Establish, implement, and maintain configuration standards for all systems based upon industry best practices.


CONTROL ID
11953
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a system hardening standard., CC ID: 00876

This Control has the following implementation support Control(s):
  • Include common security parameter settings in the configuration standards for all systems., CC ID: 12544
  • Apply configuration standards to all systems, as necessary., CC ID: 12503
  • Document and justify system hardening standard exceptions., CC ID: 06845
  • Configure security parameter settings on all system components appropriately., CC ID: 12041
  • Provide documentation verifying devices are not susceptible to known exploits., CC ID: 11987


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Secure Configurations/hardening for all hardware and software on Laptops, Workstations, and Servers and Network Devices such as Firewalls, Routers and Switches. Configuration management begins with well-tested and documented security baselines for various systems. There need to be documented securit… (Critical components of information security 24) viii. ¶ 1 b., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Given the critical role of security technologies as part of the information security framework, banks need to subject them to suitable controls across their lifecycle like guidelines on their usage, standards and procedures indicating the detailed objectives and requirements of individual informatio… (Critical components of information security 1) 4), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should configure IT systems and devices with security settings that are consistent with the expected level of protection. The FI should establish baseline standards to facilitate consistent application of security configurations to operating systems, databases, network devices and enterprise … (§ 9.3.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Mobile online services and payments are extensions of the online financial services and payments services which are offered by FIs and accessible from the internet via computers or laptops. The FI should implement security measures which are similar to those of online financial and payment systems o… (§ 12.2.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The security standards for the FI's hardware and software (e.g. operating systems, databases, network devices and endpoint devices) should outline the configurations that will minimise their exposure to cyber threats. The standards should be reviewed periodically for relevance and effectiveness. (§ 11.3.1, Technology Risk Management Guidelines, January 2021)
  • High assurance ICT equipment is only operated in an evaluated configuration. (Security Control: 0292; Revision: 5, Australian Government Information Security Manual, March 2021)
  • High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC. (Security Control: 0290; Revision: 5, Australian Government Information Security Manual, March 2021)
  • Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation. (Security Control: 0289; Revision: 2, Australian Government Information Security Manual, March 2021)
  • SOEs are used for workstations and servers. (Control: ISM-1406; Revision: 2, Australian Government Information Security Manual, June 2023)
  • Secure configuration guidance is produced as part of application development. (Control: ISM-1798; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Evaluated products are installed, configured, administered and operated in an evaluated configuration and in accordance with vendor guidance. (Control: ISM-0289; Revision: 3, Australian Government Information Security Manual, June 2023)
  • High assurance ICT equipment is installed, configured, administered and operated in an evaluated configuration and in accordance with ACSC guidance. (Control: ISM-0290; Revision: 7, Australian Government Information Security Manual, June 2023)
  • SOEs are used for workstations and servers. (Control: ISM-1406; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Secure configuration guidance is produced as part of application development. (Control: ISM-1798; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Evaluated products are installed, configured, administered and operated in an evaluated configuration and in accordance with vendor guidance. (Control: ISM-0289; Revision: 3, Australian Government Information Security Manual, September 2023)
  • High assurance ICT equipment is installed, configured, administered and operated in an evaluated configuration and in accordance with ASD guidance. (Control: ISM-0290; Revision: 8, Australian Government Information Security Manual, September 2023)
  • Financial entities shall identify all information assets and ICT assets, including those on remote sites, network resources and hardware equipment, and shall map those considered critical. They shall map the configuration of the information assets and ICT assets and the links and interdependencies b… (Art. 8.4., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The cloud provider draws up regular reports on the performed audits, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical safeguards for the secure configuration and monitoring of the management console (both the self-service of the cu… (Section 5.6 RB-05 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • System components which are used for the rendering of the cloud service are hardened according to generally established and accepted industry standards. The hardening instructions used are documented as well as the implementation status. (Section 5.6 RB-22 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Definition and description of minimum security requirements with regard to the information processed, which are based on recognised industry standards such as ISO/IEC 27001 (Section 5.12 DLL-01 Basic requirement ¶ 1 Bullet 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The entity implements logical access security control software, infrastructures, authentication mechanisms and related architectures and security configuration controls over protected information assets to protect them from security incidents and events that might result in unauthorized access, alte… (S7.1, Privacy Management Framework, Updated March 1, 2020)
