Az Policy Advertizer

Canada_Federal_PBMM_3-1-2020_CM_3

CM_3

Canada Federal PBMM 3-1-2020 CM 3

Configuration Change Control

Shared

1. The organization determines the types of changes to the information system that are configuration-controlled. 2. The organization reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses. 3. The organization documents configuration change decisions associated with the information system. 4. The organization implements approved configuration-controlled changes to the information system. 5. The organization retains records of configuration-controlled changes to the information system for at least 90 days. 6. The organization audits and reviews activities associated with configuration-controlled changes to the information system. 7. The organization coordinates and provides oversight for configuration change control activities through a central communication process that includes organizational governance bodies that convenes at least annually.

To ensure systematic control and oversight of configuration changes to the information system, mitigating risks and maintaining system integrity.

Canada_Federal_PBMM_3-1-2020_CM_3(6)

CM_3(6)

Canada Federal PBMM 3-1-2020 CM 3(6)

Configuration Change Control

Configuration Change Control | Cryptography Management

Shared

The organization ensures that cryptographic mechanisms used to provide any cryptographic-based safeguards are under configuration management.

To uphold security and integrity measures.

Canada_Federal_PBMM_3-1-2020_CM_6

CM_6

Canada Federal PBMM 3-1-2020 CM 6

Configuration Settings

Shared

1. The organization establishes and documents configuration settings for information technology products employed within the information system using checklists from one or more of the following: a. Center for Internet Security (CIS), National Institute of Standards and Technology (NIST), Defense Information Systems Agency (DISA) that reflect the most restrictive mode consistent with operational requirements. 2. The organization implements the configuration settings. 3. The organization identifies, documents, and approves any deviations from established configuration settings for any configurable information system components. 4. The organization monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

To ensure systematic configuration management of information technology products.

Canada_Federal_PBMM_3-1-2020_CM_6(1)

CM_6(1)

Canada Federal PBMM 3-1-2020 CM 6(1)

Configuration Settings

Configuration Settings | Automated Central Management / Application / Verification

Shared

The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for organization-defined information system components.

To enhance efficiency, consistency, and security in configuration management processes.

Canada_Federal_PBMM_3-1-2020_CM_6(2)

CM_6(2)

Canada Federal PBMM 3-1-2020 CM 6(2)

Configuration Settings

Configuration Settings | Respond to Unauthorized Changes

Shared

The organization employs organization-defined security safeguards to respond to unauthorized changes to organization-defined configuration settings.

To ensure prompt detection, mitigation, and resolution of potential security risks.

Canada_Federal_PBMM_3-1-2020_CM_7

CM_7

Canada Federal PBMM 3-1-2020 CM 7

Least Functionality

Shared

1. The organization configures the information system to provide only essential capabilities. 2. The organization prohibits or restricts the use of identified functions, ports, protocols, and/or services following one or more standards from Center for Internet Security (CIS), National Institute of Standards and Technology (NIST), or Defense Information Systems Agency (DISA).

To minimise the attack surface of the information system.

Canada_Federal_PBMM_3-1-2020_CM_7(1)

CM_7(1)

Canada Federal PBMM 3-1-2020 CM 7(1)

Least Functionality

Least Functionality | Periodic Review

Shared

1. The organization reviews the information system at least annually to identify unnecessary and/or non-secure functions, ports, protocols, and services; and 2. The organization disables all functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.

To strengthen overall cybersecurity posture.

Canada_Federal_PBMM_3-1-2020_CM_9

CM_9

Canada Federal PBMM 3-1-2020 CM 9

Configuration Management Plan

Shared

1. The organization develops, documents, and implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. 2. The organization develops, documents, and implements a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items. 3. The organization develops, documents, and implements a configuration management plan for the information system that defines the configuration items for the information system and places the configuration items under configuration management; and 4. The organization develops, documents, and implements a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification.

To protect configuration items throughout their lifecycle while safeguarding the integrity of the configuration management plan.

