Compliance Manager frameworks

This document provides reference content for the built-in cloud frameworks that are included in Compliance Manager.

Google Recommended AI Essentials - Vertex AI

Supported cloud provider: Google Cloud

This framework outlines Google recommended security best practices for Vertex AI workloads, providing a prescriptive collection of essential preventative and detective policies. Upon activation of AI Protection within the Security Command Center, a detailed security compliance assessment against this framework will be automatically displayed on the AI Security dashboard.

This framework includes the following cloud controls:

CIS GKE 1.7

Supported cloud provider: Google Cloud

The CIS GKE Benchmark is a set of security recommendations and best practices specifically tailored for Google Kubernetes Engine (GKE) clusters. The benchmark aims to enhance the security posture of GKE environments.

This framework includes the following cloud controls:

CIS Critical Security Controls v8

Supported cloud provider: Google Cloud

A prioritized set of safeguards to protect against prevalent cyber threats. It offers a practical approach to cyber defense, tiered into Implementation Groups (IG1, IG2, IG3) to suit organizations of varying maturity.

This framework includes the cloud control groups and cloud controls in the following sections.

cis-controls-1-1

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.

cis-controls-10-2

Configure automatic updates for anti-malware signature files on all enterprise assets.

cis-controls-10-3

Disable autorun and autoplay auto-execute functionality for removable media.

cis-controls-10-6

Centrally manage anti-malware software.

cis-controls-11-1

Establish and maintain a documented data recovery process that includes detailed backup procedures. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

cis-controls-11-2

Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.

cis-controls-11-3

Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.

cis-controls-11-4

Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services.

cis-controls-11-5

Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.

cis-controls-12-2

Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components.

cis-controls-12-3

Securely manage network infrastructure. Example implementations include version-controlled Infrastructure-as-Code (IaC), and the use of secure network protocols, such as SSH and HTTPS.

cis-controls-12-5

Centralize network AAA.

cis-controls-12-6

Adopt secure network management protocols (e.g., 802.1X) and secure communication protocols (e.g., Wi-Fi Protected Access 2 (WPA2) Enterprise or more secure alternatives).

cis-controls-12-7

Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices.

cis-controls-13-1

Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard.

cis-controls-13-2

Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.

cis-controls-13-3

Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

cis-controls-13-4

Perform traffic filtering between network segments, where appropriate.

cis-controls-13-5

Manage access control for assets remotely connecting to enterprise resources. Determine the amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise’s secure configuration process, and ensuring the operating system and applications are up-to-date.

cis-controls-13-6

Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.

cis-controls-13-7

Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

cis-controls-13-8

Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.

cis-controls-13-9

Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication.

cis-controls-14-1

Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.

cis-controls-14-3

Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management.

cis-controls-14-5

Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.

cis-controls-16-1

Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

cis-controls-16-11

Leverage vetted modules or services for application security components, such as identity management, encryption, auditing, and logging. Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs.

cis-controls-16-12

Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed.

cis-controls-16-13

Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.

cis-controls-16-2

Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders.

cis-controls-16-3

Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise.

cis-controls-16-7

Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening.

cis-controls-17-2

Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, service providers, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date.

cis-controls-17-4

Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

cis-controls-17-9

Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

cis-controls-18-1

Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.

cis-controls-18-2

Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.

cis-controls-18-5

Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box.

cis-controls-2-7

Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1 and .py files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.

cis-controls-3-1

Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

cis-controls-3-11

Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.

cis-controls-3-14

Log sensitive data access, including modification and disposal.

cis-controls-3-2

Establish and maintain a data inventory based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.

cis-controls-3-3

Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.

cis-controls-3-4

Retain data according to the enterprise’s documented data management process. Data retention must include both minimum and maximum timelines.

cis-controls-3-5

Securely dispose of data as outlined in the enterprise’s documented data management process. Ensure the disposal process and method are commensurate with the data sensitivity.

cis-controls-3-6

Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.

cis-controls-3-7

Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.

cis-controls-3-8

Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

cis-controls-3-9

Encrypt data on removable media.

cis-controls-4-1

Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

cis-controls-4-2

Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

cis-controls-4-3

Configure automatic session locking on enterprise assets after a defined period of inactivity. For general-purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.

cis-controls-4-4

Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.

cis-controls-4-5

Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

cis-controls-4-6

Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.

cis-controls-4-7

Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.

cis-controls-4-8

Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.

cis-controls-5-1

Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator, and service accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

cis-controls-5-2

Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.

cis-controls-5-4

Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

cis-controls-5-5

Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

cis-controls-5-6

Centralize account management through a directory or identity service.

cis-controls-6-1

Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user.

cis-controls-6-2

Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.

cis-controls-6-3

Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.

cis-controls-6-5

Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.

cis-controls-6-6

Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.

cis-controls-6-7

Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.

cis-controls-6-8

Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.

cis-controls-7-2

Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.

cis-controls-7-7

Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.

cis-controls-8-1

Establish and maintain a documented audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

cis-controls-8-11

Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.

cis-controls-8-2

Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.

cis-controls-8-3

Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.

cis-controls-8-4

Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.

cis-controls-8-5

Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.

cis-controls-8-6

Collect DNS query audit logs on enterprise assets, where appropriate and supported.

cis-controls-8-7

Collect URL request audit logs on enterprise assets, where appropriate and supported.

cis-controls-8-8

Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.

cis-controls-8-9

Centralize, to the extent possible, audit log collection and retention across enterprise assets in accordance with the documented audit log management process. Example implementations primarily include leveraging a SIEM tool to centralize multiple log sources.

cis-controls-9-1

Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.

cis-controls-9-2

Use DNS filtering services on all end-user devices, including remote and on-premises assets, to block access to known malicious domains.

cis-controls-9-3

Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.

cis-controls-9-4

Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications.

CSA Cloud Controls Matrix v4.0.11

Supported cloud provider: Google Cloud

A cybersecurity control framework designed specifically for the cloud computing environment. It provides a comprehensive set of controls across key domains to help you assess the security posture of your cloud services.

This framework includes the cloud control groups and cloud controls in the following sections.

ccm-aa-01

Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards. Review and update the policies and procedures at least annually.

ccm-aa-02

Conduct independent audit and assurance assessments according to relevant standards at least annually.

ccm-ais-01

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance to the appropriate planning, delivery and support of the organization's application security capabilities. Review and update the policies and procedures at least annually.

ccm-ais-02

Establish, document and maintain baseline requirements for securing different applications.

ccm-ais-03

Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations.

ccm-ais-04

Define and implement a SDLC process for application design, development, deployment, and operation in accordance with security requirements defined by the organization.

ccm-ais-05

Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. Automate when applicable and possible.

ccm-bcr-03

Establish strategies to reduce the impact of, withstand, and recover from business disruptions within risk appetite.

ccm-bcr-07

Establish communication with stakeholders and participants in the course of business continuity and resilience procedures.

ccm-bcr-08

Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency.

ccm-bcr-09

Establish, document, approve, communicate, apply, evaluate and maintain a disaster response plan to recover from natural and man-made disasters. Update the plan at least annually or upon significant changes.

ccm-bcr-10

Exercise the disaster response plan annually or upon significant changes, including, if possible, local emergency authorities.

ccm-bcr-11

Supplement business-critical equipment with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards.

ccm-ccc-01

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for managing the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc. The policies and procedures must be managed, regardless of whether the assets are managed internally or externally. Review and update the policies and procedures at least annually.

ccm-ccc-02

Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards.

ccm-ccc-07

Implement detection measures with proactive notification in case of changes deviating from the established baseline.

ccm-cek-01

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management. Review and update the policies and procedures at least annually.

ccm-cek-02

Define and implement cryptographic, encryption and key management roles and responsibilities.

ccm-cek-03

Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.

ccm-cek-04

Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology.

ccm-cek-05

Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes.

ccm-cek-08

CSPs must provide the capability for CSCs to manage their own data encryption keys.

ccm-cek-10

Generate cryptographic keys using industry-accepted cryptographic libraries, specifying the algorithm strength and the random number generator used.

ccm-cek-11

Manage cryptographic secret and private keys that are provisioned for a unique purpose.

ccm-cek-18

Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository requiring least privilege access, which include provisions for legal and regulatory requirements.

ccm-cek-21

Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements.

ccm-dcs-07

Implement physical security perimeters to safeguard personnel, data, and information systems. Establish physical security perimeters between the administrative and business areas and the data storage and processing facilities areas.

ccm-dcs-09

Allow only authorized personnel access to secure areas, with all ingress and egress points restricted, documented, and monitored by physical access control mechanisms. Retain access control records on a periodic basis as deemed appropriate by the organization.

ccm-dsp-01

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and procedures at least annually.

ccm-dsp-02

Apply industry accepted methods for the secure disposal of data from storage media such that data is not recoverable by any forensic means.

ccm-dsp-07

Develop systems, products, and business practices based upon a principle of security by design and industry best practices.

ccm-dsp-08

Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and regulations.

ccm-dsp-10

Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations.

ccm-dsp-16

Data retention, archiving and deletion are managed in accordance with business requirements and applicable laws and regulations.

ccm-dsp-17

Define and implement processes, procedures and technical measures to protect sensitive data throughout its lifecycle.

ccm-grc-01

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for an information governance program, which is sponsored by the leadership of the organization. Review and update the policies and procedures at least annually.

ccm-grc-03

Review all relevant organizational policies and associated procedures at least annually or when a substantial change occurs within the organization.

ccm-grc-07

Identify and document all relevant standards, regulations, legal, contractual, and statutory requirements, which are applicable to your organization.

ccm-iam-01

Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management. Review and update the policies and procedures at least annually.

ccm-iam-03

Manage, store, and review the information of system identities, and level of access.

ccm-iam-04

Employ the separation of duties principle when implementing information system access.

ccm-iam-05

Employ the least privilege principle when implementing information system access.

ccm-iam-07

De-provision or respectively modify access of movers, leavers, or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies.

ccm-iam-09

Define, implement and evaluate processes, procedures and technical measures for the segregation of privileged access roles such that administrative access to data, encryption and key management capabilities and logging capabilities are distinct and separated.

ccm-iam-10

Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access.

ccm-iam-11

Define, implement and evaluate processes and procedures for customers to participate, where applicable, in the granting of access for agreed, high risk privileged access roles as defined by the organizational risk assessment.

ccm-iam-12

Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures.

ccm-iam-13

Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs.

ccm-iam-14

Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities.

ccm-iam-16

Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized.

ccm-ivs-01

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for infrastructure and virtualization security. Review and update the policies and procedures at least annually.

ccm-ivs-03

Monitor, encrypt and restrict communications between environments to only authenticated and authorized connections, as justified by the business. Review these configurations at least annually, and support them by a documented justification of all allowed services, protocols, ports, and compensating controls.

ccm-ivs-04

Harden host and guest OS, hypervisor or infrastructure control plane according to their respective best practices, and supported by technical controls, as part of a security baseline.

ccm-ivs-06

Design, develop, deploy and configure applications and infrastructures such that CSP and CSC (tenant) user access and intra-tenant access is appropriately segmented and segregated, monitored and restricted from other tenants.

ccm-ivs-07

Use secure and encrypted communication channels when migrating servers, services, applications, or data to cloud environments. Such channels must include only up-to-date and approved protocols.

ccm-ivs-09

Define, implement and evaluate processes, procedures and defense-in-depth techniques for protection, detection, and timely response to network-based attacks.

ccm-log-01

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for logging and monitoring. Review and update the policies and procedures at least annually.

ccm-log-02

Define, implement and evaluate processes, procedures and technical measures to ensure the security and retention of audit logs.

ccm-log-03

Identify and monitor security-related events within applications and the underlying infrastructure. Define and implement a system to generate alerts to responsible stakeholders based on such events and corresponding metrics.

ccm-log-04

Restrict audit logs access to authorized personnel and maintain records that provide unique access accountability.

ccm-log-05

Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies.

ccm-log-07

Establish, document and implement which information metadata and data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment.

ccm-log-08

Generate audit records containing relevant security information.

ccm-log-12

Monitor and log physical access using an auditable access control system.

ccm-sef-01

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Security Incident Management, E-Discovery, and Cloud Forensics. Review and update the policies and procedures at least annually.

ccm-sef-02

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the timely management of security incidents. Review and update the policies and procedures at least annually.

ccm-sef-08

Maintain points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities.

ccm-sta-04

Delineate the shared ownership and applicability of all CSA CCM controls according to the SSRM for the cloud service offering.

ccm-sta-08

CSPs periodically review risk factors associated with all organizations within their supply chain.

ccm-sta-09

Service agreements between CSPs and CSCs (tenants) must incorporate at least the mutually-agreed upon provisions and terms that include Scope, characteristics and location of business relationship and services offered, Information security requirements (including SSRM), Change management process, Logging and monitoring capability, Incident management and communication procedures, Right to audit and third party assessment, Service termination, Interoperability and portability requirements, and Data privacy.

ccm-tvm-01

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to identify, report and prioritize the remediation of vulnerabilities, in order to protect systems against vulnerability exploitation. Review and update the policies and procedures at least annually.

ccm-tvm-02

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect against malware on managed assets. Review and update the policies and procedures at least annually.

ccm-tvm-03

Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk.

ccm-tvm-06

Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties.

ccm-uem-04

Maintain an inventory of all endpoints used to store and access company data.

ccm-uem-07

Manage changes to endpoint operating systems, patch levels, and applications through the company's change management processes.

ccm-uem-10

Configure managed endpoints with properly configured software firewalls.

ccm-uem-11

Configure managed endpoints with Data Loss Prevention (DLP) technologies and rules in accordance with a risk assessment.

Data Security and Privacy Essentials

Supported cloud provider: Google Cloud

Google recommended cloud controls for Data Security and Privacy

This framework includes the following cloud controls:

Data Security Framework Template

Supported cloud provider: Google Cloud

Google built-in framework to deploy advanced DSPM Cloud Controls.

This framework includes the following cloud controls:

FedRAMP Low 20x

Supported cloud provider: Google Cloud

A Government-wide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies. FedRAMP Low impact is most appropriate for CSOs where the loss of confidentiality, integrity and availability would result in limited adverse effect on an agency's operations, assets or individuals.

This framework includes the cloud control groups and cloud controls in the following sections.

ksi-cmt-1

Log and monitor system modifications. Ensure that all system changes are documented and configuration baselines are updated.

ksi-cna-1

Configure all information resources to limit inbound and outbound traffic.

ksi-cna-2

Design systems to help reduce the attack surface and minimize lateral movement if compromised.

ksi-cna-4

Use immutable infrastructure with strictly defined functionality and privileges.

ksi-cna-6

Design information systems with high availability and rapid recovery capabilities to help prevent data loss.

ksi-cna-7

Implement cloud-first information resources that are based on the host provider's best practices and documented guidance.

ksi-iam-3

Enforce secure authentication methods for all non-user accounts and services within Google Cloud to help protect data and resources from unauthorized access.

ksi-iam-4

Implement a security authorization model that is least-privileged, role and attribute-based, and just-in-time. Use this model for all user and non-user accounts and services to help reduce the risk of unauthorized access or misuse.

ksi-mla-2

Regularly review the audit logs of your applications and services.

ksi-mla-3

Detect vulnerabilities and promptly remediate or mitigate them to help reduce the risk impact on applications and services.

ksi-piy-1

Maintain an updated information resource inventory or code that defines all deployed assets, software, and services.

ksi-piy-4

Build security considerations into the Software Development Lifecycle (SDLC) and align with Cybersecurity and Infrastructure Security Agency's (CISA's) Secure By Design principles.

ksi-svc-1

Regularly review and strengthen the network and system configurations to help ensure a secure baseline.

ksi-svc-2

Encrypt all core content data that is exchanged between machines that connect to Google Cloud, or alternatively, secure all network traffic to help protect data.

ksi-svc-6

Use automated key management systems to help protect, manage, and regularly rotate digital keys and certificates.

ksi-svc-7

Implement a consistent, risk-informed approach for applying security patches to your applications and services.

ISO 27001:2022

Supported cloud provider: Google Cloud

The international standard for an Information Security Management System (ISMS). It provides a systematic, risk-based approach to managing sensitive information by specifying requirements for establishing and improving security controls.

This framework includes the cloud control groups and cloud controls in the following sections.

iso-27001-2022-a-5-1

Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

iso-27001-2022-a-5-10

Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.

iso-27001-2022-a-5-12

Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.

iso-27001-2022-a-5-14

Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.

iso-27001-2022-a-5-15

Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.

iso-27001-2022-a-5-17

Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.

iso-27001-2022-a-5-18

Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.

iso-27001-2022-a-5-19

Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.

iso-27001-2022-a-5-20

Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.

iso-27001-2022-a-5-23

Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.

iso-27001-2022-a-5-24

The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.

iso-27001-2022-a-5-25

The organization shall assess information security events and decide if they are to be categorized as information security incidents.

iso-27001-2022-a-5-28

The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

iso-27001-2022-a-5-30

ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

iso-27001-2022-a-5-33

Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.

iso-27001-2022-a-5-5

The organization shall establish and maintain contact with relevant authorities.

iso-27001-2022-a-5-6

The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.

iso-27001-2022-a-5-9

An inventory of information and other associated assets, including owners, shall be developed and maintained.

iso-27001-2022-a-6-7

Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.

iso-27001-2022-a-8-1

Information stored on, processed by or accessible using user end point devices shall be protected.

iso-27001-2022-a-8-10

Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.

iso-27001-2022-a-8-13

Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

iso-27001-2022-a-8-14

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

iso-27001-2022-a-8-15

Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.

iso-27001-2022-a-8-16

Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.

iso-27001-2022-a-8-17

The clocks of information processing systems used by the organization shall be synchronized to approved time sources.

iso-27001-2022-a-8-2

The allocation and use of privileged access rights shall be restricted and managed.

iso-27001-2022-a-8-20

Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.

iso-27001-2022-a-8-21

Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.

iso-27001-2022-a-8-22

Groups of information services, users and information systems shall be segregated in the organization’s networks.

iso-27001-2022-a-8-23

Access to external websites shall be managed to reduce exposure to malicious content.

iso-27001-2022-a-8-24

Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.

iso-27001-2022-a-8-25

Rules for the secure development of software and systems shall be established and applied.

iso-27001-2022-a-8-26

Information security requirements shall be identified, specified and approved when developing or acquiring applications.

iso-27001-2022-a-8-27

Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.

iso-27001-2022-a-8-28

Secure coding principles shall be applied to software development.

iso-27001-2022-a-8-29

Security testing processes shall be defined and implemented in the development life cycle.

iso-27001-2022-a-8-3

Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.

iso-27001-2022-a-8-30

The organization shall direct, monitor and review the activities related to outsourced system development.

iso-27001-2022-a-8-4

Read and write access to source code, development tools and software libraries shall be appropriately managed.

iso-27001-2022-a-8-5

Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.

iso-27001-2022-a-8-6

The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.

iso-27001-2022-a-8-7

Protection against malware shall be implemented and supported by appropriate user awareness.

iso-27001-2022-a-8-8

Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.

iso-27001-2022-a-8-9

Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.

Qatar National Information Assurance Standard v2.1

Supported cloud provider: Google Cloud

Qatar NIAS is intended to provide organizations within the State of Qatar with the necessary foundation and the relevant tools to enable the implementation of a full-fledged Information Security Management System within organizations.

This framework includes the cloud control groups and cloud controls in the following sections.

qa-nias-2-1-am-1

Users are provided access based on the concept of least privilege and governed by a Need to Know or a Need to Have basis.

qa-nias-2-1-am-11

Centralized authentication repositories such as LDAP and authentication databases are protected from denial-of-service attacks and use secure and authenticated channels for retrieval of authentication data. Such repositories shall log the following events: unauthorized update or access; start and end date and time of activity (together with system identifier); user identification (for illegal logon); sign-on and sign-off activity (for illegal logon); and session, terminal, or remote connection.

qa-nias-2-1-am-12

Organizations must develop and maintain a set of policies, plans and procedures, derived from the National Data Classification Policy (IAP-NAT-DCLS) that covers system users' identification, authentication, and authorization.

qa-nias-2-1-am-14

All system users are uniquely identifiable and authenticated on each occasion that access is granted to a system.

qa-nias-2-1-am-17

Unprotected authentication information that grants system access, or decrypts an encrypted device, is located on, or with, the system or device to which the authentication information grants access.

qa-nias-2-1-am-18

System authentication data while in use is not susceptible to attacks including, but not limited to, replay, man-in-the-middle, and session hijacking.

qa-nias-2-1-am-2

Access is managed and controlled through system access controls, identification and authentication, and audit trails based on the sensitivity of the information. These requests for access shall be authorized by a staff member's supervisor or manager.

qa-nias-2-1-am-20

Passwords are changed at least every 90 days.

qa-nias-2-1-am-23

Screen and session locks are configured as follows: activate after a maximum of 15 minutes of system user inactivity; can be activated manually by the system user, if desired; lock to completely conceal all information on the screen; ensure the screen does not appear to be turned off while in the locked state; have the system user re-authenticate to unlock the system; and deny system users the ability to disable the locking mechanism.

qa-nias-2-1-am-24

Access to a system is suspended after a specified number of failed logon attempts or as soon as possible after the staff member no longer needs access, due to changing roles or leaving the organization.

qa-nias-2-1-am-3

Access rights of a user or entity to create, read, update, delete or transmit an organization's information assets shall be based on a matrix (hierarchical) model of rights defined by business rules that are established by the owners of that information.

qa-nias-2-1-am-31

The use of privileged accounts is documented, controlled, accountable, and kept to a minimum. Privileged accounts shall only be used for administrative work.

qa-nias-2-1-am-32

System administrators are assigned an individual account for undertaking their administration tasks.

qa-nias-2-1-am-34

The system management log is updated to record the following information: sanitization activities; system start-up and shutdown; component or system failures; maintenance activities; backup and archival activities; system recovery activities; and special or out of hours activities.

qa-nias-2-1-am-35

Remote access shall not be provided unless authorized explicitly by the department head and only if it is warranted by business requirements and only after due diligence has been performed to analyse associated risks and suitable controls are implemented to mitigate the identified risks.

qa-nias-2-1-am-36

Two-factor authentication, using a hardware token, biometric control or similar is used when accessing systems processing data classified at C3 or above.

qa-nias-2-1-am-37

Remote access sessions are secured by using suitable end-to-end encryption as specified in section C-10, Cryptographic Security (CY).

qa-nias-2-1-am-6

Any unauthorized effort to circumvent the organization's access control shall be perceived as a security incident and shall be handled in accordance with established incident handling procedure and appropriate human resources policies and procedures.

qa-nias-2-1-am-7

Audit logs shall be enabled and maintained in such a manner as to allow compliance monitoring with government policy and to assist in Incident Management.

qa-nias-2-1-am-8

Logical access to organization networks is technically controlled. This may be by using Network Admission Control (NAC) services and devices.

qa-nias-2-1-cy-1

Cryptographic algorithms, encryption hardware or software, key management systems, and digital signatures shall demonstrate compliance with the Approved Encryption/Cryptographic Algorithms and Systems as specified by the competent authority within the Law No. (16) of 2010 on the Promulgation of the Electronic Commerce and Transactions Law.

qa-nias-2-1-cy-2

The lifetime of the key shall be determined primarily by the application and the information infrastructure it is used in. Keys shall be immediately revoked and replaced if they have been, or are suspected of being, compromised.

qa-nias-2-1-cy-3

Information assets classified as C3 (IAP-NAT-DCLS) are encrypted and protected against unauthorized disclosure when stored and in transit regardless of the storing format or media. Organizations may apply these cryptographic controls to assets with lower confidentiality requirements, if determined necessary by their risk assessment.

qa-nias-2-1-cy-4

Information assets classified as I3 (IAP-NAT-DCLS) have assured integrity using cryptographic hashing. Organizations may apply these cryptographic controls to assets with lower integrity requirements, if determined necessary by their risk assessment.

qa-nias-2-1-cy-5

The following protocols or better, with approved algorithms outlined in Qatar National Cryptographic Standard - English v1.0 (or higher) issued by the competent authority, are used for securing data classified as C3 when in transit: for securing web traffic: TLS (+128 bits) (RFC4346); for securing file transfers: SFTP (SFTP); for secure remote access: SSH v2 (RFC4253) or IPSEC (RFC 4301); and only S/MIME v3 (RFC3851) or better are used for securing emails. See CY11 for the associated requirement.

qa-nias-2-1-cy-6

Passwords must always be encrypted or hashed and protected against unauthorized disclosure when they are stored or in transit, regardless of the storing format or media. Privileged passwords shall be encrypted and stored off-site with backup files each time the password is changed to ensure complete recovery.

qa-nias-2-1-cy-7

Where Hardware Security Modules (HSMs) are used, they are certified to at least FIPS 140-2 Level 2 (FIPS140-2) or Common Criteria (CC3.1) EAL4.

qa-nias-2-1-cy-9

Suitable key management processes are defined, as per ISO 11770-1, and used to manage the lifecycle of cryptographic keys, covering the following functions: Key Custodians Roles and Responsibilities, Key Generation, Dual Control and Split Knowledge, Secure Key Storage, Key Usage, Secure Key Distribution and in Transit, Key Backup and Recovery, Periodic Key Status Checking, Key Compromise, Key Revocation and Destruction, and Audit Trails and Documentation.

qa-nias-2-1-gs-1

Networks are protected from other networks by gateways and data flows are properly controlled.

qa-nias-2-1-gs-13

Export of data to a less classified system is restricted by filtering data using at least checks on classification labels.

qa-nias-2-1-gs-2

Gateways connecting organization networks to other organization networks, or to uncontrolled public networks, are implemented as follows: with an appropriate network device to control data flow, with all data flows appropriately controlled, and with gateway components physically located within an appropriately secured server room.

qa-nias-2-1-gs-6

Demilitarized zones (DMZs) are used to separate externally accessible systems from uncontrolled public networks and internal networks through usage of firewalls and other network security capable equipment.

qa-nias-2-1-gs-7

Gateways must: be the only communications paths into and out of internal networks; by default, deny all connections into and out of the network; allow only explicitly authorised connections; be managed using a secure path isolated from all connected networks; provide sufficient audit capability to detect gateway security breaches and attempted network intrusions; and provide real-time alarms.

qa-nias-2-1-gs-8

Gateways are hardened prior to any implementation on production site and are protected against the following: malicious code and vulnerabilities, wrong or poor configurations, account compromise and privilege escalation, rogue network monitoring, denial of service (DoS) attacks, and information or data leakage.

qa-nias-2-1-gs-9

Monitoring and supervision of gateways is in place and includes threat prevention mechanisms, logging, alerts, and surveillance of equipment. See section B-10, Logging and Security Monitoring (SM).

qa-nias-2-1-ie-12

Ensure information exchanged between systems is secured against misuse, unauthorized access, or data corruption. For transmitting information classified at C2, I2 or above, authenticated, and encrypted channels shall be used as specified in CY5, section C-10, Cryptographic Security (CY).

qa-nias-2-1-ie-3

Ensure that necessary agreements (specifically confidentiality agreements) between the entities exchanging information have been established prior to information exchange. Agreements shall provide information on responsibilities, information exchange notification procedure, technical standards for transmission, identification of couriers, liabilities, ownership, and controls. For vendors and third-parties a formal Non-Disclosure Agreement (NDA) shall be used. Appendix D provides an NDA template.

qa-nias-2-1-ie-4

The organization must ensure media which is used to exchange information is protected against unauthorized access, manipulation, or misuse within or outside the organization environment.

qa-nias-2-1-ie-8

Protect information exchanged using electronic messaging from unauthorized access, change, or interruption of service.

qa-nias-2-1-ms-20

Media, including faulty media, containing classified information is sanitised to the extent possible prior to disposal.

qa-nias-2-1-ns-1

Details of internal network and system configuration, employee or device-related directory services, and other sensitive technology are not publicly disclosed or enumerable by unauthorized personnel.

qa-nias-2-1-ns-17

A separate internal DNS server is set up and placed in the internal network for internal domain information that is not disclosed to the Internet.

qa-nias-2-1-ns-2

The organization removes or disables all the default accounts (for example, root or administrator) or changes the password as specified in section C-6, Software Security (SS).

qa-nias-2-1-ns-20

Zone files are digitally signed, and cryptographic mutual authentication and data integrity of zone transfers and dynamic updates is provided.

qa-nias-2-1-ns-21

Cryptographic origin authentication and integrity assurance of DNS data is provided.

qa-nias-2-1-ns-22

DNS services including zone transfers are provided to authorized users only.

qa-nias-2-1-ns-25

The Internet gateway denies all Internet services unless specifically enabled.

qa-nias-2-1-ns-27

The organization has the capability needed to monitor the traffic, deduce traffic patterns, usage, and so on. See section B-10, Logging and Security Monitoring (SM) for more information.

qa-nias-2-1-ns-29

TLS protection is used with the SMTP mail server in line with section C-10, Cryptographic Security (CY).

qa-nias-2-1-ns-3

Network configuration is kept under the control of the network manager or similar, and all changes to the configurations are as follows: approved through a formal change control process as defined in section B-5, Change Management (CM); documented, and compliant with the network security policy and security plan as defined in section B-12, Documentation (DC); and regularly reviewed. Old configurations, as mandated by the organization's procedures, are maintained as part of change revision. The frequency of reviewing configuration shall depend on the organization's risk and processes.

qa-nias-2-1-ns-5

Networks are designed and configured to limit opportunities for unauthorized access to information transiting the network infrastructure. Organizations should use the following technologies to meet this requirement: switches instead of hubs; port security on switches to limit access and disable all unused ports; routers and firewalls segregating parts of the network on a need-to-know basis; IPsec or IP version 6; application-level encryption; an automated tool that compares the running configuration of network devices against the documented configuration; network edge authentication; restriction and management of end-user devices communicating with the organization network through techniques such as MAC address filtering; IPS or IDS to detect and prevent malicious activity within the network; and time and day restrictions.

qa-nias-2-1-ns-53

Voice and data are separate networks. The separation should be physical, but use of Virtual LANs is permitted. The voice gateway, which interfaces with the PSTN, segregates H.323, SIP, or other VoIP protocols from the data network.

qa-nias-2-1-ns-6

Management networks adopt the following protection measures: dedicated networks are used for management devices by implementing a separate management VLAN or physically separate infrastructure; and secure channels are used, for example, by using VPNs or SSH.

qa-nias-2-1-ns-7

VLANs are used to separate IP telephone traffic in business critical networks.

qa-nias-2-1-ns-8

Administrative access is only permitted from the most highly classified VLAN to one at the same level of classification or of lower classification.

qa-nias-2-1-pr-5

Security evaluation of the product is done on a dedicated evaluation configuration including functionality tests, security tests, and patching to protect against potential threats and vulnerabilities.

qa-nias-2-1-pr-6

Delivery of products is consistent with the organization's security practice for secure delivery.

qa-nias-2-1-pr-7

Secure delivery procedures shall include measures to detect tampering or masquerading.

qa-nias-2-1-pr-8

Products have been purchased from developers that have made a commitment to the ongoing maintenance of the assurance of their product.

qa-nias-2-1-pr-9

Product patching and updating processes are in place. Updates of products shall follow the change management policies specified in section B-5, Change Management (CM).

qa-nias-2-1-ss-13

Workstations use a hardened standard operating environment (SOE) covering the following: removal of unwanted software; disabling of unused or undesired functionality in installed software and operating systems; implementation of access controls on relevant objects to limit system users and programs to the minimum access needed to perform their duties; installation of software-based firewalls limiting inbound and outbound network connections; and configuration of either remote logging or the transfer of local event logs to a central server.

qa-nias-2-1-ss-14

Potential vulnerabilities in SOEs and systems are reduced by the following: removing unnecessary file shares; ensuring patching is up to date; disabling access to all unnecessary input and output functionality; removing unused accounts; renaming default accounts; and replacing default passwords.

qa-nias-2-1-ss-15

High-risk servers, such as web, email, file, and Internet Protocol telephony servers, having connectivity to uncontrolled public networks meet the following guidelines: maintain effective functional separation between servers allowing them to operate independently; minimise communications between servers at both the network and file system level, as appropriate; and limit system users and programs to the minimum access needed to perform their duties.

qa-nias-2-1-ss-16

Check the integrity of all servers whose functions are critical to the organization, and those identified as being at a high risk of compromise. Wherever possible these checks should be performed from a trusted environment rather than the system itself.

qa-nias-2-1-ss-17

Store the integrity information securely off the server in a manner that maintains integrity.

qa-nias-2-1-ss-19

As part of the organization's ongoing audit schedule, compare the stored integrity information against current integrity information to determine whether a compromise, or a legitimate but incorrectly completed system modification, has occurred.

qa-nias-2-1-ss-2

All applications (including new and developed) are classified using the National Data Classification Policy (IAP-NAT-DCLS) and accorded security protection appropriate to its Confidentiality, Integrity, and Availability ratings.

qa-nias-2-1-ss-20

The organization must resolve any detected changes in accordance with the organization's information and communications technology (ICT) security incident management procedures.
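The four controls above (ss-16, ss-17, ss-19 and ss-20) describe one procedure: take an integrity baseline of critical servers from a trusted environment, keep that baseline off the server in a form whose own integrity can be checked, compare it against the live state on an audit schedule, and hand any difference to incident management. The following is an added example, not code from the framework or from Compliance Manager, showing the mechanics in Python. It assumes (hypothetically) that the baseline is a JSON manifest of SHA-256 file digests sealed with an HMAC under a key that lives only on the trusted audit host, and that the audit host can read the server's files (for example, from a mounted image or a copy). Names such as `build_baseline` and `compare` are the example's own.

```python
"""Added example: file-integrity baseline, sealed storage and audit comparison
(illustrating qa-nias-2-1-ss-16/ss-17/ss-19/ss-20; not part of the framework text).

Assumptions (hypothetical): digests are SHA-256, the manifest is sealed with an
HMAC whose key is held only on the trusted audit host, and the comparison runs
on that host rather than on the server being checked.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(entries: dict) -> bytes:
    # Deterministic serialisation so the HMAC covers exactly one byte sequence.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_baseline(root: Path, key: bytes) -> dict:
    """Digest every regular file under `root` and seal the manifest (ss-16, ss-17)."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            entries[p.relative_to(root).as_posix()] = hash_file(p)
    mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def load_baseline(baseline: dict, key: bytes) -> dict:
    """Refuse to use a stored baseline whose seal does not verify (ss-17)."""
    expected = hmac.new(key, _canonical(baseline["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["mac"]):
        raise ValueError("baseline integrity check failed: stored manifest was altered")
    return baseline["entries"]


def compare(root: Path, baseline: dict, key: bytes) -> dict:
    """Audit step (ss-19): report files added, removed or modified since the baseline.

    A non-empty result is the trigger for the incident process in ss-20; the
    code cannot tell a compromise from a badly executed change, so it reports both.
    """
    stored = load_baseline(baseline, key)
    current = build_baseline(root, key)["entries"]
    return {
        "added": sorted(set(current) - set(stored)),
        "removed": sorted(set(stored) - set(current)),
        "modified": sorted(p for p in stored.keys() & current.keys()
                           if stored[p] != current[p]),
    }


def tampered_baseline_is_rejected() -> bool:
    """A manifest edited after sealing (e.g. to hide a backdoor) must not verify."""
    key = b"audit-host-key"
    baseline = build_baseline(Path(tempfile.mkdtemp()), key)
    baseline["entries"]["bin/backdoor"] = "00" * 32  # attacker edits the stored file
    try:
        load_baseline(baseline, key)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate a compromise."""
    key = b"example-key-kept-off-the-server"  # assumption: stored on the audit host only
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "httpd").write_bytes(b"original binary")
        (root / "etc" / "httpd.conf").write_text("Listen 80\n")
        baseline = build_baseline(root, key)          # taken while the system is trusted
        # Later: binary replaced, config deleted, extra tool dropped on the box.
        (root / "bin" / "httpd").write_bytes(b"trojaned binary")
        (root / "etc" / "httpd.conf").unlink()
        (root / "bin" / "nc").write_bytes(b"dropped tool")
        return compare(root, baseline, key)


if __name__ == "__main__":
    print(demo())
    print("tampered baseline rejected:", tampered_baseline_is_rejected())
```

Running the comparison from the audit host matters more than the hashing itself: a rootkit on the server can lie to a checker that runs locally, and an unsealed manifest left on the server can simply be regenerated after the compromise. Resolve every reported difference through the incident procedure, since an "incorrectly completed system modification" is indistinguishable from an attack until someone looks.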

qa-nias-2-1-ss-21

All software applications are reviewed to determine whether they attempt to establish any external connections. If automated outbound connection functionality is included, organizations should make a business decision to determine whether to permit or deny these connections, including an assessment of the risks involved in doing so.

qa-nias-2-1-ss-23

Connectivity and access between each web application component is minimized.

qa-nias-2-1-ss-24

Personal information and sensitive data is protected while in storage and in transmission using appropriate cryptographic controls.

qa-nias-2-1-ss-29

Database files are protected from access that bypasses the database's normal access controls.

qa-nias-2-1-ss-3

Security requirements, including functional, technical, and assurance requirements, are developed and implemented as part of system requirements.

qa-nias-2-1-ss-30

Databases provide functionality to allow for auditing of system users' actions.

qa-nias-2-1-ss-31

System users who do not have sufficient privilege to view database contents cannot see associated metadata in a list of results from a search engine query. If results from database queries cannot be appropriately filtered, organizations must ensure that all query results are appropriately sanitized to meet the minimum-security privilege of system users.

qa-nias-2-1-ss-4

Dedicated test and development infrastructure, including systems and data, is available and separate from production systems. Furthermore, information flow between the environments shall be strictly limited according to a defined and documented policy, with access granted only to system users with a clear business requirement, and write access to the authoritative source for the software shall be disabled.

qa-nias-2-1-ss-5

All applications, whether acquired or developed, are available for production use only after appropriate quality and security assurance tests and checks to ensure that the system conforms to and complies with the intended security requirements.

qa-nias-2-1-ss-6

Software developers use secure programming practices when writing code, including the following: complying with best practices, for example, the Mitre top 25 most dangerous programming errors (Mitre); designing software to use the lowest privilege level needed to achieve its task; denying access by default; checking return values of all system calls; and validating all inputs.

qa-nias-2-1-ss-7

Software should be reviewed and/or tested for vulnerabilities before it is used in a production environment. Software should be reviewed and/or tested by an independent party and not by the developer.

qa-nias-2-1-vl-1

Emergency destruction, locking plan, remote wipe, or auto destruct is in place for any MDs and laptops.

qa-nias-2-1-vl-2

Harden the hypervisor, administrative layer, the virtual machine and related components as per the industry accepted best practices and security guidelines and the vendor recommendations.

qa-nias-2-1-vl-3

Enforce least privilege and separation of duties for managing the virtual environment, as follows: define specific roles and granular privileges for each administrator in the central virtualization management software; limit direct administrative access to the hypervisor to the extent possible; and depending on the risk and the classification of the information processed, organizations should consider the use of multi factor authentication or dual or split control of administrative passwords between multiple administrators. For more information, refer to section C9 Access Management.

qa-nias-2-1-vl-5

The virtualized technology environment should be augmented with third-party security technology that provides layered security controls (a defence-in-depth approach) to complement the controls provided by the vendor and the technology itself.

qa-nias-2-1-vl-6

Segregate virtual machines based on the classification of data they process or store.

qa-nias-2-1-vl-7

A change management process encompasses the virtual technology environment. It includes the following: ensure that virtual machine profile is updated, and the integrity of the virtual machine image is maintained at all times; and care should be taken to maintain and update VMs which are not in an active state (dormant or no longer used). For more information, refer to Section B6- Change Management.

qa-nias-2-1-vl-8

Logs from the virtual technology environment shall be logged and monitored along with other IT infrastructure. Refer to Section B10 Logging and Security Monitoring.

NIST 800-53 Revision 5

Supported cloud provider: Google Cloud

A comprehensive catalog of security and privacy controls for building a robust security program. Mandated for U.S. federal systems, it is now a best-practice framework used by organizations across all sectors.

This framework includes the cloud control groups and cloud controls in the following sections.

nist-r5-ac-02

A. Define and document the types of accounts allowed and specifically prohibited for use within the system. B. Assign account managers. C. Require organization-defined prerequisites and criteria for group and role membership. D. Specify: a. Authorized users of the system. b. Group and role membership. c. Access authorizations or privileges and organization-defined attributes for each account. E. Require approvals by organization-defined personnel or roles for requests to create accounts. F. Create, enable, modify, disable, and remove accounts in accordance with organization-defined policy, procedures, prerequisites, and criteria. G. Monitor the use of accounts. H. Notify account managers and organization-defined personnel or roles within: a. An organization-defined time period when accounts are no longer required. b. An organization-defined time period when users are terminated or transferred. c. An organization-defined time period when system usage or need-to-know changes for an individual. I. Authorize access to the system based on: a. A valid access authorization. b. Intended system usage. c. Organization-defined attributes. J. Review accounts for compliance with account management requirements as per organization-defined frequency. K. Establish and implement a process for changing shared or group account authenticators when individuals are removed from the group. L. Align account management processes with personnel termination and transfer processes.

nist-r5-ac-03

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

nist-r5-ac-04

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on organization-defined information flow control policies.

nist-r5-ac-05

Identify and document organization-defined duties of individuals requiring separation. Define system access authorizations to support separation of duties.

nist-r5-ac-06

Employ the principle of least privilege, allowing only authorized accesses for users or processes acting on behalf of users that are necessary to accomplish assigned organizational tasks.

nist-r5-ac-06-05

Restrict privileged accounts on the system to organization-defined personnel or roles.

nist-r5-ac-07

Enforce a limit of an organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period. When the maximum number of unsuccessful attempts is exceeded, automatically: lock the account or node for an organization-defined time period; lock the account or node until released by an administrator; delay the next logon prompt per an organization-defined delay algorithm; notify the system administrator; or take other organization-defined action.

nist-r5-ac-12

Automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.

nist-r5-ac-17

Establish and document usage restrictions, configuration and connection requirements, and implementation guidance for each type of remote access allowed. Authorize each type of remote access to the system prior to allowing such connections.

nist-r5-ac-17-03

Route remote accesses through authorized and managed network access control points.

nist-r5-ac-17-04

Authorize the execution of privileged commands and access to security-relevant information using remote access only in a format that provides assessable evidence and for organization-defined needs. Document the rationale for remote access in the security plan for the system.

nist-r5-ac-18

Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access. Authorize each type of wireless access to the system prior to allowing such connections.

nist-r5-ac-19

Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas. Authorize the connection of mobile devices to organizational systems.

nist-r5-au-01

Develop, document, and disseminate a compliant audit and accountability policy and the procedures for its implementation, ensuring the policy addresses its purpose, scope, roles, and responsibilities. Designate a specific official to manage this documentation, and regularly review and update the policy and procedures based on a defined schedule or in response to specific events.

nist-r5-au-02

A. Identify the types of events that the system is capable of logging in support of the audit function. B. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged. C. Specify the organization-defined event types that are a subset of the event types defined in AU-02a, along with the frequency of, or situation requiring, logging for each identified event type. D. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents. E. Review and update the event types selected for logging as per organization-defined frequency.

nist-r5-au-03

Ensure that audit records contain information that establishes the following: A. What type of event occurred. B. When the event occurred. C. Where the event occurred. D. Source of the event. E. Outcome of the event. F. Identity of any individuals, subjects, or objects and entities associated with the event.

nist-r5-au-03-01

Generate audit records containing organization-defined additional information.

nist-r5-au-04

Allocate audit log storage capacity to accommodate organization-defined audit log retention requirements.

nist-r5-au-05

Alert organization-defined personnel or roles within organization-defined time period in the event of an audit logging process failure. Take organization-defined additional actions.

nist-r5-au-05-02

Provide an alert within organization-defined real-time period to organization-defined personnel, roles, or locations, when organization-defined audit logging failure events requiring real-time alerts occur.

nist-r5-au-06

Review and analyze system audit records as per organization-defined frequency for indications of organization-defined inappropriate or unusual activity and the potential impact of the inappropriate or unusual activity. Report findings to organization-defined personnel or roles. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

nist-r5-au-07

Provide and implement an audit record reduction and report generation capability that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents. The capability must not alter the original content or time ordering of audit records.

nist-r5-au-11

Retain audit records for organization-defined time period consistent with records retention policy to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

nist-r5-au-12

A. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on organization-defined system components. B. Allow organization-defined personnel or roles to select the event types that are to be logged by specific components of the system. C. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.

nist-r5-ca-2-2

Include as part of control assessments, as per organization-defined frequency, announced or unannounced: in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; or other organization-defined forms of assessment.

nist-r5-ca-7

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: A. Establishing the organization-defined system-level metrics. B. Establishing organization-defined frequencies for monitoring and assessment of control effectiveness. C. Ongoing control assessments in accordance with the continuous monitoring strategy. D. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy. E. Correlation and analysis of information generated by control assessments and monitoring. F. Response actions to address results of the analysis of control assessment and monitoring information. G. Reporting the security and privacy status of the system to organization-defined personnel or roles as per organization-defined frequency.

nist-r5-ca-9

A. Authorize internal connections of organization-defined system components or classes of components to the system. B. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated. C. Terminate internal system connections after organization-defined conditions. D. Review as per organization-defined frequency, the continued need for each internal connection.

nist-r5-cm-01

A. Develop, document, and disseminate to organization-defined personnel or roles: a. A configuration management policy that is defined at an organization-level, mission or business process-level, or at system-level. The policy must address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The policy must be consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. b. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls. B. Designate an organization-defined official to manage the development, documentation, and dissemination of the configuration management policy and procedures. C. Review and update the current configuration management policies, and procedures as per organization-defined frequencies and events.

nist-r5-cm-02

A. Develop, document, and maintain under configuration control, a current baseline configuration of the system. B. Review and update the baseline configuration of the system: a. As per organization-defined frequency. b. When required due to organization-defined circumstances. c. When system components are installed or upgraded.

nist-r5-cm-06

A. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using organization-defined common secure configurations. B. Implement the configuration settings. C. Identify, document, and approve any deviations from established configuration settings for organization-defined system components based on organization-defined operational requirements. D. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

nist-r5-cm-07

Configure the system to provide only organization-defined mission essential capabilities. Prohibit or restrict the use of organization-defined functions, ports, protocols, software, or services.

nist-r5-cm-09

Develop, document, and implement a configuration management plan for the system that: A. Addresses roles, responsibilities, and configuration management processes and procedures. B. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items. C. Defines the configuration items for the system and places the configuration items under configuration management. D. Is reviewed and approved by organization-defined personnel or roles. E. Protects the configuration management plan from unauthorized disclosure and modification.

nist-r5-cp-06

Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information. Ensure that the alternate storage site provides controls equivalent to that of the primary site.

nist-r5-cp-07

A. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of organization-defined system operations for essential mission and business functions within organization-defined time period consistent with recovery time and recovery point objectives, when the primary processing capabilities are unavailable. B. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption. C. Provide controls at the alternate processing site that are equivalent to those at the primary site.

nist-r5-ia-04

Manage system identifiers by: A. Receiving authorization from organization-defined personnel or roles to assign an individual, group, role, service, or device identifier. B. Selecting an identifier that identifies an individual, group, role, service, or device. C. Assigning the identifier to the intended individual, group, role, service, or device. D. Preventing reuse of identifiers for organization-defined time period.

nist-r5-ia-05

Manage system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator. b. Establishing initial authenticator content for any authenticators issued by the organization. c. Ensuring that authenticators have sufficient strength of mechanism for their intended use. d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators. e. Changing default authenticators prior to first use. f. Changing or refreshing authenticators as per organization-defined time period by authenticator type or when organization-defined events occur. g. Protecting authenticator content from unauthorized disclosure and modification. h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators. i. Changing authenticators for group or role accounts when membership to those accounts changes.

nist-r5-ia-08

Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.

nist-r5-ma-04

A. Approve and monitor nonlocal maintenance and diagnostic activities. B. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system. C. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions. D. Maintain records for nonlocal maintenance and diagnostic activities. E. Terminate session and network connections when nonlocal maintenance is completed.

nist-r5-mp-02

Restrict access to organization-defined types of digital or non-digital media to organization-defined personnel or roles.

nist-r5-pe-01

A. Develop, document, and disseminate to organization-defined personnel or roles: a. A physical and environmental protection policy that is defined at an organization-level, mission or business process-level, or at system-level. The policy must address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The policy must be consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. b. Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls. B. Designate an organization-defined official to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures. C. Review and update the current physical and environmental protection policies and procedures as per organization-defined frequencies and events.

nist-r5-pl-08

A. Develop security and privacy architectures for the system: a. Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information. b. Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals. c. Describe how the architectures are integrated into and support the enterprise architecture. d. Describe any assumptions about, and dependencies on, external systems and services. B. Review and update the architectures at an organization-defined frequency to reflect changes in the enterprise architecture. C. Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.

nist-r5-ra-03

A. Conduct a risk assessment, including: a. Identifying threats to and vulnerabilities in the system. b. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information. c. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information. B. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments. C. Document risk assessment results in security and privacy plans, risk assessment report, and organization-defined document. D. Review risk assessment results at an organization-defined frequency. E. Disseminate risk assessment results to organization-defined personnel or roles. F. Update the risk assessment at an organization-defined frequency or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

nist-r5-ra-05

A. Monitor and scan for vulnerabilities in the system and hosted applications at organization-defined frequency or randomly in accordance with organization-defined process, and when new vulnerabilities potentially affecting the system are identified and reported. B. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: a. Enumerating platforms, software flaws, and improper configurations. b. Formatting checklists and test procedures. c. Measuring vulnerability impact. C. Analyze vulnerability scan reports and results from vulnerability monitoring. D. Remediate legitimate vulnerabilities at organization-defined response times in accordance with an organizational assessment of risk. E. Share information obtained from the vulnerability monitoring process and control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other systems. F. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

nist-r5-sa-03

Acquire, develop, and manage the system using an organization-defined system development life cycle that incorporates information security and privacy considerations. Define and document information security and privacy roles and responsibilities throughout the system development life cycle. Identify individuals having information security and privacy roles and responsibilities. Integrate the organizational information security and privacy risk management process into system development life cycle activities.

nist-r5-sa-08

Apply organization-defined security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components.

nist-r5-sa-10

Require the developer of the system, system component, or system service to: A. Perform configuration management during system, component, or service design, development, implementation, operation, or disposal. B. Document, manage, and control the integrity of changes to organization-defined configuration items under configuration management. C. Implement only organization-approved changes to the system, component, or service. D. Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes. E. Track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel.

nist-r5-sa-11

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: A. Develop and implement a plan for ongoing security and privacy assessments. B. Perform unit, integration, system, and regression testing as per organization-defined frequency and at organization-defined depth and coverage. C. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation. D. Implement a verifiable flaw remediation process. E. Correct flaws identified during testing and evaluation.

nist-r5-sa-15

Require the developer of the system, system component, or system service to follow a documented development process that: explicitly addresses security and privacy requirements, identifies the standards and tools used in the development process, documents the specific tool options and tool configurations used in the development process, and documents, manages, and ensures the integrity of changes to the process and tools used in development. Review the development process, standards, tools, tool options, and tool configurations as per organization-defined frequency, to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the organization-defined security and privacy requirements.

nist-r5-sa-21

Require that the developer of an organization-defined system, system component, or system service has appropriate access authorizations as determined by assigned organization-defined official government duties. The developer must satisfy the organization-defined additional personnel screening criteria.

nist-r5-sc-03

Isolate security functions from nonsecurity functions.

nist-r5-sc-05

Protect against the effects of organization-defined denial-of-service events. Employ organization-defined controls by type of denial-of-service event.

nist-r5-sc-07

Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system. Implement subnetworks for publicly accessible system components that are physically and logically separated from internal organizational networks. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

nist-r5-sc-07-05

Deny network communications traffic by default and allow by exception at managed interfaces for organization-defined systems.

nist-r5-sc-08

Protect the confidentiality and integrity of transmitted information.

nist-r5-sc-10

Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.

nist-r5-sc-12

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with key management requirements such as organization-defined requirements for key generation, distribution, storage, access, and destruction.

nist-r5-sc-13

Determine the required uses for cryptography and implement the specific types of cryptography needed for each of those defined uses.

nist-r5-sc-23

Protect the authenticity of communications sessions.

nist-r5-sc-28

Protect the confidentiality and integrity of the organization-defined information at rest.

nist-r5-sc-28-01

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the organization-defined information at rest on organization-defined system components.

nist-r5-si-01

A. Develop, document, and disseminate to organization-defined personnel or roles: a. A system and information integrity policy that is defined at the organization level, the mission or business process level, or the system level. The policy must address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The policy must be consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. b. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls. B. Designate an organization-defined official to manage the development, documentation, and dissemination of the system and information integrity policy and procedures. C. Review and update the current system and information integrity policies and procedures at organization-defined frequencies and in response to organization-defined events.

nist-r5-si-02

Identify, report, and correct system flaws. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation. Install security-relevant software and firmware updates within an organization-defined time period of the release of the updates. Incorporate flaw remediation into the organizational configuration management process.

nist-r5-si-02-02

Determine if system components have applicable security-relevant software and firmware updates installed using organization-defined automated mechanisms at an organization-defined frequency.

nist-r5-si-03

A. Implement signature-based or non-signature-based malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code. B. Automatically update malicious code protection mechanisms as new releases are available, in accordance with organizational configuration management policy and procedures. C. Configure malicious code protection mechanisms to: a. Perform periodic scans of the system at an organization-defined frequency, and real-time scans of files from external sources at endpoints and at network entry and exit points as the files are downloaded, opened, or executed, in accordance with organizational policy. b. Block malicious code, quarantine malicious code, take organization-defined action, and send alerts to organization-defined personnel or roles in response to malicious code detection. D. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

nist-r5-si-04

A. Monitor the system to detect: a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives. b. Unauthorized local, network, and remote connections. B. Identify unauthorized use of the system through organization-defined techniques and methods. C. Invoke internal monitoring capabilities or deploy monitoring devices: a. Strategically within the system to collect organization-determined essential information. b. At ad hoc locations within the system to track specific types of transactions of interest to the organization. D. Analyze detected events and anomalies. E. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation. F. Obtain a legal opinion regarding system monitoring activities. G. Provide organization-defined system monitoring information to organization-defined personnel or roles as needed or at an organization-defined frequency.

nist-r5-si-04-02

Employ automated tools and mechanisms to support near real-time analysis of events.

nist-r5-si-04-04

Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic. Monitor inbound and outbound communications traffic at an organization-defined frequency for organization-defined unusual or unauthorized activities or conditions.

nist-r5-si-07

A. Employ integrity verification tools to detect unauthorized changes to organization-defined software, firmware, and information. B. Take organization-defined actions when unauthorized changes to the software, firmware, and information are detected.

nist-r5-si-07-01

Perform an integrity check of organization-defined software, firmware, and information, at startup and organization-defined transitional states or security-relevant events, at an organization-defined frequency.

nist-r5-si-07-02

Employ automated tools that provide notification to organization-defined personnel or roles upon discovering discrepancies during integrity verification.

nist-r5-si-12

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and operational requirements.

NIST AI 600-1 Privacy Controls

Supported cloud provider: Google Cloud

NIST AI 600-1 based privacy controls for generative AI (GenAI) adoption.

This framework includes the cloud control groups and cloud controls in the following sections.

nist-600-1-gv-6.1-001

Categorize different types of generative AI (GAI) content with associated third-party rights, for example, by category of copyright, intellectual property, and data privacy.

nist-600-1-mg-2.2-002

Document training data sources to trace the origin and provenance of AI-generated content.

nist-600-1-mg-2.2-007

Use real-time auditing tools where they can be demonstrated to aid in the tracking and validation of the lineage and authenticity of AI-generated data.

nist-600-1-mg-2.2-009

Consider opportunities to responsibly use synthetic data and other privacy-enhancing techniques in GAI development, where appropriate and applicable, to match the statistical properties of real-world data without disclosing personally identifiable information or contributing to homogenization.

nist-600-1-mg-3.2-003

Document the sources and types of training data and their origins; potential biases present in the data related to the GAI application and its content provenance; and the architecture and training process of the pre-trained model, including information on hyperparameters, training duration, and any fine-tuning processes applied.

nist-600-1-mp-2.1-002

Institute test and evaluation for data and content flows within the GAI system, including but not limited to, original data sources, data transformations, and decision-making criteria.

nist-600-1-mp-4.1-001

Conduct periodic monitoring of AI-generated content for privacy risks; address any possible instances of PII or sensitive data exposure.

nist-600-1-mp-4.1-004

Document training data curation policies, to the extent possible and according to applicable laws and policies.

nist-600-1-mp-4.1-005

Establish policies for collection, retention, and minimum quality of data, in consideration of the following risks: disclosure of inappropriate CBRN information; use of illegal or dangerous content; offensive cyber capabilities; training data imbalances that could give rise to harmful biases; and leakage of personally identifiable information, including facial likenesses of individuals.

nist-600-1-mp-4.1-009

Leverage approaches to detect the presence of PII or sensitive data in generated output text, image, video, or audio.

nist-600-1-mp-4.1-010

Conduct appropriate diligence on training data use to assess intellectual property and privacy risks, including examining whether the use of proprietary or sensitive training data is consistent with applicable laws.

nist-600-1-ms-1.1-002

Integrate tools designed to analyze content provenance and detect data anomalies, verify the authenticity of digital signatures, and identify patterns associated with misinformation or manipulation.

nist-600-1-ms-2.2-004

Use techniques such as anonymization, differential privacy, or other privacy-enhancing technologies to help minimize the risks associated with linking AI-generated content back to individual human subjects.

nist-600-1-ms-2.5-005

Verify that the provenance of the Generative Artificial Intelligence (GAI) system's training data, its test, evaluation, verification, and validation (TEVV) data, and its fine-tuning or retrieval-augmented generation data is grounded.

nist-600-1-ms-2.6-002

Assess existence or levels of harmful bias, intellectual property infringement, data privacy violations, obscenity, extremism, violence, or CBRN information in system training data.

nist-600-1-ms-2.9-002

Document GAI model details including: proposed use and organizational value; assumptions and limitations; data collection methodologies; data provenance; data quality; model architecture (for example, convolutional neural networks and transformers); optimization objectives; training algorithms; RLHF approaches; fine-tuning or retrieval-augmented generation approaches; evaluation data; ethical considerations; and legal and regulatory requirements.

NIST Cybersecurity Framework 1.1

Supported cloud provider: Google Cloud

A strategic framework to help organizations manage cybersecurity risk. It organizes activities into five core functions: Identify, Protect, Detect, Respond, and Recover, providing a high-level view of your security posture.

This framework includes the cloud control groups and cloud controls in the following sections.

nist-csf-de-ae

Anomalies and Events (DE.AE): Anomalous activity is detected and the potential impact of events is understood.

nist-csf-de-ae-1

A baseline of network operations and expected data flows for users and systems is established and managed.

nist-csf-de-ae-2

Detected events are analyzed to understand attack targets and methods.

nist-csf-de-ae-3

Event data are collected and correlated from multiple sources and sensors.

nist-csf-de-ae-4

Impact of events is determined.

nist-csf-de-ae-5

Incident alert thresholds are established.

nist-csf-de-cm

Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.

nist-csf-de-cm-1

The network is monitored to detect potential cybersecurity events.

nist-csf-de-cm-2

The physical environment is monitored to detect potential cybersecurity events.

nist-csf-de-cm-3

Personnel activity is monitored to detect potential cybersecurity events.

nist-csf-de-cm-4

Malicious code is detected.

nist-csf-de-cm-5

Unauthorized mobile code is detected.

nist-csf-de-cm-6

External service provider activity is monitored to detect potential cybersecurity events.

nist-csf-de-cm-7

Monitoring for unauthorized personnel, connections, devices, and software is performed.

nist-csf-de-cm-8

Vulnerability scans are performed.

nist-csf-de-dp-1

Roles and responsibilities for detection are well defined to ensure accountability.

nist-csf-de-dp-4

Event detection information is communicated.

nist-csf-id-am

Asset Management: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy.

nist-csf-id-am-1

Physical devices and systems within the organization are inventoried.

nist-csf-id-am-4

External information systems are catalogued.

nist-csf-id-am-6

Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (for example, suppliers, customers, partners) are established.

nist-csf-id-gv-1

Organizational cybersecurity policy is established and communicated.

nist-csf-id-gv-3

Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.

nist-csf-id-gv-4

Governance and risk management processes address cybersecurity risks.

nist-csf-id-ra-1

Asset vulnerabilities are identified and documented.

nist-csf-id-ra-2

Cyber threat intelligence is received from information sharing forums and sources.

nist-csf-id-ra-3

Threats, both internal and external, are identified and documented.

nist-csf-id-sc-3

Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan.

nist-csf-pr-ac

Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

nist-csf-pr-ac-1

Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.

nist-csf-pr-ac-2

Physical access to assets is managed and protected.

nist-csf-pr-ac-3

Remote access is managed.

nist-csf-pr-ac-4

Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.

nist-csf-pr-ac-5

Network integrity is protected (for example, network segregation, network segmentation).

nist-csf-pr-ac-6

Identities are proofed and bound to credentials and asserted in interactions.

nist-csf-pr-ac-7

Users, devices, and other assets are authenticated (for example, single-factor, multi-factor) commensurate with the risk of the transaction (for example, individuals' security and privacy risks and other organizational risks).

nist-csf-pr-ds-1

Data-at-rest is protected.

nist-csf-pr-ds-2

Data-in-transit is protected.

nist-csf-pr-ds-3

Assets are formally managed throughout removal, transfers, and disposition.

nist-csf-pr-ds-4

Adequate capacity to ensure availability is maintained.

nist-csf-pr-ds-5

Protections against data leaks are implemented.

nist-csf-pr-ip

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

nist-csf-pr-ip-1

A baseline configuration of information technology or industrial control systems is created and maintained incorporating security principles (for example, the concept of least functionality).

nist-csf-pr-ip-10

Response and recovery plans are tested.

nist-csf-pr-ip-12

A vulnerability management plan is developed and implemented.

nist-csf-pr-ip-2

A System Development Life Cycle to manage systems is implemented.

nist-csf-pr-ip-3

Configuration change control processes are in place.

nist-csf-pr-ip-4

Backups of information are conducted, maintained, and tested.

nist-csf-pr-ip-6

Data is destroyed according to policy.

nist-csf-pr-ip-9

Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.

nist-csf-pr-ma-1

Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools.

nist-csf-pr-pt

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

nist-csf-pr-pt-1

Audit and log records are determined, documented, implemented, and reviewed in accordance with policy.

nist-csf-pr-pt-3

The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.

nist-csf-pr-pt-4

Communications and control networks are protected.

nist-csf-pr-pt-5

Mechanisms (for example, failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.

nist-csf-rc-im

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.

nist-csf-rc-rp-1

Recovery plan is executed during or after a cybersecurity incident.

nist-csf-rs-an

Analysis (RS.AN): Analysis is conducted to ensure effective response and support recovery activities.

nist-csf-rs-an-1

Notifications from detection systems are investigated.

nist-csf-rs-an-5

Processes are established to receive, analyze, and respond to vulnerabilities disclosed to the organization from internal and external sources (for example, internal testing, security bulletins, or security researchers).

nist-csf-rs-co-1

Personnel know their roles and order of operations when a response is needed.

nist-csf-rs-co-4

Coordination with stakeholders occurs consistent with response plans.

nist-csf-rs-im-2

Response strategies are updated.

nist-csf-rs-mi-2

Incidents are mitigated.

nist-csf-rs-rp-1

Response plan is executed during or after an incident.

PCI DSS v4.0.1

Supported cloud provider: Google Cloud

A regulatory framework that defines the mandatory PCI Data Security Standard (DSS) for businesses that process, store, or transmit cardholder data. PCI DSS defines specific technical and operational requirements to help protect cardholder data wherever it is processed, stored, or transmitted. PCI DSS provides a set of prescriptive technical and operational requirements to help prevent fraud. The framework aligns with PCI DSS v4.0.1.

This framework includes the cloud control groups and cloud controls in the following sections.

pci-dss-v4-1-2-1

Configuration standards for NSC rule sets must be defined, implemented, and maintained.

pci-dss-v4-1-2-6

Security features must be defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.

pci-dss-v4-1-3-1

Inbound traffic to the CDE must be restricted to only traffic that is necessary and all other traffic must be specifically denied.

pci-dss-v4-1-3-2

Outbound traffic from the CDE must be restricted to only traffic that is necessary and all other traffic must be specifically denied.

pci-dss-v4-1-4-1

NSCs are implemented between trusted and untrusted networks.

pci-dss-v4-1-4-2

Inbound traffic from untrusted networks to trusted networks must be restricted to the following: communications with system components that are authorized to provide publicly accessible services, protocols, and ports; stateful responses to communications initiated by system components in a trusted network; and all other traffic must be denied.

pci-dss-v4-1-4-3

Anti-spoofing measures must be implemented to detect and block forged source IP addresses from entering the trusted network.

pci-dss-v4-1-4-4

System components that store cardholder data must not be directly accessible from untrusted networks.

pci-dss-v4-10-1-1

All security policies and operational procedures that are identified in Requirement 10 are documented, kept up to date, in use, and known to all affected parties.

pci-dss-v4-10-2-1

Audit logs are enabled and active for all system components and cardholder data.

pci-dss-v4-10-2-1-1

Audit logs capture all individual user access to cardholder data.

pci-dss-v4-10-2-1-2

Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.

pci-dss-v4-10-2-1-4

Audit logs capture all invalid logical access attempts.

pci-dss-v4-10-3-3

Audit log files, including those for external-facing technologies, are promptly backed up to secure, central, internal log servers or other media that are difficult to modify.

pci-dss-v4-10-4-1-1

Automated mechanisms are used to perform audit log reviews.

pci-dss-v4-10-5-1

Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.

pci-dss-v4-11-5-1

Intrusion-detection and intrusion-prevention techniques are used to detect and/or prevent intrusions into the network as follows: all traffic is monitored at the perimeter of the CDE; all traffic is monitored at critical points in the CDE; personnel are alerted to suspected compromises; all intrusion-detection and prevention engines, baselines, and signatures are kept up to date.

pci-dss-v4-12-10-5

The security incident response plan includes monitoring and responding to alerts from security monitoring systems, including but not limited to: intrusion-detection and intrusion-prevention systems; network security controls; change-detection mechanisms for critical files; the change- and tamper-detection mechanism for payment pages; and detection of unauthorized wireless access points.

pci-dss-v4-12-5-1

An inventory of system components that are in scope for PCI DSS, including a description of function and use, is maintained and kept current.

pci-dss-v4-2-2-1

Configuration standards must be developed, implemented, and maintained to ensure that they cover all system components, address all known security vulnerabilities, are consistent with industry-accepted system hardening standards or vendor hardening recommendations, are updated as new vulnerability issues are identified, as defined in Requirement 6.3.1, and are applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment.

pci-dss-v4-2-2-3

Primary functions requiring different security levels must be managed to ensure the following: only one primary function exists on a system component, or primary functions with different security levels that exist on the same system component are isolated from each other, or primary functions with different security levels on the same system component are all secured to the level required by the function with the highest security need.

pci-dss-v4-2-2-4

Only necessary services, protocols, daemons, and functions must be enabled, and all unnecessary functionality must be removed or disabled.

pci-dss-v4-2-2-5

If any insecure services, protocols, or daemons are present, ensure that the business justification is documented and additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons.

pci-dss-v4-2-2-6

System security parameters must be configured to prevent misuse.

pci-dss-v4-2-2-7

All non-console administrative access must be encrypted using strong cryptography.

pci-dss-v4-3-2-1

Account data storage must be kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that must include at least the following: coverage for all locations of stored account data; coverage for any sensitive authentication data (SAD) stored prior to completion of authorization; limiting data storage amount and retention time to that which is required for legal or regulatory, and business requirements; specific retention requirements for stored account data that defines length of retention period and includes a documented business justification; processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy; and a process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable.

pci-dss-v4-3-3-2

SAD that is stored electronically prior to completion of authorization must be encrypted using strong cryptography.

pci-dss-v4-3-3-3

Issuers and companies that support issuing services and store sensitive authentication data must ensure that any storage of sensitive authentication data is limited to that which is needed for a legitimate issuing business need and is secured and encrypted using strong cryptography.

pci-dss-v4-3-5-1

PAN is rendered unreadable anywhere it is stored by using any of the following approaches: one-way hashes based on strong cryptography of the entire PAN; truncation (hashing cannot be used to replace the truncated segment of PAN); if hashed and truncated versions of the same PAN, or different truncation formats of the same PAN, are present in an environment, additional controls are in place such that the different versions cannot be correlated to reconstruct the original PAN; index tokens; and strong cryptography with associated key-management processes and procedures.

pci-dss-v4-3-5-1-3

If disk-level or partition-level encryption is used (rather than file-, column-, or field-level database encryption) to render PAN unreadable, ensure the following: logical access is managed separately and independently of native operating system authentication and access control mechanisms; decryption keys are not associated with user accounts; and authentication factors (such as, passwords, passphrases, or cryptographic keys) that allow access to unencrypted data are stored securely.

pci-dss-v4-3-6-1

Procedures must be defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse, including restricting access to keys to the fewest number of custodians necessary.

pci-dss-v4-3-6-1-2

Secret and private keys used to protect stored account data must be stored in one (or more) of the following forms at all times: encrypted with a key-encrypting key that is at least as strong as the data-encrypting key and that is stored separately from the data-encrypting key; within a secure cryptographic device (SCD) (for example, a hardware security module (HSM) or a PTS-approved point-of-interaction device); or as at least two full-length key components or key shares, in accordance with an industry-accepted method.

pci-dss-v4-3-7-1

Key-management policies and procedures must be implemented to include generation of strong cryptographic keys used to protect stored account data.

pci-dss-v4-3-7-2

Key-management policies and procedures must be implemented to include secure distribution of cryptographic keys used to protect stored account data.

pci-dss-v4-3-7-3

Key-management policies and procedures must be implemented to include secure storage of cryptographic keys used to protect stored account data.

pci-dss-v4-3-7-5

Key-management policies and procedures must be implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary when: the key has reached the end of its defined cryptoperiod; the integrity of the key has been weakened (including when personnel with knowledge of a cleartext key component leave the company or the role for which the key component was known); or the key is suspected of or known to be compromised. Retired or replaced keys must not be used for encryption operations.

pci-dss-v4-4-2-1

Strong cryptography and security protocols must be implemented to safeguard PAN during transmission over open, public networks to ensure the following: only trusted keys and certificates are accepted; certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked; the protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations; and the encryption strength is appropriate for the encryption methodology in use.

pci-dss-v4-5-2-1

An anti-malware solution(s) must be deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that conclude the system components are not at risk from malware.

pci-dss-v4-5-2-2

The deployed anti-malware solution(s) must detect all known types of malware and remove, block, or contain all known types of malware.

pci-dss-v4-6-2-3

Bespoke and custom software must be reviewed prior to being released into production or to customers, to identify and correct potential coding vulnerabilities, as follows: code reviews ensure code is developed according to secure coding guidelines; code reviews look for both existing and emerging software vulnerabilities; and appropriate corrections are implemented prior to release.

pci-dss-v4-6-3-1

Security vulnerabilities must be identified and managed to ensure the following: new security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs); vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact; risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment; and vulnerabilities for bespoke and custom, and third-party software (for example, operating systems and databases) are covered.

pci-dss-v4-6-3-3

All system components must be protected from known vulnerabilities by installing applicable security patches or updates to ensure the following: patches or updates for critical vulnerabilities (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release; and all other applicable security patches or updates are installed within an appropriate time frame as determined by the entity’s assessment of the criticality of the risk to the environment as identified according to the risk ranking process at Requirement 6.3.1.

pci-dss-v4-6-4-1

For public-facing web applications, new threats and vulnerabilities must be addressed on an ongoing basis and these applications must be protected against known attacks using either of the following two methods. Method 1: reviewing public-facing web applications using manual or automated application vulnerability security assessment tools or methods as follows: at least once every 12 months and after significant changes; by an entity that specializes in application security; including, at a minimum, all common software attacks in Requirement 6.2.4; all vulnerabilities are ranked in accordance with Requirement 6.3.1; all vulnerabilities are corrected; and the application is re-evaluated after the corrections. Method 2: installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows: installed in front of public-facing web applications to detect and prevent web-based attacks; actively running and up to date as applicable; generating audit logs; and configured to either block web-based attacks or generate an alert that is immediately investigated.

pci-dss-v4-6-4-2

For public-facing web applications, an automated technical solution must be deployed that continually detects and prevents web-based attacks, with these minimum checks: installed in front of public-facing web applications and configured to detect and prevent web-based attacks; actively running and up to date as applicable; generating audit logs; and configured to either block web-based attacks or generate an alert that is immediately investigated.

pci-dss-v4-7-2-1

An access control model must be defined and include granting access as follows: appropriate access depending on the entity’s business and access needs; access to system components and data resources that is based on users’ job classification and functions; and the least privileges required (for example, user, administrator) to perform a job function.

pci-dss-v4-7-2-2

Access must be assigned to users (including privileged users) based on the job classification and function, and least privileges necessary to perform job responsibilities.

pci-dss-v4-7-2-5

All application and system accounts and related access privileges must be assigned and managed based on the least privileges necessary for the operability of the system or application and ensure that access is limited to the systems, applications, or processes that specifically require their use.

pci-dss-v4-7-3-1

An access control system(s) must be in place that restricts access based on a user’s need to know and covers all system components.

pci-dss-v4-7-3-2

The access control system(s) must be configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function.

pci-dss-v4-7-3-3

The access control system(s) must be set to deny all by default.

pci-dss-v4-8-2-1

All users must be assigned a unique ID before access to system components or cardholder data is allowed.

pci-dss-v4-8-2-3

Service providers with remote access to customer premises must use unique authentication factors for each customer premises.

pci-dss-v4-8-2-5

Access for terminated users must be immediately revoked.

pci-dss-v4-8-2-8

If a user session has been idle for more than 15 minutes, the user must re-authenticate to reactivate the terminal or session.

pci-dss-v4-8-3-1

All user access to system components for users and administrators must be authenticated using at least one of the following authentication factors: something you know (for example, a password or passphrase); something you have (for example, a token device or smart card); and something you are (for example, a biometric element).

pci-dss-v4-8-3-2

Strong cryptography must be used to render all authentication factors unreadable during transmission and storage on all system components.

pci-dss-v4-8-3-9

If passwords or passphrases are used as the only authentication factor for user access (in any single-factor authentication implementation) then they must be changed at least once every 90 days, or the security posture of accounts must be dynamically analyzed, and real-time access to resources must be automatically determined accordingly.

pci-dss-v4-8-6-2

Passwords or passphrases for any application and system accounts that can be used for interactive login must not be hard coded in scripts, configuration or property files, or bespoke and custom source code.

pci-dss-v4-8-6-3

Passwords or passphrases for any application and system accounts must be protected against misuse by ensuring the following: passwords or passphrases are changed periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1) and upon suspicion or confirmation of compromise; and passwords or passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords or passphrases.

Security Essentials

Supported cloud provider: Google Cloud

Google Cloud Security Essentials provides a foundational security and compliance baseline for Google Cloud customers. The framework is built on Google's extensive threat intelligence and best practices, giving you visibility into your security posture and helping you meet common compliance requirements right from the start.

This framework includes the following cloud controls:

SOC2 2017

Supported cloud provider: Google Cloud

A regulatory framework that an independent auditor can use to evaluate and report on your organization's controls that are relevant to the AICPA's Trust Services Criteria, such as Security and Availability. The resulting audit report provides you with an evaluation of your organization's systems and the data that they handle. The framework aligns with SOC 2 2017 (With Revised Points of Focus - 2022).

This framework includes the cloud control groups and cloud controls in the following sections.

soc2-2017-a-1-2-11

Management identifies threats to data recoverability (such as ransomware attacks) that could impair the availability of the system and related data and implements mitigation procedures.

soc2-2017-a-1-2-8

Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur.

soc2-2017-c-1-1-2

Confidential information is retained for no longer than necessary to fulfill the identified purpose, unless a law or regulation specifically requires otherwise.

soc2-2017-c-1-1-3

Policies and procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information.

soc2-2017-c-1-2-2

Policies and procedures are in place to automatically or manually erase or otherwise destroy confidential information that has been identified for destruction.

soc2-2017-cc-1-3-3

Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization.

soc2-2017-cc-2-1-2

Information systems capture internal and external sources of data.

soc2-2017-cc-2-1-6

The entity identifies, documents, and maintains records of system components such as infrastructure, software, and other information assets. Information assets include physical endpoint devices and systems, virtual systems, data and data flows, external information systems, and organizational roles.

soc2-2017-cc-2-2-1

A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities.

soc2-2017-cc-3-2-5

Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk.

soc2-2017-cc-3-2-7

The entity identifies the vulnerabilities of system components, including system processes, infrastructure, software,

soc2-2017-cc-4-1-1

Management includes a balance of ongoing and separate evaluations.

soc2-2017-cc-4-1-5

Ongoing evaluations are built into the business processes and adjust to changing conditions.

soc2-2017-cc-4-1-8

Management uses a variety of ongoing and separate risk and control evaluations to determine whether internal controls are present and functioning. Depending on the entity’s objectives, such risk and control evaluations may include first- and second-line monitoring and control testing, internal audit assessments, compliance assessments, resilience assessments, vulnerability scans, security assessment, penetration testing, and third-party assessments.

soc2-2017-cc-4-2-2

Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate.

soc2-2017-cc-5-2-2

Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.

soc2-2017-cc-5-2-3

Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats.

soc2-2017-cc-5-3-1

Management establishes control activities that are built into business processes and employees’ day-to-day activities through policies establishing what is expected and relevant procedures specifying actions.

soc2-2017-cc-6-1-10

The entity uses encryption to protect data at rest, during processing, or in transmission, when such protections are deemed appropriate based on the entity’s risk mitigation strategy.

soc2-2017-cc-6-1-11

The entity protects cryptographic keys during generation, storage, use, and destruction. Cryptographic modules, algorithms, key lengths, and architectures are appropriate based on the entity’s risk mitigation strategy.

soc2-2017-cc-6-1-12

Logical access to and use of confidential information is restricted to identified purposes.

soc2-2017-cc-6-1-3

The entity restricts logical access to information assets, including: infrastructure, for example server, storage, network elements, APIs, and endpoint devices; software; and data at rest, during processing, or in transmission, through the use of access control software, rule sets, and standard configuration hardening processes.

soc2-2017-cc-6-1-4

The entity identifies and authenticates persons, infrastructure, and software prior to accessing information assets, whether locally or remotely. The entity uses more complex or advanced user authentication techniques such as multifactor authentication when such protections are deemed appropriate based on its risk mitigation strategy.

soc2-2017-cc-6-1-5

The entity uses network segmentation, zero trust architectures, and other techniques to isolate unrelated portions of the entity's information technology from each other based on the entity’s risk mitigation strategy.

soc2-2017-cc-6-1-7

Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules and configuration standards for information assets.

soc2-2017-cc-6-1-9

New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use.

soc2-2017-cc-6-2-3

Processes are in place to disable, destroy, or otherwise prevent the use of access credentials when no longer valid.

soc2-2017-cc-6-3-2

Processes are in place to remove access to protected information assets when no longer required.

soc2-2017-cc-6-3-3

The entity uses access control structures, such as role-based access controls, to restrict access to protected information assets, limit privileges, and support segregation of incompatible functions.

soc2-2017-cc-6-5-1

Procedures are in place to remove, delete, or otherwise render data and software inaccessible from physical assets and other devices owned by the entity, its vendors, and employees when the data and software are no longer required on the asset or the asset will no longer be under the control of the entity.

soc2-2017-cc-6-6

The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

soc2-2017-cc-6-6-1

The types of activities that can occur through a communication channel, for example FTP site, router port, are restricted.

soc2-2017-cc-6-6-4

Boundary protection systems, for example, firewalls, demilitarized zones, intrusion detection or prevention systems, and endpoint detection and response systems, are configured, implemented, and maintained to protect external access points.

soc2-2017-cc-6-7-1

Data loss prevention processes and technologies are used to restrict the ability to authorize and execute transmission, movement, and removal of information.

soc2-2017-cc-6-7-2

Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points.

soc2-2017-cc-6-8-1

The ability to install and modify applications and software is restricted to authorized individuals. Utility software capable of bypassing normal operating or security procedures is limited to use by authorized individuals and is monitored regularly.

soc2-2017-cc-6-8-2

Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software.

soc2-2017-cc-7-1-1

The entity has defined configuration standards to be used for hardening systems.

soc2-2017-cc-7-1-3

The IT system includes a change-detection mechanism, for example, file integrity monitoring tools, to alert personnel to unauthorized modifications of critical system files, configuration files, or content files.

soc2-2017-cc-7-1-5

The entity conducts infrastructure and software vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after significant changes are made to the environment. Action is taken to remediate identified deficiencies in a timely manner to support the achievement of the entity’s objectives.

soc2-2017-cc-7-2-1

Detection policies, procedures, and tools are defined and implemented on infrastructure and software to identify potential intrusions, inappropriate access, and anomalies in the operation of or unusual activity on systems. Procedures may include a defined governance process for security event detection and management, use of intelligence sources to identify newly discovered threats and vulnerabilities, and logging of unusual system activities.

soc2-2017-cc-7-2-2

Detection measures are designed to identify anomalies that could result from actual or attempted compromise of physical barriers, unauthorized actions of authorized personnel, use of compromised identification and authentication credentials, unauthorized access from outside the system boundaries, compromise of authorized external parties, and implementation or connection of unauthorized hardware and software.

soc2-2017-cc-7-3-2

Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program, and actions are taken, if necessary.

soc2-2017-cc-8-1-1

A process for managing system changes throughout the life cycle of the system and its components (infrastructure, data, software, and manual and automated procedures) is used to support the achievement of entity objectives.

soc2-2017-cc-8-1-14

A process is in place to identify, evaluate, test, approve, and implement patches in a timely manner on infrastructure and software.

soc2-2017-cc-8-1-5

A process is in place to track system changes prior to implementation.

soc2-2017-p-4-2-1

Personal information is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise.

soc2-2017-p-4-2-2

Policies and procedures have been implemented to protect personal information from erasure or destruction during the specified retention period of the information.

soc2-2017-pi-1-2-3

Records of system input activities are created and maintained completely and accurately in a timely manner.

soc2-2017-pi-1-3-4

System processing activities are recorded completely and accurately in a timely manner.

soc2-2017-pi-1-5

The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.

soc2-2017-pi-1-5-1

Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications.

soc2-2017-pi-1-5-2

System records are archived, and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used.

What's next