_DSS_v4.0_4.2.1 | PCI DSS v4.0 4.2.1 | Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | PAN is protected with strong cryptography during transmission | Shared | n/a | Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: only trusted keys and certificates are accepted; certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked (this bullet is a best practice until its effective date; refer to the PCI DSS applicability notes for details); the protocol in use supports only secure versions or configurations and does not support fallback to, or use of, insecure versions, algorithms, key sizes, or implementations; the encryption strength is appropriate for the encryption methodology in use. | 12 |
| SWIFT_CSCF_v2022 | 2.1 | SWIFT_CSCF_v2022_2.1 | SWIFT CSCF v2022 2.1 | 2. Reduce Attack Surface and Vulnerabilities | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Shared | n/a | Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. | 36 |
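The PCI DSS v4.0 4.2.1 row above is the one control in this mapping that states concrete technical conditions: accept only trusted certificates, confirm they are valid and unexpired, and refuse fallback to insecure protocol versions. The following is an added example, written for this page and not part of the Azure Policy definition, the compliance mapping or any of the standards quoted. It shows, with Python's standard `ssl` module, a client context that meets those conditions next to the permissive configuration 4.2.1 forbids, an audit function that reports which conditions a given context violates, and an expiry check over a peer-certificate dictionary in the shape returned by `SSLSocket.getpeercert()`. The hostname, issuer and validity dates in `SAMPLE_PEER_CERT` are constructed for the example. Revocation (CRL/OCSP) is not checked here; enabling `VERIFY_CRL_CHECK_LEAF` requires loading a current CRL, so that part of 4.2.1 has to be covered by the deployment's PKI tooling.

```python
"""Client-side checks for the PCI DSS 4.2.1 transport conditions.

Added example for this page; not code from Azure Policy, PCI SSC or any
quoted standard. Revocation checking is deliberately out of scope (see
the lead-in): only protocol floor, chain verification, hostname binding
and certificate validity period are covered.
"""
import ssl
import time
from typing import List, Optional


def hardened_client_context() -> ssl.SSLContext:
    """Context that refuses fallback below TLS 1.2 and rejects untrusted peers."""
    ctx = ssl.create_default_context()            # system trust store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3 / TLS 1.0 / TLS 1.1 fallback
    ctx.check_hostname = True                     # certificate must match the peer name
    ctx.verify_mode = ssl.CERT_REQUIRED           # only trusted certificates accepted
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The configuration 4.2.1 forbids: any protocol version, no peer verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    # minimum_version is left at MINIMUM_SUPPORTED, i.e. whatever OpenSSL still allows.
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the 4.2.1 conditions a context fails; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows fallback below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: untrusted certificates accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname disabled: certificate not bound to the peer name")
    return findings


# Constructed peer certificate in getpeercert() dict form; not a real certificate.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "payments.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "serialNumber": "01",
}


def certificate_validity(cert: dict, now: Optional[float] = None) -> str:
    """Classify a getpeercert()-style dict as 'valid', 'expired' or 'not_yet_valid'.

    `now` is seconds since the epoch (UTC); it defaults to the current time and is
    a parameter so the check can be exercised against fixed dates.
    """
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weak:", audit_context(weak_client_context()))
    mid_2024 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")
    print("sample cert mid-2024:", certificate_validity(SAMPLE_PEER_CERT, now=mid_2024))
```

`audit_context` is the piece worth wiring into a build or deployment check: run it over every `SSLContext` a service constructs and fail the pipeline on any finding, rather than relying on a runtime handshake to reveal that fallback was left enabled. The validity check is what a client should apply to `getpeercert()` after the handshake only as a belt-and-braces measure; with `CERT_REQUIRED` OpenSSL already rejects expired certificates during verification.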