Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

Similar documents
MINIMUM SECURITY CONTROLS SUMMARY

ACHIEVING COMPLIANCE WITH NIST SP REV. 4:

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

Security Control Mapping of CJIS Security Policy Version 5.3 Requirements to NIST Special Publication Revision 4 4/1/2015

The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP states:

Annex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems

Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan

NIST Compliance Controls

READ ME for the Agency ATO Review Template

DoD Guidance for Reviewing System Security Plans and the NIST SP Security Requirements Not Yet Implemented This guidance was developed to

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Recommended Security Controls for Federal Information Systems and Organizations

Four Deadly Traps of Using Frameworks NIST Examples

Because Security Gives Us Freedom

WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Continuous Monitoring Strategy & Guide

Altius IT Policy Collection Compliance and Standards Matrix

FISMA Compliance. with O365 Manager Plus.

Altius IT Policy Collection Compliance and Standards Matrix

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

CloudCheckr NIST Audit and Accountability

SAC PA Security Frameworks - FISMA and NIST

Annex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems

Ransomware. How to protect yourself?

NIST Special Publication

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Evolving Cybersecurity Strategies

SYSTEM SECURITY PLAN (SSP)

The Common Controls Framework BY ADOBE

WRITTEN INFORMATION SECURITY PROGRAM (WISP) ACME Business Consulting, Inc.

BYTEGRIDR. in the GxP Context. Presentation to the FDA Cloud Working Group. Copyright 2014 ByteGrid. All Rights Reserved.

ENTS 650 Network Security. Dr. Edward Schneider

Using Metrics to Gain Management Support for Cyber Security Initiatives

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

CSAM Support for C&A Transformation

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

Building Secure Systems

INFORMATION ASSURANCE DIRECTORATE

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

Red Hat Enterprise Linux (RHEL) 5.3 Certified Linux Integration Platform (CLIP) Security Requirements Analysis

Fiscal Year 2013 Federal Information Security Management Act Report

MIS Week 9 Host Hardening

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Rev.1 Solution Brief

IASM Support for FISMA

FedRAMP Training - How to Write a Control. 1. FedRAMP_Training_HTWAC_v5_ FedRAMP HTWAC Online Training Splash Screen.

NIST SP , Revision 1 CNSS Instruction 1253

ISO based Written Information Security Program (WISP) (a)(1)(i) & (a)(3)(i) & (ii) & (A) (A)(5)(ii) & (ii)(a)

Big Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation

DOT/DHS: Joint Agency Work on Vehicle Cyber Security

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)

Using ACR 2 Reports. 4. Deficiency.pdf - a cross listing of missing or underperforming safeguards with risk categories for this system at this time.

FISMA-NIST SP Rev.4 Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD FISMA NIST SP

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Executive Order 13556

NIST Risk Management Framework (RMF)

AWS alignment with Motion Picture of America Association (MPAA) Content Security Best Practices Application in the Cloud

FedRAMP Security Assessment Plan (SAP) Training

FISMAand the Risk Management Framework

SECURITY & PRIVACY DOCUMENTATION

Security Standards Compliance NIST SP Release 4 Trend Micro Products (Deep Security and SecureCloud) - Version 1.1

NIST Cybersecurity Framework Based Written Information Security Program (WISP)

SYSTEMS ASSET MANAGEMENT POLICY

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

NIST Special Publication

Information Security Policy

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

CloudCheckr NIST Matrix

IT Security Risk Management: A Lifecycle Approach

Interagency Advisory Board Meeting Agenda, December 7, 2009

FedRAMP Digital Identity Requirements. Version 1.0

Guide to Understanding FedRAMP. Version 2.0

Advent IM Ltd ISO/IEC 27001:2013 vs

The New Security Heroes. Alan Paller

Checklist: Credit Union Information Security and Privacy Policies

INFORMATION ASSURANCE DIRECTORATE

Meeting RMF Requirements around Compliance Monitoring

FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.1

FedRAMP Penetration Test Guidance. Version 1.0.1

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Cybersecurity Challenges

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Trust Services Principles and Criteria

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management

PT-BSC. PT-BSC version 0.3. Primechain Technologies Blockchain Security Controls. Version 0.4 dated 21 st October, 2017

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

TAC 202 Requirements 2017

NIST (NCF) & GDPR to Microsoft Technologies MAP

NIST Special Publication

A company built on security

ISO/IEC Information technology Security techniques Code of practice for information security management

Cloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com

CIP Cyber Security Systems Security Management

Transcription:

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO 27001 Security Controls This document provides a list of all controls that require the Cloud Service Provider, Esri, to provide detailed descriptions of their implementation, or provide a self attestation that their implementation meets the intent of the security requirements. All required and conditional controls are tested by an approved assessor annually. ArcGIS Online does not undergo a separate ISO 27001 certification as the FedRAMP authorization meets requirements for equivalent or better security assurance. Revision History Date Description Version Author 7/20/2018 Initial mapping of Rev4 security controls in scope of Li SaaS authorizations (such as ArcGIS Online) to International Standards Organization (ISO) 27001 security controls. Source documents are as follows: 1 Esri Software Security & Privacy NIST 800-53 Rev4 1/22/2015 NIST FedRAMP Tailored Low Security Controls 11/14/2017 FedRAMP

FedRAMP Tailored LI SaaS Baseline Mapping to ISO 27001 No Control ID ISO 27001 Control Control Name Tailoring Action Additional Control Tailoring 1 AC 1 A.5.1.1, A.5.1.2, A.6.1.1, A.9.1.1, A.12.1.1, A.18.1.1, A.18.2.2 2 AC 2 A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6 Access Control Policy & Account Management 3 AC 3 A.6.2.2, A.9.1.2, Access Enforcement A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3 4 AC 7 A.9.4.2 Unsuccessful Login Attempts NSO, NSO for non privileged users. ation for privileged users related to multi factor identification and authentication. 5 AC 17 A.6.2.1, A.6.2.2, Remote Access A.13.1.1, A.13.2.1, A.14.1.2 6 AC 20 A.11.2.6, A.13.1.1, Use of External Information Systems A.13.2.1 7 AC 22 None Publicly Accessible Content 8 AT 1 A.5.1.1, A.5.1.2, Security Awareness and Training Policy and 9 AT 2 A.7.2.2, A.12.2.1 Security Awareness Training 10 AT 3 A.7.2.2* Role Based Security Training 11 AT 4 None Security Training Records 12 AU 1 A.5.1.1, A.5.1.2, Audit and Accountability Policy and 13 AU 2 None Audit Events 14 AU 3 A.12.4.1* Content of Audit Records 15 AU 5 None Response to Audit Processing Failures 16 AU 6 A.12.4.1, A.16.1.2, Audit Review, Analysis, and Reporting A.16.1.4 17 AU 8 A.12.4.4 Time Stamps 18 AU 9 A.12.4.2, A.12.4.3, Protection of Audit Information A.18.1.3 19 AU 12 A.12.4.1, A.12.4.3 Audit Generation 20 CA 1 A.5.1.1, A.5.1.2, Security Assessment and Authorization Policies and 21 CA 2 A.14.2.8, A.18.2.2, A.18.2.3 Security Assessments 22 CA 2 (1) A.14.2.8, A.18.2.2, A.18.2.3 Security Assessments Independent Assessors Page 1

Control ID ISO 27001 Control Control Name Tailoring Action Additional Control Tailoring 23 CA 3 A.13.1.2, A.13.2.1, A.13.2.2 System Interconnections Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is oneway or bi directional. 4) Identify how the connection is secured. 24 CA 5 None Plan of Action and Milestones ation for compliance with FedRAMP Tailored LI SaaS Continuous Monitoring Requirements 25 CA 6 None Security Authorization 26 CA 7 None Continuous Monitoring 27 CA 9 None Internal System Connections 28 CM 1 A.5.1.1, A.5.1.2, Configuration Management Policy and 29 CM 2 None Baseline Configuration 30 CM 4 A.14.2.3 Security Impact Analysis 31 CM 6 None Configuration Settings 32 CM 7 A.12.5.1* Least Functionality 33 CM 8 A.8.1.1, A.8.1.2 Information System Component Inventory 34 CP 1 A.5.1.1, A.5.1.2, Contingency Planning Policy and 35 CP 9 A.12.3.1, A.17.1.2, A.18.1.3 Information System Backup 36 IA 1 A.5.1.1, A.5.1.2, Identification and Authentication Policy and 37 IA 2 A.9.2.1 Identification and Authentication (Organizational Users) Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is oneway or bi directional. 4) Identify how the connection is secured. NSO, NSO for non privileged users. ation for privileged users related to multi factor identification and authentication. Include specific description of management of service accounts. Page 2