Canada_Federal_PBMM_3-1-2020_SA_10

SA_10

Canada Federal PBMM 3-1-2020 SA 10

Developer Configuration Management

Shared

1. The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service development, implementation, and operation. 2. The organization requires the developer of the information system, system component, or information system service to document, manage, and control the integrity of changes to all items under configuration management; 3. The organization requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service; 4. The organization requires the developer of the information system, system component, or information system service to document approved changes to the system, component, or service and the potential security impacts of such changes; and 5. The organization requires the developer of the information system, system component, or information system service to track security flaws and flaw resolution within the system, component, or service and report findings to the Chief Information Officer or delegate.

To ensure systematic management of system integrity and security throughout the development lifecycle.

Canada_Federal_PBMM_3-1-2020_SA_4(9)

SA_4(9)

Canada Federal PBMM 3-1-2020 SA 4(9)

Acquisition Process

Acquisition Process | Functions / Ports / Protocols / Services in Use

Shared

The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

To facilitate early identification and assessment of potential security risks.

Canada_Federal_PBMM_3-1-2020_SA_9(2)

SA_9(2)

Canada Federal PBMM 3-1-2020 SA 9(2)

External Information System Services

External Information System Services | Identification of Functions / Ports / Protocols / Services

Shared

The organization requires providers of all external information systems and services to identify the functions, ports, protocols, and other services required for the use of such services.

To manage security risks and ensure the secure and efficient operation of external systems and services.

Canada_Federal_PBMM_3-1-2020_SC_12

SC_12

Canada Federal PBMM 3-1-2020 SC 12

Cryptographic Key Establishment and Management

Shared

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with CSE-approved cryptography.

To enhance overall security posture and compliance with industry best practices.

Canada_Federal_PBMM_3-1-2020_SC_12(1)

SC_12(1)

Canada Federal PBMM 3-1-2020 SC 12(1)

Cryptographic Key Establishment and Management

Cryptographic Key Establishment and Management | Availability

Shared

The organization maintains availability of information in the event of the loss of cryptographic keys by users.

To implement backup and recovery mechanisms.

CIS_Azure_Foundations_v2.1.0

7.9

CIS_Azure_Foundations_v2.1.0_7.9

CIS Azure Foundations v2.1.0 7.9

Virtual Machines

Ensure Trusted Launch is enabled on Virtual Machines

Shared

n/a

Ensure Trusted Launch is enabled on Virtual Machines.

CIS_Controls_v8.1

4.1

CIS_Controls_v8.1_4.1

CIS Controls v8.1 4.1

Secure Configuration of Enterprise Assets and Software

Establish and maintain a secure configuration process.

Shared

1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). 2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard.

To ensure data integrity and safety of enterprise assets.

CMMC_L2_v1.9.0

SC.L2_3.13.11

CMMC_L2_v1.9.0_SC.L2_3.13.11

Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.11

System and Communications Protection

CUI Encryption

Shared

Employ FIPS validated cryptography when used to protect the confidentiality of CUI.

To ensure the integrity and effectiveness of cryptographic protections applied to sensitive data.

CEK_02

CSA_v4.0.12_CEK_02

CSA Cloud Controls Matrix v4.0.12 CEK 02

Cryptography, Encryption & Key Management

CEK Roles and Responsibilities

Shared

n/a

Define and implement cryptographic, encryption and key management roles and responsibilities.

CEK_10

CSA_v4.0.12_CEK_10

CSA Cloud Controls Matrix v4.0.12 CEK 10

Cryptography, Encryption & Key Management

Key Generation

Shared

n/a

Generate Cryptographic keys using industry accepted cryptographic libraries specifying the algorithm strength and the random number generator used.

CEK_11

CSA_v4.0.12_CEK_11

CSA Cloud Controls Matrix v4.0.12 CEK 11

Cryptography, Encryption & Key Management

Key Purpose

Shared

n/a

Manage cryptographic secret and private keys that are provisioned for a unique purpose.