  • Interview personnel and examine policies to verify system configuration standards are updated when new vulnerabilities are identified. (Testing Procedures § 2.2.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Verify that system configuration standards are updated as new vulnerability issues are identified (§ 2.2.b Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. (2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to: - Cente… (2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. (2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are configuration standards developed for all system components and are they consistent with industry-accepted system hardening standards? (2.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1? (2.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are configuration standards developed for all system components and are they consistent with industry-accepted system hardening standards? (2.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1? (2.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are configuration standards developed for all system components and are they consistent with industry-accepted system hardening standards? (2.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1? (2.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1? (2.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are configuration standards developed for all system components and are they consistent with industry-accepted system hardening standards? (2.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are common system security parameters settings included in the system configuration standards? (2.2.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are industry best practices (for example, IEEE 802.11i) used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (4.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are configuration standards developed for all system components and are they consistent with industry-accepted system hardening standards? (2.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1? (2.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are system configuration standards applied when new systems are configured? (2.2 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are configuration standards developed for all system components and are they consistent with industry-accepted system hardening standards? (2.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1? (2.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are configuration standards developed for all system components and are they consistent with industry-accepted system hardening standards? (2.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1? (2.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are common system security parameters settings included in the system configuration standards? (2.2.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are configuration standards developed for all system components and are they consistent with industry-accepted system hardening standards? (2.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1? (2.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine the organization’s system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards. (2.2.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine policies and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.1. (2.2.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Configuration standards are developed, implemented, and maintained to: (2.2.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Cover all system components. (2.2.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Address all known security vulnerabilities. (2.2.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. (2.2.1 Bullet 4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Be consistent with industry-accepted system hardening standards or vendor hardening recommendations. (2.2.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine system configuration standards to verify they define processes that include all elements specified in this requirement. (2.2.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine policies and procedures and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. (2.2.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1? (PCI DSS Question 2.2(b), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1? (PCI DSS Question 2.2(b), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1? (PCI DSS Question 2.2(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1? (PCI DSS Question 2.2(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Configuration standards are developed, implemented, and maintained to: (2.2.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Cover all system components. (2.2.1 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Address all known security vulnerabilities. (2.2.1 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Be consistent with industry-accepted system hardening standards or vendor hardening recommendations. (2.2.1 Bullet 3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. (2.2.1 Bullet 4, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Configuration standards are developed, implemented, and maintained to: (2.2.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Cover all system components. (2.2.1 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Address all known security vulnerabilities. (2.2.1 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Be consistent with industry-accepted system hardening standards or vendor hardening recommendations. (2.2.1 Bullet 3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. (2.2.1 Bullet 4, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. (2.2.1 Bullet 4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Be consistent with industry-accepted system hardening standards or vendor hardening recommendations. (2.2.1 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Configuration standards are developed, implemented, and maintained to: (2.2.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Cover all system components. (2.2.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Address all known security vulnerabilities. (2.2.1 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Configuration standards are developed, implemented, and maintained to: (2.2.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Address all known security vulnerabilities. (2.2.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Cover all system components. (2.2.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Be consistent with industry-accepted system hardening standards or vendor hardening recommendations. (2.2.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. (2.2.1 Bullet 4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested. (Control 18.7, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested. (CIS Control 18: Sub-Control 18.11 Use Standard Hardening Configuration Templates for Databases, CIS Controls, 7.1)
