compliance controls are associated with this Policy definition 'Azure Key Vault Managed HSM should have purge protection enabled' (c39ba22d-4428-4149-b981-70acb31fc383)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| CIS_Azure_1.1.0 |
8.4 |
CIS_Azure_1.1.0_8.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.4 |
8 Other Security Considerations |
Ensure the key vault is recoverable |
Shared |
The customer is responsible for implementing this recommendation. |
The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects.
It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. |
link |
3 |
| CSA_v4.0.12 |
BCR_08 |
CSA_v4.0.12_BCR_08 |
CSA Cloud Controls Matrix v4.0.12 BCR 08 |
Business Continuity Management and Operational Resilience |
Backup |
Shared |
n/a |
Periodically backup data stored in the cloud. Ensure the confidentiality,
integrity and availability of the backup, and verify data restoration from backup for resiliency. |
|
7 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_11 |
EU_2555_(NIS2)_2022_11 |
EU 2022/2555 (NIS2) 2022 11 |
|
Requirements, technical capabilities and tasks of CSIRTs |
Shared |
n/a |
Outlines the requirements, technical capabilities, and tasks of CSIRTs. |
|
68 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_12 |
EU_2555_(NIS2)_2022_12 |
EU 2022/2555 (NIS2) 2022 12 |
|
Coordinated vulnerability disclosure and a European vulnerability database |
Shared |
n/a |
Establishes a coordinated vulnerability disclosure process and a European vulnerability database. |
|
66 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
193 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_29 |
EU_2555_(NIS2)_2022_29 |
EU 2022/2555 (NIS2) 2022 29 |
|
Cybersecurity information-sharing arrangements |
Shared |
n/a |
Allows entities to exchange relevant cybersecurity information on a voluntary basis. |
|
66 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_9 |
EU_2555_(NIS2)_2022_9 |
EU 2022/2555 (NIS2) 2022 9 |
|
National cyber crisis management frameworks |
Shared |
n/a |
Requires Member States to establish frameworks for managing large-scale cybersecurity incidents and crises. |
|
14 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
310 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.11 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 |
Policy and Implementation - Formal Audits |
Policy Area 11: Formal Audits |
Shared |
Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. |
Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. |
|
64 |
| hipaa |
1635.12b1Organizational.2-12.b |
hipaa-1635.12b1Organizational.2-12.b |
1635.12b1Organizational.2-12.b |
16 Business Continuity & Disaster Recovery |
1635.12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Information security aspects of business continuity are: (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and, (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy. |
|
6 |
| HITRUST_CSF_v11.3 |
10.c |
HITRUST_CSF_v11.3_10.c |
HITRUST CSF v11.3 10.c |
Correct Processing in Applications |
Incorporate validation checks into applications to detect any corruption of information through processing errors or deliberate acts. |
Shared |
Data integrity controls which manage changes, prevent sequencing errors, ensure recovery from failures, and protect against buffer overrun attacks are to be implemented. |
Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts. |
|
35 |
| New_Zealand_ISM |
23.4.9.C.01 |
New_Zealand_ISM_23.4.9.C.01 |
New_Zealand_ISM_23.4.9.C.01 |
23. Public Cloud Security |
23.4.9.C.01 Data protection mechanisms |
|
n/a |
For each cloud service, agencies MUST ensure that the mechanisms used to protect data meet agency requirements. |
|
17 |
| NIST_SP_800-53_R5.1.1 |
CP.10 |
NIST_SP_800-53_R5.1.1_CP.10 |
NIST SP 800-53 R5.1.1 CP.10 |
Contingency Planning Control |
System Recovery and Reconstitution |
Shared |
Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure. |
Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning. |
|
2 |
| NIST_SP_800-53_R5.1.1 |
SI.7.5 |
NIST_SP_800-53_R5.1.1_SI.7.5 |
NIST SP 800-53 R5.1.1 SI.7.5 |
System and Information Integrity Control |
Software, Firmware, and Information Integrity | Automated Response to Integrity Violations |
Shared |
Automatically [Selection (one or more): shut the system down; restart the system; implement [Assignment: organization-defined controls]
] when integrity violations are discovered. |
Organizations may define different integrity-checking responses by type of information, specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur. |
|
4 |
| NZ_ISM_v3.5 |
GS-2 |
NZ_ISM_v3.5_GS-2 |
NZISM Security Benchmark GS-2 |
Gateway security |
19.1.11 Using Gateways |
Customer |
n/a |
Physically locating all gateway components inside a secure server room will reduce the risk of unauthorised access to the device(s).
