SDPC
Global Education Security Standard (GESS)


V1.0 of GESS identifies and crosswalks controls from the following security frameworks:
Search results include:

Standard | Control | Control Text | Statements | Control Type | Category | Jurisdiction | NH Standard | ST4S Version
NIST 800-171 | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). | All access to the service requires authentication, including both human and automated access. | Basic | Access Control | United States | Y | 1
NIST 800-171 | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | The service provides role-based access control (RBAC), and this process is documented for all systems including the service. | Derived | Access Control | United States | Y | 1
NIST 800-171 | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | If a multi-tenancy model is used to store and process customer data, partitioning controls are implemented to securely separate each customer's data from that of other customers. | Derived | Data Security | United States | | 1
NIST 800-171 | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | During development of the service, different mission, testing, auditing, and system support roles are allocated to different individuals (organization staff, vendor staff, external contractors, associates) as a matter of policy. | Derived | Governance | United States | | 1
NIST 800-171 | 3.1.5 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | Within your organization and within the service, super user privileged accounts are restricted to specific users or roles. | Derived | Access Control | United States | Y | 1
NIST 800-171 | 3.1.6 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Within your organization and within the service, super user privileged accounts are restricted by policy to only those functions that require such access and only for the duration required. | Derived | Access Control | United States | | 1
NIST 800-171 | 3.1.7 | Prevent non-privileged users from executing privileged functions and audit the execution of such functions in audit logs. | The organization has a documented and implemented logging procedure, covering the collection, review and retention of logs, which is reviewed annually and which requires all systems in the organization (e.g., servers, storage, network, applications, etc.) to synchronize logs to a consistent time source and to log the following: authentication logs (e.g., successful login, unsuccessful login, logoff); privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources); user administration logs (e.g., addition/removal of users, changes to accounts, password changes); and system logs (e.g., system shutdown/restarts, application crashes and error messages); and uses or ascribes a unique identifier of the user who has performed the activity being logged. | Derived | Platform Security | United States | | 1
NIST 800-171 | 3.1.8 | Limit unsuccessful logon attempts. | User passwords are reset after several unsuccessful logon attempts. | Derived | Access Control | United States | Y | 1
NIST 800-171 | 3.1.9 | Provide privacy and security notices consistent with applicable CUI rules. | During development of the service, different mission, testing, auditing, and system support roles are allocated to different individuals (organization staff, vendor staff, external contractors, associates) as a matter of policy. | Derived | Governance | United States | | 1
NIST 800-171 | 3.1.10 | Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity. | All internal organization systems are configured with a session or screen lock that activates after a maximum of 15 minutes of user inactivity, or when manually activated by the user; on mobile devices the lock activates after a maximum of 2 minutes of user inactivity, or when manually activated by the user. In both cases the user must reauthenticate to unlock the system. | Basic | Access Control | United States | | 1
NIST 800-171 | 3.1.11 | Terminate (automatically) a user session after a defined condition. | User log-in sessions are automatically terminated after a period of inactivity, or in response to a security incident. | Derived | Access Control | United States | | 1
NIST 800-171 | 3.1.12 | Monitor and control remote access sessions. | In relation to the remote access tools available within the service, the following controls are implemented: A. Remote access tools can be disabled by an administrator or moderator; B. Remote access sessions can only be initiated with the agreement of the user; C. Users can take back control during remote access sessions; D. Users can terminate remote access sessions once initiated; E. On-screen notification is displayed throughout remote access sessions; F. Remote access sessions are logged. | Derived | Access Control | United States | | 1
NIST 800-171 | 3.1.13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | The following perimeter controls are in place: External firewall; Host based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to the asset inventory on a regular basis; DNS filtering and network URL based filters; Organization assets configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization's wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; Implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g., Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; Periodic scans of organizational file storage and real-time scans of files from external sources. | Derived | Platform Security | United States | Y | 1
NIST 800-171 | 3.1.14 | Route remote access via managed access control points. | The following perimeter controls are in place: External firewall; Host based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to the asset inventory on a regular basis; DNS filtering and network URL based filters; Organization assets configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization's wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; Implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g., Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; Periodic scans of organizational file storage and real-time scans of files from external sources. | Derived | Platform Security | United States | | 1
NIST 800-171 | 3.1.15 | Authorize remote execution of privileged commands and remote access to security-relevant information. | The service requires additional authorization protocols to execute privileged commands remotely, compared to on-site. | Derived | Access Control | United States | | 1
NIST 800-171 | 3.1.16 | Authorize wireless access prior to allowing such connections. | The following perimeter controls are in place: External firewall; Host based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to the asset inventory on a regular basis; DNS filtering and network URL based filters; Organization assets configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization's wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; Implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g., Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; Periodic scans of organizational file storage and real-time scans of files from external sources. | Derived | Platform Security | United States | Y | 1
NIST 800-171 | 3.1.17 | Protect wireless access using authentication and encryption. | The following perimeter controls are in place: External firewall; Host based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to the asset inventory on a regular basis; DNS filtering and network URL based filters; Organization assets configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization's wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; Implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g., Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; Periodic scans of organizational file storage and real-time scans of files from external sources. | Derived | Platform Security | United States | Y | 1
NIST 800-171 | 3.1.18 | Control connection of mobile devices. | A documented and implemented security policy is in place that governs the management and connectivity of mobile devices, including: use of a Mobile Device Management solution applied to all mobile devices, and encryption of any sensitive information transferred to mobile devices. | Derived | Governance | United States | | 1
NIST 800-171 | 3.1.19 | Encrypt CUI on mobile devices. | A documented and implemented security policy is in place that governs the management and connectivity of mobile devices, including: use of a Mobile Device Management solution applied to all mobile devices, and encryption of any sensitive information transferred to mobile devices. | Derived | Governance | United States | | 1
NIST 800-171 | 3.1.20 | Verify and control/limit connections to and use of external information systems. | A documented and implemented security policy is in place that governs the management and use of externally owned systems and devices, such as personally owned computers, portable storage devices and removable media (including media used for system maintenance), and includes: physically controlling and securely storing all media (paper and digital) containing sensitive data; restricting access to media containing sensitive data to authorized staff; encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); logging any transport of media outside secure areas; marking media containing sensitive data with applicable distribution limitations; requiring all removable portable storage devices to have an identifiable owner; and disabling all autorun and auto-play functionality on removable media. | Derived | Governance | United States | | 1
NIST 800-171 | 3.1.21 | Limit use of portable storage devices on external systems. | The following perimeter controls are in place: External firewall; Host based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to the asset inventory on a regular basis; DNS filtering and network URL based filters; Organization assets configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization's wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; Implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g., Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; Periodic scans of organizational file storage and real-time scans of files from external sources. | Derived | Platform Security | United States | | 1
NIST 800-171 | 3.1.22 | Control CUI posted or processed on publicly accessible systems. | The organization does not share user data with third parties in any circumstances other than the following: the individual has consented to the use or disclosure of the information; the use or disclosure of the information is required or authorized by or under a law or a court/tribunal order in the customer's country; the use or disclosure is required or permitted under privacy legislation in the customer's country; or the entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body. This is subject to the relevant jurisdictional circumstances: for services in Australia, as per the Australian Privacy Principles, as well as the permitted general situations and permitted health situations; for services in New Zealand, as per the Privacy Principles and information sharing provisions in the Privacy Act 2020, as well as the Oranga Tamariki Act 1989 and the Family Violence Act 2018; and for the UK, as per Keeping Children Safe in Education. | Derived | Privacy | United States | | 1
NIST 800-171 3.2.1 Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. The organization runs, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following: Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); The content to be delivered for each awareness session such as: Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; Actions to maintain security, privacy and online safety, including practical office/desktop practices; Actions to respond to suspected security, privacy and online safety incidents; Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; Data identification and storage, including the safe transfer of data, archival and destruction; Disciplinary actions for significant security and privacy breaches by staff; How to recognise and report indicators of potential insider threats to security by staff.; Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and Covers authentication best practices including MFA, password composition and managing credentials; Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and Covers the dangers of connecting to, and transmitting data over insecure networks for business 
activities, with specific training for remote workers regarding safe configuration of home networks. Basic Personnel United States Y 1
NIST 800-171 3.2.2 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. The organization runs, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following: Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); The content to be delivered for each awareness session such as: Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; Actions to maintain security, privacy and online safety, including practical office/desktop practices; Actions to respond to suspected security, privacy and online safety incidents; Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; Data identification and storage, including the safe transfer of data, archival and destruction; Disciplinary actions for significant security and privacy breaches by staff; How to recognise and report indicators of potential insider threats to security by staff.; Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and Covers authentication best practices including MFA, password composition and managing credentials; Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. Basic Personnel United States Y 1
NIST 800-171 3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat. The organization runs, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following: Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); The content to be delivered for each awareness session such as: Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; Actions to maintain security, privacy and online safety, including practical office/desktop practices; Actions to respond to suspected security, privacy and online safety incidents; Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; Data identification and storage, including the safe transfer of data, archival and destruction; Disciplinary actions for significant security and privacy breaches by staff; How to recognise and report indicators of potential insider threats to security by staff.; Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and Covers authentication best practices including MFA, password composition and managing credentials; Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. Derived Personnel United States 1
NIST 800-171 3.3.1 Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful unauthorized system activity. The organization has a documented and implemented logging procedure, covering the collection, review and retention of logs, which is reviewed annually and which requires all systems in the organization (e.g., servers, storage, network, applications, etc.) to log the following and synchronize logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - And uses or ascribes a unique identifier of the user who has performed the activity being logged. Basic Platform Security United States Y 1
NIST 800-171 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. The organization has a documented and implemented logging procedure, covering the collection, review and retention of logs, which is reviewed annually and which requires all systems in the organization (e.g., servers, storage, network, applications, etc.) to log the following and synchronize logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/restarts, application crashes and error messages) - And uses or ascribes a unique identifier of the user who has performed the activity being logged. Basic Platform Security United States Y 1
NIST 800-171 3.3.3 Review and update logged events. Your organization's information security policy documents and implements the following minimum requirements: management's support for information security, compliance with laws and regulations, information security roles with corresponding responsibilities, access controls for sensitive information aligned with roles, retention period for security logs, regular policy reviews and updates in response to security incidents, logging of specific events, incident response policies with a roadmap for implementation if needed, personnel security, physical and environmental protections, system boundaries and connections to other systems, and policies for preserving system and information integrity including monitoring. Derived Governance United States 1
NIST 800-171 3.3.4 Alert in the event of an audit process failure. The organization has implemented a centralized logging facility to store logs which: Ensures logs cannot be tampered with; Triggers an alert in case a logging transaction fails; Supports audit reduction and report generation for analysis; and Ensures adequate storage to comply with specified retention times. Derived Platform Security United States 1
NIST 800-171 3.3.5 Correlate audit review, analysis, and reporting processes for investigation and response to indications of suspicious or unusual activity. The organization has a documented and implemented event log auditing procedure which outlines, at a minimum: Schedule of audits (annual or real-time for sensitive data); Definitions of security violations; Actions to be taken when violations are detected; and Reporting requirements. Derived Detect & Respond United States 1
NIST 800-171 3.3.6 Provide audit reduction and report generation to support on-demand analysis and reporting. The organization has implemented a centralized logging facility to store logs which: Ensures logs cannot be tampered with; Triggers an alert in case a logging transaction fails; Supports audit reduction and report generation for analysis; and Ensures adequate storage to comply with specified retention times. Derived Platform Security United States 1
NIST 800-171 3.3.7 Provide system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. The organization has a documented and implemented logging procedure, covering the collection, review and retention of logs, which is reviewed annually and which requires all systems in the organization (e.g., servers, storage, network, applications, etc.) to log the following and synchronize logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/restarts, application crashes and error messages) - And uses or ascribes a unique identifier of the user who has performed the activity being logged. Derived Platform Security United States 1
NIST 800-171 3.3.8 Protect audit information and audit tools from unauthorized access, modification, and deletion. The organization has implemented a centralized logging facility to store logs which: Ensures logs cannot be tampered with; Triggers an alert in case a logging transaction fails; Supports audit reduction and report generation for analysis; and Ensures adequate storage to comply with specified retention times. Derived Platform Security United States 1
NIST 800-171 3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. The organization has a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc. (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organization's network; for software, the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organization's system hardening process, with each component tracked only once; - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. Basic Asset & Risk Management United States Y 1
NIST 800-171 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems. A documented and implemented system hardening process is in place which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; Ensures only required ports, protocols, services and authorizations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; Results in security configurations being established and enforced for organization systems; and Ensures only required and authorized software is installed and used. Basic Platform Security United States Y 1
NIST 800-171 3.4.3 Track, review, approve or disapprove, and audit log changes to organizational systems. The organization has a documented and implemented IT Change management process and supporting procedures which includes the following at a minimum: - Applicable criteria for entry to and exit from the change management process; - Categorization of IT change (e.g., Standard, Pre-Approved, Emergency, etc.); - Approval requirements for each category of IT change; - Assessment of potential security impacts; - Prerequisites for the IT change (e.g., the IT change has been tested in a non-production environment); - Documentation requirements in regard to the change (e.g., completion of a template in an IT change management tool, completion of a rollback plan, etc.); - Documentation that needs to be updated as a result of the change (e.g., as-built documentation, IT Disaster Recovery Plans, etc.); - IT change communication processes (e.g., notifications to users); and - Validation of all changes to systems before they are finalized. Derived Platform Security United States 1
NIST 800-171 3.4.4 Analyze the security impact of changes prior to implementation. The organization has a documented and implemented IT Change management process and supporting procedures which includes the following at a minimum: - Applicable criteria for entry to and exit from the change management process; - Categorization of IT change (e.g., Standard, Pre-Approved, Emergency, etc.); - Approval requirements for each category of IT change; - Assessment of potential security impacts; - Prerequisites for the IT change (e.g., the IT change has been tested in a non-production environment); - Documentation requirements in regard to the change (e.g., completion of a template in an IT change management tool, completion of a rollback plan, etc.); - Documentation that needs to be updated as a result of the change (e.g., as-built documentation, IT Disaster Recovery Plans, etc.); - IT change communication processes (e.g., notifications to users); and - Validation of all changes to systems before they are finalized. Derived Platform Security United States 1
NIST 800-171 3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. Vendor staff, external contractors or associates with non-privileged accounts are restricted from installing, uninstalling, disabling or making any changes to software and system configuration on servers and endpoints. Derived Platform Security United States 1
NIST 800-171 3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. Production servers (e.g., authentication servers, Domain Name System (DNS), web servers, file servers and email servers), containers, serverless services and all endpoints are protected by HIPS (Host-based Intrusion Prevention System), software-based application firewalls, anti-virus and anti-malware, all of which are kept up to date with definitions and maintained. Derived Platform Security United States 1
NIST 800-171 3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. A documented and implemented system hardening process is in place which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; Ensures only required ports, protocols, services and authorizations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; Results in security configurations being established and enforced for organization systems; and Ensures only required and authorized software is installed and used. Derived Platform Security United States Y 1
NIST 800-171 3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. A documented and implemented system hardening process is in place which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; Ensures only required ports, protocols, services and authorizations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; Results in security configurations being established and enforced for organization systems; and Ensures only required and authorized software is installed and used. Derived Platform Security United States 1
NIST 800-171 3.4.9 Control and monitor user-installed software. A documented and implemented system hardening process is in place which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; Ensures only required ports, protocols, services and authorizations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; Results in security configurations being established and enforced for organization systems; and Ensures only required and authorized software is installed and used. Derived Platform Security United States 1
NIST 800-171 3.5.1 Identify system users, processes acting on behalf of users, and devices. All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. Basic Access Control United States Y 1
NIST 800-171 3.5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational systems. All access to the service requires authentication including both human and automated access. Basic Access Control United States Y 1
NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. The service offers multi-factor authentication for end users. Derived Access Control United States 1
NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. The service's multi-factor authentication is replay-resistant (e.g., nonces, one-time authentication tokens). Derived Access Control United States 1
NIST 800-171 3.5.5 Prevent reuse of identifiers for a defined period. Within the organization, all accounts are disabled after 45 days of inactivity, and user identifiers are blocked from reassignment to new users for a defined period of time. Derived Access Control United States 1
NIST 800-171 3.5.6 Disable identifiers after a defined period of inactivity. Within the organization, all accounts are disabled after 45 days of inactivity, and user identifiers are blocked from reassignment to new users for a defined period of time. Derived Access Control United States 1
NIST 800-171 3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created. For vendor staff, external contractors or associates with access to your organization's systems and the service, passwords require a minimum of 14 characters with complexity if using single factor authentication, and a minimum of eight characters with complexity if using multi-factor authentication. Derived Access Control United States Y 1
NIST 800-171 3.5.8 Prohibit password reuse for a specified number of generations. When a new password is selected by a user, there is a restriction on both how similar the new password is to the previous password and the time duration or number of password changes before a previous password can be reused by a user. Derived Access Control United States 1
NIST 800-171 3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password. When a password reset is requested by the user or enforced by the service: newly assigned passwords (e.g., temporary initial passwords) are randomly generated; users are required to provide verification of their identity (e.g., answering a set of challenge-response questions); new passwords are provided via a secure communication channel or split into parts; and users are required to change their assigned temporary password on first use. Derived Access Control United States 1
NIST 800-171 3.5.10 Store and transmit only cryptographically-protected passwords. All passwords used to access the service (i.e., user, system, and privileged account passwords) are protected in line with the recommendations of at least one of: the Australian Cyber Security Centre Information Security Manual; the New Zealand Information Security Manual; and/or the Open Web Application Security Project's Application Security Verification Standard V2.4 Credential Storage Requirements, including the recommendation for ensuring passwords are hashed, salted and stretched. Derived Access Control United States 1
NIST 800-171 3.5.11 Obscure feedback of authentication information. All user passwords are masked or obscured as users enter them to access the service. Derived Access Control United States 1
NIST 800-171 3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. Your organization has a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: Identified, following a clear definition; Reported by staff (if internal); Proactively monitored; Contained; Investigated; Remediated; Tracked with metrics, to measure response effectiveness; and Recorded in a register with the following information at a minimum: Date incident occurred; Date incident discovered; Description of the incident; Actions taken in response to the incident; and Name of person to whom the incident was reported. Basic Detect & Respond United States Y 1
NIST 800-171 3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. When a data breach occurs, affected customers, organizations, and the relevant authorities, are notified as soon as possible after a data breach is discovered and given all relevant details (including affected individuals and what information was disclosed). Basic Detect & Respond United States Y 1
NIST 800-171 3.6.3 Test the organizational incident response capability. The incident response capability of the organization is regularly tested and reviewed. Derived Detect & Respond United States 1
NIST 800-171 3.7.1 Perform maintenance on organizational systems. Your organization uses a centrally managed approach to patch, update or otherwise maintain applications, drivers, operating systems, firmware and hardware, which includes ensuring: - the integrity and authenticity of patches; - successful application of patches; - that patches remain in place; and - that the list of supported software for updates is reviewed regularly. Basic Platform Security United States Y 1
NIST 800-171 3.7.2 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. Vendor staff, external contractors or associates with non-privileged accounts are restricted from installing, uninstalling, disabling or making any changes to software and system configuration on servers and endpoints. Basic Platform Security United States Y 1
NIST 800-171 3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI. A documented and implemented system hardening process is in place which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; Ensures only required ports, protocols, services and authorizations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; Results in security configurations being established and enforced for organization systems; and Ensures only required and authorized software is installed and used. Derived Platform Security United States Y 1
NIST 800-171 3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in the organizational systems. A documented and implemented security policy is in place that governs the management and use of externally owned systems and devices, such as personally owned computers, portable storage devices and removable media (including media used for system maintenance); and includes: physically controlling and securely storing all media (paper and digital) containing sensitive data; restricting access to media containing sensitive data to authorized staff; encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); logging any transport of media outside secure areas; marking media containing sensitive data with applicable distribution limitations; requiring all removable portable storage devices to have an identifiable owner; and disabling all autorun and auto-play functionality on removable media. Derived Governance United States 1
NIST 800-171 3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. Within your organization and within the service, super user privileged accounts are restricted by policy to only those functions that require such access and only for the duration required. Derived Access Control United States 1
NIST 800-171 3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization. Vendor staff, external contractors or associates with non-privileged accounts are restricted from installing, uninstalling, disabling or making any changes to software and system configuration on servers and endpoints. Derived Platform Security United States 1
NIST 800-171 3.8.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. A documented and implemented security policy is in place that governs the management and use of externally owned systems and devices, such as personally owned computers, portable storage devices and removable media (including media used for system maintenance); and includes: physically controlling and securely storing all media (paper and digital) containing sensitive data; restricting access to media containing sensitive data to authorized staff; encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); logging any transport of media outside secure areas; marking media containing sensitive data with applicable distribution limitations; requiring all removable portable storage devices to have an identifiable owner; and disabling all autorun and auto-play functionality on removable media. Basic Governance United States Y 1
NIST 800-171 3.8.2 Limit access to CUI on information system media to authorized users. A documented and implemented security policy is in place that governs the management and use of externally owned systems and devices, such as personally owned computers, portable storage devices and removable media (including media used for system maintenance); and includes: physically controlling and securely storing all media (paper and digital) containing sensitive data; restricting access to media containing sensitive data to authorized staff; encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); logging any transport of media outside secure areas; marking media containing sensitive data with applicable distribution limitations; requiring all removable portable storage devices to have an identifiable owner; and disabling all autorun and auto-play functionality on removable media. Basic Governance United States Y 1
NIST 800-171 3.8.3 Sanitize or destroy information system media containing CUI before disposal or release for reuse. The organization has a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc. (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organization's network; for software, the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organization's system hardening process, with each component tracked only once; - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. Basic Asset & Risk Management United States Y 1
NIST 800-171 3.8.4 Mark media with necessary CUI markings and distribution limitations. A documented and implemented security policy is in place that governs the management and use of externally owned systems and devices, such as personally owned computers, portable storage devices and removable media (including media used for system maintenance); and includes: physically controlling and securely storing all media (paper and digital) containing sensitive data; restricting access to media containing sensitive data to authorized staff; encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); logging any transport of media outside secure areas; marking media containing sensitive data with applicable distribution limitations; requiring all removable portable storage devices to have an identifiable owner; and disabling all autorun and auto-play functionality on removable media. Derived Governance United States 1
NIST 800-171 3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. A documented and implemented security policy is in place that governs the management and use of externally owned systems and devices, such as personally owned computers, portable storage devices and removable media (including media used for system maintenance); and includes: physically controlling and securely storing all media (paper and digital) containing sensitive data; restricting access to media containing sensitive data to authorized staff; encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); logging any transport of media outside secure areas; marking media containing sensitive data with applicable distribution limitations; requiring all removable portable storage devices to have an identifiable owner; and disabling all autorun and auto-play functionality on removable media. Derived Governance United States Y 1
NIST 800-171 3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. A documented and implemented security policy is in place that governs the management and use of externally owned systems and devices, such as personally owned computers, portable storage devices and removable media (including media used for system maintenance); and includes: physically controlling and securely storing all media (paper and digital) containing sensitive data; restricting access to media containing sensitive data to authorized staff; encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); logging any transport of media outside secure areas; marking media containing sensitive data with applicable distribution limitations; requiring all removable portable storage devices to have an identifiable owner; and disabling all autorun and auto-play functionality on removable media. Derived Governance United States 1
NIST 800-171 3.8.7 Control the use of removable media on system components. A documented and implemented security policy is in place that governs the management and use of externally owned systems and devices, such as personally owned computers, portable storage devices and removable media (including media used for system maintenance); and includes: physically controlling and securely storing all media (paper and digital) containing sensitive data; restricting access to media containing sensitive data to authorized staff; encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); logging any transport of media outside secure areas; marking media containing sensitive data with applicable distribution limitations; requiring all removable portable storage devices to have an identifiable owner; and disabling all autorun and auto-play functionality on removable media. Derived Governance United States 1
NIST 800-171 3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner. A documented and implemented security policy is in place that governs the management and use of externally owned systems and devices, such as personally owned computers, portable storage devices and removable media (including media used for system maintenance); and includes: physically controlling and securely storing all media (paper and digital) containing sensitive data; restricting access to media containing sensitive data to authorized staff; encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); logging any transport of media outside secure areas; marking media containing sensitive data with applicable distribution limitations; requiring all removable portable storage devices to have an identifiable owner; and disabling all autorun and auto-play functionality on removable media. Derived Governance United States 1
NIST 800-171 3.9.1 Screen individuals prior to authorizing access to organizational systems containing CUI. All vendor staff, external contractors and associates who have access to user data or user content undergo employment screening (e.g., criminal history checks, working with children checks) as per applicable regulatory requirements. Basic Personnel United States Y 1
NIST 800-171 3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. All vendor staff, external contractors or associates with access to systems, applications and information, including audit logs, are validated and approved by appropriate personnel. Access is periodically reviewed, at least annually, and revalidated or revoked; it is also reviewed and revalidated or revoked following changes in role or employment and/or inactivity; and appropriate security notices are provided when personnel access the system. Basic Access Control United States Y 1
NIST 800-171 3.10.1 Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. The following physical access controls are in place at the locations where data is stored: no public access; visitor access only for visitors with a need to know and under close escort; restricted access for authorized personnel with appropriate security clearance; physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); single-factor authentication for access control using secure swipe cards, biometrics, coded access or similar; and control and management of any physical access control devices, such as secure swipe cards. The security alarm system includes: physical surveillance (e.g. video cameras); logging of visitors and of any visitor activity, with reporting of any identified anomalies; logging of any physical access to locations where data is stored; and logging of any delivery and removal of physical system components. Basic Access Control United States Y 1
NIST 800-171 3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems. The following physical access controls are in place at the locations where data is stored: no public access; visitor access only for visitors with a need to know and under close escort; restricted access for authorized personnel with appropriate security clearance; physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); single-factor authentication for access control using secure swipe cards, biometrics, coded access or similar; and control and management of any physical access control devices, such as secure swipe cards. The security alarm system includes: physical surveillance (e.g. video cameras); logging of visitors and of any visitor activity, with reporting of any identified anomalies; logging of any physical access to locations where data is stored; and logging of any delivery and removal of physical system components. Basic Access Control United States Y 1
NIST 800-171 3.10.3 Escort visitors and monitor visitor activity. The following physical access controls are in place at the locations where data is stored: no public access; visitor access only for visitors with a need to know and under close escort; restricted access for authorized personnel with appropriate security clearance; physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); single-factor authentication for access control using secure swipe cards, biometrics, coded access or similar; and control and management of any physical access control devices, such as secure swipe cards. The security alarm system includes: physical surveillance (e.g. video cameras); logging of visitors and of any visitor activity, with reporting of any identified anomalies; logging of any physical access to locations where data is stored; and logging of any delivery and removal of physical system components. Derived Access Control United States 1
NIST 800-171 3.10.4 Maintain audit logs of physical access. The following physical access controls are in place at the locations where data is stored: no public access; visitor access only for visitors with a need to know and under close escort; restricted access for authorized personnel with appropriate security clearance; physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); single-factor authentication for access control using secure swipe cards, biometrics, coded access or similar; and control and management of any physical access control devices, such as secure swipe cards. The security alarm system includes: physical surveillance (e.g. video cameras); logging of visitors and of any visitor activity, with reporting of any identified anomalies; logging of any physical access to locations where data is stored; and logging of any delivery and removal of physical system components. Derived Access Control United States 1
NIST 800-171 3.10.5 Control and manage physical access devices. The following physical access controls are in place at the locations where data is stored: no public access; visitor access only for visitors with a need to know and under close escort; restricted access for authorized personnel with appropriate security clearance; physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); single-factor authentication for access control using secure swipe cards, biometrics, coded access or similar; and control and management of any physical access control devices, such as secure swipe cards. The security alarm system includes: physical surveillance (e.g. video cameras); logging of visitors and of any visitor activity, with reporting of any identified anomalies; logging of any physical access to locations where data is stored; and logging of any delivery and removal of physical system components. Derived Access Control United States 1
NIST 800-171 3.10.6 Enforce safeguarding measures for CUI at alternate work sites. A documented and implemented security policy is in place that governs the management and use of externally owned systems and devices, such as personally owned computers, portable storage devices and removable media (including media used for system maintenance), and includes: physically controlling and securely storing all media (paper and digital) containing sensitive data; restricting access to media containing sensitive data to authorized staff; encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); logging any transport of media outside secure areas; marking media containing sensitive data with applicable distribution limitations; requiring all removable portable storage devices to have an identifiable owner; and disabling all autorun and auto-play functionality for removable media. Derived Governance United States 1
NIST 800-171 3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Your organization has a documented and implemented security, privacy, and online safety risk management framework along with supporting processes. This framework includes: scope and categorization of information assets and systems, periodic or continuous risk assessments including those related to the supply chain, implemented controls recorded in a risk register with details such as identified risks, categories, risk ratings, owners, mitigation actions, accepted risks, and residual risk ratings post-mitigation. It also includes proactive monitoring and testing of assets and systems to maintain security posture, with regular reviews and updates in response to security incidents. Basic Asset & Risk Management United States Y 1
NIST 800-171 3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. Derived Detect & Respond United States Y 1
NIST 800-171 3.11.3 Remediate vulnerabilities in accordance with risk assessments. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. Derived Detect & Respond United States Y 1
NIST 800-171 3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. Basic Detect & Respond United States Y 1
NIST 800-171 3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. Basic Detect & Respond United States Y 1
NIST 800-171 3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. Your organization's information security policy documents and implements the following minimum requirements: management's support for information security, compliance with laws and regulations, information security roles with corresponding responsibilities, access controls for sensitive information aligned with roles, retention period for security logs, regular policy reviews and updates in response to security incidents, logging of specific events, incident response policies with a roadmap for implementation if needed, personnel security, physical and environmental protections, system boundaries and connections to other systems, and policies for preserving system and information integrity including monitoring. Basic Governance United States 1
NIST 800-171 3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Network controls are in place to prevent system components that do not need to be accessed from the Internet from being accessed from the Internet. Basic Data Security United States Y 1
NIST 800-171 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. The service's application development has the following characteristics: - Environments are separated into at least development, testing and production environments; - Development and modification of software only takes place in development environments; - Unauthorized access to the authoritative software source is prevented; - Secure-by-design principles and secure programming practices are used as part of application development. (This includes: integrating the organization's security and privacy risk management into application development; assigning responsibility for security and privacy as defined roles to individuals during application development); - Privacy-by-design principles; - Threat modelling is used in support of application development; and - Alignment to a security and privacy architecture that has been drawn up for the system Basic Platform Security United States 1
NIST 800-171 3.13.3 Separate user functionality from information system management functionality. Privileged system management is segregated from user functionality through the use of separate computers, separate operating systems, or VPNs. Derived Access Control United States 1
NIST 800-171 3.13.4 Prevent unauthorized and unintended information transfer via shared system resources. Data is protected at rest, including backups, data storage and audit logs, at minimum with the following encryption algorithms: AES-192 or AES-256 (AES-256 recommended). Derived Data Security United States 1
NIST 800-171 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Network controls are in place to prevent system components that do not need to be accessed from the Internet from being accessed from the Internet. Derived Data Security United States 1
NIST 800-171 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). A documented and implemented system hardening process is in place which: includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; ensures only required ports, protocols, services and authorizations are enabled, whether for internal or external connections (all others are restricted); is reviewed annually and when significant changes occur, including when system components are installed or upgraded; results in security configurations being established and enforced for organization systems; and ensures only required and authorized software is installed and used. Derived Platform Security United States Y 1
NIST 800-171 3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Data is protected in transit, including between the user, web applications and other system components, at minimum with the following: Encryption: AES-192 GCM/CCM or ChaCha20-Poly1305 or above only (AES-256 GCM/CCM recommended); Hashing: SHA-256 or above only (SHA-384 recommended); Digital signatures: DSA (2048+) per FIPS 186-4, ECDSA (224+) using the NIST P-384 curve, or RSA (2048+); Key exchange: DH (3072+), ECDH (256+) using the NIST P-384 curve and/or RSA (3072+); Protocol: TLS 1.2 or above only (TLS 1.3 recommended). Derived Data Security United States 1
NIST 800-171 3.13.10 Establish and manage cryptographic keys for cryptography employed in the organizational systems. The organization has a standardized, documented key management process which describes the full lifecycle of each key used in the operation of the production environment. Derived Access Control United States 1
NIST 800-171 3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Data is protected in transit, including between the user, web applications and other system components, at minimum with the following: Encryption: AES-192 GCM/CCM or ChaCha20-Poly1305 or above only (AES-256 GCM/CCM recommended); Hashing: SHA-256 or above only (SHA-384 recommended); Digital signatures: DSA (2048+) per FIPS 186-4, ECDSA (224+) using the NIST P-384 curve, or RSA (2048+); Key exchange: DH (3072+), ECDH (256+) using the NIST P-384 curve and/or RSA (3072+); Protocol: TLS 1.2 or above only (TLS 1.3 recommended). Derived Data Security United States 1
NIST 800-171 3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. In relation to the remote access tools available within the service, the following controls are implemented: A. Remote access tools can be disabled by an administrator or moderator; B. Remote access sessions can only be initiated with the agreement of the user; C. Users can take back control during remote access sessions; D. Users can terminate remote access sessions once initiated; E. An on-screen notification is displayed throughout remote access sessions; F. Remote access sessions are logged. Derived Access Control United States 1
NIST 800-171 3.13.13 Control and monitor the use of mobile code. Within the organization, all of the following application controls are in place on all workstations and all servers: - restricting the execution of drivers to an organization-approved set; - implemented using cryptographic hash rules, publisher certificate rules or path rules; - rulesets are validated annually or more frequently; - when implementing application control using publisher certificate rules, both publisher names and product names are used; - extended to tools and applications used in system and software maintenance. Derived Platform Security United States 1
NIST 800-171 3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. In relation to the remote access tools available within the service, the following controls are implemented: A. Remote access tools can be disabled by an administrator or moderator; B. Remote access sessions can only be initiated with the agreement of the user; C. Users can take back control during remote access sessions; D. Users can terminate remote access sessions once initiated; E. An on-screen notification is displayed throughout remote access sessions; F. Remote access sessions are logged. Derived Access Control United States 1
NIST 800-171 3.13.15 Protect the authenticity of communications sessions. Data is protected in transit, including between the user, web applications and other system components, at minimum with the following: Encryption: AES-192 GCM/CCM or ChaCha20-Poly1305 or above only (AES-256 GCM/CCM recommended); Hashing: SHA-256 or above only (SHA-384 recommended); Digital signatures: DSA (2048+) per FIPS 186-4, ECDSA (224+) using the NIST P-384 curve, or RSA (2048+); Key exchange: DH (3072+), ECDH (256+) using the NIST P-384 curve and/or RSA (3072+); Protocol: TLS 1.2 or above only (TLS 1.3 recommended). Derived Data Security United States 1
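The in-transit statement crosswalked to 3.13.8, 3.13.11 and 3.13.15 above is a configuration floor, and the practical question is whether a given negotiated session actually meets it. The following is an added example, not GESS or SDPC code, that scores a negotiated (protocol, cipher suite) pair against the statement's floor: protocol TLS 1.2 or above, an AEAD bulk cipher (AES-GCM/CCM with a key of at least 192 bits, or ChaCha20-Poly1305) and a SHA-256 or stronger suite hash. Two caveats a practitioner should know: no registered TLS cipher suite uses AES-192, so the floor as written admits only AES-256-GCM/CCM and ChaCha20-Poly1305 and rejects every AES-128 suite, including TLS 1.3's mandatory-to-implement TLS_AES_128_GCM_SHA256 (RFC 8446 section 9.1); and the signature and key-exchange sizes listed in the statement are not visible in a suite name, so they are out of scope here. The suite names in the block are constructed inputs; the OpenSSL cipher string in `client_context()` is this example's own choice, not something the page prescribes.

```python
"""Check negotiated TLS parameters against the GESS in-transit minimums
(TLS 1.2+, AES-GCM/CCM with a >=192-bit key or ChaCha20-Poly1305, SHA-256+).

Added example, not GESS/SDPC code. Suite names may be in IANA form
(TLS_AES_256_GCM_SHA384) or OpenSSL form (ECDHE-RSA-AES256-GCM-SHA384).
"""
import re
import ssl

MIN_AES_BITS = 192     # statement: "AES 192 GCM/CCM ... or above"
MIN_HASH_BITS = 256    # statement: "SHA-256 or above only"
MIN_VERSION = (3, 3)   # TLS 1.2 on the wire; TLS 1.3 is (3, 4)

VERSIONS = {"SSLv3": (3, 0), "TLSv1": (3, 1), "TLSv1.1": (3, 2),
            "TLSv1.2": (3, 3), "TLSv1.3": (3, 4)}

_AES = re.compile(r"AES[_-]?(\d{3})[_-](GCM|CCM)")   # AES_256_GCM or AES256-GCM
_SHA = re.compile(r"SHA(\d{3})$")                     # suite hash/PRF suffix


def cipher_findings(suite: str) -> list[str]:
    """Policy violations for one cipher-suite name; an empty list is compliant."""
    name = suite.upper()
    findings = []
    if "CHACHA20" in name and "POLY1305" in name:
        pass                                   # AEAD with a 256-bit key: allowed
    elif (m := _AES.search(name)) is None:
        findings.append("bulk cipher is not AES-GCM/CCM or ChaCha20-Poly1305")
    elif int(m.group(1)) < MIN_AES_BITS:
        findings.append(f"AES-{m.group(1)} is below the {MIN_AES_BITS}-bit floor")
    h = _SHA.search(name)
    if h is None:                              # e.g. ..._CBC_SHA, i.e. SHA-1
        findings.append("suite hash/PRF is not SHA-256 or stronger")
    elif int(h.group(1)) < MIN_HASH_BITS:
        findings.append(f"SHA-{h.group(1)} is below the SHA-{MIN_HASH_BITS} floor")
    return findings


def session_findings(protocol: str, suite: str) -> list[str]:
    """Violations for a negotiated pair such as SSLSocket.version() and
    SSLSocket.cipher()[0]; unknown protocol strings fail the version floor."""
    findings = []
    if VERSIONS.get(protocol, (0, 0)) < MIN_VERSION:
        findings.append(f"{protocol} is below the TLS 1.2 floor")
    return findings + cipher_findings(suite)


def client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and, for TLS 1.2,
    offers only ECDHE/DHE AES-256-GCM or ChaCha20 suites (OpenSSL cipher-list
    syntax). TLS 1.3 suites are fixed by OpenSSL and untouched by set_ciphers()."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM+AES256:ECDHE+CHACHA20:"
                    "DHE+AESGCM+AES256:DHE+CHACHA20")
    return ctx


def offered_violations(ctx: ssl.SSLContext) -> dict[str, list[str]]:
    """Map each suite the context would still offer to its policy violations."""
    out = {}
    for c in ctx.get_ciphers():
        f = cipher_findings(c["name"])
        if f:
            out[c["name"]] = f
    return out


if __name__ == "__main__":
    # Constructed negotiated sessions, not captured from a real endpoint.
    for proto, suite in [("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
                         ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
                         ("TLSv1.1", "TLS_RSA_WITH_AES_256_CBC_SHA")]:
        print(proto, suite, session_findings(proto, suite) or "OK")
    print("still offered but non-compliant:", offered_violations(client_context()))
```

`offered_violations()` on the built context typically reports only TLS_AES_128_GCM_SHA256: Python's `ssl` module exposes no way to drop TLS 1.3 suites, so a client that must enforce the AES-192 floor under TLS 1.3 has to rely on the server's suite preference or on an OpenSSL configuration outside Python. To check a live endpoint, wrap a socket with `client_context()` and pass `sock.version()` and `sock.cipher()[0]` to `session_findings()`.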
NIST 800-171 3.14.1 Identify, report, and correct system flaws in a timely manner. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. Basic Detect & Respond United States Y 1
NIST 800-171 3.14.2 Provide protection from malicious code at designated locations within organizational systems. The following features are built into the file download functionality available within the service: all files are scanned for malware/viruses on download; all files are scanned for malware/viruses while at rest; and all files found to contain malware/viruses are deleted or quarantined. Basic Detect & Respond United States 1
NIST 800-171 3.14.3 Monitor system security alerts and advisories and take actions in response. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. Basic Detect & Respond United States Y 1
NIST 800-171 3.14.4 Update malicious code protection mechanisms when new releases are available. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. Derived Detect & Respond United States Y 1
NIST 800-171 3.14.7 Identify unauthorized use of organizational systems. A documented and implemented system hardening process is in place which: includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; ensures only required ports, protocols, services and authorizations are enabled, whether for internal or external connections (all others are restricted); is reviewed annually and when significant changes occur, including when system components are installed or upgraded; results in security configurations being established and enforced for organization systems; and ensures only required and authorized software is installed and used. Derived Platform Security United States 1
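The hardening statement crosswalked to 3.13.6 and 3.14.7 above requires that only required ports, protocols and services are enabled and all others restricted. One spot check a practitioner would run is to compare the sockets a host is actually listening on against the documented allowlist for that host. The following is an added example, not GESS or SDPC code: it parses the output of `ss -Hltnp` (Linux, iproute2) and reports every listener whose (port, process) pair is not on the allowlist, together with whether it is bound to loopback only or to all interfaces. `SAMPLE_SS` is constructed output, and `ALLOWED` is a hypothetical allowlist for an illustrative web host; neither comes from the page.

```python
"""Audit listening TCP sockets against an allowlist of (port, process) pairs,
as a spot check of "only required ports, protocols and services are enabled".

Added example, not GESS/SDPC code. SAMPLE_SS is constructed `ss -Hltnp`
output and ALLOWED is a hypothetical allowlist for an illustrative web host.
"""
import re
import subprocess
from dataclasses import dataclass

SAMPLE_SS = """\
LISTEN 0 128  0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511  127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=1203,fd=6))
LISTEN 0 4096 *:3306         *:*       users:(("mariadbd",pid=1410,fd=20))
LISTEN 0 128  [::]:22        [::]:*    users:(("sshd",pid=812,fd=4))
LISTEN 0 511  0.0.0.0:443    0.0.0.0:* users:(("nginx",pid=990,fd=7),("nginx",pid=991,fd=7))
LISTEN 0 4096 0.0.0.0:8080   0.0.0.0:* users:(("python3",pid=2200,fd=5))
"""

ALLOWED = {(22, "sshd"), (443, "nginx")}          # hypothetical host baseline
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
ANY_ADDR = {"0.0.0.0", "*", "[::]", "::"}

_PROC = re.compile(r'\("([^"]+)",pid=(\d+)')     # first process in users:(...)


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str
    pid: int

    @property
    def exposure(self) -> str:
        """Who can reach this socket, judged from the bind address alone."""
        if self.addr in LOOPBACK:
            return "loopback"
        if self.addr in ANY_ADDR:
            return "all-interfaces"
        return "single-interface"


def parse_ss(text: str) -> list[Listener]:
    """Parse `ss -Hltnp` lines (State Recv-Q Send-Q Local Peer Process)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles [::]:22 and *:3306
        m = _PROC.search(fields[5]) if len(fields) > 5 else None
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        listeners.append(Listener(addr, int(port), proc, pid))
    return listeners


def unexpected(listeners: list[Listener], allowed=frozenset(ALLOWED)) -> list[Listener]:
    """Listeners whose (port, process) pair is not in the allowlist."""
    return [l for l in listeners if (l.port, l.process) not in allowed]


def live_listeners() -> list[Listener]:
    """Run ss on the local host (Linux only; process names for other users'
    sockets require root). Not used by the offline demonstration below."""
    out = subprocess.run(["ss", "-Hltnp"], capture_output=True, text=True,
                         check=True).stdout
    return parse_ss(out)


if __name__ == "__main__":
    for l in unexpected(parse_ss(SAMPLE_SS)):
        print(f"NOT ALLOWLISTED port={l.port} process={l.process} pid={l.pid} "
              f"bind={l.addr} exposure={l.exposure}")
```

Loopback-only listeners still fail the allowlist, since the statement covers internal as well as external connections, but the exposure field lets a reviewer prioritise the socket bound to every interface (the database on 3306 in the sample) over the one reachable only from the host itself. Unknown processes (reported as `?` when `ss` lacks permission to read them) should be re-run as root rather than waved through.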
AUISM 714 A CISO is appointed to provide cyber security leadership and guidance for their organisation. There exists within the organization a position responsible for information security (e.g., CIO, CTO, CISO). Governance Australia
AUISM 1478 The CISO oversees their organisation's cyber security program and ensures their organisation's compliance with cyber security policy, standards, regulations and legislation. Your organization's information security policy documents and implements the following minimum requirements: management's support for information security, compliance with laws and regulations, information security roles with corresponding responsibilities, access controls for sensitive information aligned with roles, retention period for security logs, regular policy reviews and updates in response to security incidents, logging of specific events, incident response policies with a roadmap for implementation if needed, personnel security, physical and environmental protections, system boundaries and connections to other systems, and policies for preserving system and information integrity including monitoring. Governance Australia Y
AUISM 1636 System owners ensure controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended. Your organization has a documented and implemented security, privacy, and online safety risk management framework along with supporting processes. This framework includes: scope and categorization of information assets and systems, periodic or continuous risk assessments including those related to the supply chain, implemented controls recorded in a risk register with details such as identified risks, categories, risk ratings, owners, mitigation actions, accepted risks, and residual risk ratings post-mitigation. It also includes proactive monitoring and testing of assets and systems to maintain security posture, with regular reviews and updates in response to security incidents. Asset & Risk Management Australia Y
AUISM 1526 System owners monitor each system, and associated cyber threats, security risks and controls, on an ongoing basis. Your organization has a documented and implemented security, privacy, and online safety risk management framework along with supporting processes. This framework includes: scope and categorization of information assets and systems, periodic or continuous risk assessments including those related to the supply chain, implemented controls recorded in a risk register with details such as identified risks, categories, risk ratings, owners, mitigation actions, accepted risks, and residual risk ratings post-mitigation. It also includes proactive monitoring and testing of assets and systems to maintain security posture, with regular reviews and updates in response to security incidents. Asset & Risk Management Australia Y
AUISM 125 A cyber security incident register is developed, implemented and maintained. Your organization has a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: Identified, following a clear definition; Reported by staff (if internal); Proactively monitored; Contained; Investigated; Remediated; Tracked with metrics, to measure response effectiveness; and Recorded in a register with the following information at a minimum: Date incident occurred; Date incident discovered; Description of the incident; Actions taken in response to the incident; and Name of person to whom the incident was reported. Detect & Respond Australia Y
AUISM 123 Cyber security incidents are reported to an organisation's Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered. When a data breach occurs, affected customers, organizations, and the relevant authorities, are notified as soon as possible after a data breach is discovered and given all relevant details (including affected individuals and what information was disclosed). Detect & Respond Australia Y
AUISM 140 Cyber security incidents are reported to the ACSC. When a data breach occurs, affected customers, organizations, and the relevant authorities, are notified as soon as possible after a data breach is discovered and given all relevant details (including affected individuals and what information was disclosed). Detect & Respond Australia Y
AUISM 1570 Outsourced cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months. Any cloud service providers that the service depends on have a recognized independent security audit and/or certificate of compliance such as ISO27001, SOC 2 Type II, FEDRAMP (NIST) or IRAP. Supply Chain Australia Y
AUISM 141 The requirement for service providers to report cyber security incidents to a designated point of contact as soon as possible after they occur or are discovered is documented in contractual arrangements with service providers. When a data breach occurs, affected customers, organizations, and the relevant authorities, are notified as soon as possible after a data breach is discovered and given all relevant details (including affected individuals and what information was disclosed). Detect & Respond Australia Y
AUISM 1163 Systems have a continuous monitoring plan that includes: conducting vulnerability scans for systems at least monthly; conducting vulnerability assessments or penetration tests for systems at least annually; analysing identified security vulnerabilities to determine their potential impact; and using a risk-based approach to prioritise the implementation of mitigations based on effectiveness and cost. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. Detect & Respond Australia
AUISM 1296 Physical security is implemented to protect network devices in public areas from physical damage or unauthorised access. The following physical access controls are in place at the locations where data is stored: no public access; visitor access only for visitors with a need to know and under close escort; restricted access for authorized personnel with appropriate security clearance; physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); single-factor authentication for access control using secure swipe cards, biometrics, coded access or similar; and control and management of any physical access control devices, such as secure swipe cards. The security alarm system includes: physical surveillance (e.g. video cameras); logging of visitors and of any visitor activity, with reporting of any identified anomalies; logging of any physical access to locations where data is stored; and logging of any delivery and removal of physical system components. Access Control Australia Y
AUISM 252 Cyber security awareness training is undertaken annually by all personnel and covers: the purpose of the cyber security awareness training; security appointments and contacts; authorised use of systems and their resources; protection of systems and their resources; and reporting of cyber security incidents and suspected compromises of systems and their resources. The organization runs, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following: identification of who the awareness training needs to be delivered to, with records kept of training for each individual; identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); and the content to be delivered for each awareness session, such as: basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; actions to maintain security, privacy and online safety, including practical office/desktop practices; actions to respond to suspected security, privacy and online safety incidents; applicable policies and laws; practical security, privacy and online safety awareness exercises; data identification and storage, including the safe transfer of data, archival and destruction; disciplinary actions for significant security and privacy breaches by staff; how to recognise and report indicators of potential insider threats to security by staff; recognizing social engineering attacks such as phishing, pretexting and tailgating; authentication best practices including MFA, password composition and managing credentials; verification and reporting of out-of-date software patches and any failure in automated processes and tools; and the dangers of connecting to, and transmitting data over, insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. Personnel Australia Y
AUISM 434 Personnel undergo appropriate employment screening and, where necessary, hold an appropriate security clearance before being granted access to a system and its resources. All vendor staff, external contractors and associates who have access to user data or user content undergo employment screening (e.g., criminal history checks, working with children checks) as per applicable regulatory requirements. Personnel Australia Y
AUISM 414 Personnel granted access to a system and its resources are uniquely identifiable. All users identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. Access Control Australia
AUISM 405 Requests for unprivileged access to systems, applications and data repositories are validated when first requested. All vendor staff, external contractors or associates with access to systems, applications and information including audit logs, validated and approved by appropriate personnel. Personnel are periodically reviewed, at least annually, and revalidated or revoked; reviewed and revalidated or revoked due to changes in role employment and/or inactivity, or are appropriate security notices provided when they access the system. Access Control Australia
AUISM 430 Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access. All vendor staff, external contractors or associates with access to systems, applications and information (including audit logs) are validated and approved by appropriate personnel. Access is periodically reviewed, at least annually, and revalidated or revoked; it is also reviewed and revalidated or revoked following changes in role or employment and/or inactivity; and appropriate security notices are provided when users access the system. Access Control Australia Y
AUISM 1591 Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities. There is a documented and implemented process to remove access to systems, applications and data repositories for personnel (vendor staff, external contractors and associates) that no longer have a legitimate requirement for access (implemented on the same day) or are detected undertaking malicious activities (implemented immediately). Personnel Australia Y
AUISM 1404 Unprivileged access to systems and applications is automatically disabled after 45 days of inactivity. All vendor staff, external contractors or associates with access to systems, applications and information (including audit logs) are validated and approved by appropriate personnel. Access is periodically reviewed, at least annually, and revalidated or revoked; it is also reviewed and revalidated or revoked following changes in role or employment and/or inactivity; and appropriate security notices are provided when users access the system. Access Control Australia
AUISM 336 An ICT equipment register is developed, implemented, maintained and verified on a regular basis. The organization has a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure, etc. (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, and approval for connecting to the organization's network; for software, the publisher, installation date, business purpose, URI, deployment mechanism and decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organization's system hardening process, with each component tracked only once; - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. Asset & Risk Management Australia Y
AUISM 1406 SOEs are used for workstations and servers. A documented and implemented system hardening process is in place which: includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; ensures only required ports, protocols, services and authorizations are enabled, whether for internal or external connections (all others are restricted); is reviewed annually and when significant changes occur, including when system components are installed or upgraded; results in security configurations being established and enforced for organization systems; and ensures only required and authorized software is installed and used. Platform Security Australia
AUISM 1588 SOEs are reviewed and updated at least annually. A documented and implemented system hardening process is in place which: includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; ensures only required ports, protocols, services and authorizations are enabled, whether for internal or external connections (all others are restricted); is reviewed annually and when significant changes occur, including when system components are installed or upgraded; results in security configurations being established and enforced for organization systems; and ensures only required and authorized software is installed and used. Platform Security Australia
AUISM 1584 Unprivileged users are prevented from bypassing, disabling or modifying security functionality of operating systems. Vendor staff, external contractors or associates with non-privileged accounts are restricted from installing, uninstalling, disabling or making any changes to software and system configuration on servers and endpoints. Platform Security Australia
AUISM 1491 Unprivileged users are prevented from running script execution engines, including:
  • Windows Script Host (cscript.exe and wscript.exe)
  • PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)
  • Command Prompt (cmd.exe)
  • Windows Management Instrumentation (wmic.exe)
  • Microsoft Hypertext Markup Language (HTML) Application Host (mshta.exe).
Vendor staff, external contractors or associates with non-privileged accounts are restricted from installing, uninstalling, disabling or making any changes to software and system configuration on servers and endpoints. Platform Security Australia
AUISM 843 Application control is implemented on workstations. Within the organization all the following application controls are in place on all workstations and on all servers: - restricting the execution of drivers to an organization-approved set; - implemented using cryptographic hash rules, publisher certificate rules or path rules; - rulesets are validated on an annual or more frequent basis; - when implementing application control using publisher certificate rules, both publisher names and product names are used; - extended to tools and applications used in system and software maintenance. Platform Security Australia Y
AUISM 1490 Application control is implemented on internet-facing servers. Within the organization all the following application controls are in place on all workstations and on all servers: - restricting the execution of drivers to an organization-approved set; - implemented using cryptographic hash rules, publisher certificate rules or path rules; - rulesets are validated on an annual or more frequent basis; - when implementing application control using publisher certificate rules, both publisher names and product names are used; - extended to tools and applications used in system and software maintenance. Platform Security Australia Y
AUISM 1656 Application control is implemented on non-internet-facing servers. Within the organization all the following application controls are in place on all workstations and on all servers: - restricting the execution of drivers to an organization-approved set; - implemented using cryptographic hash rules, publisher certificate rules or path rules; - rulesets are validated on an annual or more frequent basis; - when implementing application control using publisher certificate rules, both publisher names and product names are used; - extended to tools and applications used in system and software maintenance. Platform Security Australia Y
AUISM 1657 Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set. Within the organization all the following application controls are in place on all workstations and on all servers: - restricting the execution of drivers to an organization-approved set; - implemented using cryptographic hash rules, publisher certificate rules or path rules; - rulesets are validated on an annual or more frequent basis; - when implementing application control using publisher certificate rules, both publisher names and product names are used; - extended to tools and applications used in system and software maintenance. Platform Security Australia Y
AUISM 1658 Application control restricts the execution of drivers to an organisation-approved set. Within the organization all the following application controls are in place on all workstations and on all servers: - restricting the execution of drivers to an organization-approved set; - implemented using cryptographic hash rules, publisher certificate rules or path rules; - rulesets are validated on an annual or more frequent basis; - when implementing application control using publisher certificate rules, both publisher names and product names are used; - extended to tools and applications used in system and software maintenance. Platform Security Australia Y
AUISM 955 Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules. Within the organization all the following application controls are in place on all workstations and on all servers: - restricting the execution of drivers to an organization-approved set; - implemented using cryptographic hash rules, publisher certificate rules or path rules; - rulesets are validated on an annual or more frequent basis; - when implementing application control using publisher certificate rules, both publisher names and product names are used; - extended to tools and applications used in system and software maintenance. Platform Security Australia Y
AUISM 1582 Application control rulesets are validated on an annual or more frequent basis. Within the organization all the following application controls are in place on all workstations and on all servers: - restricting the execution of drivers to an organization-approved set; - implemented using cryptographic hash rules, publisher certificate rules or path rules; - rulesets are validated on an annual or more frequent basis; - when implementing application control using publisher certificate rules, both publisher names and product names are used; - extended to tools and applications used in system and software maintenance. Platform Security Australia Y
AUISM 1471 When implementing application control using publisher certificate rules, both publisher names and product names are used. Within the organization all the following application controls are in place on all workstations and on all servers: - restricting the execution of drivers to an organization-approved set; - implemented using cryptographic hash rules, publisher certificate rules or path rules; - rulesets are validated on an annual or more frequent basis; - when implementing application control using publisher certificate rules, both publisher names and product names are used; - extended to tools and applications used in system and software maintenance. Platform Security Australia Y
AUISM 1341 A HIPS is implemented on workstations. Production servers (e.g., authentication servers, Domain Name System (DNS), web servers, file servers and email servers), containers, serverless services and all endpoints are protected by HIPS (Host-based Intrusion Prevention System), software-based application firewalls, anti-virus and anti-malware, all of which are kept up to date with definitions and maintained. Platform Security Australia
AUISM 1034 A HIPS is implemented on critical servers and high-value servers. Production servers (e.g., authentication servers, Domain Name System (DNS), web servers, file servers and email servers), containers, serverless services and all endpoints are protected by HIPS (Host-based Intrusion Prevention System), software-based application firewalls, anti-virus and anti-malware, all of which are kept up to date with definitions and maintained. Platform Security Australia
AUISM 1416 A software firewall is implemented on workstations and servers to restrict inbound and outbound network connections to an organisation-approved set of applications and services. Production servers (e.g., authentication servers, Domain Name System (DNS), web servers, file servers and email servers), containers, serverless services and all endpoints are protected by HIPS (Host-based Intrusion Prevention System), software-based application firewalls, anti-virus and anti-malware, all of which are kept up to date with definitions and maintained. Platform Security Australia
AUISM 1417 Antivirus software is implemented on workstations and servers with:
  • signature-based detection functionality enabled and set to a high level
  • heuristic-based detection functionality enabled and set to a high level
  • reputation rating functionality enabled
  • ransomware protection functionality enabled
  • detection signatures configured to update on at least a daily basis
  • regular scanning configured for all fixed disks and removable media.
Production servers (e.g., authentication servers, Domain Name System (DNS), web servers, file servers and email servers), containers, serverless services and all endpoints are protected by HIPS (Host-based Intrusion Prevention System), software-based application firewalls, anti-virus and anti-malware, all of which are kept up to date with definitions and maintained. Platform Security Australia
AUISM 1585 Web browser, Microsoft Office and PDF software security settings cannot be changed by users. A documented and implemented system hardening process is in place which: includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; ensures only required ports, protocols, services and authorizations are enabled, whether for internal or external connections (all others are restricted); is reviewed annually and when significant changes occur, including when system components are installed or upgraded; results in security configurations being established and enforced for organization systems; and ensures only required and authorized software is installed and used. Platform Security Australia
AUISM 1488 Microsoft Office macros in files originating from the internet are blocked. Use of macros (e.g., Microsoft Office macros) and scripts (VB, Java, PowerShell) is controlled as follows: - internal use is blocked except for users that have a demonstrated business requirement; - macros and scripts in files originating from the internet are blocked; - macros and scripts are subject to antivirus scanning; and - macro and script security settings can't be changed by users. Platform Security Australia Y
AUISM 1487 Only privileged users responsible for validating that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations. Use of macros (e.g., Microsoft Office macros) and scripts (VB, Java, PowerShell) is controlled as follows: - internal use is blocked except for users that have a demonstrated business requirement; - macros and scripts in files originating from the internet are blocked; - macros and scripts are subject to antivirus scanning; and - macro and script security settings can't be changed by users. Platform Security Australia Y
AUISM 1489 Microsoft Office macro security settings cannot be changed by users. Use of macros (e.g., Microsoft Office macros) and scripts (VB, Java, PowerShell) is controlled as follows: - internal use is blocked except for users that have a demonstrated business requirement; - macros and scripts in files originating from the internet are blocked; - macros and scripts are subject to antivirus scanning; and - macro and script security settings can't be changed by users. Platform Security Australia Y
AUISM 974 Multi-factor authentication is used to authenticate unprivileged users of systems. The service offers multi-factor authentication for end users. Access Control Australia
AUISM 1173 Multi-factor authentication is used to authenticate privileged users of systems. The service requires additional authorization protocols to execute privileged commands remotely, compared to on-site. Access Control Australia
AUISM 1559 Memorised secrets used for multi-factor authentication are a minimum of 6 characters, unless more stringent requirements apply. If using single-factor authentication, passwords require a minimum of 14 characters with complexity; if using multi-factor authentication, passwords require a minimum of eight characters with complexity. This applies to vendor staff, external contractors or associates with access to your organization's systems and the service. Access Control Australia
AUISM 421 Passphrases used for single-factor authentication are at least 4 random words with a total minimum length of 14 characters, unless more stringent requirements apply. If using single-factor authentication, passwords require a minimum of 14 characters with complexity; if using multi-factor authentication, passwords require a minimum of eight characters with complexity. This applies to vendor staff, external contractors or associates with access to your organization's systems and the service. Access Control Australia
AUISM 1593 Users provide sufficient evidence to verify their identity when requesting new credentials. When a password reset is requested by the user or enforced by the service: newly assigned passwords (e.g., temporary initial passwords) are randomly generated; users are required to provide verification of their identity (e.g., answering a set of challenge-response questions); new passwords are provided via a secure communication channel or split into parts; and users are required to change their assigned temporary password on first use. Access Control Australia
AUISM 1227 Credentials set for user accounts are randomly generated. When a password reset is requested by the user or enforced by the service: newly assigned passwords (e.g., temporary initial passwords) are randomly generated; users are required to provide verification of their identity (e.g., answering a set of challenge-response questions); new passwords are provided via a secure communication channel or split into parts; and users are required to change their assigned temporary password on first use. Access Control Australia
AUISM 1594 Credentials are provided to users via a secure communications channel or, if not possible, split into two parts with one part provided to users and the other part provided to supervisors. When a password reset is requested by the user or enforced by the service: newly assigned passwords (e.g., temporary initial passwords) are randomly generated; users are required to provide verification of their identity (e.g., answering a set of challenge-response questions); new passwords are provided via a secure communication channel or split into parts; and users are required to change their assigned temporary password on first use. Access Control Australia
AUISM 1595 Credentials provided to users are changed on first use. When a password reset is requested by the user or enforced by the service: newly assigned passwords (e.g., temporary initial passwords) are randomly generated; users are required to provide verification of their identity (e.g., answering a set of challenge-response questions); new passwords are provided via a secure communication channel or split into parts; and users are required to change their assigned temporary password on first use. Access Control Australia
AUISM 428 Systems are configured with a session or screen lock that:
  • activates after a maximum of 15 minutes of user inactivity, or if manually activated by users
  • conceals all session content on the screen
  • ensures that the screen does not enter a power saving state before the session or screen lock is activated
  • requires users to authenticate to unlock the session
  • denies users the ability to disable the session or screen locking mechanism.
All internal organization systems are configured with a session or screen lock that activates after a maximum of 15 minutes of user inactivity or if manually activated by the user. On mobile devices, all internal organization systems are configured with a session or screen lock that activates after a maximum of 2 minutes of user inactivity or if manually activated by the user. In both cases the user is required to reauthenticate to unlock the system. Access Control Australia
AUISM 1605 When using a software-based isolation mechanism to share a physical server's hardware, the underlying operating system is hardened. A documented and implemented system hardening process is in place which: includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; ensures only required ports, protocols, services and authorizations are enabled, whether for internal or external connections (all others are restricted); is reviewed annually and when significant changes occur, including when system components are installed or upgraded; results in security configurations being established and enforced for organization systems; and ensures only required and authorized software is installed and used. Platform Security Australia
AUISM 1211 System administrators document requirements for administrative activities, consider potential security impacts, obtain any necessary approvals, notify users of any disruptions or outages, and maintain system and security documentation. The organization has a documented and implemented IT Change management process and supporting procedures which includes the following at a minimum: - Applicable criteria for entry to and exit from the change management process - Categorization of IT change (e.g., Standard, Pre-Approved, Emergency, etc.); - Approval requirements for each category of IT change; - Assessment of potential security impacts; - Prerequisites for the IT change (e.g., the IT change has been tested in a non-production environment); - Documentation requirements in regard to the change (e.g., completion of a template in an IT change management tool, completion of a rollback plan, etc.); - Documentation that needs to be updated as a result of the change (e.g., as-built documentation, IT Disaster Recovery Plans, etc.); - IT change communication processes (e.g., notifications to users); and - Validations are required for all changes to systems before they are finalized Platform Security Australia Y
AUISM 298 A centralised and managed approach that maintains the integrity of patches or updates, and confirms that they have been applied successfully, is used to patch or update applications, operating systems, drivers and firmware. The organization uses a centrally managed approach to patch, update or otherwise maintain applications, drivers, operating systems, firmware and hardware, which includes ensuring: - the integrity and authenticity of patches; - successful application of patches; - that patches remain in place; and - that the list of supported software for updates is reviewed regularly. Platform Security Australia Y
AUISM 1690 Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists. Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services (including operating systems of internet-facing services); workstation, server and network device operating systems; operating systems of other ICT equipment; and drivers and firmware are applied within two weeks of release, or within 48 hours if an exploit exists. Platform Security Australia Y
AUISM 1691 Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release. Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software and security products are applied within two weeks of release, or within 48 hours if an exploit exists. Platform Security Australia Y
AUISM 1692 Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours if an exploit exists. Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software and security products are applied within two weeks of release, or within 48 hours if an exploit exists. Platform Security Australia Y
AUISM 1693 Patches, updates or vendor mitigations for security vulnerabilities in other applications are applied within one month of release. Patches, updates or vendor mitigations for security vulnerabilities in other applications are applied within one month of release. Platform Security Australia Y
AUISM 1694 Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists. Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services (including operating systems of internet-facing services); workstation, server and network device operating systems; operating systems of other ICT equipment; and drivers and firmware are applied within two weeks of release, or within 48 hours if an exploit exists. Platform Security Australia Y
AUISM 1695 Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release. Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services (including operating systems of internet-facing services); workstation, server and network device operating systems; operating systems of other ICT equipment; and drivers and firmware are applied within two weeks of release, or within 48 hours if an exploit exists. Platform Security Australia Y
AUISM 1696 Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within 48 hours if an exploit exists. Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services (including operating systems of internet-facing services); workstation, server and network device operating systems; operating systems of other ICT equipment; and drivers and firmware are applied within two weeks of release, or within 48 hours if an exploit exists. Platform Security Australia Y
AUISM 1751 Patches, updates or vendor mitigations for security vulnerabilities in operating systems of other ICT equipment are applied within two weeks of release, or within 48 hours if an exploit exists. Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services (including operating systems of internet-facing services); workstation, server and network device operating systems; operating systems of other ICT equipment; and drivers and firmware are applied within two weeks of release, or within 48 hours if an exploit exists. Platform Security Australia Y
AUISM 1697 Patches, updates or vendor mitigations for security vulnerabilities in drivers and firmware are applied within two weeks of release, or within 48 hours if an exploit exists. Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services (including operating systems of internet-facing services); workstation, server and network device operating systems; operating systems of other ICT equipment; and drivers and firmware are applied within two weeks of release, or within 48 hours if an exploit exists. Platform Security Australia Y
AUISM 1510 A digital preservation policy is developed, implemented and maintained. The organization has a documented and implemented Business Continuity Plan for the service, which is updated annually and when significant changes occur, covering: - Backup strategies (including automated backups at least weekly or more frequently as required, and backups that are stored disconnected); - Restoration strategies (e.g., disaster recovery), including prioritization; - Preservation strategies; and - The security of backed-up data. Data Security Australia Y
AUISM 1547 Data backup processes, and supporting data backup procedures, are developed, implemented and maintained. The organization has a documented and implemented Business Continuity Plan for the service, which is updated annually and when significant changes occur, covering: - Backup strategies (including automated backups at least weekly or more frequently as required, and backups that are stored disconnected); - Restoration strategies (e.g., disaster recovery), including prioritization; - Preservation strategies; and - The security of backed-up data. Data Security Australia Y
AUISM 1548 Data restoration processes, and supporting data restoration procedures, are developed, implemented and maintained. The organization has a documented and implemented Business Continuity Plan for the service, which is updated annually and when significant changes occur, covering: - Backup strategies (including automated backups at least weekly or more frequently as required, and backups that are stored disconnected); - Restoration strategies (e.g., disaster recovery), including prioritization; - Preservation strategies; and - The security of backed-up data. Data Security Australia Y
AUISM 1511 Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements. All data backups are stored for a minimum of 3 months. Data Security Australia Y
AUISM 1515 Restoration of important data, software and configuration settings from backups to a common point of time is tested as part of disaster recovery exercises. Full restoration of backups is tested at least once when initially implemented, each time major information technology infrastructure changes occur (e.g., technology stack changes, vendor changes or platform changes), and at least annually. Data Security Australia Y
AUISM 585 For each event logged, the date and time of the event, the relevant user or process, the relevant filename, the event description, and the ICT equipment involved are recorded. The organization has a documented and implemented logging procedure, covering the collection, review and retention of logs, which is reviewed annually and which requires all systems in the organization (e.g., servers, storage, network, applications, etc.) to log the following and synchronize logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff); - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources); - User administration logs (e.g., addition/removal of users, changes to accounts, password changes); - System logs (e.g., system shutdown/restarts, application crashes and error messages); and - A unique identifier, used or ascribed for each entry, of the user who performed the activity being logged. Platform Security Australia Y
AUISM 1405 A centralised event logging facility is implemented and event logs are sent to the facility as soon as possible after they occur. The organization has implemented a centralized logging facility to store logs which: ensures logs cannot be tampered with; triggers an alert in case a logging transaction fails; supports audit reduction and report generation for analysis; and ensures adequate storage to comply with specified retention times. Platform Security Australia Y
AUISM 109 Event logs are analysed in a timely manner to detect cyber security events. The organization has a documented and implemented logging procedure, covering the collection, review and retention of logs, which is reviewed annually and which requires all systems in the organization (e.g., servers, storage, network, applications, etc.) to log the following and synchronize logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - And uses or ascribes a unique identifier of the user who has performed the activity being logged. Platform Security Australia Y
AUISM 1420 Data from production environments is not used in a development or testing environment unless the environment is secured to the same level as the production environment. Any non-production environments storing or processing production data have the same security controls as the production environment. Data Security Australia Y
AUISM 1536 The following events are logged for web applications: attempted access that is denied, crashes and error messages, and search queries initiated by users. The organization has a documented and implemented logging procedure, covering the collection, review and retention of logs, which is reviewed annually and which requires all systems in the organization (e.g., servers, storage, network, applications, etc.) to log the following and synchronize logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - And uses or ascribes a unique identifier of the user who has performed the activity being logged. Platform Security Australia Y
AUISM 1277 Data communicated between database servers and web servers is encrypted. Data is protected in transit, including between the user, web applications and other system components, at minimum with the following encryption algorithms: Encryption: AES 192 GCM/CCM, CHACHA20 POLY 1305 or above only (AES 256 GCM/CCM recommended); Hashing: SHA-256 or above only (SHA-384 recommended); Digital Signatures: DSA (2048+) FIPS 186-4, ECDSA (224+) using NIST P-384 curve or RSA (2048+); Key Exchange: DH (3072+), ECDH (256+) using NIST P-384 curve and/or RSA (3072+); Protocol: TLS 1.2 or above only (TLS 1.3 recommended) Data Security Australia
AUISM 1273 Development and testing environments do not use the same database servers as production environments. Your organization enforces the following controls on database management system (DBMS) software: Follow vendor guidance for securing the database; DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; Least privileges; File-based access controls; Disable anonymous and default database administrator account; Unique username and password for each database administrator account; Use database administrator accounts for administrative tasks only; and Segregate test and production environment. Data Security Australia
AUISM 1246 DBMS software is configured according to vendor guidance. Your organization enforces the following controls on database management system (DBMS) software: Follow vendor guidance for securing the database; DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; Least privileges; File-based access controls; Disable anonymous and default database administrator account; Unique username and password for each database administrator account; Use database administrator accounts for administrative tasks only; and Segregate test and production environment. Data Security Australia
AUISM 1247 Unneeded accounts, components, services and functionality of DBMS software are disabled or removed. Your organization enforces the following controls on database management system (DBMS) software: Follow vendor guidance for securing the database; DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; Least privileges; File-based access controls; Disable anonymous and default database administrator account; Unique username and password for each database administrator account; Use database administrator accounts for administrative tasks only; and Segregate test and production environment. Data Security Australia
AUISM 1249 DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions. Your organization enforces the following controls on database management system (DBMS) software: Follow vendor guidance for securing the database; DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; Least privileges; File-based access controls; Disable anonymous and default database administrator account; Unique username and password for each database administrator account; Use database administrator accounts for administrative tasks only; and Segregate test and production environment. Data Security Australia
AUISM 1250 The account under which DBMS software runs has limited access to non-essential areas of the database server's file system. Your organization enforces the following controls on database management system (DBMS) software: Follow vendor guidance for securing the database; DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; Least privileges; File-based access controls; Disable anonymous and default database administrator account; Unique username and password for each database administrator account; Use database administrator accounts for administrative tasks only; and Segregate test and production environment. Data Security Australia
AUISM 1260 Default database administrator accounts are disabled, renamed or have their credentials changed. Your organization enforces the following controls on database management system (DBMS) software: Follow vendor guidance for securing the database; DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; Least privileges; File-based access controls; Disable anonymous and default database administrator account; Unique username and password for each database administrator account; Use database administrator accounts for administrative tasks only; and Segregate test and production environment. Data Security Australia
AUISM 1262 Database administrators have unique and identifiable accounts. Your organization enforces the following controls on database management system (DBMS) software: Follow vendor guidance for securing the database; DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; Least privileges; File-based access controls; Disable anonymous and default database administrator account; Unique username and password for each database administrator account; Use database administrator accounts for administrative tasks only; and Segregate test and production environment. Data Security Australia
AUISM 1263 Database administrator accounts are used exclusively for administrative activities, with standard database accounts used for general purpose interactions with databases. Your organization enforces the following controls on database management system (DBMS) software: Follow vendor guidance for securing the database; DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; Least privileges; File-based access controls; Disable anonymous and default database administrator account; Unique username and password for each database administrator account; Use database administrator accounts for administrative tasks only; and Segregate test and production environment. Data Security Australia
AUISM 1537 The following events are logged for databases: access or modification of particularly important content; addition of new users, especially privileged users; changes to user roles or privileges; attempts to elevate user privileges; queries containing comments; queries containing multiple embedded queries; database and query alerts or failures; database structure changes; database administrator actions; use of executable commands; database logons and logoffs. The organization has a documented and implemented logging procedure, covering the collection, review and retention of logs, which is reviewed annually and which requires all systems in the organization (e.g., servers, storage, network, applications, etc.) to log the following and synchronize logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - And uses or ascribes a unique identifier of the user who has performed the activity being logged. Platform Security Australia
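The logging rows above (AUISM 585, 1405, 109, 1536 and 1537) ask for a fixed set of fields on every event, a unique identifier for the actor, a consistent UTC time source, and a central store in which logs "cannot be tampered with". The following is an added example, not GESS text or any vendor's implementation, of one way to meet the field and tamper-evidence requirements at the application layer: a hash-chained audit log where each record commits to the SHA-256 of the previous one. The field names, event categories and sample events are this example's own assumptions, constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Fields the ISM 585 row asks for on every event (date/time, user or process,
# equipment involved, description, filename); "filename" is optional because
# not every event touches a file. Names here are assumptions for the example.
REQUIRED = ("time", "actor", "host", "event", "description")
GENESIS = "0" * 64  # hash the first record chains to


def _digest(record):
    """Canonical JSON (sorted keys, no whitespace) hashed with SHA-256."""
    body = {k: v for k, v in record.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class AuditLog:
    """Append-only, hash-chained event log. Each record stores the hash of the
    one before it, so editing or deleting an earlier record breaks verify()."""

    def __init__(self):
        self.records = []

    def append(self, time, actor, host, event, description, filename=None):
        # consistent time source: refuse naive or non-UTC timestamps
        if time.tzinfo is None or time.utcoffset() != timedelta(0):
            raise ValueError("event time must be timezone-aware UTC")
        rec = {
            "seq": len(self.records),
            "prev": self.records[-1]["hash"] if self.records else GENESIS,
            "time": time.isoformat(timespec="milliseconds"),
            "actor": actor,            # unique identifier of the user/process
            "host": host,              # the ICT equipment involved
            "event": event,
            "description": description,
            "file": filename,
        }
        rec["hash"] = _digest(rec)
        self.records.append(rec)
        return rec


def verify(records):
    """Walk the chain; return the index of the first bad record, or None."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return i
        if any(k not in rec for k in REQUIRED) or _digest(rec) != rec.get("hash"):
            return i
        prev = rec["hash"]
    return None


def build_sample_log():
    """Constructed sample events (not real log data) covering three of the
    categories in the statement: authentication, privileged operation, user admin."""
    log = AuditLog()
    t = datetime(2024, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
    log.append(t, "u1023", "app-01", "auth.login.success", "interactive login")
    log.append(t, "u1023", "app-01", "priv.config.change",
               "updated retention policy", filename="/etc/app/retention.yml")
    log.append(t, "svc-idp", "idp-02", "user.create", "added account u2048")
    return log


def tamper_demo():
    """Return verify() results before and after an attacker rewrites record 1."""
    log = build_sample_log()
    before = verify(log.records)
    log.records[1]["description"] = "routine maintenance"  # hostile edit
    after = verify(log.records)
    return before, after
```

The chain detects edits and deletions in the middle of the log, but not truncation of the newest records; the latest hash has to be anchored somewhere the writer cannot reach, which is what the central facility in the AUISM 1405 row provides if records are shipped there promptly and the receiving side keeps its own copy of the last hash it accepted.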
AUISM 1181 Networks are segregated into multiple network zones according to the criticality of servers, services and data. Internet facing components (e.g., web servers) are separated from other online components (e.g., databases) using the following controls: secure communication between network segments (e.g., using firewalls), including filtering between network segments; a DMZ for internet-facing components and separate trusted zones for other components; and virtual (e.g., VLAN) or physical network segregation. Platform Security Australia
AUISM 1577 An organisation's networks are segregated from their service providers' networks. Internet facing components (e.g., web servers) are separated from other online components (e.g., databases) using the following controls: secure communication between network segments (e.g., using firewalls), including filtering between network segments; a DMZ for internet-facing components and separate trusted zones for other components; and virtual (e.g., VLAN) or physical network segregation. Platform Security Australia
AUISM 1532 VLANs are not used to separate network traffic between an organisation's networks and public network infrastructure. Internet facing components (e.g., web servers) are separated from other online components (e.g., databases) using the following controls: secure communication between network segments (e.g., using firewalls), including filtering between network segments; a DMZ for internet-facing components and separate trusted zones for other components; and virtual (e.g., VLAN) or physical network segregation. Platform Security Australia
AUISM 529 VLANs are not used to separate network traffic between networks belonging to different security domains. Internet facing components (e.g., web servers) are separated from other online components (e.g., databases) using the following controls: secure communication between network segments (e.g., using firewalls), including filtering between network segments; a DMZ for internet-facing components and separate trusted zones for other components; and virtual (e.g., VLAN) or physical network segregation. Platform Security Australia
AUISM 530 Network devices managing VLANs are administered from the most trusted security domain. Internet facing components (e.g., web servers) are separated from other online components (e.g., databases) using the following controls: secure communication between network segments (e.g., using firewalls), including filtering between network segments; a DMZ for internet-facing components and separate trusted zones for other components; and virtual (e.g., VLAN) or physical network segregation. Platform Security Australia
AUISM 535 Network devices managing VLANs belonging to different security domains do not share VLAN trunks. Internet facing components (e.g., web servers) are separated from other online components (e.g., databases) using the following controls: secure communication between network segments (e.g., using firewalls), including filtering between network segments; a DMZ for internet-facing components and separate trusted zones for other components; and virtual (e.g., VLAN) or physical network segregation. Platform Security Australia
AUISM 1364 Network devices managing VLANs terminate VLANs belonging to different security domains on separate physical network interfaces. Internet facing components (e.g., web servers) are separated from other online components (e.g., databases) using the following controls: secure communication between network segments (e.g., using firewalls), including filtering between network segments; a DMZ for internet-facing components and separate trusted zones for other components; and virtual (e.g., VLAN) or physical network segregation. Platform Security Australia
AUISM 520 Network access controls are implemented on networks to prevent the connection of unauthorised network devices. Internet facing components (e.g., web servers) are separated from other online components (e.g., databases) using the following controls: secure communication between network segments (e.g., using firewalls), including filtering between network segments; a DMZ for internet-facing components and separate trusted zones for other components; and virtual (e.g., VLAN) or physical network segregation. Platform Security Australia
AUISM 1182 Network access controls are implemented to limit network traffic within and between network segments to only those required for business purposes. Internet facing components (e.g., web servers) are separated from other online components (e.g., databases) using the following controls: secure communication between network segments (e.g., using firewalls), including filtering between network segments; a DMZ for internet-facing components and separate trusted zones for other components; and virtual (e.g., VLAN) or physical network segregation. Platform Security Australia
AUISM 385 Servers maintain effective functional separation with other servers allowing them to operate independently. Internet facing components (e.g., web servers) are separated from other online components (e.g., databases) using the following controls: secure communication between network segments (e.g., using firewalls), including filtering between network segments; a DMZ for internet-facing components and separate trusted zones for other components; and virtual (e.g., VLAN) or physical network segregation. Platform Security Australia
AUISM 1479 Servers minimise communications with other servers at both the network and file system level. Internet facing components (e.g., web servers) are separated from other online components (e.g., databases) using the following controls: secure communication between network segments (e.g., using firewalls), including filtering between network segments; a DMZ for internet-facing components and separate trusted zones for other components; and virtual (e.g., VLAN) or physical network segregation. Platform Security Australia
AUISM 1006 Security measures are implemented to prevent unauthorised access to network management traffic. Internet facing components (e.g., web servers) are separated from other online components (e.g., databases) using the following controls: secure communication between network segments (e.g., using firewalls), including filtering between network segments; a DMZ for internet-facing components and separate trusted zones for other components; and virtual (e.g., VLAN) or physical network segregation. Platform Security Australia
AUISM 1437 Cloud service providers are used for hosting online services. Internet facing components (e.g., web servers) are separated from other online components (e.g., databases) using the following controls: secure communication between network segments (e.g., using firewalls), including filtering between network segments; a DMZ for internet-facing components and separate trusted zones for other components; and virtual (e.g., VLAN) or physical network segregation. Platform Security Australia
AUISM 1578 An organisation is notified by cloud service providers of any change to configured regions or availability zones for online services. Customers are notified in advance of any relocation or expansion (i.e. change of country) of: - the cloud infrastructure, including system components, user data and related data; and - any person (vendor or cloud infrastructure staff, external contractors or associates) with access to unencrypted customer data or any person with a means of accessing or extracting unencrypted data (e.g., those with access to encryption keys and encrypted customer data). Supply Chain Australia Y
AUISM 1435 Availability monitoring with real-time alerting is implemented for online services to detect denial-of-service attacks and measure their impact. The following perimeter controls are in place: External firewall; Host based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; DNS filtering and network URL based filters; Organization assets are configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization's wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; Implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g., Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; and Periodic scan of organizational file storage and real-time scans of files from external sources. Platform Security Australia Y
AUISM 1436 Critical online services are segregated from other online services that are more likely to be targeted. If a multi-tenancy model is used to store and process customer data, partitioning controls are implemented to securely separate each customer's data from that of other customers. Data Security Australia
AUISM 471 Only AACAs or high assurance cryptographic algorithms are used by cryptographic equipment and software. Data is protected in transit, including between the user, web applications and other system components, at minimum with the following encryption algorithms: Encryption: AES 192 GCM/CCM, CHACHA20 POLY 1305 or above only (AES 256 GCM/CCM recommended); Hashing: SHA-256 or above only (SHA-384 recommended); Digital Signatures: DSA (2048+) FIPS 186-4, ECDSA (224+) using NIST P-384 curve or RSA (2048+); Key Exchange: DH (3072+), ECDH (256+) using NIST P-384 curve and/or RSA (3072+); Protocol: TLS 1.2 or above only (TLS 1.3 recommended) Data Security Australia
AUISM 994 ECDH and ECDSA are used in preference to DH and DSA. Data is protected in transit, including between the user, web applications and other system components, at minimum with the following encryption algorithms: Encryption: AES 192 GCM/CCM, CHACHA20 POLY 1305 or above only (AES 256 GCM/CCM recommended); Hashing: SHA-256 or above only (SHA-384 recommended); Digital Signatures: DSA (2048+) FIPS 186-4, ECDSA (224+) using NIST P-384 curve or RSA (2048+); Key Exchange: DH (3072+), ECDH (256+) using NIST P-384 curve and/or RSA (3072+); Protocol: TLS 1.2 or above only (TLS 1.3 recommended) Data Security Australia
AUISM 472 When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used, preferably 3072 bits. Customer data uploaded to the service, if any, is encrypted with an algorithm at least as strong as AES-192. Data Security Australia
AUISM 1759 When using DH for agreeing on encryption session keys, a modulus of at least 3072 bits is used. Customer data uploaded to the service, if any, is encrypted with an algorithm at least as strong as AES-192. Data Security Australia
AUISM 474 When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used, preferably the NIST P-384 curve. Customer data uploaded to the service, if any, is encrypted with an algorithm at least as strong as AES-192. Data Security Australia
AUISM 1761 When using ECDH for agreeing on encryption session keys, NIST P-256, P-384 or P-521 curves are used, preferably the NIST P-384 curve. Customer data uploaded to the service, if any, is encrypted with an algorithm at least as strong as AES-192. Data Security Australia
AUISM 1139 Only the latest version of TLS is used for TLS connections. Data is protected in transit, including between the user, web applications and other system components, at minimum with the following encryption algorithms: Encryption: AES 192 GCM/CCM, CHACHA20 POLY 1305 or above only (AES 256 GCM/CCM recommended); Hashing: SHA-256 or above only (SHA-384 recommended); Digital Signatures: DSA (2048+) FIPS 186-4, ECDSA (224+) using NIST P-384 curve or RSA (2048+); Key Exchange: DH (3072+), ECDH (256+) using NIST P-384 curve and/or RSA (3072+); Protocol: TLS 1.2 or above only (TLS 1.3 recommended) Data Security Australia
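The in-transit minimums repeated in the rows above (AUISM 1277, 471, 994 and 1139) and the DH/ECDH rows (AUISM 472, 1759, 474, 1761) are easy to state and easy to get wrong in a TLS listener's cipher string. The following is an added example, not GESS text or any product's code, of a checker that evaluates a server's protocol list, cipher-suite names (OpenSSL-style TLS 1.2 names and IANA-style TLS 1.3 names), curve list and DH modulus against those minimums, and produces the pruned configuration beside the weak one. The parsing rules, the dictionary layout and the sample configuration are this example's own assumptions; the sample is constructed and deliberately contains weak entries.

```python
import re

# Minimums taken from the GESS statement above. Everything else in this block
# (parsing rules, config layout, sample data) is an assumption of the example.
MIN_TLS = (1, 2)
MIN_AES_BITS = 192
MIN_HASH_BITS = 256
MIN_DH_BITS = 3072
APPROVED_CURVES = {"prime256v1", "secp256r1", "secp384r1", "secp521r1"}
PREFERRED_CURVE = "secp384r1"

# Constructed sample (not from the page): OpenSSL-style TLS 1.2 names mixed
# with IANA-style TLS 1.3 names, plus deliberately weak entries to flag.
SAMPLE_CONFIG = {
    "protocols": ["TLSv1.1", "TLSv1.2", "TLSv1.3"],
    "ciphers": [
        "ECDHE-ECDSA-AES256-GCM-SHA384",  # passes
        "ECDHE-RSA-AES128-GCM-SHA256",    # AES-128 is below AES-192
        "ECDHE-RSA-CHACHA20-POLY1305",    # passes
        "AES256-SHA",                     # CBC mode and SHA-1
        "TLS_AES_256_GCM_SHA384",         # passes (TLS 1.3)
        "TLS_AES_128_GCM_SHA256",         # AES-128 is below AES-192
    ],
    "curves": ["secp384r1", "prime256v1"],
    "dh_bits": 2048,                      # below the 3072-bit minimum
}


def parse_tls_version(name):
    """'TLSv1.2' -> (1, 2); None for anything that is not a TLSvX.Y string."""
    m = re.fullmatch(r"TLSv(\d)\.(\d)", name)
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_cipher(name):
    """Reasons a suite fails the bulk-cipher and hash minimums (empty = ok)."""
    n = name.upper()
    issues = []
    chacha = "CHACHA20" in n and "POLY1305" in n
    aes = re.search(r"AES[_-]?(\d{3})[_-](GCM|CCM|CBC|SHA)", n)
    if chacha:
        pass  # ChaCha20-Poly1305 is an approved AEAD cipher
    elif aes:
        bits, mode = int(aes.group(1)), aes.group(2)
        if bits < MIN_AES_BITS:
            issues.append(f"AES-{bits} is below AES-{MIN_AES_BITS}")
        if mode not in ("GCM", "CCM"):
            issues.append("not an AEAD mode (GCM/CCM required)")
    else:
        issues.append("cipher not in the approved set")
    # OpenSSL's ChaCha20 names carry no hash suffix but the suite uses SHA-256,
    # so the suffix is only checked when present or when it is not ChaCha20.
    h = re.search(r"SHA(\d{3})?$", n)
    if h or not chacha:
        if h is None or h.group(1) is None or int(h.group(1)) < MIN_HASH_BITS:
            issues.append(f"hash/PRF weaker than SHA-{MIN_HASH_BITS}")
    return issues


def check_config(cfg):
    """Evaluate a whole configuration; returns {area: findings}."""
    report = {"protocols": [], "curves": [], "dh": [], "notes": []}
    for p in cfg.get("protocols", []):
        v = parse_tls_version(p)
        if v is None or v < MIN_TLS:
            report["protocols"].append(f"{p} enabled (TLS 1.2 or above only)")
    report["ciphers"] = {c: check_cipher(c) for c in cfg.get("ciphers", [])}
    for c in cfg.get("curves", []):
        if c not in APPROVED_CURVES:
            report["curves"].append(f"{c} is not NIST P-256/P-384/P-521")
    if PREFERRED_CURVE not in cfg.get("curves", []):
        report["notes"].append("P-384 (secp384r1) not offered; it is recommended")
    dh = cfg.get("dh_bits")
    if dh is not None and dh < MIN_DH_BITS:
        report["dh"].append(f"DH modulus {dh} bits is below {MIN_DH_BITS}")
    return report


def is_compliant(cfg):
    """True when the report holds no hard failure (notes do not count)."""
    r = check_config(cfg)
    return not (r["protocols"] or r["curves"] or r["dh"]
                or any(r["ciphers"].values()))


def harden(cfg):
    """Copy of cfg with failing protocols, suites and curves removed and the
    DH modulus raised to the minimum: the corrected config beside the weak one."""
    ver_ok = [p for p in cfg.get("protocols", [])
              if (parse_tls_version(p) or (0, 0)) >= MIN_TLS]
    return {
        "protocols": ver_ok,
        "ciphers": [c for c in cfg.get("ciphers", []) if not check_cipher(c)],
        "curves": [c for c in cfg.get("curves", []) if c in APPROVED_CURVES],
        "dh_bits": max(cfg.get("dh_bits") or 0, MIN_DH_BITS),
    }
```

Run `check_config(SAMPLE_CONFIG)` to see the findings and `harden(SAMPLE_CONFIG)` for the pruned result; the checker reads suite names only, so the signature and key-exchange sizes in the statement (RSA/DH 3072+, ECDSA on an approved curve) still have to be confirmed against the certificate and the DH parameters actually loaded, which a name cannot tell you.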
AUISM 628 Gateways are implemented between networks belonging to different security domains. Internet facing components (e.g., web servers) are separated from other online components (e.g., databases) using the following controls: secure communication between network segments (e.g., using firewalls), including filtering between network segments; a DMZ for internet-facing components and separate trusted zones for other components; and virtual (e.g., VLAN) or physical network segregation. Platform Security Australia
AUISM 1528 Evaluated firewalls are used between an organisation's networks and public network infrastructure. The following perimeter controls are in place: External firewall; Host based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; DNS filtering and network URL based filters; Organization assets are configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization's wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; Implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g., Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; and Periodic scan of organizational file storage and real-time scans of files from external sources. Platform Security Australia Y
AUISM 657 When manually importing data to systems, the data is scanned for malicious and active content. The following features are built into the file download functionality available within the service: All files are scanned for Malware/Viruses during download; All files are scanned for Malware/Viruses while at rest; and All files found to contain Malware/Viruses are deleted or quarantined. Detect & Respond Australia Y
CIS 1.1 Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. The organization has a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organization's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organization's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. Devices Asset & Risk Management United States 1
CIS 1.2 Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. The organization has a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organization's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organization's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. Devices Asset & Risk Management United States 1
CIS | 2.1 | Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently. | The organization has a documented and implemented IT asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure, etc. (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department and approval for connecting to the organization's network; for software also the publisher, installation date, business purpose, URI, deployment mechanism and decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, updated in line with the organization's system hardening process, with each component tracked only once; - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or quarantining of any identified unauthorized assets on a regular basis. | Applications | Asset & Risk Management | United States | | 1
CIS | 2.2 | Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. | Your organization uses a centrally managed approach to patch, update or otherwise maintain applications, drivers, operating systems, firmware and hardware, which includes ensuring: - the integrity and authenticity of patches; - successful application of patches; - that patches remain in place; and - that the list of supported software for updates is reviewed regularly. | Applications | Platform Security | United States | | 1
CIS | 2.3 | Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. | A documented and implemented system hardening process is in place which: includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; ensures only required ports, protocols, services and authorizations are enabled, whether for internal or external connections (all others are restricted); is reviewed annually and when significant changes occur, including when system components are installed or upgraded; results in security configurations being established and enforced for organization systems; and ensures only required and authorized software is installed and used. | Applications | Platform Security | United States | | 1
CIS | 3.1 | Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | The organization has a documented and implemented data management policy that outlines the following at a minimum: - identification of data assets; - recording of data assets in a data inventory; - data asset ownership; - tracking of data sensitivity; - data handling procedures; - data retention limits; - disposal requirements informed by data sensitivity and retention standards; and - annual review and update of the policy, with a priority on sensitive data. | Data | Data Security | United States | | 1
CIS | 3.2 | Establish and maintain a data inventory, based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. | The organization has a documented and implemented data management policy that outlines the following at a minimum: - identification of data assets; - recording of data assets in a data inventory; - data asset ownership; - tracking of data sensitivity; - data handling procedures; - data retention limits; - disposal requirements informed by data sensitivity and retention standards; and - annual review and update of the policy, with a priority on sensitive data. | Data | Data Security | United States | | 1
CIS | 3.3 | Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. | In your organization, data access control lists are implemented and configured based on a user's need to know, and these controls are applied to local and remote file systems, databases and applications. | Data | Access Control | United States | | 1
CIS | 3.4 | Retain data according to the enterprise's data management process. Data retention must include both minimum and maximum timelines. | A documented and implemented data retention policy exists, including: a minimum data retention period; a maximum data retention period; and the deletion of identifying or sensitive data that is no longer required. | Data | Data Security | United States | | 1
CIS | 3.5 | Securely dispose of data as outlined in the enterprise's data management process. Ensure the disposal process and method are commensurate with the data sensitivity. | Deletion of data from the service is performed securely, commensurate with the data's sensitivity, and is certified. | Data | Data Security | United States | | 1
CIS | 4.1 | Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | A documented and implemented system hardening process is in place which: includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; ensures only required ports, protocols, services and authorizations are enabled, whether for internal or external connections (all others are restricted); is reviewed annually and when significant changes occur, including when system components are installed or upgraded; results in security configurations being established and enforced for organization systems; and ensures only required and authorized software is installed and used. | Applications | Platform Security | United States | | 1
CIS | 4.2 | Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | A documented and implemented system hardening process is in place which: includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; ensures only required ports, protocols, services and authorizations are enabled, whether for internal or external connections (all others are restricted); is reviewed annually and when significant changes occur, including when system components are installed or upgraded; results in security configurations being established and enforced for organization systems; and ensures only required and authorized software is installed and used. | Network | Platform Security | United States | | 1
CIS | 4.3 | Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. | All internal organization systems are configured with a session or screen lock that activates after a maximum of 15 minutes of user inactivity or when manually activated by the user. On mobile devices, all internal organization systems are configured with a session or screen lock that activates after a maximum of 2 minutes of user inactivity or when manually activated by the user. In both cases the user is required to reauthenticate to unlock the system. | Users | Access Control | United States | | 1
CIS | 4.4 | Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent. | The following perimeter controls are in place: External firewall; Host-based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to the asset inventory on a regular basis; DNS filtering and network URL-based filters; Organization assets configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization's wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; An implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary servers and internal/external server separation; and Periodic scans of organizational file storage and real-time scans of files from external sources. | Devices | Platform Security | United States | | 1
CIS | 4.5 | Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. | The following perimeter controls are in place: External firewall; Host-based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to the asset inventory on a regular basis; DNS filtering and network URL-based filters; Organization assets configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization's wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; An implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary servers and internal/external server separation; and Periodic scans of organizational file storage and real-time scans of files from external sources. | Devices | Platform Security | United States | | 1
CIS | 4.6 | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. | Enterprise assets and software are securely managed via one or more of the following: version-controlled infrastructure as code, or accessing administrative interfaces securely via SSH or HTTPS. | Network | Platform Security | United States | | 1
CIS | 5.1 | Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. | Within the organization there is an inventory of all user, administrator and service accounts, which includes details of the person's name (if applicable), username/identifier, start/stop dates, and department (if an employee), and this inventory of accounts is validated at least every 3 months. | Users | Access Control | United States | | 1
CIS | 5.2 | Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. | For vendor staff, external contractors or associates with access to your organization's systems and the service: if using single-factor authentication, passwords require a minimum of 14 characters with complexity; if using multi-factor authentication, passwords are a minimum of eight characters with complexity. | Users | Access Control | United States | | 1
CIS | 5.3 | Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported. | Within the organization, all accounts are disabled after 45 days of inactivity, and user identifiers are blocked from reassignment to new users for a defined period of time. | Users | Access Control | United States | | 1
CIS | 5.4 | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account. | Within your organization and within the service, super-user privileged accounts are restricted by policy to only those functions that require such access and only for the duration required. | Users | Access Control | United States | | 1
CIS | 6.1 | Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user. | There is a documented and implemented process to grant access to systems, applications and data repositories for new personnel (vendor staff, external contractors and associates) or when a user changes roles. | Users | Access Control | United States | | 1
CIS | 6.3 | Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard. | The service requires externally exposed enterprise or third-party applications to enforce multi-factor authentication. | Users | Access Control | United States | | 1
CIS | 6.4 | Require MFA for remote network access. | The service requires additional authorization protocols to execute privileged commands remotely, compared to on-site. | Users | Access Control | United States | | 1
CIS | 6.5 | Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider. | The service requires additional authorization protocols to execute privileged commands remotely, compared to on-site. | Users | Access Control | United States | | 1
CIS | 7.1 | Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. | Applications | Detect & Respond | United States | | 1
CIS | 7.2 | Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews. | The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. | Applications | Detect & Respond | United States | | 1
CIS | 7.3 | Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. | Your organization uses a centrally managed approach to patch, update or otherwise maintain applications, drivers, operating systems, firmware and hardware, which includes ensuring: - the integrity and authenticity of patches; - successful application of patches; - that patches remain in place; and - that the list of supported software for updates is reviewed regularly. | Applications | Platform Security | United States | | 1
CIS | 7.4 | Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. | Your organization uses a centrally managed approach to patch, update or otherwise maintain applications, drivers, operating systems, firmware and hardware, which includes ensuring: - the integrity and authenticity of patches; - successful application of patches; - that patches remain in place; and - that the list of supported software for updates is reviewed regularly. | Applications | Platform Security | United States | | 1
CIS | 8.1 | Establish and maintain an audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | The organization has a documented and implemented logging procedure, covering the collection, review and retention of logs, which is reviewed annually and which requires all systems in the organization (e.g., servers, storage, network, applications, etc.) to log the following and synchronize logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff); - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources); - User administration logs (e.g., addition/removal of users, changes to accounts, password changes); - System logs (e.g., system shutdown/restarts, application crashes and error messages); - and to use or ascribe a unique identifier to the user who performed the activity being logged. | Network | Platform Security | United States | | 1
CIS | 8.3 | Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process. | The organization has implemented a centralized logging facility to store logs which: ensures logs cannot be tampered with; triggers an alert if a logging transaction fails; supports audit reduction and report generation for analysis; and ensures adequate storage to comply with specified retention times. | Network | Platform Security | United States | | 1
CIS | 9.1 | Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor. | The organization has a documented and implemented maintenance policy that, at a minimum: provides management direction and support for maintenance; requires compliance with applicable laws and regulations; governs the development of a maintenance plan for the organization's software, hardware and firmware; ensures that any software no longer supported with updates is either removed as unauthorized or documented as an exception with mitigating controls and risk acceptance; ensures that only fully supported web browsers and email clients are allowed to execute in the enterprise; and is reviewed regularly and in response to security incidents. | Applications | Platform Security | United States | | 1
CIS | 10.1 | Deploy and maintain anti-malware software on all enterprise assets. | Production servers (e.g., authentication servers, Domain Name System (DNS), web servers, file servers and email servers), containers, serverless services and all endpoints are protected by HIPS (Host-based Intrusion Prevention System), software-based application firewalls, anti-virus and anti-malware, all of which are kept up to date with definitions and maintained. | Devices | Platform Security | United States | | 1
CIS | 10.2 | Configure automatic updates for anti-malware signature files on all enterprise assets. | The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. | Devices | Detect & Respond | United States | | 1
CIS | 10.3 | Disable autorun and autoplay auto-execute functionality for removable media. | All of the organization's desktop computers, laptops, tablets, mobile phones and other devices are protected from viruses and malware by: having anti-virus and anti-malware installed; limiting the applications and services which can be installed to a documented approved set; updating anti-virus and anti-malware signatures at least daily; scanning files automatically before access; and blocking access to malicious sites before they are accessed. | Devices | Platform Security | United States | | 1
CIS | 11.1 | Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | The organization has a documented and implemented Business Continuity Plan for the service, which is updated annually and when significant changes occur, covering: - Backup strategies (including automated backups at least weekly or more frequently as required, and backups that are stored disconnected); - Restoration strategies (e.g., disaster recovery), including prioritization; - Preservation strategies; - and the security of backed-up data. | Data | Data Security | United States | | 1
CIS | 11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. | The organization has a documented and implemented Business Continuity Plan for the service, which is updated annually and when significant changes occur, covering: - Backup strategies (including automated backups at least weekly or more frequently as required, and backups that are stored disconnected); - Restoration strategies (e.g., disaster recovery), including prioritization; - Preservation strategies; - and the security of backed-up data. | Data | Data Security | United States | | 1
CIS | 12.1 | Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. | Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services (including the operating systems of internet-facing services), in workstation, server and network device operating systems, in the operating systems of other ICT equipment, and in drivers and firmware are applied within two weeks of release, or within 48 hours if an exploit exists. | Network | Platform Security | United States | | 1
CIS | 14.1 | Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. | The organization runs, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following: Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); and The content to be delivered for each awareness session, such as: Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; Actions to maintain security, privacy and online safety, including practical office/desktop practices; Actions to respond to suspected security, privacy and online safety incidents; Applicable policies and laws; Practical security, privacy and online safety awareness exercises; Data identification and storage, including the safe transfer of data, archival and destruction; Disciplinary actions for significant security and privacy breaches by staff; How to recognise and report indicators of potential insider threats to security by staff; Recognizing social engineering attacks such as phishing, pre-texting and tailgating; Authentication best practices including MFA, password composition and managing credentials; Verification and reporting of out-of-date software patches and any failure in automated processes and tools; and The dangers of connecting to, and transmitting data over, insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. | NULL | Personnel | United States | | 1
CIS | 14.2 | Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating. | The organization runs, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following: Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); and The content to be delivered for each awareness session, such as: Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; Actions to maintain security, privacy and online safety, including practical office/desktop practices; Actions to respond to suspected security, privacy and online safety incidents; Applicable policies and laws; Practical security, privacy and online safety awareness exercises; Data identification and storage, including the safe transfer of data, archival and destruction; Disciplinary actions for significant security and privacy breaches by staff; How to recognise and report indicators of potential insider threats to security by staff; Recognizing social engineering attacks such as phishing, pre-texting and tailgating; Authentication best practices including MFA, password composition and managing credentials; Verification and reporting of out-of-date software patches and any failure in automated processes and tools; and The dangers of connecting to, and transmitting data over, insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. | NULL | Personnel | United States | | 1
CIS 14.3 Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management. The organization runs, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following: Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); The content to be delivered for each awareness session such as: Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; Actions to maintain security, privacy and online safety, including practical office/desktop practices; Actions to respond to suspected security, privacy and online safety incidents; Applicable policies and laws; Practical security, privacy and online safety awareness exercises; Data identification and storage, including the safe transfer of data, archival and destruction; Disciplinary actions for significant security and privacy breaches by staff; How to recognise and report indicators of potential insider threats to security by staff; Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; Covers authentication best practices including MFA, password composition and managing credentials; Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Personnel United States 1
CIS 14.4 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely. The organization runs, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following: Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); The content to be delivered for each awareness session such as: Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; Actions to maintain security, privacy and online safety, including practical office/desktop practices; Actions to respond to suspected security, privacy and online safety incidents; Applicable policies and laws; Practical security, privacy and online safety awareness exercises; Data identification and storage, including the safe transfer of data, archival and destruction; Disciplinary actions for significant security and privacy breaches by staff; How to recognise and report indicators of potential insider threats to security by staff; Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; Covers authentication best practices including MFA, password composition and managing credentials; Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Personnel United States 1
CIS 14.5 Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences. The organization runs, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following: Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); The content to be delivered for each awareness session such as: Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; Actions to maintain security, privacy and online safety, including practical office/desktop practices; Actions to respond to suspected security, privacy and online safety incidents; Applicable policies and laws; Practical security, privacy and online safety awareness exercises; Data identification and storage, including the safe transfer of data, archival and destruction; Disciplinary actions for significant security and privacy breaches by staff; How to recognise and report indicators of potential insider threats to security by staff; Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; Covers authentication best practices including MFA, password composition and managing credentials; Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Personnel United States 1
CIS 14.6 Train workforce members to be able to recognize a potential incident and be able to report such an incident. The organization runs, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following: Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); The content to be delivered for each awareness session such as: Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; Actions to maintain security, privacy and online safety, including practical office/desktop practices; Actions to respond to suspected security, privacy and online safety incidents; Applicable policies and laws; Practical security, privacy and online safety awareness exercises; Data identification and storage, including the safe transfer of data, archival and destruction; Disciplinary actions for significant security and privacy breaches by staff; How to recognise and report indicators of potential insider threats to security by staff; Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; Covers authentication best practices including MFA, password composition and managing credentials; Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Personnel United States 1
CIS 14.7 Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools. The organization runs, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following: Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); The content to be delivered for each awareness session such as: Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; Actions to maintain security, privacy and online safety, including practical office/desktop practices; Actions to respond to suspected security, privacy and online safety incidents; Applicable policies and laws; Practical security, privacy and online safety awareness exercises; Data identification and storage, including the safe transfer of data, archival and destruction; Disciplinary actions for significant security and privacy breaches by staff; How to recognise and report indicators of potential insider threats to security by staff; Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; Covers authentication best practices including MFA, password composition and managing credentials; Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Personnel United States 1
CIS 14.8 Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure. The organization runs, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following: Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); The content to be delivered for each awareness session such as: Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; Actions to maintain security, privacy and online safety, including practical office/desktop practices; Actions to respond to suspected security, privacy and online safety incidents; Applicable policies and laws; Practical security, privacy and online safety awareness exercises; Data identification and storage, including the safe transfer of data, archival and destruction; Disciplinary actions for significant security and privacy breaches by staff; How to recognise and report indicators of potential insider threats to security by staff; Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; Covers authentication best practices including MFA, password composition and managing credentials; Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Personnel United States 1
CIS 15.1 Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. The Organization has an inventory of all third-party service providers; regularly assesses and manages the risks associated with these third-party providers; has contractual agreements in place to ensure third-party providers adhere to your information security and privacy policies; ensures that the contractual agreements include notification of the transfer or termination of any personnel authorized to use your organization's systems; monitors third-party providers for compliance; has defined and documented roles and responsibilities with regard to third-party providers, including oversight of compliance; has a classification system for these third-party providers; and has a designated internal organization contact for each provider. NULL Supply Chain United States 1
CIS 17.1 Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. As part of your organization’s incident handling process your organization: has one key person and at least one backup tasked with managing the organization’s incident handling process; and has contact information for all parties that need to be informed of security incidents (e.g. staff, third party vendors, law enforcement, insurance providers, government agencies etc); and contacts are updated annually. NULL Detect & Respond United States 1
CIS 17.2 Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date. Your organization has a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: Identified, following a clear definition; Reported by staff (if internal); Proactively monitored; Contained; Investigated; Remediated; Tracked with metrics, to measure response effectiveness; and Recorded in a register with the following information at a minimum: Date incident occurred; Date incident discovered; Description of the incident; Actions taken in response to the incident; and Name of person to whom the incident was reported. NULL Detect & Respond United States 1
CIS 17.3 Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. Your organization has a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: Identified, following a clear definition; Reported by staff (if internal); Proactively monitored; Contained; Investigated; Remediated; Tracked with metrics, to measure response effectiveness; and Recorded in a register with the following information at a minimum: Date incident occurred; Date incident discovered; Description of the incident; Actions taken in response to the incident; and Name of person to whom the incident was reported. NULL Detect & Respond United States 1
CIS 18.1 Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond United States 1
CIS 9.2 Use DNS filtering services on all enterprise assets to block access to known malicious domains. The following perimeter controls are in place: External firewall; Host based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; DNS filtering and network URL based filters; Organization assets are configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization’s wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; Implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g., Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; and Periodic scans of organizational file storage and real-time scans of files from external sources. Network Platform Security United States 1
CIS 3.6 Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt. A documented and implemented security policy is in place that governs the management and connectivity of mobile devices, including: use of a Mobile Device Management solution applied to all mobile devices and encryption of any sensitive information transferred to mobile devices Devices Governance United States 1
NIST 800-53 AC-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] access control policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the access control policy and the associated access controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and c. Review and update the current access control: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Your organization's information security policy documents and implements the following minimum requirements: management's support for information security, compliance with laws and regulations, information security roles with corresponding responsibilities, access controls for sensitive information aligned with roles, retention period for security logs, regular policy reviews and updates in response to security incidents, logging of specific events, incident response policies with a roadmap for implementation if needed, personnel security, physical and environmental protections, system boundaries and connections to other systems, and policies for preserving system and information integrity including monitoring. NULL Governance United States 1
NIST 800-53 AT-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] awareness and training policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and c. Review and update the current awareness and training: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. The organization has a documented and implemented security training and awareness policy that outlines the following at a minimum: management direction and support for information security; requirement to comply with applicable laws and regulations; security training and awareness processes to be adopted; a requirement for communication to management to ensure they maintain an awareness of, and focus on, addressing privacy and security issues, and the policy is reviewed regularly and in response to security incidents. NULL Personnel United States 1
NIST 800-53 AT-4 a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and b. Retain individual training records for [Assignment: organization-defined time period]. The organization runs, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following: Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); The content to be delivered for each awareness session such as: Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; Actions to maintain security, privacy and online safety, including practical office/desktop practices; Actions to respond to suspected security, privacy and online safety incidents; Applicable policies and laws; Practical security, privacy and online safety awareness exercises; Data identification and storage, including the safe transfer of data, archival and destruction; Disciplinary actions for significant security and privacy breaches by staff; How to recognise and report indicators of potential insider threats to security by staff; Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; Covers authentication best practices including MFA, password composition and managing credentials; Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Personnel United States 1
NIST 800-53 AU-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] audit and accountability policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and c. Review and update the current audit and accountability: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Your organization's information security policy documents and implements the following minimum requirements: management's support for information security, compliance with laws and regulations, information security roles with corresponding responsibilities, access controls for sensitive information aligned with roles, retention period for security logs, regular policy reviews and updates in response to security incidents, logging of specific events, incident response policies with a roadmap for implementation if needed, personnel security, physical and environmental protections, system boundaries and connections to other systems, and policies for preserving system and information integrity including monitoring. NULL Governance United States 1
NIST 800-53 AU-2 a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency]. The organization has a documented and implemented logging procedure, covering the collection, review and retention of logs, which is reviewed annually and which requires all systems in the organization (e.g., servers, storage, network, applications, etc.) to log the following and synchronize logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - And uses or ascribes a unique identifier of the user who has performed the activity being logged. NULL Platform Security United States 1
NIST 800-53 AU-6 a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. The organization has a documented and implemented event log auditing procedure which outlines, at a minimum: Schedule of audits (annual or real-time for sensitive data); Definitions of security violations; Actions to be taken when violations are detected; and Reporting requirements. NULL Detect & Respond United States 1
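The AU-2 statement above requires every system to log authentication, privileged-operation, user-administration and system events, to attribute each event to a unique user identifier, and to keep logs on a consistent time source; the AU-6 statement requires a documented definition of security violations that is evaluated against those logs. The script below is an added example of how an assessor could check both statements over exported log lines. It is not part of the GESS page, the CIS Controls or the NIST text: the line format, the system names, the list of shared identifiers and the brute-force threshold are assumptions chosen for illustration, and the sample log is constructed.

```python
"""Log coverage (AU-2) and violation (AU-6) check over exported log lines.

Added example; not part of the GESS page, the CIS Controls or NIST 800-53.
The line format, system names, SHARED_IDS and the brute-force threshold are
assumptions made for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Event categories the AU-2 statement requires from every system.
REQUIRED_CATEGORIES = {"auth", "priv", "useradmin", "system"}

# Identifiers that do not name one person (assumed list); a privileged or
# user-admin event attributed to them fails the "unique identifier" requirement.
SHARED_IDS = {"root", "admin", "administrator", "-"}

# Assumed normalised line format:
# <ISO-8601 timestamp with UTC offset> <system> <category> user=<id> result=<success|fail> <text>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<system>\S+) (?P<category>auth|priv|useradmin|system) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)(?: (?P<msg>.*))?$"
)

# Constructed sample input. The +01:00 line shows time-source normalisation;
# the last line carries no UTC offset and is therefore rejected.
SAMPLE_LOG = """\
2024-03-04T08:00:01+00:00 web01 auth user=alice result=fail ssh password
2024-03-04T08:00:09+00:00 web01 auth user=alice result=fail ssh password
2024-03-04T08:00:15+00:00 web01 auth user=alice result=fail ssh password
2024-03-04T08:00:20+00:00 web01 auth user=alice result=success ssh password
2024-03-04T09:00:00+01:00 web01 priv user=root result=success edit /etc/sudoers
2024-03-04T09:05:00+00:00 web01 useradmin user=bob result=success add user carol
2024-03-04T09:06:00+00:00 web01 system user=- result=success service nginx restarted
2024-03-04T09:10:00+00:00 db01 auth user=dave result=success psql login
2024-03-04T09:11:00+00:00 db01 priv user=dave result=success ALTER ROLE app SUPERUSER
2024-03-04T09:12:00 db01 system user=- result=success checkpoint complete
"""


def parse_line(line):
    """Parse one line into a dict with a UTC timestamp, or return None when the
    line does not match the format or has no UTC offset (a naive timestamp
    cannot be shown to come from a synchronised time source)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    ts = datetime.fromisoformat(rec["ts"])
    if ts.tzinfo is None:
        return None
    rec["ts"] = ts.astimezone(timezone.utc)
    return rec


def parse_log(text):
    """Return (records sorted by time, number of rejected lines)."""
    records, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected += 1
        else:
            records.append(rec)
    records.sort(key=lambda r: r["ts"])
    return records, rejected


def coverage_report(text):
    """AU-2 check: per system, the required categories with no events at all,
    plus the count of lines that were rejected as unusable."""
    records, rejected = parse_log(text)
    seen = defaultdict(set)
    for r in records:
        seen[r["system"]].add(r["category"])
    gaps = {s: sorted(REQUIRED_CATEGORIES - cats) for s, cats in seen.items()}
    return gaps, rejected


def find_violations(text, failed_threshold=3, window_minutes=10):
    """AU-6 check with two assumed violation definitions:
    1. failed_threshold or more failed logins for one (system, user) within
       window_minutes, followed by a successful login;
    2. a privileged or user-administration event attributed to a shared id."""
    records, _ = parse_log(text)
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)  # (system, user) -> times of recent failures
    violations = []
    for r in records:
        key = (r["system"], r["user"])
        when = r["ts"].isoformat()
        if r["category"] == "auth":
            recent = [t for t in failures[key] if r["ts"] - t <= window]
            if r["result"] == "fail":
                failures[key] = recent + [r["ts"]]
            else:
                if len(recent) >= failed_threshold:
                    violations.append(("auth_bruteforce_success", r["system"], r["user"], when))
                failures[key] = []
        elif r["category"] in ("priv", "useradmin") and r["user"] in SHARED_IDS:
            violations.append(("priv_op_without_unique_user", r["system"], r["user"], when))
    return violations


if __name__ == "__main__":
    gaps, rejected = coverage_report(SAMPLE_LOG)
    print("coverage gaps:", gaps, "rejected lines:", rejected)
    for v in find_violations(SAMPLE_LOG):
        print("violation:", v)
```

On the constructed sample, db01 is reported as missing user-administration and system events (its only system event is rejected for lacking a UTC offset), the root edit of /etc/sudoers is flagged because "root" does not identify a person, and alice's three failures followed by a success within the window are flagged as a brute-force success. Rejected lines are reported separately rather than silently dropped, because a system whose lines cannot be parsed or time-aligned is itself a finding against the logging procedure.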
NIST 800-53 CA-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] assessment, authorization, and monitoring policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and c. Review and update the current assessment, authorization, and monitoring: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. The organization has a documented and implemented IT Change management process and supporting procedures which includes the following at a minimum: - Applicable criteria for entry to and exit from the change management process; - Categorization of IT change (e.g., Standard, Pre-Approved, Emergency, etc.); - Approval requirements for each category of IT change; - Assessment of potential security impacts; - Prerequisites for the IT change (e.g., the IT change has been tested in a non-production environment); - Documentation requirements in regard to the change (e.g., completion of a template in an IT change management tool, completion of a rollback plan, etc.); - Documentation that needs to be updated as a result of the change (e.g., as-built documentation, IT Disaster Recovery Plans, etc.); - IT change communication processes (e.g., notifications to users); and - Validations are required for all changes to systems before they are finalized. NULL Platform Security United States 1
NIST 800-53 CA-3 a. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]]; b. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and c. Review and update the agreements [Assignment: organization-defined frequency]. Written agreements are in place with any third party who may receive data from the service that enforce data privacy and security standards at least as strict as those committed in agreements with customers. NULL Supply Chain United States 1
NIST 800-53 CA-7 Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond United States 1
NIST 800-53 CA-9 a. Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system; b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; c. Terminate internal system connections after [Assignment: organization-defined conditions]; and d. Review [Assignment: organization-defined frequency] the continued need for each internal connection. A documented and implemented system hardening process is in place which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; Ensures only required ports, protocols, services and authorizations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; Results in security configurations being established and enforced for organization systems; Ensures only required and authorized software is installed and used; NULL Platform Security United States 1
NIST 800-53 CM-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] configuration management policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and c. Review and update the current configuration management: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. The organization has a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organization's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organization's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Asset & Risk Management United States 1
NIST 800-53 CM-2(1) [Withdrawn: Incorporated into CM-2.] A documented and implemented system hardening process is in place which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; Ensures only required ports, protocols, services and authorizations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; Results in security configurations being established and enforced for organization systems; Ensures only required and authorized software is installed and used; NULL Platform Security United States 1
NIST 800-53 CM-2(7) (a) Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and (b) Apply the following controls to the systems or components when the individuals return from travel: [Assignment: organization-defined controls]. A documented and implemented system hardening process is in place which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; Ensures only required ports, protocols, services and authorizations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; Results in security configurations being established and enforced for organization systems; Ensures only required and authorized software is installed and used; NULL Platform Security United States 1
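The hardening statement mapped to CA-9, CM-2(1) and CM-2(7) above requires that only required ports, protocols and services are enabled and that the baseline is re-checked when components are installed or upgraded. As an added illustration that is not part of GESS or NIST 800-53, the following Python script compares the listening sockets reported by `ss -Hltnp` against a documented per-host baseline and reports both unexpected listeners and baseline entries that no live socket satisfies (for example a database that should be loopback-only but is bound to all interfaces). The baseline, the `ss` output and the process names are constructed for the example.

```python
"""Listening-socket drift check against a hardening baseline.

Added example (not from GESS or NIST 800-53). Parses `ss -Hltnp` style
output and compares it with the host's documented baseline of allowed
listeners. The baseline and the sample output below are constructed.
"""
import re
from dataclasses import dataclass

# Hypothetical baseline: (bind address, port, process). "*" means any bind
# address is acceptable; a concrete address (e.g. 127.0.0.1) must match exactly,
# which is how a "loopback only" requirement is expressed.
BASELINE = {
    ("*", 22, "sshd"),
    ("*", 443, "nginx"),
    ("127.0.0.1", 5432, "postgres"),
}

# Constructed sample of `ss -Hltnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1203,fd=6))
LISTEN 0 244 0.0.0.0:5432 0.0.0.0:* users:(("postgres",pid=950,fd=5))
LISTEN 0 128 0.0.0.0:6379 0.0.0.0:* users:(("redis-server",pid=1410,fd=6))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
"""

# State, recv-q, send-q, local addr:port, peer addr:port, users:(("proc",...
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    proc: str


def parse_ss(text: str) -> list[Listener]:
    """Turn `ss -Hltnp` lines into Listener records; unparseable lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr = m.group("addr").strip("[]")  # "[::]" -> "::"
            listeners.append(Listener(addr, int(m.group("port")), m.group("proc")))
    return listeners


def _matches(entry: tuple, l: Listener) -> bool:
    """True if the baseline entry permits this listener."""
    addr, port, proc = entry
    return port == l.port and proc == l.proc and addr in ("*", l.addr)


def check_drift(listeners: list[Listener], baseline=BASELINE) -> dict:
    """Report listeners outside the baseline and baseline entries not satisfied."""
    unexpected, matched = [], set()
    for l in listeners:
        hit = next((b for b in baseline if _matches(b, l)), None)
        if hit is None:
            unexpected.append(l)
        else:
            matched.add(hit)
    return {"unexpected": unexpected, "missing": sorted(baseline - matched)}


if __name__ == "__main__":
    result = check_drift(parse_ss(SAMPLE_SS))
    for l in result["unexpected"]:
        print(f"UNEXPECTED {l.proc} listening on {l.addr}:{l.port}")
    for addr, port, proc in result["missing"]:
        print(f"BASELINE NOT SATISFIED {proc} expected on {addr}:{port}")
```

On the constructed sample the check flags redis-server on 6379 (not in the baseline at all) and postgres on 0.0.0.0:5432 (present, but bound more widely than the baseline allows), and lists the loopback-only postgres entry as unsatisfied. Running it on each host after a change, and diffing the result against the last accepted run, is the evidence an assessor would ask for under the "reviewed when significant changes occur" clause.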
NIST 800-53 CM-3(2) Test, validate, and document changes to the system before finalizing the implementation of the changes. The organization has a documented and implemented IT Change management process and supporting procedures which includes the following at a minimum: - Applicable criteria for entry to and exit from the change management process - Categorization of IT change (e.g., Standard, Pre-Approved, Emergency, etc.); - Approval requirements for each category of IT change; - Assessment of potential security impacts; - Prerequisites for the IT change (e.g., the IT change has been tested in a non-production environment); - Documentation requirements in regard to the change (e.g., completion of a template in an IT change management tool, completion of a rollback plan, etc.); - Documentation that needs to be updated as a result of the change (e.g., as-built documentation, IT Disaster Recovery Plans, etc.); - IT change communication processes (e.g., notifications to users); and - Validations are required for all changes to systems before they are finalized NULL Platform Security United States 1
NIST 800-53 IR-8 a. Develop an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; 8. Addresses the sharing of incident information; 9. Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and 10. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]; b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; d. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and e. Protect the incident response plan from unauthorized disclosure and modification. Your organization has a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: Identified, following a clear definition; Reported by staff (if internal); Proactively monitored; Contained; Investigated; Remediated; Tracked with metrics, to measure response effectiveness; and Recorded in a register with the following information at a minimum: Date incident occurred; Date incident discovered; Description of the incident; Actions taken in response to the incident; and Name of person to whom the incident was reported. NULL Detect & Respond United States 1
NIST 800-53 CM-9 Develop, document, and implement a configuration management plan for the system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the system and places the configuration items under configuration management; d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and e. Protects the configuration management plan from unauthorized disclosure and modification. The organization has a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organization's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organization's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Asset & Risk Management United States 1
NIST 800-53 IR-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] incident response policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and c. Review and update the current incident response: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Your organization's information security policy documents and implements the following minimum requirements: management's support for information security, compliance with laws and regulations, information security roles with corresponding responsibilities, access controls for sensitive information aligned with roles, retention period for security logs, regular policy reviews and updates in response to security incidents, logging of specific events, incident response policies with a roadmap for implementation if needed, personnel security, physical and environmental protections, system boundaries and connections to other systems, and policies for preserving system and information integrity including monitoring. NULL Governance United States 1
NIST 800-53 PL-2(3) [Withdrawn: Incorporated into PL-2.] The organization has a documented and implemented security planning policy that outlines the following at a minimum: - management direction and support for planning around security; - the requirement to comply with applicable laws and regulations; - policy that governs the development of security-related plans in the organization overall; - the requirement to coordinate those plans with other business units within the organization as appropriate; and - regular review of the policy, including in response to security incidents. NULL Governance United States 1
NIST 800-53 PL-8 a. Develop security and privacy architectures for the system that: 1. Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information; 2. Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals; 3. Describe how the architectures are integrated into and support the enterprise architecture; and 4. Describe any assumptions about, and dependencies on, external systems and services; b. Review and update the architectures [Assignment: organization-defined frequency] to reflect changes in the enterprise architecture; and c. Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. The service's application development has the following characteristics: - Environments are separated into at least development, testing and production environments; - Development and modification of software only takes place in development environments; - Unauthorized access to the authoritative software source is prevented; - Secure-by-design principles and secure programming practices are used as part of application development. (This includes: integrating the organization's security and privacy risk management into application development; assigning responsibility for security and privacy as defined roles to individuals during application development); - Privacy-by-design principles; - Threat modelling is used in support of application development; and - Alignment to a security and privacy architecture that has been drawn up for the system NULL Platform Security United States 1
NIST 800-53 PS-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] personnel security policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personnel security policy and procedures; and c. Review and update the current personnel security: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Your organization's information security policy documents and implements the following minimum requirements: management's support for information security, compliance with laws and regulations, information security roles with corresponding responsibilities, access controls for sensitive information aligned with roles, retention period for security logs, regular policy reviews and updates in response to security incidents, logging of specific events, incident response policies with a roadmap for implementation if needed, personnel security, physical and environmental protections, system boundaries and connections to other systems, and policies for preserving system and information integrity including monitoring. NULL Governance United States 1
NIST 800-53 PS-7 a. Establish personnel security requirements, including security roles and responsibilities for external providers; b. Require external providers to comply with personnel security policies and procedures established by the organization; c. Document personnel security requirements; d. Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [Assignment: organization-defined time period]; and e. Monitor provider compliance with personnel security requirements. The organization has an inventory of all third-party service providers; regularly assesses and manages the risks associated with these third-party providers; has contractual agreements in place to ensure third-party providers adhere to the organization's information security and privacy policies; ensures that the contractual agreements include notification of the transfer or termination of any personnel authorized to use the organization's systems; monitors third-party providers for compliance; has defined and documented roles and responsibilities with regard to third-party providers, including oversight of compliance; has a classification system for these third-party providers; and has a designated internal organization contact for each provider. NULL Supply Chain United States 1
NIST 800-53 PS-8 a. Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and b. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. Agreements are required to be signed by vendor staff, external contractors and associates who have access to user data or user content; the individuals are required to re-sign those agreements when they are updated; and those agreements provide for sanctions for failure to comply; and there is formal notification given when a sanctions process is initiated. NULL Personnel United States 1
NIST 800-53 RA-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] risk assessment policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and c. Review and update the current risk assessment: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Your organization has a documented and implemented security, privacy, and online safety risk management framework along with supporting processes. This framework includes: scope and categorization of information assets and systems, periodic or continuous risk assessments including those related to the supply chain, implemented controls recorded in a risk register with details such as identified risks, categories, risk ratings, owners, mitigation actions, accepted risks, and residual risk ratings post-mitigation. It also includes proactive monitoring and testing of assets and systems to maintain security posture, with regular reviews and updates in response to security incidents. NULL Asset & Risk Management United States 1
NIST 800-53 RA-5(1) [Withdrawn: Incorporated into RA-5.] The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond United States 1
NIST 800-53 RA-5(2) Update the system vulnerabilities to be scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported]. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond United States 1
NIST 800-53 SA-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and services acquisition policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and c. Review and update the current system and services acquisition: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. The organization has a documented and implemented IT Change management process and supporting procedures which includes the following at a minimum: - Applicable criteria for entry to and exit from the change management process; - Categorization of IT change (e.g., Standard, Pre-Approved, Emergency, etc.); - Approval requirements for each category of IT change; - Assessment of potential security impacts; - Prerequisites for the IT change (e.g., the IT change has been tested in a non-production environment); - Documentation requirements in regard to the change (e.g., completion of a template in an IT change management tool, completion of a rollback plan, etc.); - Documentation that needs to be updated as a result of the change (e.g., as-built documentation, IT Disaster Recovery Plans, etc.); - IT change communication processes (e.g., notifications to users); and - Validations are required for all changes to systems before they are finalized NULL Platform Security United States 1
NIST 800-53 SA-2 a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; b. Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and c. Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation. Security and privacy requirements are factored into the organization's planning and budget, and there is a discrete line item in the budget for security and privacy. NULL Governance United States 1
NIST 800-53 SA-3 a. Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle; c. Identify individuals having information security and privacy roles and responsibilities; and d. Integrate the organizational information security and privacy risk management process into system development life cycle activities. The service's application development has the following characteristics: - Environments are separated into at least development, testing and production environments; - Development and modification of software only takes place in development environments; - Unauthorized access to the authoritative software source is prevented; - Secure-by-design principles and secure programming practices are used as part of application development. (This includes: integrating the organization's security and privacy risk management into application development; assigning responsibility for security and privacy as defined roles to individuals during application development); - Privacy-by-design principles; - Threat modelling is used in support of application development; and - Alignment to a security and privacy architecture that has been drawn up for the system NULL Platform Security United States 1
NIST 800-53 SA-9 a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls]; b. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and c. Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [Assignment: organization-defined processes, methods, and techniques]. The organization has an inventory of all third-party service providers; regularly assesses and manages the risks associated with these third-party providers; has contractual agreements in place to ensure third-party providers adhere to the organization's information security and privacy policies; ensures that the contractual agreements include notification of the transfer or termination of any personnel authorized to use the organization's systems; monitors third-party providers for compliance; has defined and documented roles and responsibilities with regard to third-party providers, including oversight of compliance; has a classification system for these third-party providers; and has a designated internal organization contact for each provider. NULL Supply Chain United States 1
NIST 800-53 SA-9(2) Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services]. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond United States 1
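The vulnerability-management statement mapped to CA-7, RA-5(1), RA-5(2) and SA-9(2) above requires monthly production scans, impact analysis, mitigation "in a timely manner" and monitoring of mitigation status. As an added illustration that is not part of GESS or NIST 800-53, the following Python script evaluates constructed scanner findings against a hypothetical per-severity remediation SLA, reports which findings are overdue, treats a documented risk acceptance as valid only until its expiry date, and flags a scan cadence that has slipped past the monthly requirement. The SLA values, finding IDs, host names and dates are all invented for the example.

```python
"""Vulnerability remediation tracking against severity-based SLAs.

Added example (not from GESS or NIST 800-53). Classifies constructed scanner
findings against a hypothetical remediation policy so that "timely mitigation"
and "monitoring of mitigation status" become a checkable report.
"""
from datetime import date, timedelta

# Hypothetical policy: days allowed to remediate, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# GESS statement: production scans at least monthly.
SCAN_INTERVAL_DAYS = 30

# Constructed findings: placeholder IDs and hosts, no real CVEs.
# "accepted_until" records a time-boxed risk acceptance; it lapses on that date.
FINDINGS = [
    {"id": "F-1", "host": "web-1", "severity": "critical",
     "first_seen": date(2024, 3, 1), "fixed": date(2024, 3, 5)},
    {"id": "F-2", "host": "web-1", "severity": "high",
     "first_seen": date(2024, 2, 1), "fixed": None},
    {"id": "F-3", "host": "db-1", "severity": "medium",
     "first_seen": date(2024, 1, 10), "fixed": None,
     "accepted_until": date(2024, 6, 30)},
    {"id": "F-4", "host": "db-1", "severity": "low",
     "first_seen": date(2024, 3, 20), "fixed": None},
]


def due_date(finding: dict) -> date:
    """SLA deadline: first observation plus the allowance for its severity."""
    return finding["first_seen"] + timedelta(days=SLA_DAYS[finding["severity"]])


def classify(finding: dict, today: date) -> str:
    """One of: fixed_on_time, fixed_late, risk_accepted, open, overdue."""
    due = due_date(finding)
    if finding["fixed"] is not None:
        return "fixed_on_time" if finding["fixed"] <= due else "fixed_late"
    accepted_until = finding.get("accepted_until")
    if accepted_until is not None and today <= accepted_until:
        return "risk_accepted"          # acceptance still in force
    return "overdue" if today > due else "open"


def report(findings: list, today: date, last_scan: date) -> dict:
    """Status per finding, the overdue list, and whether scanning has lapsed."""
    status = {f["id"]: classify(f, today) for f in findings}
    overdue = sorted(fid for fid, s in status.items() if s == "overdue")
    scan_stale = (today - last_scan).days > SCAN_INTERVAL_DAYS
    return {"status": status, "overdue": overdue, "scan_stale": scan_stale}


if __name__ == "__main__":
    r = report(FINDINGS, today=date(2024, 4, 1), last_scan=date(2024, 3, 15))
    for fid, s in r["status"].items():
        print(f"{fid}: {s}")
    print("overdue:", r["overdue"], "scan stale:", r["scan_stale"])
```

With the constructed data and a review date of 2024-04-01, F-2 (high, first seen 2024-02-01) is past its 30-day SLA and is reported as overdue; F-3 is shielded by its risk acceptance until 2024-06-30 and becomes overdue the day after that expires. Keeping the acceptance time-boxed, rather than a permanent exception, is what makes the register satisfy "monitor the status of security vulnerability mitigation" rather than quietly hide it.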
NIST 800-53 SA-10 Require the developer of the system, system component, or system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation; disposal]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. The organization has a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organization's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organization's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Asset & Risk Management United States 1
NIST 800-53 SC-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and communications protection policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and c. Review and update the current system and communications protection: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Your organization has a documented and implemented security, privacy, and online safety risk management framework along with supporting processes. This framework includes: scope and categorization of information assets and systems, periodic or continuous risk assessments including those related to the supply chain, implemented controls recorded in a risk register with details such as identified risks, categories, risk ratings, owners, mitigation actions, accepted risks, and residual risk ratings post-mitigation. It also includes proactive monitoring and testing of assets and systems to maintain security posture, with regular reviews and updates in response to security incidents. NULL Asset & Risk Management United States 1
NIST 800-53 SC-7(3) Limit the number of external network connections to the system. The following perimeter controls are in place: External firewall; Host based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to the asset inventory on a regular basis; DNS filtering and network URL-based filters; Organization assets configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization's wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; An implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary servers and internal/external server separation; and Periodic scans of organizational file storage and real-time scans of files from external sources. NULL Platform Security United States 1
NIST 800-53 SC-7(4) (a) Implement a managed interface for each external telecommunication service; (b) Establish a traffic flow policy for each managed interface; (c) Protect the confidentiality and integrity of the information being transmitted across each interface; (d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; (e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; (f) Prevent unauthorized exchange of control plane traffic with external networks; (g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (h) Filter unauthorized control plane traffic from external networks. The following perimeter controls are in place: External firewall; Host based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to the asset inventory on a regular basis; DNS filtering and network URL-based filters; Organization assets configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization's wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; An implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary servers and internal/external server separation; and Periodic scans of organizational file storage and real-time scans of files from external sources. NULL Platform Security United States 1
NIST 800-53 SI-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and information integrity policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and c. Review and update the current system and information integrity: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Your organization's information security policy documents and implements the following minimum requirements: management's support for information security, compliance with laws and regulations, information security roles with corresponding responsibilities, access controls for sensitive information aligned with roles, retention period for security logs, regular policy reviews and updates in response to security incidents, logging of specific events, incident response policies with a roadmap for implementation if needed, personnel security, physical and environmental protections, system boundaries and connections to other systems, and policies for preserving system and information integrity including monitoring. NULL Governance United States 1
NIST 800-53 SI-4(5) Alert [Assignment: organization-defined personnel or roles] when the following system-generated indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond United States 1
NIST 800-53 SI-16 Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]. System memory is protected from unauthorized code execution. NULL Data Security United States 1
UKCE A2.7 Please provide a list of your networks that will be in the scope for this assessment. Any non-production environments storing or processing production data have the same security controls as the production environment. NULL Data Security United Kingdom
UKCE A2.8 Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers). You must include make and model of each device listed. The following perimeter controls are in place: External firewall; Host based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to the asset inventory on a regular basis; DNS filtering and network URL-based filters; Organization assets configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization's wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; An implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary servers and internal/external server separation; and Periodic scans of organizational file storage and real-time scans of files from external sources. NULL Platform Security United Kingdom
UKCE A2.9 Please list all of your cloud services that are in use by your organisation and provided by a third party. Please note cloud services cannot be excluded from the scope of CE. The service relies on another IT service to operate as intended (for example, using YouTube embeds or requiring Facebook logins); specifically, it utilizes third-party or outsourced components such as plugins, browser extensions, hosting services, video streaming platforms (e.g., YouTube, Vimeo), image hosting services, or publishing services. NULL Supply Chain United Kingdom
UKCE A3.2 If you have answered "yes" to the last question then your organisation is eligible for the included cyber insurance if you gain certification. If you do not want this insurance element please opt out here. Your organization has a current insurance policy of at least $1M that covers claims for data breach/loss. NULL Supply Chain United Kingdom
UKCE A3.4 What is the organisation email contact for the insurance documents? You only need to answer this question if you are taking the insurance. Your organization has a current insurance policy of at least $1M that covers claims for data breach/loss. NULL Supply Chain United Kingdom
UKCE A4.2 When you first receive an internet router or hardware firewall device, it may have had a default password on it. Have you changed all the default passwords on your boundary firewall devices? All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. NULL Access Control United Kingdom
UKCE A4.4 Do you change your firewall password when you know or suspect it has been compromised? All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. NULL Access Control United Kingdom
UKCE A4.5 Do you have any services enabled that can be accessed externally through your internet router, hardware firewall or software firewall? All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. NULL Access Control United Kingdom
UKCE A4.6 If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? A description of the process is required. Within the organization, all accounts are disabled after 45 days of inactivity, and user identifiers are blocked from reassignment to new users for a defined period of time. NULL Access Control United Kingdom
UKCE A4.7 Have you configured your boundary firewalls so that they block all other services from being advertised to the internet? The following perimeter controls are in place: External firewall; Host based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to the asset inventory on a regular basis; DNS filtering and network URL-based filters; Organization assets configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization's wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; An implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary servers and internal/external server separation; and Periodic scans of organizational file storage and real-time scans of files from external sources. NULL Platform Security United Kingdom
UKCE A4.8 Are your boundary firewalls configured to allow access to their configuration settings over the internet? All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. NULL Access Control United Kingdom
UKCE A4.9 If you answered yes in question A4.8, is there a documented business requirement for this access? All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. NULL Access Control United Kingdom
UKCE A4.10 If you answered yes in question A4.8, is the access to your firewall settings protected by either multi-factor authentication or by only allowing trusted IP addresses combined with managed authentication to access the settings? All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. NULL Access Control United Kingdom
UKCE A4.11 Do you have software firewalls enabled on all of your computers, laptops and servers? The following perimeter controls are in place: External firewall; Host based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to the asset inventory on a regular basis; DNS filtering and network URL-based filters; Organization assets configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization's wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; An implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary servers and internal/external server separation; and Periodic scans of organizational file storage and real-time scans of files from external sources. NULL Platform Security United Kingdom
UKCE A4.12 If you answered no to question A4.11, is this because software firewalls are not installed by default as part of the operating system you are using? Please list the operating systems. The following perimeter controls are in place: External firewall; Host based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to the asset inventory on a regular basis; DNS filtering and network URL-based filters; Organization assets configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization's wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; An implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary servers and internal/external server separation; and Periodic scans of organizational file storage and real-time scans of files from external sources. NULL Platform Security United Kingdom
UKCE A5.1 Where you are able to do so, have you removed or disabled all the software and services that you do not use on your laptops, desktop computers, thin clients, servers, tablets, mobile phones and cloud services? Describe how you achieve this. A documented and implemented security policy is in place that governs the management and use of externally owned systems and devices, such as personally owned computers, portable storage devices and removable media (including media used for system maintenance); and includes: physically controlling and securely storing all media (paper and digital) containing sensitive data; restricting access to media containing sensitive data to authorized staff; encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); logging any transport of media outside secure areas; marking media containing sensitive data with applicable distribution limitations; requiring all removable portable storage devices to have an identifiable owner; and disabling all autorun and auto-play functionality on removable media. NULL Governance United Kingdom
UKCE A5.3 Have you changed the default password for all user and administrator accounts on all your desktop computers, laptops, thin clients, servers, tablets and mobile phones that follow the Password-based authentication requirements of Cyber Essentials? A documented and implemented security policy is in place that governs the management and use of externally owned systems and devices, such as personally owned computers, portable storage devices and removable media (including media used for system maintenance); and includes: physically controlling and securely storing all media (paper and digital) containing sensitive data; restricting access to media containing sensitive data to authorized staff; encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); logging any transport of media outside secure areas; marking media containing sensitive data with applicable distribution limitations; requiring all removable portable storage devices to have an identifiable owner; and disabling all autorun and auto-play functionality on removable media. NULL Governance United Kingdom
UKCE A5.6 Describe the process in place for changing passwords on your external services when you believe they have been compromised. When a password reset is requested by the user or enforced by the service, are: the newly assigned passwords (e.g., temporary initial passwords) randomly generated; users required to provide verification of their identity (e.g., answering a set of challenge-response questions); new passwords provided via a secure communication channel or split into parts; and users required to change their assigned temporary password on first use. NULL Access Control United Kingdom
UKCE A5.9 When a device requires a user to be present, do you set a locking mechanism on your devices to access the software and services installed? All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. NULL Access Control United Kingdom
UKCE A5.10 Which method do you use to unlock the devices? All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. NULL Access Control United Kingdom
UKCE A6.4 Are all high-risk or critical security updates for operating systems and router and firewall firmware installed within 14 days of release? The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond United Kingdom
UKCE A6.5 Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Java, Adobe Reader and .Net.) installed within 14 days of release? The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond United Kingdom
UKCE A7.1 Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process. All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. NULL Access Control United Kingdom
UKCE A7.2 Are all user and administrative accounts accessed by entering a unique username and password? All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. NULL Access Control United Kingdom
UKCE A7.3 How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation? All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. NULL Access Control United Kingdom
UKCE A7.4 Do you ensure that staff only have the privileges that they need to do their current job? How do you do this? All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. NULL Access Control United Kingdom
UKCE A7.6 How does your organisation make sure that separate accounts are used to carry out administrative tasks (such as installing software or making configuration changes)? Within the organization there is an inventory of all user, administrator and service accounts, which includes details of the person's name (if applicable), username/identifier, start/stop dates, and department (if an employee), and this inventory of accounts is validated at least every 3 months. NULL Access Control United Kingdom
UKCE A7.7 How does your organisation prevent administrator accounts from being used to carry out everyday tasks like browsing the web or accessing email? All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. NULL Access Control United Kingdom
UKCE A7.8 Do you formally track which users have administrator accounts in your organisation? Within the organization there is an inventory of all user, administrator and service accounts, which includes details of the person's name (if applicable), username/identifier, start/stop dates, and department (if an employee), and this inventory of accounts is validated at least every 3 months. NULL Access Control United Kingdom
UKCE A7.9 Do you review who should have administrative access on a regular basis? Within the organization there is an inventory of all user, administrator and service accounts, which includes details of the person's name (if applicable), username/identifier, start/stop dates, and department (if an employee), and this inventory of accounts is validated at least every 3 months. NULL Access Control United Kingdom
UKCE A7.10 Describe how you protect accounts from brute-force password guessing in your organisation. All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. NULL Access Control United Kingdom
UKCE A7.11 Which technical controls are used to manage the quality of your passwords within your organisation? If using single-factor authentication, passwords require a minimum of 14 characters with complexity; if using multi-factor authentication, passwords require a minimum of eight characters with complexity, for vendor staff, external contractors or associates with access to your organization's systems and the service. NULL Access Control United Kingdom
UKCE A7.12 Please explain how you encourage people to use unique and strong passwords. All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. NULL Access Control United Kingdom
UKCE A7.13 Do you have a documented password policy that includes a process for when you believe that passwords or accounts have been compromised? If using single-factor authentication, passwords require a minimum of 14 characters with complexity; if using multi-factor authentication, passwords require a minimum of eight characters with complexity, for vendor staff, external contractors or associates with access to your organization's systems and the service. NULL Access Control United Kingdom
UKCE A7.14 Do all of your cloud services have multi-factor authentication (MFA) available as part of the service? All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. NULL Access Control United Kingdom
UKCE A7.16 Has MFA been applied to all administrators of your cloud services? If using single-factor authentication, passwords require a minimum of 14 characters with complexity; if using multi-factor authentication, passwords require a minimum of eight characters with complexity, for vendor staff, external contractors or associates with access to your organization's systems and the service. NULL Access Control United Kingdom
UKCE A7.17 Has MFA been applied to all users of your cloud services? If using single-factor authentication, passwords require a minimum of 14 characters with complexity; if using multi-factor authentication, passwords require a minimum of eight characters with complexity, for vendor staff, external contractors or associates with access to your organization's systems and the service. NULL Access Control United Kingdom
UKCE A8.1 Are all of your desktop computers, laptops, tablets and mobile phones protected from malware by either: A - Having anti-malware software installed and/or B - Limiting installation of applications by application allow listing (for example, using an app store and a list of approved applications, or using a Mobile Device Management (MDM) solution) or C - None of the above, please describe. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond United Kingdom
UKCE A8.2 If Option A has been selected: Where you have anti-malware software installed, is it set to update in line with the vendor's guidelines and prevent malware from running on detection? The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond United Kingdom
UKCE A8.3 If Option A has been selected: Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites? The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond United Kingdom
UKCE A8.4 If Option B has been selected: Where you use an app-store or application signing, are users restricted from installing unsigned applications? The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond United Kingdom
UKCE A8.5 If Option B has been selected: Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you maintain this list of approved applications? The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond United Kingdom
UKCE A2.4 Please list the quantities and operating systems for your laptops, desktops and virtual desktops within the scope of this assessment. Please note: you must include make and operating system versions for all devices. All user devices declared within the scope of the certification only require the make and operating system to be listed. We have removed the requirement for the applicant to list the model of the device. Devices that are connecting to cloud services must be included. A scope that does not include end user devices is not acceptable. The following physical access controls are in place at the locations where data is stored: No public access; Visitor access only for visitors with a need to know and with a close escort; Restricted access for authorized personnel with appropriate security clearance; Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); Single-factor authentication for access control using secure swipe card, biometrics, coded access, or other; Control and management of any physical access control devices, such as secure swipe cards. The security alarm system includes the following: Physical surveillance (e.g. video cameras); Logging of visitors and of any visitor activity, with reporting of any identified anomalies; Logging of any physical access to locations where data is stored; and Logging of any delivery and removal of physical system components. NULL Access Control United Kingdom
UKCE A3.1 What is your total gross revenue? Please provide the figure to the nearest £100K. You only need to answer this question if you are taking the insurance. Your organization has a current insurance policy of at least $1M with claims for data breach/loss. Supply Chain United Kingdom
UKCE A3.3 What is your total gross revenue? Please provide the figure to the nearest £100K. You only need to answer this question if you are taking the insurance. Your organization has a current insurance policy of at least $1M with claims for data breach/loss. Supply Chain United Kingdom
UKCE A4.1 Do you have firewalls at the boundaries between your organisation’s internal networks, laptops, desktops, servers and the internet? The following perimeter controls are in place: External firewall; Host-based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to the asset inventory on a regular basis; DNS filtering and network URL-based filters; Organization assets configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization’s wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; Implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; and Periodic scans of organizational file storage and real-time scans of files from external sources. NULL Platform Security United Kingdom
UKCE A4.2 When you first receive an internet router or hardware firewall device, it may have had a default password on it. Have you changed all the default passwords on your boundary firewall devices? The following physical access controls are in place at the locations where data is stored: No public access; Visitor access only for visitors with a need to know and with a close escort; Restricted access for authorized personnel with appropriate security clearance; Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); Single-factor authentication for access control using secure swipe card, biometrics, coded access, or other; Control and management of any physical access control devices, such as secure swipe cards. The security alarm system includes the following: Physical surveillance (e.g. video cameras); Logging of visitors and of any visitor activity, with reporting of any identified anomalies; Logging of any physical access to locations where data is stored; and Logging of any delivery and removal of physical system components. NULL Access Control United Kingdom
UKCE A4.3 Is your new firewall password configured to meet the ‘Password-based authentication’ requirements? Please select the option being used: A. Multi-factor authentication, with a minimum password length of 8 characters and no maximum length; B. Automatic blocking of common passwords, with a minimum password length of 8 characters and no maximum length; C. A password minimum length of 12 characters and no maximum length; D. None of the above, please describe. The following perimeter controls are in place: External firewall; Host-based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to the asset inventory on a regular basis; DNS filtering and network URL-based filters; Organization assets configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization’s wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; Implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; and Periodic scans of organizational file storage and real-time scans of files from external sources. NULL Platform Security United Kingdom
NZISM 3.2 The Chief Information Security Officer (CISO) sets the strategic direction for information security within their agency. The organization runs, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following: Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); The content to be delivered for each awareness session, such as: Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; Actions to maintain security, privacy and online safety, including practical office/desktop practices; Actions to respond to suspected security, privacy and online safety incidents; Applicable policies and laws; Practical security, privacy and online safety awareness exercises; Data identification and storage, including the safe transfer of data, archival and destruction; Disciplinary actions for significant security and privacy breaches by staff; How to recognise and report indicators of potential insider threats to security by staff; Recognizing social engineering attacks such as phishing, pre-texting and tailgating; Authentication best practices including MFA, password composition and managing credentials; Verification and reporting of out-of-date software patches and any failure in automated processes and tools; and The dangers of connecting to, and transmitting data over, insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Personnel New Zealand Y 3.6
NZISM 3.3 Information Technology Security Managers (ITSM) provide information security leadership and management within their agency. The organization runs, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following: Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); The content to be delivered for each awareness session, such as: Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; Actions to maintain security, privacy and online safety, including practical office/desktop practices; Actions to respond to suspected security, privacy and online safety incidents; Applicable policies and laws; Practical security, privacy and online safety awareness exercises; Data identification and storage, including the safe transfer of data, archival and destruction; Disciplinary actions for significant security and privacy breaches by staff; How to recognise and report indicators of potential insider threats to security by staff; Recognizing social engineering attacks such as phishing, pre-texting and tailgating; Authentication best practices including MFA, password composition and managing credentials; Verification and reporting of out-of-date software patches and any failure in automated processes and tools; and The dangers of connecting to, and transmitting data over, insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Personnel New Zealand Y 3.6
NZISM 3.4 All systems are allocated a system owner who has responsibility for the overall operation, including obtaining and maintaining any certification and accreditation, of the allocated system(s). The responsibility for and ownership and accountability of critical system assets has been assigned to individual/s in the organization. NULL Asset & Risk Management New Zealand 3.6
NZISM 4.1 Executives and Security Practitioners understand and enforce the use of the Certification and Accreditation (C&A) process and its role in information security governance and assurance. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond New Zealand Y 3.6
NZISM 4.3 The effectiveness of information security measures for systems is periodically reviewed and validated. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond New Zealand Y 3.6
NZISM 5.1 Information security documentation is produced for systems, to support and demonstrate good governance. Your organization's information security policy documents and implements the following minimum requirements: management's support for information security, compliance with laws and regulations, information security roles with corresponding responsibilities, access controls for sensitive information aligned with roles, retention period for security logs, regular policy reviews and updates in response to security incidents, logging of specific events, incident response policies with a roadmap for implementation if needed, personnel security, physical and environmental protections, system boundaries and connections to other systems, and policies for preserving system and information integrity including monitoring. NULL Governance New Zealand Y 3.6
NZISM 5.2 Information security policies (SecPol) set the strategic direction for information security. Your organization's information security policy documents and implements the following minimum requirements: management's support for information security, compliance with laws and regulations, information security roles with corresponding responsibilities, access controls for sensitive information aligned with roles, retention period for security logs, regular policy reviews and updates in response to security incidents, logging of specific events, incident response policies with a roadmap for implementation if needed, personnel security, physical and environmental protections, system boundaries and connections to other systems, and policies for preserving system and information integrity including monitoring. NULL Governance New Zealand Y 3.6
NZISM 5.6 Incident Response Plans (IRP) outline actions to take in response to an information security incident. Your organization has a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: Identified, following a clear definition; Reported by staff (if internal); Proactively monitored; Contained; Investigated; Remediated; Tracked with metrics, to measure response effectiveness; and Recorded in a register with the following information at a minimum: Date incident occurred; Date incident discovered; Description of the incident; Actions taken in response to the incident; and Name of person to whom the incident was reported. NULL Detect & Respond New Zealand Y 3.6
NZISM 6.1 Information security reviews maintain the security of agency systems and detect gaps and deficiencies. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond New Zealand Y 3.6
NZISM 6.2 Exploitable information system weaknesses can be identified by vulnerability analyses and inform assessments and controls selection. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond New Zealand Y 3.6
NZISM 6.3 To ensure information security is an integral part of the change management process, it should be incorporated into the agency's IT maintenance governance and management activities. The organization has a documented and implemented IT Change management process and supporting procedures which includes the following at a minimum: - Applicable criteria for entry to and exit from the change management process; - Categorization of IT change (e.g., Standard, Pre-Approved, Emergency, etc.); - Approval requirements for each category of IT change; - Assessment of potential security impacts; - Prerequisites for the IT change (e.g., the IT change has been tested in a non-production environment); - Documentation requirements in regard to the change (e.g., completion of a template in an IT change management tool, completion of a rollback plan, etc.); - Documentation that needs to be updated as a result of the change (e.g., as-built documentation, IT Disaster Recovery Plans, etc.); - IT change communication processes (e.g., notifications to users); and - Validations required for all changes to systems before they are finalized. NULL Platform Security New Zealand Y 3.6
NZISM 6.4 To ensure business continuity and disaster recovery processes are established to assist in meeting the agency's business requirements, minimise any disruption to the availability of information and systems, and assist recoverability. The organization has a documented and implemented Business Continuity Plan for the service, which is updated annually and when significant changes occur, covering: - Backup strategies (including automated backups at least weekly or more frequently as required, and backups that are stored disconnected); - Restoration strategies (e.g., disaster recovery), including prioritization; - Preservation strategies; and - The security of backed-up data. NULL Data Security New Zealand Y 3.6
NZISM 7.1 To ensure that appropriate tools, processes and procedures are implemented to detect information security incidents, in order to minimise the impact of such incidents and as part of the suite of good IT governance activities. The organization runs, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following: Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); The content to be delivered for each awareness session, such as: Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; Actions to maintain security, privacy and online safety, including practical office/desktop practices; Actions to respond to suspected security, privacy and online safety incidents; Applicable policies and laws; Practical security, privacy and online safety awareness exercises; Data identification and storage, including the safe transfer of data, archival and destruction; Disciplinary actions for significant security and privacy breaches by staff; How to recognise and report indicators of potential insider threats to security by staff; Recognizing social engineering attacks such as phishing, pre-texting and tailgating; Authentication best practices including MFA, password composition and managing credentials; Verification and reporting of out-of-date software patches and any failure in automated processes and tools; and The dangers of connecting to, and transmitting data over, insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Personnel New Zealand Y 3.6
NZISM 7.2 To ensure reporting information security incidents is incorporated as an essential part of incident management, whether the reporting is within an agency or reports are provided to another government agency. When a data breach occurs, affected customers, organizations, and the relevant authorities, are notified as soon as possible after a data breach is discovered and given all relevant details (including affected individuals and what information was disclosed). NULL Detect & Respond New Zealand Y 3.6
NZISM 8.1 Physical security measures are applied to facilities in order to protect systems and their infrastructure. The following physical access controls are in place at the locations where data is stored: No public access; Visitor access only for visitors with a need to know and with a close escort; Restricted access for authorized personnel with appropriate security clearance; Physical controls on the facility and its support infrastructure (e.g., locked wiring closets, wiretapping sensors); Single factor authentication for access control using secure swipe card, biometrics, coded access or other; Control and management of any physical access control devices, such as secure swipe cards. The security alarm system includes the following: Physical surveillance (e.g., video cameras); Logging of visitors and of any visitor activity, with reporting of any identified anomalies; Logging of any physical access to locations where data is stored; and Logging of any delivery and removal of physical system components. NULL Access Control New Zealand Y 3.6
NZISM 8.4 IT equipment is secured outside of normal working hours, is non-operational or when work areas are unoccupied. The organization has a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organization's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organization's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Asset & Risk Management New Zealand Y 3.6
NZISM 9.1 A security culture is fostered through induction training and ongoing security education tailored to roles, responsibilities, changing threat environment and sensitivity of information, systems and operations. The organization runs, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following: Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); The content to be delivered for each awareness session, such as: Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; Actions to maintain security, privacy and online safety, including practical office/desktop practices; Actions to respond to suspected security, privacy and online safety incidents; Applicable policies and laws; Practical security, privacy and online safety awareness exercises; Data identification and storage, including the safe transfer of data, archival and destruction; Disciplinary actions for significant security and privacy breaches by staff; How to recognise and report indicators of potential insider threats to security by staff; Recognizing social engineering attacks such as phishing, pre-texting and tailgating; Authentication best practices including MFA, password composition and managing credentials; Verification and reporting of out-of-date software patches and any failure in automated processes and tools; and The dangers of connecting to, and transmitting data over, insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Personnel New Zealand Y 3.6
NZISM 10.8 IP Address architecture, allocation and addressing schemes enable and support system security and data protection. If a multi-tenancy model is used to store and process customer data, partitioning controls are implemented to securely separate each customer's data from that of other customers. NULL Data Security New Zealand Y 3.6
NZISM 12.4 To ensure security patches are applied in a timely fashion to manage software and firmware corrections, vulnerabilities and performance risks. Your organization uses a centrally managed approach to patch, update or otherwise maintain applications, drivers, operating systems, firmware and hardware, which includes ensuring: - the integrity and authenticity of patches; - successful application of patches; - that patches remain in place; and - that the list of supported software for updates is reviewed regularly. NULL Platform Security New Zealand Y 3.6
NZISM 12.6 All IT equipment is sanitised and disposed of in an approved and secure manner. The organization has a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organization's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organization's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Asset & Risk Management New Zealand Y 3.6
NZISM 12.7 Technology supply chains are established and managed to ensure continuity of supply and protection of sensitive related information. This service relies on other IT services to operate as intended (for example, using YouTube embeds or requiring Facebook logins); specifically, it utilizes third-party or outsourced components such as plugins, browser extensions, hosting services, video streaming platforms (e.g., YouTube, Vimeo), image hosting services, or publishing services. NULL Supply Chain New Zealand Y 3.6
NZISM 13.1 To ensure systems are safely decommissioned and that software, system logic and data are properly transitioned to new systems or archived in accordance with agency, legal and statutory requirements. Deletion of data from the service is performed securely, commensurate with the data's sensitivity, and certified. NULL Data Security New Zealand Y 3.6
NZISM 13.4 Media and IT Equipment that is to be redeployed or is no longer required is sanitised. The organization has a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organization's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organization's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Asset & Risk Management New Zealand Y 3.6
NZISM 13.5 To ensure media and IT equipment that cannot be sanitised is safely destroyed before disposal in an environmentally responsible manner. The organization has a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organization's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organization's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Asset & Risk Management New Zealand Y 3.6
NZISM 13.6 Media and IT equipment is declassified and approved by the CISO, or delegate, for release before disposal into the public domain. The organization has a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organization's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organization's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Asset & Risk Management New Zealand Y 3.6
NZISM 14.1 Standard Operating Environments (SOE) are hardened in order to minimise attacks and compromise through known vulnerabilities and attack vectors. Production servers (e.g., authentication servers, Domain Name System (DNS), web servers, file servers and email servers), containers, serverless services and all endpoints are protected by HIPS (Host-based Intrusion Prevention System), software-based application firewalls, anti-virus and anti-malware, all of which are kept up to date with definitions and maintained. NULL Platform Security New Zealand Y 3.6
NZISM 14.2 Only approved applications are used on agency controlled systems. Within the organization all the following application controls are in place on all workstations and on all servers: - restricting the execution of drivers to an organization-approved set; - implemented using cryptographic hash rules, publisher certificate rules or path rules; - rulesets are validated on an annual or more frequent basis; - when implementing application control using publisher certificate rules, both publisher names and product names are used; - extended to tools and applications used in system and software maintenance. NULL Platform Security New Zealand Y 3.6
NZISM 14.4 Secure programming methods and testing are used for application development in order to minimise the number of coding errors and introduction of security vulnerabilities. Your organization enforces the following controls on database management system (DBMS) software: Follow vendor guidance for securing the database; DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; Least privileges; File-based access controls; Disable anonymous and default database administrator account; Unique username and password for each database administrator account; Use database administrator accounts for administrative tasks only; and Segregate test and production environment. NULL Data Security New Zealand Y 3.6
NZISM 14.5 Security mechanisms are incorporated into all Web applications by design and implementation. The organization conducts vulnerability scans for production systems at least monthly. The organization conducts application penetration tests at least annually. The organization has a process in place to analyze identified security vulnerabilities to determine their potential impact, mitigate the vulnerabilities in a timely manner, and monitor the status of security vulnerability mitigation. NULL Detect & Respond New Zealand Y 3.6
NZISM 16.1 Identification and authentication requirements are implemented in order to provide a secure means of access to information and systems. All users are identified by individual identifiers assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. NULL Access Control New Zealand Y 3.6
NZISM 16.2 Access to information on systems is controlled in accordance with agency policy and this manual. The service provides role-based access control (RBAC) and this process is documented for all systems including the service. NULL Access Control New Zealand Y 3.6
NZISM 16.3 Only trusted personnel are granted privileged access to systems. All vendor staff, external contractors or associates with access to systems, applications and information, including audit logs, are validated and approved by appropriate personnel. Personnel are periodically reviewed, at least annually, and revalidated or revoked; they are reviewed and revalidated or revoked due to changes in role, employment and/or inactivity, or appropriate security notices are provided when they access the system. NULL Access Control New Zealand Y 3.6
NZISM 16.4 To ensure Privileged Access Management (PAM) is incorporated into IT Governance and that privileged accounts are managed in accordance with the agency's PAM policy. The service provides role-based access control (RBAC) and this process is documented for all systems including the service. NULL Access Control New Zealand Y 3.6
NZISM 16.5 Remote access to systems is minimised, secure, controlled, authorised and authenticated. All vendor staff, external contractors or associates with access to systems, applications and information, including audit logs, are validated and approved by appropriate personnel. Personnel are periodically reviewed, at least annually, and revalidated or revoked; they are reviewed and revalidated or revoked due to changes in role, employment and/or inactivity, or appropriate security notices are provided when they access the system. NULL Access Control New Zealand Y 3.6
NZISM 16.6 Information security related events are logged and audited for accountability, incident management, forensic and system monitoring purposes. The organization has a documented and implemented logging procedure, covering the collection, review and retention of logs, which is reviewed annually and which requires all systems in the organization (e.g., servers, storage, network, applications, etc.) to log the following and synchronize logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff); - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources); - User administration logs (e.g., addition/removal of users, changes to accounts, password changes); - System logs (e.g., system shutdown/restarts, application crashes and error messages); - and uses or ascribes a unique identifier of the user who has performed the activity being logged. NULL Platform Security New Zealand Y 3.6
NZISM 16.7 To ensure authentication systems incorporate Multi-Factor Authentication mechanisms to secure Privileged Accounts and in accordance with the Agency's Privileged Access Management (PAM) policy. The service requires additional authorization protocols to execute privileged commands remotely, compared to on-site. NULL Access Control New Zealand Y 3.6
NZISM 17.1 Agencies use cryptographic products, algorithms and protocols that are approved by the GCSB and are implemented in accordance with this guidance. The service's web services, if any, are secured with valid digital certificates signed by a reputable certificate authority. NULL Access Control New Zealand Y 3.6
NZISM 17.2 Information is protected by a properly implemented, Approved Cryptographic Algorithm. Data is protected in transit, including between the user, web applications and other system components, at minimum with the following encryption algorithms: Encryption: AES 192 GCM/CCM, ChaCha20-Poly1305 or above only (AES 256 GCM/CCM recommended); Hashing: SHA-256 or above only (SHA-384 recommended); Digital Signatures: DSA (2048+) FIPS 186-4, ECDSA (224+) using NIST P-384 curve or RSA (2048+); Key Exchange: DH (3072+), ECDH (256+) using NIST P-384 curve and/or RSA (3072+); Protocol: TLS 1.2 or above only (TLS 1.3 recommended). NULL Data Security New Zealand Y 3.6
NZISM 17.3 Classified information in transit is protected by an Approved Cryptographic Protocol implementing an Approved Cryptographic Algorithm. Data is protected in transit, including between the user, web applications and other system components, at minimum with the following encryption algorithms: Encryption: AES 192 GCM/CCM, ChaCha20-Poly1305 or above only (AES 256 GCM/CCM recommended); Hashing: SHA-256 or above only (SHA-384 recommended); Digital Signatures: DSA (2048+) FIPS 186-4, ECDSA (224+) using NIST P-384 curve or RSA (2048+); Key Exchange: DH (3072+), ECDH (256+) using NIST P-384 curve and/or RSA (3072+); Protocol: TLS 1.2 or above only (TLS 1.3 recommended). NULL Data Security New Zealand Y 3.6
NZISM 17.9 Cryptographic keying material is protected by key management procedures. The organization has a standardized, documented key management process which describes the full lifecycle of each key used in the operation of the production environment. NULL Access Control New Zealand Y 3.6
NZISM 18.4 An intrusion detection and prevention strategy is implemented for systems in order to respond promptly to incidents and preserve availability, confidentiality and integrity of systems. Production servers (e.g., authentication servers, Domain Name System (DNS), web servers, file servers and email servers), containers, serverless services and all endpoints are protected by HIPS (Host-based Intrusion Prevention System), software-based application firewalls, anti-virus and anti-malware, all of which are kept up to date with definitions and maintained. NULL Platform Security New Zealand Y 3.6
NZISM 19.1 To ensure that gateways are properly configured to protect agency systems and information transferred between systems from different security domains. Internet facing components (e.g., web servers) are separated from other online components (e.g., databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments; DMZ for internet-facing components and separate trusted zones for other components; Virtual (e.g., VLAN) or physical network segregation. NULL Platform Security New Zealand Y 3.6
NZISM 19.3 Agencies operating bi-directional gateways implement firewalls and traffic flow filters to provide a protective layer to their networks in both discrete and virtual environments. The following perimeter controls are in place: External firewall; Host based firewalls or port filtering on end-user devices with default-deny rules; IDS/IPS (Intrusion Detection System/Intrusion Prevention System); DMZ (Demilitarized Zone) for hosting external sites; Content filtering (including blocking of unnecessary file types); DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; Web Application Firewall (WAF); Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); Packet inspection; Network segmentation; VPN required for remote access; Detection and monitoring of unauthorized devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; DNS filtering and network URL based filters; Organization assets are configured to use trusted DNS servers; Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorization (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); Authorization and encryption on the organization's wireless network; Restrictions on the use of portable storage devices to transfer information from organization systems to external systems; Blocking of split tunnelling; Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; Implemented traffic flow policy on each external telecommunications service used; Prevention of unauthorized use of control plane traffic (e.g., Border Gateway Protocol routing, Domain Name System); Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; and Periodic scan of organizational file storage and real-time scans of files from external sources. NULL Platform Security New Zealand 3.6
NZISM 20.1 Data transfers between systems are controlled and accountable. Your organization enforces the following controls on database management system (DBMS) software: follow vendor guidance for securing the database; DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed; least privilege; file-based access controls; anonymous and default database administrator accounts are disabled; a unique username and password for each database administrator account; database administrator accounts are used for administrative tasks only; and test and production environments are segregated. NULL Data Security New Zealand Y 3.6
NZISM 20.3 The flow of data within gateways is examined and controls applied in accordance with the agency's security policy, to prevent unauthorised or malicious content crossing security domain boundaries. Use of macros (e.g., Microsoft Office macros) and scripts (VB, Java, PowerShell) is controlled as follows: - internal use is blocked except for users that have a demonstrated business requirement; - macros and scripts in files originating from the internet are blocked; - macros and scripts are subject to antivirus scanning; and - macro and script security settings can't be changed by users. NULL Platform Security New Zealand 3.6
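The macro controls in NZISM 20.3 map directly onto two Office policy settings: blocking macros in files that carry the Mark-of-the-Web (downloaded from the internet) and setting the VBA warning level. Writing them under the HKCU\Software\Policies hive, rather than the per-user Office settings, is what makes the Trust Center options read-only for the user. The script below is an added example, not part of the GESS or NZISM material; it assumes Office 2016 or later (policy hive version 16.0) and that it is delivered through a Group Policy or Intune logon script, since a value written locally under HKCU can be reverted by any user with rights to their own hive.

```powershell
# Added example (not from GESS or NZISM). Enforces NZISM 20.3 macro controls for
# Word, Excel and PowerPoint via the Office policy registry hive (Office 2016+).
# Assumes delivery by GPO/Intune so the keys are re-applied and not user-editable.
$OfficeApps = 'Word', 'Excel', 'PowerPoint'
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

foreach ($app in $OfficeApps) {
    $key = Join-Path $PolicyRoot "$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # "Block macros from running in Office files from the Internet" (MotW-tagged files).
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord

    # VBAWarnings: 4 = disable all macros without notification (default posture);
    # 3 = disable all except digitally signed, for users with a demonstrated
    # business requirement (scope that exception to a separate policy target).
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
}

# Verification pass: flag any application where the policy is absent or weaker
# than required, so an audit can evidence the control rather than assume it.
foreach ($app in $OfficeApps) {
    $key = Join-Path $PolicyRoot "$app\Security"
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $compliant = ($p.blockcontentexecutionfrominternet -eq 1) -and ($p.VBAWarnings -in 3, 4)
    '{0,-10} blockFromInternet={1} VBAWarnings={2} compliant={3}' -f `
        $app, $p.blockcontentexecutionfrominternet, $p.VBAWarnings, $compliant
}
```

The verification loop is the part worth keeping in a scheduled compliance check: the control is only satisfied while the policy values are present, and a missing key silently falls back to Office's less restrictive defaults. Antivirus scanning of macro-bearing files, the remaining item in 20.3, is handled by the endpoint protection product rather than these keys.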
NZISM 21.1 Information on agency-owned mobile devices is protected from unauthorised disclosure. A documented and implemented security policy is in place that governs the management and connectivity of mobile devices, including use of a Mobile Device Management solution applied to all mobile devices and encryption of any sensitive information transferred to mobile devices. NULL Governance New Zealand 3.6
NZISM 21.4 Where an Agency permits personnel to supply their own mobile devices (such as smartphones, tablets and laptops), Official Information and agency information systems are protected to a level equivalent to an agency provided and managed office environment. The service offers multi-factor authentication for end users. NULL Access Control New Zealand Y 3.6
NZISM 22.1 Cloud systems risks are identified and managed, and Official Information and agency information systems are protected in accordance with Cabinet Directives, the PSR, the New Zealand Government Security Classification System, the NZISM and other government security requirements and guidance. Customers are notified in advance of any relocation or expansion (i.e., change of country) of: - the cloud infrastructure, including system components, user data and related data; and - any person (vendor or cloud infrastructure staff, external contractors or associates) with access to unencrypted customer data or any person with a means of accessing or extracting unencrypted data (e.g., those with access to encryption keys and encrypted customer data). NULL Supply Chain New Zealand Y 3.6
NZISM 22.2 To identify virtualisation specific risks and apply mitigations to minimise risk and secure the virtual environment. If a multi-tenancy model is used to store and process customer data, partitioning controls are implemented to securely separate each customer's data from that of other customers. NULL Data Security New Zealand Y 3.6
NIST 800-53 PE-1 Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. Your organization's information security policy documents and implements the following minimum requirements: management's support for information security, compliance with laws and regulations, information security roles with corresponding responsibilities, access controls for sensitive information aligned with roles, retention period for security logs, regular policy reviews and updates in response to security incidents, logging of specific events, incident response policies with a roadmap for implementation if needed, personnel security, physical and environmental protections, system boundaries and connections to other systems, and policies for preserving system and information integrity including monitoring. Governance United States 1
NIST 800-53 MA-1 Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. The organization has a documented and implemented security planning policy that outlines the following at a minimum: - management direction and support for planning around security; - requirement to comply with applicable laws and regulations; - policy that governs the development of security-related plans in the organization overall; - requires coordination around the plans with other business units within the organization as appropriate; and - the policy is reviewed regularly and in response to security incidents. Governance United States 1
NIST 800-53 PL-1 Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. The organization has a documented and implemented security planning policy that outlines the following at a minimum: - management direction and support for planning around security; - requirement to comply with applicable laws and regulations; - policy that governs the development of security-related plans in the organization overall; - requires coordination around the plans with other business units within the organization as appropriate; and - the policy is reviewed regularly and in response to security incidents. Governance United States 1
NIST 800-53 IA-1 Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. The organization has a documented and implemented identification and authentication policy that outlines the following at a minimum: - management direction and support for identification and authentication; - requirement to comply with applicable laws and regulations; - policy on user identifiers; - policy on passwords and password updates; - policy on one-factor and multi-factor authentication security and usage; and - the policy is reviewed regularly and in response to security incidents. Access Control United States 1
This page includes material that is © Copyright Education Services Australia Limited 2023. All rights reserved. This material must not be reproduced without permission.