CEK_12

CSA_v4.0.12_CEK_12

CSA Cloud Controls Matrix v4.0.12 CEK 12

Cryptography, Encryption & Key Management

Key Rotation

Shared

n/a

Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements.

CEK_15

CSA_v4.0.12_CEK_15

CSA Cloud Controls Matrix v4.0.12 CEK 15

Cryptography, Encryption & Key Management

Key Activation

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements.

CEK_16

CSA_v4.0.12_CEK_16

CSA Cloud Controls Matrix v4.0.12 CEK 16

Cryptography, Encryption & Key Management

Key Suspension

Shared

n/a

Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements.

EU_2555_(NIS2)_2022

EU_2555_(NIS2)_2022_21

EU 2022/2555 (NIS2) 2022 21

Cybersecurity risk-management measures

Shared

n/a

Requires essential and important entities to take appropriate measures to manage cybersecurity risks.

193

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

310

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

310

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

310

FBI_Criminal_Justice_Information_Services_v5.9.5_5.1

FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1

Policy and Implementation - Systems And Communications Protection

Systems And Communications Protection

Shared

In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information.

Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment.

110

FBI_Criminal_Justice_Information_Services_v5.9.5_5

FBI_Criminal_Justice_Information_Services_v5.9.5_5.7

404 not found

n/a

HITRUST_CSF_v11.3

01.l

HITRUST_CSF_v11.3_01.l

HITRUST CSF v11.3 01.l

Network Access Control

Prevent unauthorized access to networked services.

Shared

Ports, services, and applications installed on a computer or network systems, which are not specifically required for business functionality, to be disabled or removed.

Physical and logical access to diagnostic and configuration ports shall be controlled.

ISO_IEC_27017_2015

10.1.1

ISO_IEC_27017_2015_10.1.1

ISO IEC 27017 2015 10.1.1

Cryptography

Policy on the use of cryptographic controls

Shared

For Cloud Service Customer: The cloud service customer should implement cryptographic controls for its use of cloud services if justified by the risk analysis. The controls should be of sufficient strength to mitigate the identified risks, whether those controls are supplied by the cloud service customer or by the cloud service provider. When the cloud service provider offers cryptography, the cloud service customer should review any information supplied by the cloud service provider to confirm whether the cryptographic capabilities: (i) meet the cloud service customer's policy requirements; (ii) are compatible with any other cryptographic protection used by the cloud service customer; (iii) apply to data at rest and in transit to, from and within the cloud service. For Cloud Service Provider: The cloud service provider should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the information it processes. The cloud service provider should also provide information to the cloud service customer about any capabilities it provides that can assist the cloud service customer in applying its own cryptographic protection.

To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography.

ISO_IEC_27017_2015

18.1.5

ISO_IEC_27017_2015_18.1.5

ISO IEC 27017 2015 18.1.5

Compliance

Regulation of Cryptographic Controls

Shared

For Cloud Service Customer: The cloud service customer should verify that the set of cryptographic controls that apply to the use of a cloud service comply with relevant agreements, legislation and regulations. For Cloud Service Provider: The cloud service provider should provide descriptions of the cryptographic controls implemented by the cloud service provider to the cloud service customer for reviewing compliance with applicable agreements, legislation and regulations.

To ensure compliance with legal, statutory, regulatory and contractual requirements related to information security.

NIS2

PV._Posture_and_Vulnerability_Management_5

NIS2_PV._Posture_and_Vulnerability_Management_5

PV. Posture and Vulnerability Management

Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure

n/a

missing value

NIST_SP_800-171_R3_3

.13.11

NIST_SP_800-171_R3_3.13.11

NIST 800-171 R3 3.13.11

System and Communications Protection Control

Cryptographic Protection

Shared

Cryptography is implemented in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.

Implement the following types of cryptography when used to protect the confidentiality of CUI: [Assignment: organization-defined types of cryptography].