  • Maintain documented security configuration standards for all authorized operating systems and software. (CIS Control 5: Sub-Control 5.1 Establish Secure Configurations, CIS Controls, 7.1)
  • Maintain documented security configuration standards for all authorized network devices. (CIS Control 11: Sub-Control 11.1 Maintain Standard Security Configurations for Network Devices, CIS Controls, 7.1)
  • For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested. (CIS Control 18: Sub-Control 18.11 Use Standard Hardening Configuration Templates for Databases, CIS Controls, V7)
  • Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently. (CIS Control 2: Safeguard 2.7 Allowlist Authorized Scripts, CIS Controls, V8)
  • The entity has defined configuration standards to be used for hardening systems. (CC7.1 ¶ 2 Bullet 1 Uses Defined Configuration Standards, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules and configuration standards for information assets. (CC6.1 ¶ 3 Bullet 7 Restricts Access to Information Assets, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization establishes and maintains baseline system security configuration standards to facilitate consistent application of security settings to designated information assets. (PR.IP-1.1, CRI Profile, v1.2)
  • The organization establishes and maintains baseline system security configuration standards to facilitate consistent application of security settings to designated information assets. (PR.IP-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; (CM-6a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; (CM-6a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; (CM-6a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; (CM-6a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Management has defined configuration standards. (CC7.1 Uses Defined Configuration Standards, Trust Services Criteria)
  • Management has defined configuration standards. (CC7.1 ¶ 2 Bullet 1 Uses Defined Configuration Standards, Trust Services Criteria, (includes March 2020 updates))
  • Modify the Information System in accordance with the Licensee's Information Security Program; (Section 4.D ¶ 1(2)(f), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • minimally acceptable system configuration requirements, as determined by the agency; and (§ 3554(b)(2)(D)(iii), Federal Information Security Modernization Act of 2014)
  • The standard and implementation specifications specified in §170.204(b)(4). (§ 170.315 (a) (9) (iv) (A) (2), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • The standard and implementation specifications specified in §170.204(b)(3). (§ 170.315 (a) (9) (iv) (A) (1), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • The standard and implementation specifications specified in §170.204(b)(4). (§ 170.315 (a) (9) (iv) (A) (2), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • The standard and implementation specifications specified in §170.204(b)(3). (§ 170.315 (a) (9) (iv) (A) (1), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. (Domain 3: Assessment Factor: Preventative Controls, INFRASTRUCTURE MANAGEMENT Baseline 1 ¶ 5, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Determined whether COTS software meets the entity's needs and security requirements or if it will integrate with existing software and require further configuration. (App A Objective 13:5b Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Establishes and documents configuration settings for information technology products employed within the information system using [FedRAMP Assignment: United States Government Configuration Baseline (USGCB)] that reflect the most restrictive mode consistent with operational requirements; (CM-6a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes and documents configuration settings for information technology products employed within the information system using [FedRAMP Assignment: United States Government Configuration Baseline (USGCB)] that reflect the most restrictive mode consistent with operational requirements; (CM-6a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes and documents configuration settings for information technology products employed within the information system using [FedRAMP Assignment: United States Government Configuration Baseline (USGCB)] that reflect the most restrictive mode consistent with operational requirements; (CM-6a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b., FedRAMP Security Controls High Baseline, Version 5)
  • Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; (CM-6a., FedRAMP Security Controls High Baseline, Version 5)
  • Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; (CM-6a., FedRAMP Security Controls Low Baseline, Version 5)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; (CM-6a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; (CM-6a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; (CM-6a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; (CM-6a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; (CM-6a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; (CM-6a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; (CM-6a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; (CM-6a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The CSP SHALL employ appropriately-tailored privacy controls defined in SP 800-53 or equivalent industry standard. (4.4 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The CSP SHALL employ appropriately-tailored security controls from the low baseline of security controls defined in SP 800-53 or equivalent federal (e.g., FEDRAMP) or industry