diff --git a/api/CHANGELOG.md b/api/CHANGELOG.md
index 96cdb90536..de87a15942 100644
--- a/api/CHANGELOG.md
+++ b/api/CHANGELOG.md
@@ -13,9 +13,10 @@ All notable changes to the **Prowler API** are documented in this file.
 - Attack Paths: Queries definition now has short description and attribution [(#9983)](https://github.com/prowler-cloud/prowler/pull/9983)
 - Attack Paths: Internet node is created while scan [(#9992)](https://github.com/prowler-cloud/prowler/pull/9992)
 - Attack Paths: Add full paths set from [pathfinding.cloud](https://pathfinding.cloud/) [(#10008)](https://github.com/prowler-cloud/prowler/pull/10008)
-- Support CSA CCM for the AWS provider [(#10018)](https://github.com/prowler-cloud/prowler/pull/10018)
+- Support CSA CCM 4.0 for the AWS provider [(#10018)](https://github.com/prowler-cloud/prowler/pull/10018)
 - Support CSA CCM 4.0 for the GCP provider [(#10042)](https://github.com/prowler-cloud/prowler/pull/10042)
-- Support CSA CCM for the Azure provider [(#10039)](https://github.com/prowler-cloud/prowler/pull/10039)
+- Support CSA CCM 4.0 for the Azure provider [(#10039)](https://github.com/prowler-cloud/prowler/pull/10039)
+- Support CSA CCM 4.0 for the Oracle Cloud provider [(#10057)](https://github.com/prowler-cloud/prowler/pull/10057)
 
 ### 🔐 Security
 
diff --git a/api/src/backend/tasks/jobs/export.py b/api/src/backend/tasks/jobs/export.py
index 3bf02e12f6..48b0260468 100644
--- a/api/src/backend/tasks/jobs/export.py
+++ b/api/src/backend/tasks/jobs/export.py
@@ -36,8 +36,9 @@ from prowler.lib.outputs.compliance.cis.cis_kubernetes import KubernetesCIS
 from prowler.lib.outputs.compliance.cis.cis_m365 import M365CIS
 from prowler.lib.outputs.compliance.cis.cis_oraclecloud import OracleCloudCIS
 from prowler.lib.outputs.compliance.csa.csa_aws import AWSCSA
-from prowler.lib.outputs.compliance.csa.csa_gcp import GCPCSA
 from prowler.lib.outputs.compliance.csa.csa_azure import AzureCSA
+from prowler.lib.outputs.compliance.csa.csa_gcp import GCPCSA
+from prowler.lib.outputs.compliance.csa.csa_oraclecloud import OracleCloudCSA
 from prowler.lib.outputs.compliance.ens.ens_aws import AWSENS
 from prowler.lib.outputs.compliance.ens.ens_azure import AzureENS
 from prowler.lib.outputs.compliance.ens.ens_gcp import GCPENS
@@ -137,6 +138,7 @@ COMPLIANCE_CLASS_MAP = {
     ],
     "oraclecloud": [
         (lambda name: name.startswith("cis_"), OracleCloudCIS),
+        (lambda name: name.startswith("csa_"), OracleCloudCSA),
     ],
     "alibabacloud": [
         (lambda name: name.startswith("cis_"), AlibabaCloudCIS),
diff --git a/dashboard/compliance/csa_ccm_4_0_oraclecloud.py b/dashboard/compliance/csa_ccm_4_0_oraclecloud.py
new file mode 100644
index 0000000000..346576729d
--- /dev/null
+++ b/dashboard/compliance/csa_ccm_4_0_oraclecloud.py
@@ -0,0 +1,31 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_kisa_ismsp
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    data["REQUIREMENTS_ID"] = (
+        data["REQUIREMENTS_ID"] + " - " + data["REQUIREMENTS_DESCRIPTION"]
+    )
+
+    data["REQUIREMENTS_ID"] = data["REQUIREMENTS_ID"].apply(
+        lambda x: x[:150] + "..." if len(str(x)) > 150 else x
+    )
+
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_kisa_ismsp(
+        aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
+    )
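Review bot: `get_table` in the new dashboard module rewrites `data["REQUIREMENTS_ID"]` in place, so the caller's DataFrame comes back with its requirement IDs replaced by the truncated `id - description` string and a second call on the same frame would append the description again; selecting the columns into `aux` first (including `REQUIREMENTS_DESCRIPTION`) and doing the concatenation and truncation there keeps the caller's frame intact, as sketched below. Separately, `warnings.filterwarnings("ignore")` at module import silences every warning for the whole dashboard process, not just this module; if a specific pandas warning is the target, narrow it with `category=` or `message=`, or wrap the offending call in `warnings.catch_warnings()` — unless the sibling dashboard modules deliberately share this pattern, in which case it is worth a comment saying so. The function also has no docstring and reuses a helper named for another framework, so a line such as `"""Build the CSA CCM 4.0 (Oracle Cloud) section containers; reuses the KISA ISMS-P section/requirement layout."""` would tell the next reader why that helper is the right one here.
```python
def get_table(data):
    """Build the CSA CCM 4.0 (Oracle Cloud) section containers; leaves `data` untouched."""
    aux = data[
        [
            "REQUIREMENTS_ID",
            "REQUIREMENTS_DESCRIPTION",
            # … unchanged: the other six columns …
        ]
    ].copy()
    aux["REQUIREMENTS_ID"] = (
        aux["REQUIREMENTS_ID"] + " - " + aux["REQUIREMENTS_DESCRIPTION"]
    )
    aux["REQUIREMENTS_ID"] = aux["REQUIREMENTS_ID"].apply(
        lambda x: x[:150] + "..." if len(str(x)) > 150 else x
    )
    aux = aux.drop(columns=["REQUIREMENTS_DESCRIPTION"])
    # … unchanged: return get_section_containers_kisa_ismsp(...) …
```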
diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index c4c53ef93b..abc3abf684 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -12,7 +12,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - AI Skills: Added a skill for creating new Attack Paths queries in openCypher, compatible with Neo4j and Neptune [(#9975)](https://github.com/prowler-cloud/prowler/pull/9975)
 - CSA CCM 4.0 for the AWS provider [(#10018)](https://github.com/prowler-cloud/prowler/pull/10018)
 - CSA CCM 4.0 for the GCP provider [(#10042)](https://github.com/prowler-cloud/prowler/pull/10042)
-- CSA CCM for the Azure provider [(#10039)](https://github.com/prowler-cloud/prowler/pull/10039)
+- CSA CCM 4.0 for the Azure provider [(#10039)](https://github.com/prowler-cloud/prowler/pull/10039)
+- CSA CCM 4.0 for the Oracle Cloud provider [(#10057)](https://github.com/prowler-cloud/prowler/pull/10057)
 - OCI regions updater script and CI workflow [(#10020)](https://github.com/prowler-cloud/prowler/pull/10020)
 - `image` provider for container image scanning with Trivy integration [(#9984)](https://github.com/prowler-cloud/prowler/pull/9984)
 
diff --git a/prowler/__main__.py b/prowler/__main__.py
index 2d7f7df1cb..3b2b32d9be 100644
--- a/prowler/__main__.py
+++ b/prowler/__main__.py
@@ -67,8 +67,9 @@ from prowler.lib.outputs.compliance.cis.cis_m365 import M365CIS
 from prowler.lib.outputs.compliance.cis.cis_oraclecloud import OracleCloudCIS
 from prowler.lib.outputs.compliance.compliance import display_compliance_table
 from prowler.lib.outputs.compliance.csa.csa_aws import AWSCSA
-from prowler.lib.outputs.compliance.csa.csa_gcp import GCPCSA
 from prowler.lib.outputs.compliance.csa.csa_azure import AzureCSA
+from prowler.lib.outputs.compliance.csa.csa_gcp import GCPCSA
+from prowler.lib.outputs.compliance.csa.csa_oraclecloud import OracleCloudCSA
 from prowler.lib.outputs.compliance.ens.ens_aws import AWSENS
 from prowler.lib.outputs.compliance.ens.ens_azure import AzureENS
 from prowler.lib.outputs.compliance.ens.ens_gcp import GCPENS
@@ -1072,6 +1073,18 @@ def prowler():
                 )
                 generated_outputs["compliance"].append(cis)
                 cis.batch_write_data_to_file()
+            elif compliance_name == "csa_ccm_4.0_oraclecloud":
+                filename = (
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
+                )
+                csa_ccm_4_0_oraclecloud = OracleCloudCSA(
+                    findings=finding_outputs,
+                    compliance=bulk_compliance_frameworks[compliance_name],
+                    file_path=filename,
+                )
+                generated_outputs["compliance"].append(csa_ccm_4_0_oraclecloud)
+                csa_ccm_4_0_oraclecloud.batch_write_data_to_file()
             else:
                 filename = (
                     f"{output_options.output_directory}/compliance/"
diff --git a/prowler/compliance/oraclecloud/csa_ccm_4.0_oraclecloud.json b/prowler/compliance/oraclecloud/csa_ccm_4.0_oraclecloud.json
new file mode 100644
index 0000000000..300e32788d
--- /dev/null
+++ b/prowler/compliance/oraclecloud/csa_ccm_4.0_oraclecloud.json
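Review bot: The new `elif compliance_name == "csa_ccm_4.0_oraclecloud":` branch repeats the `filename` construction that the `else:` branch directly below it builds with the identical pair of f-strings, so the only thing specific to this branch is the `OracleCloudCSA` class and the local variable name. Unless `OracleCloudCSA` takes different arguments from the classes the generic path handles, a name-to-class lookup — the shape `COMPLIANCE_CLASS_MAP` already has in `api/src/backend/tasks/jobs/export.py` in this same diff — would avoid a twelve-line branch per provider and would also stop the CLI and the API from routing the same framework differently (exact match on `"csa_ccm_4.0_oraclecloud"` here, `name.startswith("csa_")` there). `prowler()` starts well before this hunk and the `else:` branch continues past it, so I cannot see from here whether the generic path would already serve this class.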
@@ -0,0 +1,7307 @@ +{ + "Framework": "CSA-CCM", + "Name": "CSA Cloud Controls Matrix (CCM) v4.0.13", + "Version": "4.0", + "Provider": "OracleCloud", + "Description": "The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing, composed of 197 control objectives structured in 17 domains covering all key aspects of cloud technology. The CCM can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain.", + "Requirements": [ + { + "Id": "A&A-02", + "Description": "Conduct independent audit and assurance assessments according to relevant standards at least annually.", + "Name": "Independent Assessments", + "Attributes": [ + { + "Section": "Audit & Assurance", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC4.1" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "AAC-02" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "1.5.2", + "5.2.6" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "AS1.1", + "AS2.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.18.2.1", + "27002: 18.2.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.35", + "27001: A.5.36" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "CA-2", + "CA-2(1)", + "CA-2(2)", + "CA-7", + "CA-7(1)" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "ID.IM-01" + ] + } + ] + } + ], + "Checks": [ + "cloudguard_enabled" + ] + }, + { + "Id": "A&A-04", + "Description": "Verify compliance with all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit.", + "Name": 
"Requirements Compliance", + "Attributes": [ + { + "Section": "Audit & Assurance", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC3.1" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "GRM-01", + "GRM-03" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "7.1.1" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "AS1.1", + "AS2.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: 9.3.2", + "27001: A.18.2.2", + "27002: 18.2.2", + "27001: A.18.2.3", + "27002: 18.2.3" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: 9.3.2", + "27001: A.5.31", + "27001: A.5.32", + "27001: A.5.33", + "27001: A.5.34", + "27001: A.5.36" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "CA-1" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "ID.GV-3", + "DE.DP-2" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "ID.IM-01" + ] + } + ] + } + ], + "Checks": [ + "cloudguard_enabled" + ] + }, + { + "Id": "AIS-04", + "Description": "Define and implement a SDLC process for application design, development, deployment, and operation in accordance with security requirements defined by the organization.", + "Name": "Secure Application Design and Development", + "Attributes": [ + { + "Section": "Application & Interface Security", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "CSP-Owned", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC6.8", + "CC8.1" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "AIS-01", + "AIS-03" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "16.1" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "1.3.4", + "5.3.1" + ] + }, + { + 
"ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "SD1.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.14.1.1", + "27002: 14.1.1", + "27017: 14.1.1", + "27001: A.14.1.2", + "27002: 14.1.2", + "27017: 14.1.2", + "27001: A.14.2.1", + "27002: 14.2.1", + "27017: 14.2.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.8", + "27001: A.8.25", + "27001: A.8.26", + "27001: A.8.28" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "PL-2", + "PL-8", + "PL-8(1)", + "SA-3", + "SA-3(1)", + "SA-4", + "SA-4(2)", + "SA-4(3)", + "SA-4(8)", + "SA-4(9)", + "SA-5", + "SA-8", + "SA-8(1)-(7)", + "SA-8(9)-(13)", + "SA-8(15)-(20)", + "SA-8(22)", + "SA-8(24)-(28)", + "SA-8(30)-(33)", + "SA-17", + "SA-17(1)-(9)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.DS-6", + "PR.DS-7", + "PR.IP-2" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "ID.AM-08", + "PR.IR-01", + "PR.PS-01", + "PR.PS-02", + "PR.PS-06" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "6.3" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "6.2.1", + "6.2.3", + "6.5.2" + ] + } + ] + } + ], + "Checks": [] + }, + { + "Id": "AIS-05", + "Description": "Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. 
Automate when applicable and possible.", + "Name": "Automated Application Security Testing", + "Attributes": [ + { + "Section": "Application & Interface Security", + "CCMLite": "No", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC6.8", + "CC8.1" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "AIS-01", + "AIS-03" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "16.12", + "16.13" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "SD2.3", + "SD2.5" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.14.2.8", + "27001: A.14.2.9", + "27001: A.12.1.2", + "27002: 12.1.2", + "27001: A.14.1.1", + "27002: 14.1.1", + "27001: A.14.2.2", + "27002: 14.2.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.8.25", + "27001: A.8.29", + "27001: A.8.32", + "27002: 8.25 (e)", + "27002: 8.32 (d)" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "SA-11", + "SA-11(1)-(9)", + "SI-6", + "SI-6(2)", + "SI-6(3)", + "SI-10", + "SI-10(1)-(6)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.IP-2", + "PR.PT-3", + "PR.IP-12", + "DE.CM-8" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "ID.AM-08", + "ID.RA-01", + "PR.PS-01", + "PR.PS-02" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "A.3.2.2", + "A.3.2.2.1", + "6.6" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "6.2.4", + "6.4.1", + "6.4.2", + "6.5.1" + ] + } + ] + } + ], + "Checks": [] + }, + { + "Id": "AIS-07", + "Description": "Define and implement a process to remediate application security vulnerabilities, automating remediation when possible.", + "Name": "Application Vulnerability Remediation", + "Attributes": [ + { + "Section": "Application & Interface Security", + "CCMLite": 
"Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC7.1", + "CC7.4", + "CC8.1" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "TVM-02" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "16.2", + "16.6" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TM1.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.16.1.5", + "27002: 16.1.5", + "27017: 16.1.5", + "27001: A.12.6.1", + "27002: 12.6.1", + "27017: 12.6.1", + "27018: 12.6.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.26", + "27001: A.8.8", + "27002: 5.26 (j)" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "SI-2", + "SI-2(2)-(6)", + "SA-11", + "SA-11(2)", + "SA-15", + "SA-15(1)-(3)", + "SA-15(5)-(8)", + "SA-15(10)-(12)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.IP-2", + "PR.IP-12", + "DE.CM-8", + "RS.AN-5", + "RS.MI-3", + "PR.DS-6" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "ID.AM-08", + "ID.RA-01", + "ID.RA-06", + "ID.RA-08", + "PR.PS-02", + "PR.PS-06" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "6.2", + "6.5", + "6.5.1-10" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "6.3.1", + "11.3.1", + "11.3.1.1" + ] + } + ] + } + ], + "Checks": [] + }, + { + "Id": "BCR-08", + "Description": "Periodically backup data stored in the cloud. 
Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency.", + "Name": "Backup", + "Attributes": [ + { + "Section": "Business Continuity Management and Operational Resilience", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "A1.2", + "A1.3" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "BCR-11" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "11.1", + "11.2", + "11.3", + "11.4", + "11.5" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.2.8", + "5.2.9" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "SY2.3" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.12.3", + "27017: 12.3", + "27018: 12.3.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.8.13", + "27001: A.5.23", + "27001: A.5.30", + "27002: 8.13", + "27002: 5.23 2nd (i)" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "CP-4", + "CP-4(4)", + "CP-6", + "CP-6(1)-(3)", + "CP-9", + "CP-9(1)", + "CP-9(2)", + "CP-10", + "CP-10(2)", + "CP-10(4)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.IP-4", + "PR.DS-1" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.DS-01", + "PR.DS-11", + "RC.RP-03" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "9.5.1", + "12.10.1" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "12.10.1", + "10.3.3" + ] + } + ] + } + ], + "Checks": [ + "objectstorage_bucket_versioning_enabled" + ] + }, + { + "Id": "BCR-09", + "Description": "Establish, document, approve, communicate, apply, evaluate and maintain a disaster response plan to recover from natural and man-made disasters. 
Update the plan at least annually or upon significant changes.", + "Name": "Disaster Response Plan", + "Attributes": [ + { + "Section": "Business Continuity Management and Operational Resilience", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "A1.2", + "CC3.2" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.2.8", + "5.2.9", + "1.6.1", + "1.6.2", + "1.6.3" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "BC1.4", + "BC2.1", + "BC2.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.29", + "27001: A.5.30", + "27002: 5.29", + "27002: 5.30" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "CP-2(1)", + "CP-2(2)", + "CP-2(3)", + "CP-2(5)", + "CP-2(6)", + "CP-2(7)", + "CP-2(8)", + "PE-13", + "PE-13(1)", + "PE-13(2)", + "PE-13(4)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.IP-9", + "PR.IP-10", + "RC.IM-1", + "RC.IM-2" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "ID.IM-04" + ] + } + ] + } + ], + "Checks": [] + }, + { + "Id": "BCR-11", + "Description": "Supplement business-critical equipment with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards.", + "Name": "Equipment Redundancy", + "Attributes": [ + { + "Section": "Business Continuity Management and Operational Resilience", + "CCMLite": "No", + "IaaS": "CSP-Owned", + "PaaS": "CSP-Owned", + "SaaS": "CSP-Owned", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "A1.2", + "CC3.2" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "BCR-06" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.2.8" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "BC1.3" + ] + }, + { + "ReferenceId": "ISO/IEC 
27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.20", + "27001: A.7.11", + "27001: A.8.14", + "27002: 5.20 (t)", + "27002: 8.14 (c)" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "CP-2", + "CP-2(2)", + "CP-4(3)", + "CP-6", + "CP-6(1)", + "CP-7", + "CP-8", + "CP-8(1)-(3)", + "CP-9", + "CP-9(6)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "ID.BE-4", + "ID.BE-5" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "GV.OC-04", + "GV.OC-05", + "PR.IR-03" + ] + } + ] + } + ], + "Checks": [] + }, + { + "Id": "CCC-04", + "Description": "Restrict the unauthorized addition, removal, update, and management of organization assets.", + "Name": "Unauthorized Change Protection", + "Attributes": [ + { + "Section": "Change Control and Configuration Management", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC8.1" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "CCC-04" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.2.1", + "1.3.4", + "5.3.1" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "SY2.4", + "SM2.6" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.12.1.4", + "27002: 12.1.4", + "27001: A.12.4.2", + "27002: 12.4.2", + "27001: A.14.2.2", + "27017: 14.2.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.8.3", + "27001: A.8.4", + "27001: A.8.15", + "27001: A.8.31", + "27001: A.8.32" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "CA-7", + "CA-7(4)", + "CM-3", + "CM-3(1)", + "CM-3(5)", + "CM-3(7)", + "CM-3(8)", + "CM-5", + "CM-5(1)", + "CM-5(4)", + "CM-5(5)", + "CM-6", + "CM-6(1)", + "CM-6(2)", + "CM-7", + "CM-7(1)", + "CM-7(4)", + "CM-7(5)", + "CM-7(9)" + ] + }, + { + "ReferenceId": "NIST CSF 
v1.1", + "Identifiers": [ + "ID.AM-1", + "ID.AM-2", + "ID.AM-4", + "PR.MA-1", + "PR.MA-2", + "PR.AC-1" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "ID.AM-01", + "ID.AM-02", + "ID.AM-04", + "ID.AM-08", + "PR.PS-02", + "PR.PS-03", + "PR.PS-05", + "PR.AA-05" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "6.4.5.2" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "6.5.1", + "6.5.2" + ] + } + ] + } + ], + "Checks": [ + "events_rule_iam_group_changes", + "events_rule_iam_policy_changes", + "events_rule_user_changes", + "events_rule_vcn_changes" + ] + }, + { + "Id": "CCC-07", + "Description": "Implement detection measures with proactive notification in case of changes deviating from the established baseline.", + "Name": "Detection of Baseline Deviation", + "Attributes": [ + { + "Section": "Change Control and Configuration Management", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC8.1" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "GRM-01" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "1.5.1", + "1.5.2" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "SY2.4" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.14.2.2", + "27001: A.14.2.4", + "27001: A.12.4.1", + "27002: 12.4.1 (g)", + "27001: A.5.1.1", + "27017: 5.1.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.8.9", + "27001: A.8.15", + "27002: 8.9" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "CM-6", + "CM-6(2)", + "SI-2", + "SI-2(2)-(6)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.MA-1", + "PR.IP-1", + "DE.DP-4", + "PR.IP-3" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.PS-01", + 
"DE.CM-09", + "DE.AE-06" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "6.4.5.3", + "6.4.5.4", + "11.5", + "11.5.1" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "11.5.2", + "11.6.1" + ] + } + ] + } + ], + "Checks": [ + "cloudguard_enabled", + "events_rule_cloudguard_problems", + "events_rule_network_gateway_changes", + "events_rule_network_security_group_changes", + "events_rule_route_table_changes", + "events_rule_security_list_changes", + "events_rule_vcn_changes" + ] + }, + { + "Id": "CEK-03", + "Description": "Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.", + "Name": "Data Encryption", + "Attributes": [ + { + "Section": "Cryptography, Encryption & Key Management", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC6.1", + "CC6.7" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "EKM-03", + "EKM-04" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "3.6", + "3.1", + "3.11", + "11.3", + "16.11" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.1.1", + "5.1.2" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TS2.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.18.1.1", + "27001: A.18.1.2", + "27001: A.18.1.3", + "27001: A.18.1.4", + "27001: A.18.1.5", + "27001: A.10.1", + "27002: 10.1", + "27001: A.13.2.1", + "27002: 13.2.1", + "27001: A.18", + "27002: 18", + "27001: A.14.1.2", + "27002: 14.1.2", + "27001: A.14.1.3", + "27002 14.1.3 c)", + "27001 - A.10.1.1", + "27017 - 10.1.1", + "27001 - A.10.1.2", + "27017 - 10.1.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.14", + "27001: A.8.24", + "27002: 8.24 Other Information (a)" + ] + }, + { 
+ "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "AC-19", + "AC-19(5)", + "SC-8", + "SC-8(1)", + "SC-8(3)", + "SC-8(4)", + "SC-12", + "SC-12(2)", + "SC-12(3)", + "SC-28", + "SC-28(1)-(3)", + "SI-4", + "SI-4(10)", + "SI-7", + "SI-7(6)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.DS-1", + "PR.DS-2" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.DS-01", + "PR.DS-02" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "Requirement 3", + "2.2.3", + "2.3", + "3.4", + "3.5.3", + "4.1", + "8.2.1", + "PCI Glossary - Strong Cryptography" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "2.2.7", + "3.5.1", + "4.2.1", + "4.2.1.2", + "4.2.2" + ] + } + ] + } + ], + "Checks": [ + "blockstorage_block_volume_encrypted_with_cmk", + "blockstorage_boot_volume_encrypted_with_cmk", + "compute_instance_in_transit_encryption_enabled", + "filestorage_file_system_encrypted_with_cmk", + "objectstorage_bucket_encrypted_with_cmk" + ] + }, + { + "Id": "CEK-04", + "Description": "Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology.", + "Name": "Encryption Algorithm", + "Attributes": [ + { + "Section": "Cryptography, Encryption & Key Management", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC6.1", + "CC6.7" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "EKM-04" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "16.11" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.1.1", + "5.1.2" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TS2.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: 6.1.2", + "27001: 6.1.3", + "27001: A.8.2", + 
"27002: 8.2", + "27001: A.8.3", + "27001: A.10.1.1", + "27002: 10.1.1 (b)", + "27001: A.10.1.2", + "27002: 10.1.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: 6.1.2", + "27001: 6.1.3", + "27001: A.8.24", + "27001: A.5.12", + "27001: A.5.13", + "27002: 8.24 General (b)" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "SC-12", + "SC-12(2)", + "SC-12(3)", + "SC-28", + "SC-28(1)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.DS-1", + "PR.DS-2", + "ID.AM-5" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.DS-01", + "PR.DS-02", + "ID.AM-05" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "A2", + "Requirement 3", + "2.3", + "2.2.3", + "3.4", + "3.5.3", + "4.1", + "8.2.1", + "PCI Glossary - Strong Cryptography" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "2.2.7", + "3.5.1", + "4.2.1", + "4.2.1.2", + "4.2.2" + ] + } + ] + } + ], + "Checks": [] + }, + { + "Id": "CEK-08", + "Description": "CSPs must provide the capability for CSCs to manage their own data encryption keys.", + "Name": "CSC Key Management Capability", + "Attributes": [ + { + "Section": "Cryptography, Encryption & Key Management", + "CCMLite": "No", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TS2.2", + "SC2.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.10.1", + "27017: 10.1", + "27001: A.10.1.1", + "27017: 10.1.1", + "27001: A.10.1.2", + "27017: 10.1.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.23", + "27001: A.8.24" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "CP-9", + "CP-9(8)", + "SA-9", + "SA-9(6)", + "SC-12", + "SC-12(6)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + 
"ID.SC-3",
+ "ID.AM-6",
+ "PR.AC-1"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "GV.SC-05"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": [
+ "blockstorage_block_volume_encrypted_with_cmk",
+ "blockstorage_boot_volume_encrypted_with_cmk",
+ "filestorage_file_system_encrypted_with_cmk",
+ "objectstorage_bucket_encrypted_with_cmk"
+ ]
+ },
+ {
+ "Id": "CEK-10",
+ "Description": "Generate Cryptographic keys using industry accepted cryptographic libraries specifying the algorithm strength and the random number generator used.",
+ "Name": "Key Generation",
+ "Attributes": [
+ {
+ "Section": "Cryptography, Encryption & Key Management",
+ "CCMLite": "Yes",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "CCM v3.0.1",
+ "Identifiers": [
+ "EKM-04"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "16.11"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "5.1.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "TS2.2",
+ "TS2.3",
+ "SY1.2"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.10.1.1",
+ "27002: 10.1.1 (e)",
+ "27017: 10.1.1",
+ "27001: A.10.1.2",
+ "27002: 10.1.2",
+ "27002: 10.1.2 (a)",
+ "27017: 10.1.2"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.8.24",
+ "27002: 8.24 (d), Key management (a)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "SC-12",
+ "SC-12(2)",
+ "SC-12(3)",
+ "SC-13"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "PR.AC-1"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "PR.AA-01",
+ "PR.AA-05"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "2.2.3",
+ "3.6.1",
+ "PCI Glossary - Cryptographic Key Generation"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "3.6.1",
+ "3.6.1.1",
+ "3.7.1"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "CEK-12",
+ "Description": "Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements.",
+ "Name": "Key Rotation",
+ "Attributes": [
+ {
+ "Section": "Cryptography, Encryption & Key Management",
+ "CCMLite": "Yes",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "5.1.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "TS2.2"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.10.1.1",
+ "27017: 10.1.1",
+ "27001: A.10.1.2",
+ "27002: 10.1.2 e)",
+ "27017: 10.1.2"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.5.31",
+ "27001: A.8.24",
+ "27002: 5.31 Cryptography",
+ "27002: 8.24 Key management (e,m)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "SC-12",
+ "SC-12(2)",
+ "SC-12(3)",
+ "SC-13"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "PR.AC-1",
+ "ID.GV-3"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "PR.AA-01",
+ "PR.AA-05",
+ "GV.OC-03"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "3.7.4",
+ "3.7.5"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": [
+ "kms_key_rotation_enabled",
+ "identity_user_api_keys_rotated_90_days",
+ "identity_user_auth_tokens_rotated_90_days",
+ "identity_user_customer_secret_keys_rotated_90_days",
+ "identity_user_db_passwords_rotated_90_days"
+ ]
+ },
+ {
+ "Id": "CEK-14",
+ "Description": "Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, which include provisions for legal and regulatory requirements.",
+ "Name": "Key Destruction",
+ "Attributes": [
+ {
+ "Section": "Cryptography, Encryption & Key Management",
+ "CCMLite": "Yes",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "5.1.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "TS2.2"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.10.1.1",
+ "27017: 10.1.1",
+ "27017: 10.1.2",
+ "27001: A.10.1.2",
+ "27002: 10.1.2 (j)",
+ "27001: A.18.1.3",
+ "27002: 18.1.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.5.31",
+ "27001: A.8.24",
+ "27002: 5.31 Cryptography",
+ "27002: 8.24 Key management (j,m)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "SC-12",
+ "SC-12(2)",
+ "SC-12(3)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "PR.AC-1",
+ "PR.IP-6",
+ "ID.GV-3",
+ "PR.DS-3"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "PR.AA-01",
+ "PR.AA-05",
+ "ID.AM-08",
+ "GV.OC-03"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "3.6.4",
+ "3.6.5"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "3.7.4",
+ "3.7.5"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "DCS-06",
+ "Description": "Catalogue and track all relevant physical and logical assets located at all of the CSP's sites within a secured system.",
+ "Name": "Assets Cataloguing and Tracking",
+ "Attributes": [
+ {
+ "Section": "Datacenter Security",
+ "CCMLite": "Yes",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "AICPA TSC 2017",
+ "Identifiers": [
+ "CC6.1"
+ ]
+ },
+ {
+ "ReferenceId": "CCM v3.0.1",
+ "Identifiers": [
+ "DCS - 01"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "1.1",
+ "2.1"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "1.3.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "SM2.6"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.8.1.1",
+ "27002: 8.1.1",
+ "27017: 8.1.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.5.9"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "CM-8",
+ "CM-8(1)",
+ "CM-8(2)",
+ "CM-8(4)",
+ "CM-8(7)",
+ "CM-8(8)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "ID.AM-1",
+ "ID.AM-2",
+ "ID.AM-4",
+ "PR.AC-4"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "ID.AM-01",
+ "ID.AM-02",
+ "ID.AM-04"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "2.4",
+ "9.7.1",
+ "9.9.1",
+ "9.9.1.a",
+ "9.9.1.b",
+ "9.9.1.c",
+ "12.3.3",
+ "12.3.4"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "3.6.1.1",
+ "6.3.2",
+ "9.4.2",
+ "9.4.3",
+ "12.5.1"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "DSP-02",
+ "Description": "Apply industry accepted methods for the secure disposal of data from storage media such that data is not recoverable by any forensic means.",
+ "Name": "Secure Disposal",
+ "Attributes": [
+ {
+ "Section": "Data Security and Privacy Lifecycle Management",
+ "CCMLite": "No",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "AICPA TSC 2017",
+ "Identifiers": [
+ "CC6.1",
+ "CC6.2",
+ "CC6.3",
+ "CC6.4",
+ "CC6.5",
+ "CC6.7",
+ "P4.3"
+ ]
+ },
+ {
+ "ReferenceId": "CCM v3.0.1",
+ "Identifiers": [
+ "DSI-07"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "3.5"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "5.1.1",
+ "5.3.3",
+ "7.1.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "IM1.1",
+ "IM1.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.8.3.2",
+ "27002: 8.3.2",
+ "27001: A.11.2.7",
+ "27002: 11.2.7"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.7.10",
+ "27001: A.7.14",
+ "27001: A.8.10",
+ "27002: 7.10 (Secure reuse or disposal)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "PM-22",
+ "SI-12",
+ "SI-12(3)",
+ "SI-18",
+ "SI-18(1)",
+ "SI-18(4)",
+ "SI-18(5)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "PR.IP-6"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "GV.SC-10",
+ "PR.PS-02",
+ "PR.PS-03",
+ "ID.AM-08"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "3.1",
+ "9.8",
+ "9.8.1",
+ "9.8.2"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "3.2.1",
+ "3.7.5",
+ "9.4.7"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "DSP-03",
+ "Description": "Create and maintain a data inventory, at least for any sensitive data and personal data.",
+ "Name": "Data Inventory",
+ "Attributes": [
+ {
+ "Section": "Data Security and Privacy Lifecycle Management",
+ "CCMLite": "Yes",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "AICPA TSC 2017",
+ "Identifiers": [
+ "CC6.1"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "3.2"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "1.3.1",
+ "1.3.2",
+ "1.3.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "IM1.1",
+ "IM2.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.8.1.1",
+ "27002: 8.1.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.5.9",
+ "27001: A.8.12"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "CM-12",
+ "CM-12(1)",
+ "PM-5",
+ "PM-5(1)",
+ "SI-12",
+ "SI-12(1)",
+ "SI-19",
+ "SI-19(1)",
+ "SI-19(2)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "ID.AM-5"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "ID.AM-07"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "3.2.1",
+ "9.4.5"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "DSP-04",
+ "Description": "Classify data according to its type and sensitivity level.",
+ "Name": "Data Classification",
+ "Attributes": [
+ {
+ "Section": "Data Security and Privacy Lifecycle Management",
+ "CCMLite": "Yes",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "AICPA TSC 2017",
+ "Identifiers": [
+ "CC6.1",
+ "C1.1"
+ ]
+ },
+ {
+ "ReferenceId": "CCM v3.0.1",
+ "Identifiers": [
+ "DSI-01"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "3.7"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "1.3.1",
+ "1.3.2"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "IM1.2"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.8.2.1",
+ "27002: 8.2.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.5.12"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "AC-16",
+ "AC-16(9)",
+ "PM-22",
+ "PM-23",
+ "PT-2",
+ "PT-2(1)",
+ "SI-18",
+ "SI-18(2)",
+ "SI-19",
+ "SI-19(6)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "ID.AM-5"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "ID.AM-05",
+ "ID.AM-07"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "9.6.1"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "9.4.2",
+ "9.4.3"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "DSP-07",
+ "Description": "Develop systems, products, and business practices based upon a principle of security by design and industry best practices.",
+ "Name": "Data Protection by Design and Default",
+ "Attributes": [
+ {
+ "Section": "Data Security and Privacy Lifecycle Management",
+ "CCMLite": "Yes",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "AICPA TSC 2017",
+ "Identifiers": [
+ "PI1.2",
+ "PI1.3"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "16.1"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "5.3.1",
+ "5.3.2",
+ "5.3.3",
+ "5.3.4"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "SD2.2",
+ "IM1.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.14.1.1",
+ "27002:14.1.1",
+ "27001: A.14.2.5",
+ "27002:14.2.5"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.8.27",
+ "27001: A.8.28",
+ "27001: A.8.29",
+ "27002: 5.8 (Information security requirements a-i)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "PM-17",
+ "PM-24",
+ "PM-25",
+ "PT-2",
+ "PT-2(2)",
+ "SA-3",
+ "SA-4",
+ "SA-5",
+ "SA-8",
+ "SA-8(9)",
+ "SA-8(13)",
+ "SA-8(18)",
+ "SA-8(20)",
+ "SA-8(22)",
+ "SA-8(23)",
+ "SA-8(33)",
+ "SA-15",
+ "SA-15(12)",
+ "SC-3",
+ "SC-3(3)",
+ "SC-7",
+ "SC-7(24)",
+ "SC-8",
+ "SC-8(1)-(4)",
+ "SC-28",
+ "SC-28(1)",
+ "SI-12",
+ "SI-12(1)-(3)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "PR.IP-2",
+ "PR.PT-3",
+ "PR.AC-4"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "ID.AM-08",
+ "PR.PS-06"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "6.2.1"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": [
+ "objectstorage_bucket_not_publicly_accessible",
+ "database_autonomous_database_access_restricted",
+ "analytics_instance_access_restricted",
+ "integration_instance_access_restricted"
+ ]
+ },
+ {
+ "Id": "DSP-10",
+ "Description": "Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations.",
+ "Name": "Sensitive Data Transfer",
+ "Attributes": [
+ {
+ "Section": "Data Security and Privacy Lifecycle Management",
+ "CCMLite": "Yes",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "AICPA TSC 2017",
+ "Identifiers": [
+ "CC6.7"
+ ]
+ },
+ {
+ "ReferenceId": "CCM v3.0.1",
+ "Identifiers": [
+ "GRM-02",
+ "EKM-03"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "3.1",
+ "3.12",
+ "3.13"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "5.1.2",
+ "9.5.1",
+ "9.5.2",
+ "9.5.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "IM1.4",
+ "IM2.2"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.13.2.1",
+ "27002: 13.2.1",
+ "27001: A.8.3.3",
+ "27002: 8.3.3",
+ "27001: A.13.2.3",
+ "27002: 13.2.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.5.14",
+ "27001: A.7.10"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "AC-4",
+ "AC-4(23)-(25)",
+ "CA-3",
+ "CA-3(6)",
+ "CA-6",
+ "CA-6(1)",
+ "CA-6(2)",
+ "SC-4",
+ "SC-4(2)",
+ "SC-7",
+ "SC-7(10)",
+ "SC-7(24)",
+ "SC-8",
+ "SC-8(1)-(5)",
+ "SC-16",
+ "SC-16(1)-(3)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "PR.DS-2",
+ "PR.DS-5",
+ "PR.PT-4"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "PR.DS-02",
+ "PR.IR-01",
+ "ID.AM-03",
+ "GV.OC-03",
+ "ID.AM-07"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "4.1"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "4.1.1",
+ "4.2.1",
+ "4.2.2"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": [
+ "compute_instance_in_transit_encryption_enabled"
+ ]
+ },
+ {
+ "Id": "DSP-16",
+ "Description": "Data retention, archiving and deletion is managed in accordance with business requirements, applicable laws and regulations.",
+ "Name": "Data Retention and Deletion",
+ "Attributes": [
+ {
+ "Section": "Data Security and Privacy Lifecycle Management",
+ "CCMLite": "Yes",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "AICPA TSC 2017",
+ "Identifiers": [
+ "C1.1",
+ "C1.2",
+ "CC3.1",
+ "P4.2"
+ ]
+ },
+ {
+ "ReferenceId": "CCM v3.0.1",
+ "Identifiers": [
+ "GRM-02",
+ "BCR-11"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "3.4",
+ "3.5"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "5.1.1",
+ "5.3.1",
+ "7.1.2"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "IM1.1",
+ "IM2.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.18.1.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.5.33",
+ "27001: A.8.10",
+ "27002: 5.33 (b)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "SI-12",
+ "SI-12(1)-(3)",
+ "SI-18",
+ "SI-18(1)",
+ "SI-18(4)",
+ "SI-18(5)",
+ "SI-19",
+ "SI-19(2)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "PR.DS-3",
+ "PR.IP-6",
+ "ID.GV-3"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "ID.AM-08",
+ "GV.OC-03",
+ "GV.SC-10",
+ "PR.DS-11"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "3.1"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "3.2.1"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": [
+ "audit_log_retention_period_365_days"
+ ]
+ },
+ {
+ "Id": "DSP-17",
+ "Description": "Define and implement, processes, procedures and technical measures to protect sensitive data throughout it's lifecycle.",
+ "Name": "Sensitive Data Protection",
+ "Attributes": [
+ {
+ "Section": "Data Security and Privacy Lifecycle Management",
+ "CCMLite": "Yes",
+ "IaaS": "CSP-Owned",
+ "PaaS": "CSP-Owned",
+ "SaaS": "CSC-Owned",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "AICPA TSC 2017",
+ "Identifiers": [
+ "CC2.1",
+ "CC6.1",
+ "CC6.3",
+ "CC6.7",
+ "CC8.1",
+ "C1.1",
+ "P2.0",
+ "P3.0",
+ "P4.0",
+ "P5.0",
+ "P6.0"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "3.1",
+ "3.1",
+ "3.14"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "5.3.3",
+ "9.1.1",
+ "9.2.2"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "IM1.1",
+ "IM2.2"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.18.1.3",
+ "27002: 18.1.3",
+ "27001:A.18.1.4",
+ "27002:18.1.4"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.8.11",
+ "27001: A.8.12"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "PL-2",
+ "PM-22",
+ "PM-24",
+ "PT-7",
+ "PT-7(1)",
+ "PT-7(2)",
+ "PT-8",
+ "SC-8",
+ "SC-8(1)-(5)",
+ "SC-28",
+ "SC-28(1)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "PR.DS-1",
+ "PR.DS-2",
+ "PR.DS-5"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "PR.DS-01",
+ "PR.DS-02",
+ "PR.DS-10"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "3.0 (including all subsections)",
+ "4.0 (including all subsections)"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "3.1.1",
+ "4.1.1"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": [
+ "objectstorage_bucket_not_publicly_accessible",
+ "objectstorage_bucket_encrypted_with_cmk",
+ "database_autonomous_database_access_restricted",
+ "blockstorage_block_volume_encrypted_with_cmk",
+ "blockstorage_boot_volume_encrypted_with_cmk"
+ ]
+ },
+ {
+ "Id": "GRC-05",
+ "Description": "Develop and implement an Information Security Program, which includes programs for all the relevant domains of the CCM.",
+ "Name": "Information Security Program",
+ "Attributes": [
+ {
+ "Section": "Governance, Risk and Compliance",
+ "CCMLite": "No",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "CCM v3.0.1",
+ "Identifiers": [
+ "GRM-04"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "14.1"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "1.2.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "SG2.2"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: 4.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: 4.3"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "PM-1",
+ "PM-3",
+ "PM-14",
+ "PL-2",
+ "PM-18",
+ "PM-31"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "12.4.1",
+ "A.3.1"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "12.4.1",
+ "A3.1.1"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": [
+ "cloudguard_enabled"
+ ]
+ },
+ {
+ "Id": "IAM-02",
+ "Description": "Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.",
+ "Name": "Strong Password Policy and Procedures",
+ "Attributes": [
+ {
+ "Section": "Identity & Access Management",
+ "CCMLite": "No",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "CCM v3.0.1",
+ "Identifiers": [
+ "IAM-02",
+ "IAM-12",
+ "GRM-06",
+ "GRM-09"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "5.2"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "1.1.1",
+ "1.5.1",
+ "4.1.2",
+ "4.1.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "SA1.1",
+ "SA1.5"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: 5.1",
+ "27001: 5.2",
+ "27001: 7.3",
+ "27001: 7.4",
+ "27001: 7.5",
+ "27001: 9.1",
+ "27001: 9.3",
+ "27001: A.5",
+ "27002: 5",
+ "27001: A.9.4.3",
+ "27002: 9.4.3",
+ "27017: 9.4.3",
+ "27018: 9.4.3",
+ "27001: A.9.2.4",
+ "27002: 9.2.4",
+ "27017: 9.2.4",
+ "27001: A.7.2.2",
+ "27002: 7.2.2",
+ "27001: A.9.2.6",
+ "27002: 9.2.6",
+ "27001: A.9.2.3",
+ "27002: 9.2.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: 5.1",
+ "27001: 5.2",
+ "27001: 7.3",
+ "27001: 7.4",
+ "27001: 7.5",
+ "27001: 9.1",
+ "27001: 9.3",
+ "27001: A.5.1",
+ "27001: A.5.4",
+ "27001: A.5.17",
+ "27001: A.6.3",
+ "27001: A.8.5",
+ "27001: A.5.37"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "AC-2",
+ "AC-2(3)",
+ "AC-2(11)",
+ "AC-3",
+ "AC-3(3)",
+ "AC-12",
+ "AC-12(1)",
+ "IA-2",
+ "IA-2(10)",
+ "IA-5",
+ "IA-5(1)",
+ "IA-5(18)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "ID.GV-1",
+ "PR.AC-1",
+ "PR.AC-7"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "GV.PO-01",
+ "GV.PO-02",
+ "ID.IM-03",
+ "PR.AA-03"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "8.4",
+ "12.1",
+ "12.1.1",
+ "12.11"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "8.1.1",
+ "8.3.8"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": [
+ "identity_password_policy_minimum_length_14",
+ "identity_password_policy_expires_within_365_days",
+ "identity_password_policy_prevents_reuse"
+ ]
+ },
+ {
+ "Id": "IAM-03",
+ "Description": "Manage, store, and review the information of system identities, and level of access.",
+ "Name": "Identity Inventory",
+ "Attributes": [
+ {
+ "Section": "Identity & Access Management",
+ "CCMLite": "Yes",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "AICPA TSC 2017",
+ "Identifiers": [
+ "CC6.1",
+ "CC6.3"
+ ]
+ },
+ {
+ "ReferenceId": "CCM v3.0.1",
+ "Identifiers": [
+ "IAM-04",
+ "IAM-08",
+ "IAM-10"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "5.1",
+ "5.2"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "4.1.3",
+ "4.2.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "SA1.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: 9.2 (c)",
+ "27001: A.8.1.1",
+ "27002: 8.1.1",
+ "27001: A.9.4.1",
+ "27002: 9.4.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: 9.2 (c)",
+ "27001: A.5.15",
+ "27001: A.5.16",
+ "27001: A.5.18",
+ "27001: A.7.4",
+ "27001: A.8.15",
+ "27001: A.8.2",
+ "27001: A.8.3"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "AU-10",
+ "AU-10(1)",
+ "AU-10(2)",
+ "AU-16",
+ "AU-16(1)",
+ "IA-4",
+ "IA-4(8)",
+ "IA-4(9)",
+ "IA-5",
+ "IA-5(5)",
+ "IA-8",
+ "IA-8(4)",
+ "PM-5(1)",
+ "SA-8",
+ "SA-8(22)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "PR.AC-1",
+ "PR.AC-6",
+ "PR.AC-4"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "PR.AA-01",
+ "PR.AA-02",
+ "PR.AA-04",
+ "PR.AA-05"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "2.4.a"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "7.2.5",
+ "7.2.5.1"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": [
+ "identity_user_api_keys_rotated_90_days",
+ "identity_user_auth_tokens_rotated_90_days",
+ "identity_user_customer_secret_keys_rotated_90_days",
+ "identity_user_valid_email_address"
+ ]
+ },
+ {
+ "Id": "IAM-04",
+ "Description": "Employ the separation of duties principle when implementing information system access.",
+ "Name": "Separation of Duties",
+ "Attributes": [
+ {
+ "Section": "Identity & Access Management",
+ "CCMLite": "Yes",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "AICPA TSC 2017",
+ "Identifiers": [
+ "CC1.3",
+ "CC5.1",
+ "CC6.3"
+ ]
+ },
+ {
+ "ReferenceId": "CCM v3.0.1",
+ "Identifiers": [
+ "IAM-05"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "6.8"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "1.2.2",
+ "4.2.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "SA1.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.6.1.2",
+ "27002: 6.1.2"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.5.15",
+ "27001: A.5.18",
+ "27001: A.5.3",
+ "27001: A.8.2"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "AC-2",
+ "AC-2(3)",
+ "AC-2(11)",
+ "AC-6",
+ "AC-6(1)-(10)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "PR.AC-4"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "PR.AA-05"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "6.4",
+ "6.4.2"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "6.5.3",
+ "6.5.4",
+ "7.2.1",
+ "7.2.2"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": [
+ "identity_service_level_admins_exist",
+ "identity_iam_admins_cannot_update_tenancy_admins",
+ "identity_tenancy_admin_permissions_limited"
+ ]
+ },
+ {
+ "Id": "IAM-05",
+ "Description": "Employ the least privilege principle when implementing information system access.",
+ "Name": "Least Privilege",
+ "Attributes": [
+ {
+ "Section": "Identity & Access Management",
+ "CCMLite": "Yes",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "AICPA TSC 2017",
+ "Identifiers": [
+ "CC6.3"
+ ]
+ },
+ {
+ "ReferenceId": "CCM v3.0.1",
+ "Identifiers": [
+ "IAM-02",
+ "IAM-06",
+ "IVS-11"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "6.8"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "4.2.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "SA1.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.9.1.1",
+ "27002: 9.1.1",
+ "27001: A.9.1.2",
+ "27002: 9.1.2",
+ "27001: A.9.2.3",
+ "27002: 9.2.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.5.15",
+ "27001: A.8.2",
+ "27002: 5.15 (Other information 2nd (a))"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "AC-6",
+ "AC-6(4)",
+ "IA-12",
+ "IA-12(2)",
+ "IA-12(3)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "PR.AC-4"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "PR.AA-05"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "7.1",
+ "7.1.1",
+ "7.1.2"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "7.2.1",
+ "7.2.2",
+ "7.2.5",
+ "7.2.6"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": [
+ "identity_tenancy_admin_permissions_limited",
+ "identity_service_level_admins_exist",
+ "identity_no_resources_in_root_compartment",
+ "identity_non_root_compartment_exists"
+ ]
+ },
+ {
+ "Id": "IAM-07",
+ "Description": "De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies.",
+ "Name": "User Access Changes and Revocation",
+ "Attributes": [
+ {
+ "Section": "Identity & Access Management",
+ "CCMLite": "Yes",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "AICPA TSC 2017",
+ "Identifiers": [
+ "CC5.3",
+ "CC6.3"
+ ]
+ },
+ {
+ "ReferenceId": "CCM v3.0.1",
+ "Identifiers": [
+ "IAM-11"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "5.3",
+ "6.2"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "4.2.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "SA1.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.5.15",
+ "27001: A.5.18"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "AC-2",
+ "AC-2(1)",
+ "AC-2(2)",
+ "AC-2(6)",
+ "AC-2(8)",
+ "AC-3",
+ "AC-3(8)",
+ "AC-6",
+ "AC-6(7)",
+ "AU-10",
+ "AU-10(4)",
+ "AU-16",
+ "AU-16(1)",
+ "CM-7",
+ "CM-7(1)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "PR.AC-1",
+ "PR.AC-4",
+ "PR.IP-11"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "GV.RR-04",
+ "GV.SC-10",
+ "PR.AA-01",
+ "PR.AA-05"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "8.1.2",
+ "8.1.3"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "8.2.5",
+ "8.2.6"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": [
+ "identity_user_api_keys_rotated_90_days",
+ "identity_user_auth_tokens_rotated_90_days",
+ "identity_user_customer_secret_keys_rotated_90_days"
+ ]
+ },
+ {
+ "Id": "IAM-08",
+ "Description": "Review and revalidate user access for least privilege and separation of duties with a frequency that is commensurate with organizational risk tolerance.",
+ "Name": "User Access Review",
+ "Attributes": [
+ {
+ "Section": "Identity & Access Management",
+ "CCMLite": "Yes",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "AICPA TSC 2017",
+ "Identifiers": [
+ "CC6.2",
+ "CC6.3"
+ ]
+ },
+ {
+ "ReferenceId": "CCM v3.0.1",
+ "Identifiers": [
+ "IAM-10"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "5.1"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "4.2.1"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "SA1.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.9.2.5",
+ "27001: A.9.2.6",
+ "27001: A.9.4.1",
+ "27017: 9.4.1",
+ "27001: A.6.1.2",
+ "27001: A 9.2.5"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.5.3",
+ "27001: A.5.18",
+ "27001: A.8.3"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "AC-6",
+ "AC-6(4)",
+ "AC-6(8)",
+ "IA-8",
+ "IA-8(4)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "PR.AC-4"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "PR.AA-05"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "12.5.5"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "7.2.5.1",
+ "7.2.5",
+ "7.2.4"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": [
+ "identity_user_api_keys_rotated_90_days",
+ "identity_user_auth_tokens_rotated_90_days",
+ "identity_user_customer_secret_keys_rotated_90_days",
+ "identity_user_db_passwords_rotated_90_days"
+ ]
+ },
+ {
+ "Id": "IAM-09",
+ "Description": "Define, implement and evaluate processes, procedures and technical measures for the segregation of privileged access roles such that administrative access to data, encryption and key management capabilities and logging capabilities are distinct and separated.",
+ "Name": "Segregation of Privileged Access Roles",
+ "Attributes": [
+ {
+ "Section": "Identity & Access Management",
+ "CCMLite": "Yes",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "AICPA TSC 2017",
+ "Identifiers": [
+ "CC5.1",
+ "CC6.1",
+ "CC6.3"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "5.4"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "SA1.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.9.2.3",
+ "27002: 9.2.3",
+ "27017: 9.2.3",
+ "27018: 9.2.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.8.2",
+ "27001: A.8.18",
+ "27002: 8.2 (j)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "AC-6",
+ "AC-3(7)",
+ "AC-6(4)",
+ "AC-6(8)",
+ "IA-5",
+ "IA-5(6)",
+ "IA-8",
+ "IA-8(4)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "PR.AC-1",
+ "PR.AC-4"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "PR.AA-01",
+ "PR.AA-05"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "2.3",
+ "3.5.2",
+ "7.1.2",
+ "7.1.1"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "3.6.1",
+ "3.7.6",
+ "6.5.3",
+ "6.5.4",
+ "7.2.1",
+ "7.2.2",
+ "10.3.1"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": [
+ "identity_tenancy_admin_permissions_limited",
+ "identity_iam_admins_cannot_update_tenancy_admins",
+ "identity_tenancy_admin_users_no_api_keys"
+ ]
+ },
+ {
+ "Id": "IAM-10",
+ "Description": "Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access.",
+ "Name": "Management of Privileged Access Roles",
+ "Attributes": [
+ {
+ "Section": "Identity & Access Management",
+ "CCMLite": "Yes",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "AICPA TSC 2017",
+ "Identifiers": [
+ "CC6.1",
+ "CC6.2",
+ "CC6.3"
+ ]
+ },
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "5.1",
+ "6.5"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "SA1.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.9.2.3",
+ "27002: 9.2.3",
+ "27017: 9.2.3",
+ "27018: 9.2.3",
+ "27001: A.9.4.4",
+ "27002: 9.4.4",
+ "27017: 9.4.4"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.8.2",
+ "27001: A.8.18",
+ "27002: 8.2 (i)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "AC-2",
+ "AC-2(7)",
+ "AC-3",
+ "AC-3(4)",
+ "AC-3(11)",
+ "AC-3(13)",
+ "AC-3(14)",
+ "AC-6",
+ "AC-6(4)",
+ "AC-6(5)",
+ "AC-6(8)",
+ "AC-12",
+ "AC-12(3)",
+ "AC-17",
+ "AC-17(4)",
+ "IA-8",
+ "IA-8(4)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "PR.AC-4"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "PR.AA-05"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "7.1"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "7.2.1",
+ "7.2.2"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": [
+ "identity_tenancy_admin_permissions_limited",
+ "identity_tenancy_admin_users_no_api_keys",
+ "identity_iam_admins_cannot_update_tenancy_admins"
+ ]
+ },
+ {
+ "Id": "IAM-12",
+ "Description": "Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures.",
+ "Name": "Safeguard Logs Integrity",
+ "Attributes": [
+ {
+ "Section": "Identity & Access Management",
+ "CCMLite": "No",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "CIS v8.0",
+ "Identifiers": [
+ "3.3"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "4.2.1",
+ "5.2.4"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "TM1.2"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.12.4.1",
+ "27002: 12.4.1",
+ "27017: 12.4.1",
+ "27018: 12.4.1",
+ "27001: A.12.4.2",
+ "27002: 12.4.2",
+ "27017: 12.4.2",
+ "27018: 12.4.2",
+ "27001: A.12.4.3",
+ "27002: 12.4.3",
+ "27017: 12.4.3",
+ "27018: 12.4.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2022, 27002:2022",
+ "Identifiers": [
+ "27001: A.8.15",
+ "27001: A.8.18",
+ "27002: 8.15 Protection of Logs"
+ ]
+ },
+ {
+ "ReferenceId": "NIST 800-53 rev 5",
+ "Identifiers": [
+ "AC-2",
+ "AC-2(11)",
+ "AC-2(12)",
+ "IA-8",
+ "IA-8(4)",
+ "SA-8",
+ "SA-8(22)",
+ "SC-34",
+ "SC-34(1)",
+ "SC-34(2)",
+ "SC-36",
+ "SI-4",
+ "SI-4(5)"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v1.1",
+ "Identifiers": [
+ "PR.AC-4"
+ ]
+ },
+ {
+ "ReferenceId": "NIST CSF v2.0",
+ "Identifiers": [
+ "PR.AA-05"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v3.2.1",
+ "Identifiers": [
+ "10.5"
+ ]
+ },
+ {
+ "ReferenceId": "PCI DSS v4.0",
+ "Identifiers": [
+ "10.3.1",
+ "10.3.2",
+ "10.3.3",
+ "10.3.4"
+ ]
+ }
+ ]
+ }
+ ],
+ "Checks": [
+ "audit_log_retention_period_365_days"
+ ]
+ },
+ {
+ "Id": "IAM-13",
+ "Description": "Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs.",
+ "Name": "Uniquely Identifiable Users",
+ "Attributes": [
+ {
+ "Section": "Identity & Access Management",
+ "CCMLite": "No",
+ "IaaS": "Shared",
+ "PaaS": "Shared",
+ "SaaS": "Shared",
+ "ScopeApplicability": [
+ {
+ "ReferenceId": "AICPA TSC 2017",
+ "Identifiers": [
+ "CC6.1"
+ ]
+ },
+ {
+ "ReferenceId": "ENX ISA v6.0",
+ "Identifiers": [
+ "4.1.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISF SOGP 2022",
+ "Identifiers": [
+ "SA1.3"
+ ]
+ },
+ {
+ "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019",
+ "Identifiers": [
+ "27001: A.9.2.1",
+ "27002: 9.2.1"
+ ]
+ }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.16" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "AC-3", + "AC-3(14)", + "AC-24", + "AC-24(2)", + "AU-10", + "AU-10(1)", + "IA-2", + "IA-2(1)", + "IA-2(2)", + "IA-2(12)", + "IA-4", + "IA-4(1)", + "SA-8", + "SA-8(22)", + "SC-23", + "SC-23(3)", + "SC-40(4)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.AC-1", + "PR.AC-6" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.AA-01", + "PR.AA-02" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "8.1", + "8.2", + "8.6" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "8.2.1", + "8.2.2", + "8.2.4" + ] + } + ] + } + ], + "Checks": [ + "identity_user_mfa_enabled_console_access", + "identity_user_valid_email_address" + ] + }, + { + "Id": "IAM-14", + "Description": "Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. 
Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities.", + "Name": "Strong Authentication", + "Attributes": [ + { + "Section": "Identity & Access Management", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC6.1", + "CC6.2" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "IAM-02", + "IAM-05" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "6.3", + "6.5", + "12.5", + "12.7" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "4.1.2" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "SA1.3", + "SA1.4", + "SA1.8" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.9.1.2", + "27002: 9.1.2", + "27017: 9.1.2", + "27001: A.9.2.4", + "27002: 9.2.4", + "27017: 9.2.4", + "27001: A.9.4.2", + "27002: 9.4.2", + "27017: 9.4.2", + "27018: 9.4.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.15", + "27001: A.5.17", + "27001: A.8.5", + "27001: A.8.24", + "27002: 8.5", + "27002: 8.24 other information (d)" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "AC-6", + "AC-6(5)", + "AC-7", + "AC-7(4)", + "AU-10", + "AU-10(2)", + "IA-2", + "IA-2(1)", + "IA-2(2)", + "IA-2(8)", + "IA-2(12)", + "IA-3", + "IA-3(1)", + "IA-5", + "IA-5(2)", + "IA-5(7)", + "IA-5(9)", + "IA-5(10)", + "IA-5(12)", + "IA-5(14)-(16)", + "IA-8", + "IA-8(1)", + "IA-8(6)", + "SC-23", + "SC-23(3)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.AC-1", + "PR.AC-6", + "PR.AC-7" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.AA-01", + "PR.AA-02", + "PR.AA-03" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "8.1.2", + "8.1.3", + "8.1.6", + "8.2", + "8.3", + "8.3.2", + "12.3.2" + ] + 
}, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "7.2.1", + "8.3.1", + "8.3.2", + "8.4.1", + "8.4.2", + "8.4.3" + ] + } + ] + } + ], + "Checks": [ + "identity_user_mfa_enabled_console_access" + ] + }, + { + "Id": "IAM-15", + "Description": "Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords.", + "Name": "Passwords Management", + "Attributes": [ + { + "Section": "Identity & Access Management", + "CCMLite": "No", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC6.1", + "CC6.2" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "4.1.3" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "SA1.5" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.9.2.4", + "27002: 9.2.4", + "27017: 9.2.4", + "27018: 9.2.4", + "27001: A.9.3.1", + "27002: 9.3.1", + "27017: 9.3.1", + "27018: 9.3.1", + "27001: A.9.4.3", + "27002: 9.4.3", + "27017: 9.4.3", + "27018: 9.4.3" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.17" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "IA-4", + "IA-4(8)", + "IA-5", + "IA-5(1)", + "IA-5(8)", + "IA-5(18)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.AC-1" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.AA-01" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "8.2", + "8.2.1-6" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "2.2.2", + "2.3.1", + "8.3.5", + "8.3.6", + "8.3.7", + "8.3.8", + "8.3.9", + "8.3.10", + "8.3.10.1", + "8.6.2" + ] + } + ] + } + ], + "Checks": [ + "identity_password_policy_minimum_length_14", + "identity_password_policy_expires_within_365_days", + "identity_password_policy_prevents_reuse" + ] + }, + { + "Id": 
"IAM-16", + "Description": "Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized.", + "Name": "Authorization Mechanisms", + "Attributes": [ + { + "Section": "Identity & Access Management", + "CCMLite": "No", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC6.1", + "CC6.2", + "CC6.3" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "IAM-02" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "5.1" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "4.2.1" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "SA1.3", + "SA1.4" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.9.2.5", + "27002: 9.2.5", + "27017: 9.2.5", + "27018: 9.2.5" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.18" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "AC-3", + "AC-3(5)", + "AC-4", + "AC-4(17)", + "AC-4(21)", + "AC-4(22)", + "AC-6", + "AC-6(8)", + "AC-6(9)", + "AC-12", + "AC-12(1)", + "AC-20", + "AC-20(1)", + "AU-10", + "AU-10(1)", + "AU-10(2)", + "IA-2", + "IA-2(1)", + "IA-2(2)", + "IA-2(12)", + "IA-3", + "IA-3(1)", + "IA-5(1)", + "IA-5(2)", + "IA-5(5)", + "IA-5(8)", + "IA-5(10)", + "IA-5(12)", + "IA-8", + "IA-8(1)", + "IA-8(2)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.AC-1", + "PR.AC-4", + "PR.AC-6", + "PR.AC-7", + "PR.PT-1" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.AA-01", + "PR.AA-02", + "PR.AA-03", + "PR.AA-04", + "PR.AA-05", + "PR.PS-04" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "5.3", + "7.1.4" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "7.2.4", + "7.2.3", + "7.2.5.1" + ] + } + ] + } + ], + 
"Checks": [ + "identity_tenancy_admin_permissions_limited", + "identity_service_level_admins_exist", + "database_autonomous_database_access_restricted", + "analytics_instance_access_restricted", + "integration_instance_access_restricted" + ] + }, + { + "Id": "IPY-03", + "Description": "Implement cryptographically secure and standardized network protocols for the management, import and export of data.", + "Name": "Secure Interoperability and Portability Management", + "Attributes": [ + { + "Section": "Interoperability & Portability", + "CCMLite": "No", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC6.7" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "IPY-04" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.1.1", + "5.1.2" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "SY1.1", + "SY1.2", + "NC1.4" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.18.1", + "27001: A.15.1.1", + "27002: 15.1.1", + "27017: 15.1.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.19", + "27001: A.5.23", + "27001: A.5.31", + "27001: A.5.32", + "27001: A.5.33", + "27001: A.5.34" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "PT-2", + "PT-2(2)", + "SA-4", + "SC-16", + "SC-16(3)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.DS-2" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.DS-02" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "1.2.1", + "1.2.5", + "1.2.6", + "2.2.4", + "2.2.5", + "2.2.7", + "4.2.1" + ] + } + ] + } + ], + "Checks": [ + "compute_instance_in_transit_encryption_enabled" + ] + }, + { + "Id": "IVS-02", + "Description": "Plan and monitor the availability, quality, and adequate capacity of resources in order to 
deliver the required system performance as determined by the business.", + "Name": "Capacity and Resource Planning", + "Attributes": [ + { + "Section": "Infrastructure & Virtualization Security", + "CCMLite": "No", + "IaaS": "CSP-Owned", + "PaaS": "CSP-Owned", + "SaaS": "CSP-Owned", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "A1.1" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "IVS-04" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "SY2.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: 5.3", + "27001: 6.1", + "27001: 9.1", + "27001: A.12.1.3", + "27002: 12.1.3" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: 5.3 (b)", + "27001: 6.1", + "27001: 9.1", + "27001: A.8.6", + "27001: A.8.14" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "CP-2", + "CP-2(2)", + "SC-5", + "SC-5(2)", + "SC-4", + "SI-4" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.DS-4", + "ID.BE-5" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.IR-04", + "GV.OC-04" + ] + } + ] + } + ], + "Checks": [] + }, + { + "Id": "IVS-03", + "Description": "Monitor, encrypt and restrict communications between environments to only authenticated and authorized connections, as justified by the business. 
Review these configurations at least annually, and support them by a documented justification of all allowed services, protocols, ports, and compensating controls.", + "Name": "Network Security", + "Attributes": [ + { + "Section": "Infrastructure & Virtualization Security", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "CSP-Owned", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC6.1", + "CC6.7" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "IVS-06" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "3.8", + "3.1", + "12.2", + "13.6", + "13.9" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.1.2", + "5.2.7" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "NC1.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: 7.5", + "27001: 9.1", + "27001: A.13.1.1", + "27002: 13.1.1", + "27001: A.13.1.2", + "27002: 13.1.2", + "27001: A.13.1.3", + "27002: 13.1.3" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: 7.5", + "27001: 9.1", + "27001: A.5.15", + "27001: A.5.37", + "27001: A.8.5", + "27001: A.8.9", + "27001: A.8.16", + "27001: A.8.20", + "27001: A.8.21", + "27001: A.8.22", + "27001: A.8.24", + "27002: A.5.15 2nd c)", + "27002: 8.20", + "27002: 8.21", + "27002: 8.22", + "27002: 8.24" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "SC-1", + "SC-4", + "SC-7", + "SC-7(4)", + "SC-7(5)", + "SC-7(8)", + "SC-7(9)", + "SC-7(11)", + "SC-8", + "SC-8(1)", + "SC-11", + "SC-12", + "SC-16", + "SC-23", + "SC-29", + "SC-29(1)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.AC-5", + "PR.AC-7", + "PR.PT-4", + "DE.CM-1", + "DE.CM-7", + "PR.DS-2" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.IR-01", + "PR.AA-03", + "PR.AA-05", + "DE.CM-01", + "PR.DS-02", + "ID.AM-03" + ] + }, + 
{ + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "1.1.6", + "1.2", + "1.2.3", + "2.2", + "4.1.1", + "10.2" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "1.2.5", + "1.2.6", + "1.2.7", + "1.4.2", + "2.2.4", + "2.2.5", + "2.2.7", + "4.2.1", + "10.1.1" + ] + } + ] + } + ], + "Checks": [ + "network_vcn_subnet_flow_logs_enabled", + "network_default_security_list_restricts_traffic", + "network_security_group_ingress_from_internet_to_ssh_port", + "network_security_group_ingress_from_internet_to_rdp_port", + "network_security_list_ingress_from_internet_to_ssh_port", + "network_security_list_ingress_from_internet_to_rdp_port" + ] + }, + { + "Id": "IVS-04", + "Description": "Harden host and guest OS, hypervisor or infrastructure control plane according to their respective best practices, and supported by technical controls, as part of a security baseline.", + "Name": "OS Hardening and Base Controls", + "Attributes": [ + { + "Section": "Infrastructure & Virtualization Security", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "CSP-Owned", + "SaaS": "CSP-Owned", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC6.1", + "CC6.8", + "CC7.1" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "IVS-07", + "IVS-11" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "4.1", + "4.2" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "4.1.3", + "5.2.5" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "SY1.1", + "SY1.3", + "SY1.4" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: 7.5", + "27001: 9.1", + "27001: A.14.2.2", + "27002: 14.2.2", + "27001: A.14.2.3", + "27001 A.14.2.4", + "27018: 12.1.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: 7.5", + "27001: 9.1", + "27001: A.5.37", + "27001: A.8.5", + "27001: A.8.9", + "27001: A.8.16", + "27001: 
A.8.20", + "27001: A.8.22", + "27001: A.8.24", + "27002: 8.20", + "27002: 8.22", + "27002: 8.24" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "CM-6", + "CM-6(1)", + "SC-29", + "SC-29(1)", + "SC-2", + "SC-7", + "SC-7(12)", + "SC-30", + "SC-34", + "SC-35", + "SC-39", + "SC-44" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.IP-1", + "PR.PT-3" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.PS-01" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "2.2" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "2.2.1" + ] + } + ] + } + ], + "Checks": [ + "compute_instance_legacy_metadata_endpoint_disabled", + "compute_instance_secure_boot_enabled" + ] + }, + { + "Id": "IVS-06", + "Description": "Design, develop, deploy and configure applications and infrastructures such that CSP and CSC (tenant) user access and intra-tenant access is appropriately segmented and segregated, monitored and restricted from other tenants.", + "Name": "Segmentation and Segregation", + "Attributes": [ + { + "Section": "Infrastructure & Virtualization Security", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "CSP-Owned", + "ScopeApplicability": [ + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "IVS-09" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "4.2.1", + "5.3.4", + "5.2.7" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "SC2.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: 9.1", + "27001: A.13.1.3", + "27002: 13.1.3", + "27017: 13.1.3" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: 9.1", + "27001: A.5.15", + "27001: A.5.20", + "27001: A.8.3", + "27001: A.8.9", + "27001: A.8.16", + "27001: A.8.22", + "27002: 5.15 (b)", + "27002: 8.3 (b)", + "27002: 8.16 (b)" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 
5", + "Identifiers": [ + "SC-3", + "SC-7", + "SC-7(20)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.AC-4", + "PR.AC-5" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.AA-05", + "PR.IR-01", + "PR.PS-01", + "PR.PS-06", + "DE.CM-09" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "2.6", + "8.3.1", + "10.8", + "11.3", + "A3.2.1", + "A3.3.1" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "A1.1.1", + "A1.1.2", + "A1.1.3" + ] + } + ] + } + ], + "Checks": [ + "network_default_security_list_restricts_traffic", + "identity_non_root_compartment_exists", + "identity_no_resources_in_root_compartment" + ] + }, + { + "Id": "IVS-07", + "Description": "Use secure and encrypted communication channels when migrating servers, services, applications, or data to cloud environments. Such channels must include only up-to-date and approved protocols.", + "Name": "Migration to Cloud Environments", + "Attributes": [ + { + "Section": "Infrastructure & Virtualization Security", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC6.1", + "CC6.7" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "IVS-10" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.1.2" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "IM1.4", + "IM1.4", + "NC1.4", + "SC2.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.13.1.1", + "27002: 13.1.1", + "27017: 13.1.1", + "27018: 13.1.1", + "27001: A.13.1.2", + "27002: 13.1.2", + "27017: 13.1.2", + "27018: 13.1.2", + "27001: A.13.1.3", + "27002: 13.1.3", + "27017: 13.1.3", + "27018: 13.1.3", + "27001: A.13.2.1", + "27002: 13.2.1", + "27017: 13.2.1", + "27018: 13.2.1", + "27001: A.13.2.2", + "27002: 13.2.2", + "27017: 13.2.2", + "27018: 13.2.2", + 
"27001: A.13.2.3", + "27002: 13.2.3", + "27017: 13.2.3", + "27018: 13.2.3", + "27001: A.13.2.4", + "27002: 13.2.4", + "27017: 13.2.4", + "27018: 13.2.4" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.14", + "27001: A.8.20", + "27001: A.8.24", + "27002: 8.20 (e)", + "27002: 8.24 Guidance (b,f), other information (a)" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "AC-17", + "AC-20", + "SC-7", + "SC-7(28)", + "SC-8", + "SC-8(1)", + "SC-12", + "SC-23", + "SC-29", + "SI-7", + "SI-7(1)-(3)", + "SI-7(5)-(10)", + "SI-7(12)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.DS-2", + "PR.PT-4" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.DS-02" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "4.2.1" + ] + } + ] + } + ], + "Checks": [ + "compute_instance_in_transit_encryption_enabled" + ] + }, + { + "Id": "IVS-09", + "Description": "Define, implement and evaluate processes, procedures and defense-in-depth techniques for protection, detection, and timely response to network-based attacks.", + "Name": "Network Defense", + "Attributes": [ + { + "Section": "Infrastructure & Virtualization Security", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "CSP-Owned", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC6.6", + "CC6.8", + "CC7.1", + "CC7.2", + "CC7.5" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "IVS-13" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "13.3", + "13.8" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.2.3", + "5.2.4", + "5.2.5", + "5.2.7", + "5.3.2" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "NC1.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: 6.1", + "27001: 6.2", + "27001: A.14.1.2", + "27002: 14.1.2", + 
"27017: 14.1.2", + "27001: A.11.1.4", + "27002: 11.1.4", + "27017: 11.1.4", + "27018: 16.1.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: 6.1", + "27001: 6.2", + "27001: A.5.24", + "27001: A.5.26", + "27001: A.8.8", + "27001: A.8.16", + "27001: A.8.20", + "27001: A.8.21", + "27001: A.8.22", + "27001: A.8.26", + "27002: 8.8 (i)" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "PL-8", + "PL-8(1)", + "SC-5", + "SC-5(1)", + "SC-5(3)", + "SC-7", + "SC-7(13)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "DE.AE-1", + "DE.DP-1", + "DE.CM-1", + "DE.CM-7", + "PR.AC-5", + "RS.MI-2", + "PR.DS-2", + "RS.RP-1" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "ID.AM-03", + "DE.CM-01", + "PR.IR-01", + "RS.MA-01", + "RS.MI-01", + "RS.MI-02" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "6.6", + "1.1", + "1.2", + "1.3", + "1.5", + "12.10.5" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "1.1.1", + "1.3.1", + "1.3.2", + "1.3.3", + "1.4.1", + "1.4.2", + "1.4.3", + "1.4.4", + "1.4.5", + "1.5.1", + "12.10.1" + ] + } + ] + } + ], + "Checks": [ + "cloudguard_enabled", + "events_rule_cloudguard_problems" + ] + }, + { + "Id": "LOG-02", + "Description": "Define, implement and evaluate processes, procedures and technical measures to ensure the security and retention of audit logs.", + "Name": "Audit Logs Protection", + "Attributes": [ + { + "Section": "Logging and Monitoring", + "CCMLite": "No", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "IVS-01" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "8.1", + "8.9", + "8.1" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "3.1.3", + "5.1.2", + "5.2.4" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TM1.2" + ] + }, + { + "ReferenceId": "ISO/IEC 
27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.18.1.3", + "27002: 18.1.3" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.28", + "27001: A.5.33", + "27001: A.8.15" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "AU-4", + "AU-11" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.AC-4", + "PR.IP-4", + "PR.IP-6", + "PR.PT-1", + "PR.DS-1" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.AA-05", + "PR.DS-01", + "PR.DS-02", + "ID.AM-08", + "PR.DS-11", + "PR.PS-04" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "10.5", + "10.7" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "10.3.1", + "10.3.2", + "10.3.3", + "10.3.4", + "10.5.1" + ] + } + ] + } + ], + "Checks": [ + "audit_log_retention_period_365_days" + ] + }, + { + "Id": "LOG-03", + "Description": "Identify and monitor security-related events within applications and the underlying infrastructure. 
Define and implement a system to generate alerts to responsible stakeholders based on such events and corresponding metrics.", + "Name": "Security Monitoring and Alerting", + "Attributes": [ + { + "Section": "Logging and Monitoring", + "CCMLite": "No", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC6.8", + "CC7.3" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "SEF-03", + "SEF-05" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "8.5" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.2.4", + "5.2.7", + "1.6.1" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TM1.2", + "TM1.3" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.12.4.1", + "27002: 12.4.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.28", + "27001: A.8.15" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "AU-5", + "AU-5(2)", + "AU-13" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "DE.AE-1", + "DE.AE-2", + "DE.AE-3", + "DE.AE-5", + "DE.CM-1", + "DE.CM-2", + "DE.CM-3", + "DE.CM-4", + "DE.CM-5", + "DE.CM-6", + "DE.CM-7", + "DE.DP-1", + "DE.DP-4", + "DE.AE-4" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.PS-04", + "DE.AE-02", + "DE.AE-03", + "DE.AE-04", + "DE.AE-06", + "DE.AE-07", + "DE.AE-08", + "DE.CM-01", + "DE.CM-02", + "DE.CM-03", + "DE.CM-06", + "DE.CM-09" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "10.2" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "10.2.1", + "10.2.2", + "10.4.1.1", + "10.4.2.1", + "10.4.3" + ] + } + ] + } + ], + "Checks": [ + "cloudguard_enabled", + "events_rule_cloudguard_problems", + "events_notification_topic_and_subscription_exists", + "events_rule_local_user_authentication" 
+ ] + }, + { + "Id": "LOG-04", + "Description": "Restrict audit logs access to authorized personnel and maintain records that provide unique access accountability.", + "Name": "Audit Logs Access and Accountability", + "Attributes": [ + { + "Section": "Logging and Monitoring", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "IVS-01" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "3.14" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "3.1.1", + "4.1.2", + "4.1.3", + "4.2.1", + "5.2.4" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TM1.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.12.4.2", + "27001: A.12.4.1", + "27002: 12.4.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.33", + "27001: A.8.15" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "AU-9", + "AU-9(4)", + "AU-9(6)", + "AU-10" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.AC-1", + "PR.AC-4" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.AA-05", + "PR.PS-04" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "10.1", + "10.2.1", + "10.2.3", + "10.5.1", + "10.5.2" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "10.2.1.3", + "10.3.1" + ] + } + ] + } + ], + "Checks": [] + }, + { + "Id": "LOG-05", + "Description": "Monitor security audit logs to detect activity outside of typical or expected patterns. 
Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies.", + "Name": "Audit Logs Monitoring and Response", + "Attributes": [ + { + "Section": "Logging and Monitoring", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC7.2" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "8.8", + "8.11" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "1.6.1", + "1.6.2", + "5.2.4" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TM1.3" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.12.4.3", + "27002: 12.4.3" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.8.15", + "27001: A.8.16" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "AU-6", + "AU-6(1)", + "AU-6(5)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "DE.AE-3", + "PR.PT-1", + "RS.AN-1", + "RS.CO-1.", + "DE.AE-1", + "DE.AE-5", + "DE.DP-4" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "ID.AM-03", + "PR.PS-04", + "DE.AE-02", + "DE.AE-03", + "DE.AE-06", + "DE.AE-07", + "DE.AE-08", + "DE.CM-01", + "DE.CM-02", + "DE.CM-03", + "DE.CM-06", + "DE.CM-09" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "10.6", + "10.6.1" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "10.4.1.1", + "10.4.2.1" + ] + } + ] + } + ], + "Checks": [ + "events_rule_iam_group_changes", + "events_rule_iam_policy_changes", + "events_rule_identity_provider_changes", + "events_rule_idp_group_mapping_changes", + "events_rule_local_user_authentication", + "events_rule_network_gateway_changes", + "events_rule_network_security_group_changes", + "events_rule_route_table_changes", + "events_rule_security_list_changes", + 
"events_rule_user_changes", + "events_rule_vcn_changes", + "events_rule_cloudguard_problems" + ] + }, + { + "Id": "LOG-07", + "Description": "Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment.", + "Name": "Logging Scope", + "Attributes": [ + { + "Section": "Logging and Monitoring", + "CCMLite": "No", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC7.2" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "8.1" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.2.4" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TM1.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: 7.5.3", + "27001: A.12.4.1", + "27002: 12.4.1", + "27017: 12.4.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: 7.5.3", + "27001: A.8.15" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "AU-1", + "AU-14", + "AU-16" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "ID.SC-3", + "ID.SC-4", + "PR.PT-1", + "ID.GV-1" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.PS-04" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "10.3" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "10.2.1", + "10.2.2" + ] + } + ] + } + ], + "Checks": [ + "audit_log_retention_period_365_days", + "network_vcn_subnet_flow_logs_enabled", + "objectstorage_bucket_logging_enabled" + ] + }, + { + "Id": "LOG-08", + "Description": "Generate audit records containing relevant security information.", + "Name": "Log Records", + "Attributes": [ + { + "Section": "Logging and Monitoring", + "CCMLite": "No", + "IaaS": "Shared", + "PaaS": 
"Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC7.2" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "8.2" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.2.4" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TM1.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.12.4.1", + "27002: 12.4.1", + "27017: 12.4.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.8.15" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "AU-3", + "AU-3(1)", + "AU-3(3)", + "AU-6", + "AU-6(8)", + "AU-12", + "AU-12(1)", + "AU-12(2)", + "AU-12(3)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.PT-1", + "DE.AE-3", + "DE.CM-1", + "DE.CM-2", + "DE.CM-3", + "DE.CM-6", + "DE.CM-7" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.PS-04", + "DE.CM-01", + "DE.CM-02", + "DE.CM-03", + "DE.CM-06", + "DE.CM-09" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "10.3" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "10.2.2" + ] + } + ] + } + ], + "Checks": [ + "audit_log_retention_period_365_days", + "network_vcn_subnet_flow_logs_enabled", + "objectstorage_bucket_logging_enabled" + ] + }, + { + "Id": "LOG-09", + "Description": "The information system protects audit records from unauthorized access, modification, and deletion.", + "Name": "Log Protection", + "Attributes": [ + { + "Section": "Logging and Monitoring", + "CCMLite": "No", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "GRM-04", + "IVS-01" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.2.4", + "4.2.1" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TM1.2" + ] + }, + 
{ + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.12.4.2", + "27002: 12.4.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.8.15" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "AU-9", + "AU-9(2)", + "AU-9(3)", + "AU-9(4)", + "AU-12(3)", + "AU-12(3)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.AC-4", + "PR.IP-4", + "PR.IP-6", + "PR.PT-1", + "PR.DS-1", + "PR.DS-6" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.AA-05", + "PR.DS-01", + "PR.DS-02", + "PR.DS-11" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "10.5", + "10.5.1", + "10.5.2" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "10.3.1", + "10.3.2", + "10.3.3", + "10.3.4" + ] + } + ] + } + ], + "Checks": [ + "audit_log_retention_period_365_days" + ] + }, + { + "Id": "LOG-10", + "Description": "Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls.", + "Name": "Encryption Monitoring and Reporting", + "Attributes": [ + { + "Section": "Logging and Monitoring", + "CCMLite": "No", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC6.1", + "CC7.2" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "EKM-02", + "EKM-03" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "4.2.1", + "5.1.1", + "5.1.2" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TS2.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.10.1", + "27002: 10.1", + "27001: A.10.1.2", + "27017: 10.1.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.8.24" 
+ ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "AU-1", + "AU-9", + "AU-9(3)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "ID.GV-1", + "PR.PT-1" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.PS-04", + "DE.CM-09" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "10.1.1", + "10.2.1", + "10.4.1" + ] + } + ] + } + ], + "Checks": [ + "kms_key_rotation_enabled" + ] + }, + { + "Id": "LOG-11", + "Description": "Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys.", + "Name": "Transaction/Activity Logging", + "Attributes": [ + { + "Section": "Logging and Monitoring", + "CCMLite": "No", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC6.1", + "CC7.2" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "EKM-02" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.1.1" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TS2.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.10.1.2", + "27017: 10.1.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.8.24" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "AU-9", + "AU-9(3)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.PT-1", + "DE.AE-3" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.PS-04", + "DE.CM-09" + ] + } + ] + } + ], + "Checks": [ + "audit_log_retention_period_365_days" + ] + }, + { + "Id": "LOG-13", + "Description": "Define, implement and evaluate processes, procedures and technical measures for the reporting of anomalies and failures of the monitoring system and provide immediate notification to the accountable party.", + "Name": "Failures 
and Anomalies Reporting", + "Attributes": [ + { + "Section": "Logging and Monitoring", + "CCMLite": "No", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC2.3", + "CC7.3" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "SEF-03" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "1.6.1", + "5.2.4" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TM1.3" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.16.1.1", + "27002: 16.1.1", + "27001: A.16.1.2", + "27017: 16.1.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.24", + "27001: A.6.8", + "27002: 6.8 (g)" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "AU-5", + "AU-5(2)", + "AU-6", + "AU-6(3)", + "AU-6(4)", + "AU-6(5)", + "AU-16" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "DE.DP-3", + "DE.DP-4" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.PS-04", + "DE.AE-06" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "10.6" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "10.4.3", + "10.7.1", + "10.7.2", + "10.7.3" + ] + } + ] + } + ], + "Checks": [ + "cloudguard_enabled", + "events_rule_cloudguard_problems", + "events_notification_topic_and_subscription_exists" + ] + }, + { + "Id": "SEF-03", + "Description": "'Establish, document, approve, communicate, apply, evaluate and maintain a security incident response plan, which includes but is not limited to: relevant internal departments, impacted CSCs, and other business critical relationships (such as supply-chain) that may be impacted.'", + "Name": "Incident Response Plans", + "Attributes": [ + { + "Section": "Security Incident Management, E-Discovery, & Cloud Forensics", + "CCMLite": "Yes", + "IaaS": 
"Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC7.2", + "CC7.3", + "CC7.4" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "BCR-02" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "17.2", + "17.4" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "1.6.2", + "1.6.3" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TM2.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: 5.2", + "27001: 7.3", + "27001: 7.4", + "27001: 7.5", + "27001: A.16.1.5", + "27002: 16.1.5", + "27017: 16.1.5", + "27017: CLD.12.1.5", + "27018: 16.1.5" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: 5.2", + "27001: 7.3", + "27001: 7.4", + "27001: 7.5", + "27001: A.5.26", + "27002: 5.26 (e,f)" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "IR-1", + "IR-2", + "IR-2(1)-(3)", + "IR-3", + "IR-3(1)-(3)", + "IR-4", + "IR-4(1)-(15)", + "IR-5", + "IR-5(1)", + "IR-6", + "IR-6(1)-(3)", + "IR-7", + "IR-7(1)", + "IR-7(2)", + "IR-8", + "IR-8(1)", + "IR-9", + "IR-9(1)-(4)", + "PM-12" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "RS.CO-1", + "RS.CO-4", + "ID.AM-6", + "ID.GV-2", + "ID.SC-5", + "PR.IP-9", + "PR.IP10" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.AT-01", + "PR.AT-02", + "RS.MA-01", + "GV.SC-08", + "ID.IM-02", + "ID.IM-04", + "RC.RP-01" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "12.1", + "12.10.1" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "12.10.1", + "12.10.5" + ] + } + ] + } + ], + "Checks": [] + }, + { + "Id": "SEF-06", + "Description": "Define, implement and evaluate processes, procedures and technical measures supporting business processes to triage security-related events.", + "Name": "Event Triage 
Processes", + "Attributes": [ + { + "Section": "Security Incident Management, E-Discovery, & Cloud Forensics", + "CCMLite": "No", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC7.3" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "SEF-02" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "1.6.2" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TM1.3" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.16.1.4", + "27002: 16.1.4", + "27017: 16.1.4", + "27018: 16.1.4", + "27001: A.16.1.5", + "27002: 16.1.5", + "27017: 16.1.5", + "27018: 16.1.5" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.25" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "CA-7", + "CA-7(3)", + "CA-7(4)", + "CA-7(5)", + "CA-7(6)", + "IR-4", + "IR-4(1)", + "IR-4(3)", + "IR-4(4)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "DE.AE-1", + "DE.AE-2", + "DE.AE-4", + "RS.RP-1", + "RS.AN-2" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "RS.MA-02", + "RS.MA-03", + "RS.AN-03", + "DE.AE-02", + "DE.AE-04", + "DE.AE-06", + "DE.AE-07", + "DE.AE-08", + "RS.MI-02", + "RC.RP-02" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "12.5.2" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "12.10.1" + ] + } + ] + } + ], + "Checks": [ + "cloudguard_enabled" + ] + }, + { + "Id": "SEF-08", + "Description": "Maintain points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities.", + "Name": "Points of Contact Maintenance", + "Attributes": [ + { + "Section": "Security Incident Management, E-Discovery, & Cloud Forensics", + "CCMLite": "No", + "IaaS": "Shared", + "PaaS": "Shared", + 
"SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC2.3" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "SEF-01" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "17.2" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "1.6.2", + "1.6.3" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "SM2.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: 4.2", + "27001: A.6.1.3", + "27002: 6.1.3", + "27017: 6.1.3", + "27018: 6.1.3", + "27001: A.16.1.1", + "27002: 16.1.1", + "27001: A.18.1.1", + "27002: 18.1.1", + "27017: 18.1.1", + "27018: 18.1.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.5", + "27001: A.5.24", + "27002: 5.24 Incident management procedure (d)" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "IR-4", + "IR-4(8)", + "IR-6", + "IR-6(3)", + "IR-7", + "IR-7(2)", + "PM-21", + "PM-23", + "PM-26" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "ID.GV-2", + "RS.CO-3", + "RS.CO-4" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "GV.RR-02", + "RS.CO-02", + "RS.CO-03" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "12.10.1" + ] + } + ] + } + ], + "Checks": [] + }, + { + "Id": "TVM-02", + "Description": "Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect against malware on managed assets. 
Review and update the policies and procedures at least annually.", + "Name": "Malware Protection Policy and Procedures", + "Attributes": [ + { + "Section": "Threat & Vulnerability Management", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC5.3", + "CC6.8" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "TVM-01", + "GRM-06", + "GRM-09" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "9.7", + "10.1" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "1.1.1", + "1.5.1", + "5.2.3" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TS1.2", + "TS1.3" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: 5.1", + "27001: 5.2", + "27001: 7.3", + "27001: 7.4", + "27001: 7.5", + "27001: 9.1", + "27001: 9.3", + "27001: A.5", + "27002: 5", + "27001: A.12.2.1", + "27001: A.6.2.1", + "27002: 6.2.1 (h)", + "27001: A.6.2.2", + "27002: 6.2.2 (j)", + "27001: A.7.2.2", + "27002: 7.2.2 (d)", + "27001: A.10.1.1", + "27002: 10.1.1 (g)", + "27001: A.13.2.1", + "27002: 13.2.1 (b)", + "27001: A.15.1.2", + "27017: 15.1.2", + "27001: A.12.2.1", + "27002: 12.2.1 (a),(d)", + "27017: CLD.9.5.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: 5.1", + "27001: 5.2", + "27001: 7.3", + "27001: 7.4", + "27001: 7.5", + "27001: 9.1", + "27001: 9.3", + "27001: A.5.1", + "27001: A.5.4", + "27001: A.5.7", + "27001: A.5.37", + "27001: A.8.7", + "27002: 5.7 (b)" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "RA-3", + "RA-3(3)", + "RA-5", + "RA-5(3)", + "RA-5(5)", + "SI-3", + "SI-3(4)", + "SI-3(10)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "ID.GV-1", + "DE.CM-4", + "DE.CM-5" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "GV.PO-01", + "GV.PO-02", + 
"ID.IM-03", + "DE.CM-01", + "DE.CM-09" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "5.4", + "12.1", + "12.1.1", + "12.3.1", + "12.5.1", + "12.11" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "12.1.1", + "12.1.2", + "5.1.1", + "5.3.2.1" + ] + } + ] + } + ], + "Checks": [] + }, + { + "Id": "TVM-03", + "Description": "Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk.", + "Name": "Vulnerability Remediation Schedule", + "Attributes": [ + { + "Section": "Threat & Vulnerability Management", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC5.3", + "CC7.1", + "CC7.4" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "TVM-02" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "7.2", + "7.7", + "17.9" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.2.5" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TM1.1", + "TM2.3" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: 6.1.3", + "27001: A.12.2.1", + "27001: A.12.6.1", + "27002: 12.6.1(c)(d)(j)", + "27018: 12.6.1(k)(i)" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: 6.1.3", + "27001: A.8.7", + "27001: A.8.8", + "27001: A.8.32", + "27002: 8.7", + "27002: 8.8", + "27002: 8.32" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "PM-31", + "RA-3", + "RA-3(1)", + "RA-5", + "RA-5(2)-(4)", + "RA-5(6)", + "SI-3", + "SI-3(10)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "RS.AN-5", + "PR.IP-12" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "ID.RA-01", + "ID.RA-06", + "ID.RA-08", + "PR.PS-02", + 
"PR.PS-03" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "6.1", + "6.1.a", + "6.1.b" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "6.1.1", + "6.3.1", + "6.3.2", + "6.3.3", + "12.10.1" + ] + } + ] + } + ], + "Checks": [] + }, + { + "Id": "TVM-04", + "Description": "Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis.", + "Name": "Detection Updates", + "Attributes": [ + { + "Section": "Threat & Vulnerability Management", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC7.2" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "No mapping" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "10.2" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.2.3" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TS1.3", + "TS1.4", + "TM1.3", + "TM1.4", + "IM1.5" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: 6.1.3", + "27001: A.5.1.1", + "27002: 5.1.1 (h)", + "27001: A.12.6.1", + "27002: 12.6.1 (b),(c)" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: 6.1.3", + "27001: A.5.1", + "27001: A.8.8", + "27001: A.8.15", + "27001: A.8.16", + "27002: 5.1", + "27002: 5.37", + "27002: 8.8", + "27002: 8.15 (d)", + "27002: 8.16 (d,e)", + "27002: 8.31 2nd (a)" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "CM-7", + "CM-7(4)", + "RA-3", + "RA-3(3)", + "RA-5(2)", + "SA-10", + "SA-10(5)", + "SA-11", + "SA-11(2)", + "SI-2", + "SI-2(4)", + "SI-3", + "SI-3(4)", + "SI-4", + "SI-4(9)", + "SI-4(24)", + "SI-8", + "SI-8(2)", + "SI-8(3)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "DE.DP-5", 
+ "PR.IP-12" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.PS-02", + "ID.RA-02" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "5.2", + "5.2a", + "5.2b", + "5.2c" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "5.3.1" + ] + } + ] + } + ], + "Checks": [ + "cloudguard_enabled" + ] + }, + { + "Id": "TVM-05", + "Description": "Define, implement and evaluate processes, procedures and technical measures to identify updates for applications which use third party or open source libraries according to the organization's vulnerability management policy.", + "Name": "External Library Vulnerabilities", + "Attributes": [ + { + "Section": "Threat & Vulnerability Management", + "CCMLite": "No", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "CSP-Owned", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC3.2" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "No mapping" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "2.6" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TM1.1", + "SD2.3" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: 6.1.3", + "27001: A.12.6.2", + "27002: 12.6.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: 6.1.3", + "27001: A 5.6", + "27001: A.8.19", + "27001: A.8.8", + "27001: A.8.28", + "27001: A.8.31", + "27002: 5.6 (c)", + "27001: 8.19", + "27001: 8.8", + "27001: 8.28", + "27001: 8.31" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "RA-5", + "RA-5(3)", + "SA-11", + "SA-11(2)", + "SA-11(5)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "DE.DP-5", + "PR.IP-12" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "ID.RA-01", + "ID.RA-03", + "PR.PS-02" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "6.1", + 
"6.2", + "6.3.2" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "6.3.1", + "6.3.2", + "6.3.3" + ] + } + ] + } + ], + "Checks": [] + }, + { + "Id": "TVM-07", + "Description": "Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly.", + "Name": "Vulnerability Identification", + "Attributes": [ + { + "Section": "Threat & Vulnerability Management", + "CCMLite": "Yes", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC7.1" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "TVM-02" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "7.1", + "7.5", + "7.6" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.2.5", + "5.2.6" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "TM1.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.12.6", + "27001: A.12.6.1", + "27002: 12.6.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.8.8", + "27002: 8.8" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "RA-5", + "RA-5(4)", + "RA-5(5)", + "SA-11", + "SA-11(5)", + "SA-15(5)", + "SC-7", + "SC-7(10)", + "SI-3(8)", + "SI-3(10)", + "SI-7", + "SI-7(9)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "ID.RA-1", + "DE.CM-8", + "PR.IP-12" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "ID.RA-01" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "6.1", + "11.2", + "11.2.1" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "6.3.1", + "6.3.2", + "6.3.3", + "11.3.2", + "11.3.2.1" + ] + } + ] + } + ], + "Checks": [ + "cloudguard_enabled" + ] + }, + { + "Id": "UEM-08", + "Description": "Protect 
information from unauthorized disclosure on managed endpoint devices with storage encryption.", + "Name": "Storage Encryption", + "Attributes": [ + { + "Section": "Universal Endpoint Management", + "CCMLite": "No", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC6.1", + "CC6.7" + ] + }, + { + "ReferenceId": "CCM v3.0.1", + "Identifiers": [ + "MOS-11" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "3.6" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.1.2", + "3.1.4" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "PA1.2", + "PA1.3", + "PA1.5", + "PA2.2", + "PM1.4" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.11.2.7", + "27002: 11.2.7", + "27001: A.18.1.1", + "27017: 18.1.1", + "27001: A.12.3.1", + "27017: 12.3.1", + "27018: A.11.4", + "27018: A.11.5" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.8.1", + "27002: 8.1 (h)" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "AC-19(5)", + "SC-28", + "SC-28(1)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.DS-1" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.DS-01" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "3.4", + "3.6" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "3.5.1", + "3.6" + ] + } + ] + } + ], + "Checks": [ + "blockstorage_block_volume_encrypted_with_cmk", + "blockstorage_boot_volume_encrypted_with_cmk", + "filestorage_file_system_encrypted_with_cmk" + ] + }, + { + "Id": "UEM-11", + "Description": "Configure managed endpoints with Data Loss Prevention (DLP) technologies and rules in accordance with a risk assessment.", + "Name": "Data Loss Prevention", + "Attributes": [ + { + "Section": "Universal Endpoint Management", + 
"CCMLite": "No", + "IaaS": "Shared", + "PaaS": "Shared", + "SaaS": "Shared", + "ScopeApplicability": [ + { + "ReferenceId": "AICPA TSC 2017", + "Identifiers": [ + "CC6.7" + ] + }, + { + "ReferenceId": "CIS v8.0", + "Identifiers": [ + "3.13" + ] + }, + { + "ReferenceId": "ENX ISA v6.0", + "Identifiers": [ + "5.2.7" + ] + }, + { + "ReferenceId": "ISF SOGP 2022", + "Identifiers": [ + "IM1.5", + "PA2.2" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019", + "Identifiers": [ + "27001: A.12.3", + "27002: 12.3", + "27001: A.8.3.1", + "27002: 8.3.1", + "27001: A.12.2", + "27002: 12.2", + "27001: A.18.1.3", + "27002: 18.1.3", + "27001: A.6.1.1", + "27017: 6.1.1", + "27018: 12.3.1", + "27018: 10.1" + ] + }, + { + "ReferenceId": "ISO/IEC 27001:2022, 27002:2022", + "Identifiers": [ + "27001: A.5.12", + "27001: A.8.3" + ] + }, + { + "ReferenceId": "NIST 800-53 rev 5", + "Identifiers": [ + "SC-7", + "SC-7(10)" + ] + }, + { + "ReferenceId": "NIST CSF v1.1", + "Identifiers": [ + "PR.DS-5" + ] + }, + { + "ReferenceId": "NIST CSF v2.0", + "Identifiers": [ + "PR.DS-02", + "PR.DS-10", + "PR.PS-01", + "ID.AM-08", + "DE.CM-09" + ] + }, + { + "ReferenceId": "PCI DSS v3.2.1", + "Identifiers": [ + "A3.2.6" + ] + }, + { + "ReferenceId": "PCI DSS v4.0", + "Identifiers": [ + "A3.2.6" + ] + } + ] + } + ], + "Checks": [] + } + ] +} diff --git a/prowler/lib/outputs/compliance/csa/csa_oraclecloud.py b/prowler/lib/outputs/compliance/csa/csa_oraclecloud.py new file mode 100644 index 0000000000..9b3d36c168 --- /dev/null +++ b/prowler/lib/outputs/compliance/csa/csa_oraclecloud.py 
@@ -0,0 +1,96 @@ +from prowler.config.config import timestamp +from prowler.lib.check.compliance_models import Compliance +from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput +from prowler.lib.outputs.compliance.csa.models import OracleCloudCSAModel +from prowler.lib.outputs.finding import Finding + + +class OracleCloudCSA(ComplianceOutput): + """ + This class represents the OracleCloud CSA compliance output. + + Attributes: + - _data (list): A list to store transformed data from findings. + - _file_descriptor (TextIOWrapper): A file descriptor to write data to a file. + + Methods: + - transform: Transforms findings into OracleCloud CSA compliance format. + """ + + def transform( + self, + findings: list[Finding], + compliance: Compliance, + compliance_name: str, + ) -> None: + """ + Transforms a list of findings into OracleCloud CSA compliance format. + + Parameters: + - findings (list): A list of findings. + - compliance (Compliance): A compliance model. + - compliance_name (str): The name of the compliance model. 
+ + Returns: + - None + """ + for finding in findings: + # Get the compliance requirements for the finding + finding_requirements = finding.compliance.get(compliance_name, []) + for requirement in compliance.Requirements: + if requirement.Id in finding_requirements: + for attribute in requirement.Attributes: + compliance_row = OracleCloudCSAModel( + Provider=finding.provider, + Description=compliance.Description, + TenancyId=finding.account_uid, + Region=finding.region, + AssessmentDate=str(timestamp), + Requirements_Id=requirement.Id, + Requirements_Description=requirement.Description, + Requirements_Name=requirement.Name, + Requirements_Attributes_Section=attribute.Section, + Requirements_Attributes_CCMLite=attribute.CCMLite, + Requirements_Attributes_IaaS=attribute.IaaS, + Requirements_Attributes_PaaS=attribute.PaaS, + Requirements_Attributes_SaaS=attribute.SaaS, + Requirements_Attributes_ScopeApplicability=attribute.ScopeApplicability, + Status=finding.status, + StatusExtended=finding.status_extended, + ResourceId=finding.resource_uid, + ResourceName=finding.resource_name, + CheckId=finding.check_id, + Muted=finding.muted, + Framework=compliance.Framework, + Name=compliance.Name, + ) + self._data.append(compliance_row) + # Add manual requirements to the compliance output + for requirement in compliance.Requirements: + if not requirement.Checks: + for attribute in requirement.Attributes: + compliance_row = OracleCloudCSAModel( + Provider=compliance.Provider.lower(), + Description=compliance.Description, + TenancyId="", + Region="", + AssessmentDate=str(timestamp), + Requirements_Id=requirement.Id, + Requirements_Description=requirement.Description, + Requirements_Name=requirement.Name, + Requirements_Attributes_Section=attribute.Section, + Requirements_Attributes_CCMLite=attribute.CCMLite, + Requirements_Attributes_IaaS=attribute.IaaS, + Requirements_Attributes_PaaS=attribute.PaaS, + Requirements_Attributes_SaaS=attribute.SaaS, + 
Requirements_Attributes_ScopeApplicability=attribute.ScopeApplicability, + Status="MANUAL", + StatusExtended="Manual check", + ResourceId="manual_check", + ResourceName="Manual check", + CheckId="manual", + Muted=False, + Framework=compliance.Framework, + Name=compliance.Name, + ) + self._data.append(compliance_row) diff --git a/prowler/lib/outputs/compliance/csa/models.py b/prowler/lib/outputs/compliance/csa/models.py index 7d3acefcc6..3bc51bd4b9 100644 --- a/prowler/lib/outputs/compliance/csa/models.py +++ b/prowler/lib/outputs/compliance/csa/models.py @@ -59,6 +59,35 @@ class GCPCSAModel(BaseModel): Name: str +class OracleCloudCSAModel(BaseModel): + """ + OracleCloudCSAModel generates a finding's output in CSV CSA format for OracleCloud. + """ + + Provider: str + Description: str + TenancyId: str + Region: str + AssessmentDate: str + Requirements_Id: str + Requirements_Description: str + Requirements_Name: str + Requirements_Attributes_Section: str + Requirements_Attributes_CCMLite: str + Requirements_Attributes_IaaS: str + Requirements_Attributes_PaaS: str + Requirements_Attributes_SaaS: str + Requirements_Attributes_ScopeApplicability: list[dict] + Status: str + StatusExtended: str + ResourceId: str + CheckId: str + Muted: bool + ResourceName: str + Framework: str + Name: str + + class AzureCSAModel(BaseModel): """ AzureCSAModel generates a finding's output in CSV CSA format for Azure.
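Review bot: The two `OracleCloudCSAModel(...)` constructions in `transform` repeat the same thirteen compliance/requirement/attribute keyword arguments and differ only in the finding-specific fields, so any column later added to the model has to be threaded through both call sites and the manual branch is easy to leave out of sync. A small private builder that takes the shared `compliance`, `requirement` and `attribute` and accepts the per-row fields as keywords removes the duplication without changing the rows produced; the sketch below keeps the loop structure and every literal as written. Separately, `Provider` comes from `finding.provider` in the first loop but from `compliance.Provider.lower()` in the manual loop; presumably both yield the same provider string, but a one-line comment such as `# manual rows have no finding to read the provider from` would make the intent explicit. The requirement-per-finding nesting (`for requirement in compliance.Requirements` inside `for finding in findings`) is inherited from the sibling provider classes and not a defect here.
```python
    def transform(self, findings, compliance, compliance_name) -> None:
        # … unchanged: docstring …
        for finding in findings:
            finding_requirements = finding.compliance.get(compliance_name, [])
            for requirement in compliance.Requirements:
                if requirement.Id in finding_requirements:
                    for attribute in requirement.Attributes:
                        self._data.append(
                            self._build_row(
                                compliance,
                                requirement,
                                attribute,
                                Provider=finding.provider,
                                TenancyId=finding.account_uid,
                                Region=finding.region,
                                Status=finding.status,
                                StatusExtended=finding.status_extended,
                                ResourceId=finding.resource_uid,
                                ResourceName=finding.resource_name,
                                CheckId=finding.check_id,
                                Muted=finding.muted,
                            )
                        )
        # Requirements with no automated check are emitted once as MANUAL rows;
        # there is no finding to read the provider from, so use the compliance model's.
        for requirement in compliance.Requirements:
            if not requirement.Checks:
                for attribute in requirement.Attributes:
                    self._data.append(
                        self._build_row(
                            compliance,
                            requirement,
                            attribute,
                            Provider=compliance.Provider.lower(),
                            TenancyId="",
                            Region="",
                            Status="MANUAL",
                            StatusExtended="Manual check",
                            ResourceId="manual_check",
                            ResourceName="Manual check",
                            CheckId="manual",
                            Muted=False,
                        )
                    )

    @staticmethod
    def _build_row(compliance, requirement, attribute, **row_fields) -> OracleCloudCSAModel:
        """Build one output row from the shared compliance/requirement/attribute data plus the per-row fields."""
        return OracleCloudCSAModel(
            Description=compliance.Description,
            AssessmentDate=str(timestamp),
            Requirements_Id=requirement.Id,
            Requirements_Description=requirement.Description,
            Requirements_Name=requirement.Name,
            Requirements_Attributes_Section=attribute.Section,
            Requirements_Attributes_CCMLite=attribute.CCMLite,
            Requirements_Attributes_IaaS=attribute.IaaS,
            Requirements_Attributes_PaaS=attribute.PaaS,
            Requirements_Attributes_SaaS=attribute.SaaS,
            Requirements_Attributes_ScopeApplicability=attribute.ScopeApplicability,
            Framework=compliance.Framework,
            Name=compliance.Name,
            **row_fields,
        )
```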
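Review bot: `Requirements_Attributes_ScopeApplicability: list[dict]` is the only non-scalar column on `OracleCloudCSAModel`, and the class docstring says the model feeds a CSV output, so that field will presumably be stringified as a Python repr of the list when the row is written rather than as a structured value; it is worth confirming the CSV writer path handles it the same way as the existing `*CSAModel` classes do. A field comment such as `# list of {"ReferenceId": ..., "Identifiers": [...]} mappings from the compliance JSON; written out verbatim` would tell a consumer what to expect. The field order (`ResourceId`, `CheckId`, `Muted`, `ResourceName`) also differs from the keyword order used in `OracleCloudCSA.transform`; harmless for construction, but since column order in the output follows field order, aligning them keeps the two files easy to compare.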