NIST_SP_800-171_R3_3

.4.6

NIST_SP_800-171_R3_3.4.6

404 not found

n/a

NIST_SP_800-53_R5.1.1

CM.7.1

NIST_SP_800-53_R5.1.1_CM.7.1

NIST SP 800-53 R5.1.1 CM.7.1

Configuration Management Control

Least Functionality | Periodic Review

Shared

(a) Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and (b) Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure].

Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking.

NIST_SP_800-53_R5.1.1

SC.13

NIST_SP_800-53_R5.1.1_SC.13

NIST SP 800-53 R5.1.1 SC.13

System and Communications Protection

Cryptographic Protection

Shared

a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use].

Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

17.1.51.C.01.

NZISM_v3.7_17.1.51.C.01.

NZISM v3.7 17.1.51.C.01.

Cryptographic Fundamentals

17.1.51.C.01. - enhace overall security posture.

Shared

n/a

Agencies using cryptographic functionality within a product to protect the confidentiality, authentication, non-repudiation or integrity of information, MUST ensure that the product has completed a cryptographic evaluation recognised by the GCSB.

17.1.52.C.01.

NZISM_v3.7_17.1.52.C.01.

NZISM v3.7 17.1.52.C.01.

Cryptographic Fundamentals

17.1.52.C.01. - enhace overall security posture.

Shared

n/a

Cryptographic products MUST provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure.

17.1.52.C.02.

NZISM_v3.7_17.1.52.C.02.

NZISM v3.7 17.1.52.C.02.

Cryptographic Fundamentals

17.1.52.C.02. - enhance data accessibility and integrity.

Shared

n/a

Cryptographic products SHOULD provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure.

17.1.53.C.03.

NZISM_v3.7_17.1.53.C.03.

NZISM v3.7 17.1.53.C.03.

Cryptographic Fundamentals

17.1.53.C.03. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information.

Shared

n/a

If an agency wishes to use encryption to reduce the storage, handling or physical transfer requirements for IT equipment or media that contains classified information, they MUST use: 1. full disk encryption; or 2. partial disk encryption where the access control will allow writing ONLY to the encrypted partition holding the classified information.

17.1.53.C.04.

NZISM_v3.7_17.1.53.C.04.

NZISM v3.7 17.1.53.C.04.

Cryptographic Fundamentals

17.1.53.C.04. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information.

Shared

n/a

If an agency wishes to use encryption to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they SHOULD use: 1. full disk encryption; or 2. partial disk encryption where the access control will allow writing ONLY to the encrypted partition holding the classified information.

17.1.54.C.01.

NZISM_v3.7_17.1.54.C.01.

NZISM v3.7 17.1.54.C.01.

Cryptographic Fundamentals

17.1.54.C.01. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information.

Shared

n/a

Agencies MUST use an Approved Cryptographic Algorithm to protect NZEO information when at rest on a system.

17.1.55.C.01.

NZISM_v3.7_17.1.55.C.01.

NZISM v3.7 17.1.55.C.01.

Cryptographic Fundamentals

17.1.55.C.01. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information.

Shared

n/a

Agencies MUST use HACE if they wish to communicate or pass information over UNCLASSIFIED, insecure or unprotected networks.

17.1.55.C.02.

NZISM_v3.7_17.1.55.C.02.

NZISM v3.7 17.1.55.C.02.

Cryptographic Fundamentals

17.1.55.C.02. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information.

Shared

n/a

Information or systems classified RESTRICTED or SENSITIVE MUST be encrypted with an Approved Cryptographic Algorithm and Protocol if information is transmitted or systems are communicating over insecure or unprotected networks, such as the Internet, public networks or non-agency controlled networks.

17.1.55.C.03.

NZISM_v3.7_17.1.55.C.03.

NZISM v3.7 17.1.55.C.03.

Cryptographic Fundamentals

17.1.55.C.03. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information.

Shared

n/a

Agencies MUST encrypt aggregated agency data using an approved algorithm and protocol over insecure or unprotected networks such as the Internet, public infrastructure or non-agency controlled networks when the compromise of the aggregated data would present a significant impact to the agency.