standard. The CSP SHALL ensure that the minimum assurance-related controls for low-impact systems, or equivalent, are satisfi… (4.1.4 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The CSP SHALL employ appropriately-tailored security controls from the moderate baseline of security controls defined in SP 800-53 or equivalent federal (e.g., FEDRAMP) or industry standard. The CSP SHALL ensure that the minimum assurance-related controls for moderate-impact systems or equivalent ar… (4.2.4 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The CSP SHALL employ appropriately-tailored security controls from the high baseline of security controls defined in SP 800-53 or an equivalent federal (e.g., FEDRAMP) or industry standard. The CSP SHALL ensure that the minimum assurance-related controls for high-impact systems or equivalent are sat… (4.3.4 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The CSP SHALL employ appropriately tailored security controls, to include control enhancements, from the moderate or high baseline of security controls defined in SP 800-53 or equivalent federal (e.g., FEDRAMP) or industry standard. The CSP SHALL ensure that the minimum assurance-related controls fo… (4.4.1.8 ¶ 1, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • The CSP SHALL employ appropriately tailored security controls, to include control enhancements, from the high baseline of security controls defined in SP 800-53 or an equivalent federal (e.g., FEDRAMP) or industry standard. The CSP SHALL ensure that the minimum assurance-related controls for high-im… (4.5.8 ¶ 1, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; (CM-6a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; (CM-6a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; (CM-6a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Enforcement of compliance requirements by optionally preventing the running of noncompliant images. (4.1.2 ¶ 1 (3), NIST SP 800-190, Application Container Security Guide)
  • The organization must update the smart grid Information System to include the identified vulnerabilities in accordance with the maintenance policy. (SG.RA-6 Requirement 4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; (CM-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; (CM-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; (CM-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; (CM-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; (CM-6a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; (CM-6a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; (CM-6a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Modify the information system in accordance with the information security program of the licensee. (Section 27-62-4(d)(2) f., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Modification of such licensee's information system in accordance with such licensee's information security program; (Part VI(c)(4)(B)(vi), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Modify the information system in accordance with the licensee's information security program. (§ 8604.(d)(2) f., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Modify the information system in accordance with the licensee's information security program; (§431:3B-203(2)(F), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Modifying information systems in accordance with the licensee's information security program. (Sec. 18.(2)(F), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Modify information systems in accordance with the licensee’s information security program. (507F.4 4.b.(6), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Modify the information system in accordance with the licensee's information security program. (§2504.D.(2)(f), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Modify information systems in accordance with the licensee's information security program; (§2264 4.B.(6), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Modifying the information system in accordance with the licensee's information security program. (Sec. 555.(4)(b)(vii), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • modify the information system in accordance with the licensee's information security program; (§ 60A.9851 Subdivision 4(2)(vi), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Modify the information system in accordance with the licensee’s information security program; (§ 83-5-807 (4)(b)(vi), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Modify the information system in accordance with the licensee's information security program. (§ 420-P:4 IV.(b)(6), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Modify the information system in accordance with the licensee's information security program; (26.1-02.2-03. 4.b.(6), North Dakota Century Code, Title 26.1, Chapter 26.1-02.2, Sections 1-11, Insurance Data Security)
  • Modify the information system in accordance with the licensee's information security program; (Section 3965.02 (D)(2)(f), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • modifying the information system in accordance with the licensee's information security program; (SECTION 38-99-20. (D)(2)(f), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Modify the licensee's information system in accordance with the licensee's information security program; (§ 56-2-1004 (4)(B)(vi), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; (CM-6a., TX-RAMP Security Controls Baseline Level 1)
  • Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [TX-RAMP Assignment: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings. Requirement 2: The service provider shall ensure that checklist… (CM-7b., TX-RAMP Security Controls Baseline Level 1)
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; (CM-9b., TX-RAMP Security Controls Baseline Level 2)
  • Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; (CM-6a., TX-RAMP Security Controls Baseline Level 2)
  • Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [TX-RAMP Assignment: Requirement 1: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings. Requirement 2: The service provider shall ensure… (CM-7b., TX-RAMP Security Controls Baseline Level 2)
  • Modify information systems in accordance with the licensee's information security program. (§ 601.952(3)(b)6., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)