The system owner of the higher security domain of connected security domains would be most familiar with the controls required to protect the more sensitive information and as such is best placed to manage any shared components of gateways. In some cases where multiple security domains from different agencies are connected to a gateway, it may be more appropriate to have a qualified third party manage the gateway on behalf of all connected agencies.
Gateway components may also reside in a virtual environment ??? refer to Section 22.2 ??? Virtualisation and Section 22.3 ??? Virtual Local Area Networks |
link |
10 |
| NZISM_Security_Benchmark_v1.1 |
GS-2 |
NZISM_Security_Benchmark_v1.1_GS-2 |
NZISM Security Benchmark GS-2 |
Gateway security |
19.1.11 Using Gateways |
Customer |
Agencies MUST ensure that:
all agency networks are protected from networks in other security domains by one or more gateways;
all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and
all gateway components, discrete and virtual, are physically located within an appropriately secured server room. |
Physically locating all gateway components inside a secure server room will reduce the risk of unauthorised access to the device(s).
The system owner of the higher security domain of connected security domains would be most familiar with the controls required to protect the more sensitive information and as such is best placed to manage any shared components of gateways. In some cases where multiple security domains from different agencies are connected to a gateway, it may be more appropriate to have a qualified third party manage the gateway on behalf of all connected agencies.
Gateway components may also reside in a virtual environment – refer to Section 22.2 – Virtualisation and Section 22.3 – Virtual Local Area Networks |
link |
8 |
| RMiT_v1.0 |
10.16 |
RMiT_v1.0_10.16 |
RMiT 10.16 |
Cryptography |
Cryptography - 10.16 |
Shared |
n/a |
A financial institution must establish a robust and resilient cryptography policy to promote the adoption of strong cryptographic controls for protection of important data and information. This policy, at a minimum, shall address requirements for:
(a) the adoption of industry standards for encryption algorithms, message authentication, hash functions, digital signatures and random number generation;
(b) the adoption of robust and secure processes in managing cryptographic key lifecycles which include generation, distribution, renewal, usage, storage, recovery, revocation and destruction;
(c) the periodic review, at least every three years, of existing cryptographic standards and algorithms in critical systems, external linked or transactional customer-facing applications to prevent exploitation of weakened algorithms or protocols; and
(d) the development and testing of compromise-recovery plans in the event of a cryptographic key compromise. This must set out the escalation process, procedures for keys regeneration, interim measures, changes to business-as-usual protocols and containment strategies or options to minimise the impact of a compromise. |
link |
10 |
| RMiT_v1.0 |
11.15 |
RMiT_v1.0_11.15 |
RMiT 11.15 |
Data Loss Prevention (DLP) |
Data Loss Prevention (DLP) - 11.15 |
Shared |
n/a |
A financial institution must design internal control procedures and implement appropriate technology in all applications and access points to enforce DLP policies and trigger any policy violations. The technology deployed must cover the following:
(a) data in-use - data being processed by IT resources;
(b) data in-motion - data being transmitted on the network; and
(c) data at-rest - data stored in storage mediums such as servers, backup media and databases. |
link |
14 |
| Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes_Oxley_Act_(1)_2022_1 |
Sarbanes Oxley Act 2022 1 |
PUBLIC LAW |
Sarbanes Oxley Act 2022 (SOX) |
Shared |
n/a |
n/a |
|
92 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
218 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
229 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
213 |
| SWIFT_CSCF_2024 |
2.1 |
SWIFT_CSCF_2024_2.1 |
SWIFT Customer Security Controls Framework 2024 2.1 |
Risk Management |
Internal Data Flow Security |
Shared |
The protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit. |
To ensure the confidentiality, integrity, and authenticity of application data flows between ’user’s Swift-related components. |
|
48 |
| SWIFT_CSCF_2024 |
6.2 |
SWIFT_CSCF_2024_6.2 |
SWIFT Customer Security Controls Framework 2024 6.2 |
Risk Management |
Software Integrity |
Shared |
Software integrity checks provide a detective control against unexpected modification to operational software. |
To ensure the software integrity of the Swift-related components and act upon results. |
|
16 |
| SWIFT_CSCF_2024 |
6.3 |
SWIFT_CSCF_2024_6.3 |
SWIFT Customer Security Controls Framework 2024 6.3 |
Risk Management |
Database Integrity |
Shared |
Database integrity checks allow unexpected modification to records stored within the database to be detected. |
To ensure the integrity of the database records for the Swift messaging interface or the customer connector and act upon results. |
|
16 |