17.1.55.C.04.

NZISM_v3.7_17.1.55.C.04.

NZISM v3.7 17.1.55.C.04.

Cryptographic Fundamentals

17.1.55.C.04. - ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information.

Shared

n/a

Agencies SHOULD encrypt agency data using an approved algorithm and protocol if they wish to communicate over insecure or unprotected networks such as the Internet, public networks or non-agency controlled networks.

17.1.56.C.02.

NZISM_v3.7_17.1.56.C.02.

NZISM v3.7 17.1.56.C.02.

Cryptographic Fundamentals

17.1.56.C.02. - ensure compliance with security protocols and best practices.

Shared

n/a

Agencies MUST consult the GCSB for further advice on the powered off status and treatment of specific software, systems and IT equipment.

17.1.57.C.01.

NZISM_v3.7_17.1.57.C.01.

NZISM v3.7 17.1.57.C.01.

Cryptographic Fundamentals

17.1.57.C.01. - ensure compliance with security protocols and best practices.

Shared

n/a

In addition to any encryption already in place for communication mediums, agencies MUST use an Approved Cryptographic Protocol and Algorithm to protect NZEO information when in transit.

17.1.58.C.01.

NZISM_v3.7_17.1.58.C.01.

NZISM v3.7 17.1.58.C.01.

Cryptographic Fundamentals

17.1.58.C.01. - ensure compliance with security protocols and best practices.

Shared

n/a

Agencies SHOULD establish cryptoperiods for all keys and cryptographic implementations in their systems and operations.

17.1.58.C.02.

NZISM_v3.7_17.1.58.C.02.

NZISM v3.7 17.1.58.C.02.

Cryptographic Fundamentals

17.1.58.C.02. - enhance overall cybersecurity posture.

Shared

n/a

Agencies SHOULD use risk assessment techniques and guidance to establish cryptoperiods.

22.3.11.C.01.

NZISM_v3.7_22.3.11.C.01.

NZISM v3.7 22.3.11.C.01.

Virtual Local Area Networks

22.3.11.C.01. - ensure data security and integrity.

Shared

n/a

Unused ports on the switches MUST be disabled.

22.3.11.C.02.

NZISM_v3.7_22.3.11.C.02.

NZISM v3.7 22.3.11.C.02.

Virtual Local Area Networks

22.3.11.C.02. - ensure data security and integrity.

Shared

n/a

Unused ports on the switches SHOULD be disabled.

PCI_DSS_v4.0.1

2.2.4

PCI_DSS_v4.0.1_2.2.4

PCI DSS v4.0.1 2.2.4

Apply Secure Configurations to All System Components

Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled

Shared

n/a

Examine system configuration standards to verify necessary services, protocols, daemons, and functions are identified and documented. Examine system configurations to verify the following: All unnecessary functionality is removed or disabled. Only required functionality, as documented in the configuration standards, is enabled

PCI_DSS_v4.0.1

3.5.1.1

PCI_DSS_v4.0.1_3.5.1.1

PCI DSS v4.0.1 3.5.1.1

Protect Stored Account Data

Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7

Shared

n/a

Examine documentation about the hashing method used to render PAN unreadable, including the vendor, type of system/process, and the encryption algorithms (as applicable) to verify that the hashing method results in keyed cryptographic hashes of the entire PAN, with associated key management processes and procedures. Examine documentation about the key management procedures and processes associated with the keyed cryptographic hashes to verify keys are managed in accordance with Requirements 3.6 and 3.7. Examine data repositories to verify the PAN is rendered unreadable. Examine audit logs, including payment application logs, to verify the PAN is rendered unreadable

PCI_DSS_v4.0.1

4.2.1

PCI_DSS_v4.0.1_4.2.1

PCI DSS v4.0.1 4.2.1

Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: Only trusted keys and certificates are accepted. Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations. The encryption strength is appropriate for the encryption methodology in use

