Establish, implement, and maintain a shared resources management program.

CONTROL ID
07096
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a virtual environment and shared resources security program., CC ID: 06551

This Control has the following implementation support Control(s):
  • Maintain ownership of all shared resources., CC ID: 12180
  • Employ resource-isolation mechanisms in virtual environments., CC ID: 12178


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Privileged operating environments are not virtualised within unprivileged operating environments. (Control: ISM-1687; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Privileged operating environments are not virtualised within unprivileged operating environments. (Control: ISM-1687; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Data is separated securely and strictly on jointly used virtual and physical resources (storage network, memory) according to a documented concept in order to guarantee the confidentiality and integrity of the stored and processed data. (Section 5.6 RB-23 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • How are shared resources (such as processing, memory, and storage) managed to ensure they cannot be manipulated—for example by overloading—in order to gain access to other client environments or data? (Appendix D, Build and Maintain a Secure Network Bullet 9, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Examine the authentication policies and procedures to verify they define physical controls and/or logical controls for ensuring only the authorized individual can use the authentication measure to gain access. (Testing Procedures § 8.6.a Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Logical controls and/or physical controls must be implemented to ensure only the authorized individual can use the authentication mechanism to gain access. (PCI DSS Requirements § 8.6 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Identifying all segmentation controls in use and the environment(s) from which the CDE is segmented, including justification for environments being out of scope. (12.5.2 Bullet 5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Identifying all segmentation controls in use and the environment(s) from which the CDE is segmented, including justification for environments being out of scope. (12.5.2 Bullet 5, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Identifying all segmentation controls in use and the environment(s) from which the CDE is segmented, including justification for environments being out of scope. (12.5.2 Bullet 5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Staff traveling to 'high-risk' countries or regions should protect sensitive information from targeted attack by using temporary or loan mobile devices (including laptops, netbooks, tablets, and smartphones). (CF.14.01.07a, The Standard of Good Practice for Information Security)
  • Staff traveling to 'high-risk' countries or regions should protect sensitive information from targeted attack by using temporary or loan mobile devices (including laptops, netbooks, tablets, and smartphones). (CF.14.01.05a, The Standard of Good Practice for Information Security, 2013)
  • The cloud service customer should define its requirements for segregating networks to achieve tenant isolation in the shared environment of a cloud service and verify that the cloud service provider meets those requirements. (§ 13.1.3 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The information system prevents unauthorized and unintended information transfer via shared system resources. (SC-4 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system prevents unauthorized and unintended information transfer via shared system resources. (SC-4 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Prevent unauthorized and unintended information transfer via shared system resources. (SC.3.182, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Prevent unauthorized and unintended information transfer via shared system resources. (SC.3.182, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Prevent unauthorized and unintended information transfer via shared system resources. (SC.3.182, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Prevent unauthorized and unintended information transfer via shared system resources. (SC.L2-3.13.4 Shared Resource Control, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The information system prevents unauthorized and unintended information transfer via shared system resources. (SC-4 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system prevents unauthorized and unintended information transfer via shared system resources. (SC-4 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Prevent unauthorized and unintended information transfer via shared system resources. (SC-4 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Prevent unauthorized and unintended information transfer via shared system resources. (SC-4 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Prevent unauthorized and unintended information transfer via shared system resources. (SC-4 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Prevent unauthorized and unintended information transfer via shared system resources. (SC-4 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Prevent unauthorized and unintended information transfer via shared system resources. (SC-4 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Prevent unauthorized and unintended information transfer via shared system resources. (SC-4 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The information system prevents unauthorized and unintended information transfer via shared system resources. (SC-4 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system prevents unauthorized and unintended information transfer via shared system resources. (SC-4 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Prevent unauthorized and unintended information transfer via shared system resources. (3.13.4, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Prevent unauthorized and unintended information transfer via shared system resources. (3.13.4, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Prevent unauthorized and unintended information transfer via shared system resources. (3.13.4, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The Information System must prevent shared system resources from transferring unauthorized information and unintended information. (App F § SC-4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should not share the resources that are used for interfacing with systems that operate at different security levels. (App F § SC-4(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system prevents unauthorized and unintended information transfer via shared system resources. (SC-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system prevents unauthorized information transfer via shared resources in accordance with {organizationally documented procedures} when system processing explicitly switches between different information classification levels or security categories. (SC-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system prevents unauthorized and unintended information transfer via shared system resources. (SC-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system prevents unauthorized and unintended information transfer via shared system resources. (SC-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system prevents unauthorized and unintended information transfer via shared system resources. (SC-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system prevents unauthorized and unintended information transfer via shared system resources. (SC-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system prevents unauthorized and unintended information transfer via shared system resources. (SC-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system prevents unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories. (SC-4(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Prevent unauthorized and unintended information transfer via shared system resources. (SC-4 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Prevent unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories. (SC-4(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Prevent unauthorized and unintended information transfer via shared system resources. (SC-4 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Prevent unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories. (SC-4(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The information system prevents unauthorized and unintended information transfer via shared system resources. (SC-4 Control, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The information system prevents unauthorized and unintended information transfer via shared system resources. (SC-4 Control, TX-RAMP Security Controls Baseline Level 2)