Shared

n/a

Examine documented policies and procedures and interview personnel to verify processes are defined to include all elements specified in this requirement. Examine system configurations to verify that strong cryptography and security protocols are implemented in accordance with all elements specified in this requirement. Examine cardholder data transmissions to verify that all PAN is encrypted with strong cryptography when it is transmitted over open, public networks. Examine system configurations to verify that keys and/or certificates that cannot be verified as trusted are rejected

RBI_CSF_Banks_v2016

13.1

RBI_CSF_Banks_v2016_13.1

Advanced Real-Timethreat Defenceand Management

Advanced Real-Timethreat Defenceand Management-13.1

n/a

Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise.

RBI_CSF_Banks_v2016

4.3

RBI_CSF_Banks_v2016_4.3

Network Management And Security

Network Device Configuration Management-4.3

n/a

Ensure that all the network devices are configured appropriately and periodically assess whether the configurations are appropriate to the desired level of network security.

RBI_ITF_NBFC_v2017

3.1.b

RBI_ITF_NBFC_v2017_3.1.b

RBI IT Framework 3.1.b

Information and Cyber Security

Segregation of Functions-3.1

n/a

The IS Policy must provide for a IS framework with the following basic tenets: Segregation of functions: There should be segregation of the duties of the Security Officer/Group (both physical security as well as cyber security) dealing exclusively with information systems security and the Information Technology division which actually implements the computer systems. The information security function should be adequately resourced in terms of the number of staff, level of skill and tools or techniques like risk assessment, security architecture, vulnerability assessment, forensic assessment, etc. Further, there should be a clear segregation of responsibilities relating to system administration, database administration and transaction processing.

link

SOC_2

CC6.8

SOC_2_CC6.8

SOC 2 Type 2 CC6.8

Logical and Physical Access Controls

Prevent or detect against unauthorized or malicious software

Shared

The customer is responsible for implementing this recommendation.

Restricts Application and Software Installation — The ability to install applications and software is restricted to authorized individuals. • Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. • Uses a Defined Change Control Process — A management-defined change control process is used for the implementation of software. • Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. • Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network.

SOC_2

CC8.1

SOC_2_CC8.1

SOC 2 Type 2 CC8.1

Change Management

Changes to infrastructure, data, and software

Shared

The customer is responsible for implementing this recommendation.

Manages Changes Throughout the System Life Cycle — A process for managing system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and processing integrity. • Authorizes Changes — A process is in place to authorize system changes prior to development. • Designs and Develops Changes — A process is in place to design and develop system changes. • Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. • Tracks System Changes — A process is in place to track system changes prior to implementation. • Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software. • Tests System Changes — A process is in place to test system changes prior to implementation. • Approves System Changes — A process is in place to approve system changes prior to implementation. • Deploys System Changes — A process is in place to implement system changes. • Identifies and Evaluates System Changes — Objectives affected by system changes are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle. • Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents — Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified and the change process is initiated upon identification. • Creates Baseline Configuration of IT Technology — A baseline configuration of IT and control systems is created and maintained. • Provides for Changes Necessary in Emergency Situations — A process is in place for authorizing, designing, testing, approving, and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent time frame). Additional points of focus that apply only in an engagement using the trust services criteria for confidentiality: • Protects Confidential Information — The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality. Additional points of focus that apply only in an engagement using the trust services criteria for privacy: • Protects Personal Information — The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy.

CC2.3

SOC_2023_CC2.3

SOC 2023 CC2.3

Information and Communication

Facilitate effective internal communication.

Shared

n/a

Entity to communicate with external parties regarding matters affecting the functioning of internal control.

218

CC5.3

SOC_2023_CC5.3

SOC 2023 CC5.3

Control Activities

Maintain alignment with organizational objectives and regulatory requirements.

Shared

n/a

Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures.

229

CC7.2

SOC_2023_CC7.2

SOC 2023 CC7.2

Systems Operations

Maintain robust security measures and ensure operational resilience.

Shared

n/a

The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events.

167