Control ID ISO 27001 Control Control Name Tailoring Action Additional Control Tailoring 38 IA 2 (1) A.9.2.1 Identification and Authentication (Organizational Users) Network Access to Privileged Accounts 39 IA 2 (12) A.9.2.1 Identification and Authentication (Organizational Users) Acceptance of Personal Identity Verification (PIV) Credentials 40 IA 4 A.9.2.1 Identifier Management 41 IA 5 A.9.2.1, A.9.2.4, Authenticator Management A.9.3.1, A.9.4.3 42 IA 5 (1) A.9.2.1, A.9.2.4, Authenticator Management A.9.3.1, A.9.4.3 Password Based Authentication 43 IA 5 (11) A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3 Authenticator Management Hardware Token Based Authentication FED, Document and Assess 44 IA 6 A.9.4.2 Authenticator Feedback 45 IA 7 A.18.1.5 Cryptographic Module Authentication 46 IA 8 A.9.2.1 Identification and Authentication (Non Organizational Users) 47 IA 8 (1) A.9.2.1 Identification and Authentication (Non Organizational Users) Acceptance of PIV Credentials from Other Agencies 48 IA 8 (2) A.9.2.1 Identification and Authentication (Non Organizational Users) Acceptance of Third Party Credentials 49 IA 8 (3) A.9.2.1 Identification and Authentication (Non Organizational Users) Acceptance of FICAM Approved Products Condition: Must document and assess for privileged users. May attest to this control for non privileged users. FedRAMP requires a minimum of multi factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP. FED for Federal privileged users. Condition Must document and assess for privileged users. May attest to this control for nonprivileged users. Condition: Must document and assess for privileged users. May attest to this control for non privileged users. FedRAMP requires a minimum of multi factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP. Condition: Must document and assess for privileged users. May attest to this control for non privileged users. FedRAMP requires a minimum of multi factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP. Page 3

Control ID ISO 27001 Control Control Name Tailoring Action Additional Control Tailoring 50 IA 8 (4) A.9.2.1 Identification and Authentication (Non Organizational Users) Use of FICAM Issued Profiles 51 IR 1 A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1 Incident Response Policy and 52 IR 2 A.7.2.2* Incident Response Training 53 IR 4 A.16.1.4, A.16.1.5, Incident Handling A.16.1.6 54 IR 5 None Incident Monitoring 55 IR 6 A.6.1.3, A.16.1.2 Incident Reporting 56 IR 7 None Incident Response Assistance 57 IR 8 A.16.1.1 Incident Response Plan ation Specifically attest to US CERT compliance. 58 IR 9 None Information Spillage Response ation Specifically describe information spillage response processes. 59 MA 1 A.5.1.1, A.5.1.2, System Maintenance Policy and 60 MA 2 A.11.2.4*, A.11.2.5* Controlled Maintenance 61 MA 4 None Non local Maintenance 62 MA 5 None Maintenance Personnel 63 MP 1 A.5.1.1, A.5.1.2, 64 MP 2 A.8.2.3, A.8.3.1, A.11.2.9 65 MP 6 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7 Media Protection Policy and Media Access Media Sanitization 66 MP 7 A.8.2.3, A.8.3.1 Media Use 67 PE 1 A.5.1.1, A.5.1.2, Physical and Environmental Protection Policy and 68 PE 2 A.11.1.2* Physical Access Authorizations 69 PE 3 A.11.1.1, A.11.1.2, A.11.1.3 Physical Access Control 70 PE 6 None Monitoring Physical Access Page 4

Control ID ISO 27001 Control Control Name Tailoring Action Additional Control Tailoring 71 PE 8 None Visitor Access Records 72 PE 12 A.11.2.2* Emergency Lighting 73 PE 13 A.11.1.4, A.11.2.1 Fire Protection 74 PE 14 A.11.1.4, A.11.2.1, A.11.2.2 75 PE 15 A.11.1.4, A.11.2.1, A.11.2.2 76 PE 16 A.8.2.3, A.11.1.6, A.11.2.5 Temperature and Humidity Controls Water Damage Protection Delivery and Removal 77 PL 1 A.5.1.1, A.5.1.2, Security Planning Policy and 78 PL 2 A.14.1.1 System Security Plan 79 PL 4 A.7.1.2, A.7.2.1, A.8.1.3 Rules of Behavior 80 PS 1 A.5.1.1, A.5.1.2, Personnel Security Policy and 81 PS 3 A.7.1.1 Personnel Screening 82 PS 4 A.7.3.1, A.8.1.4 Personnel Termination 83 PS 5 A.7.3.1, A.8.1.4 Personnel Transfer 84 PS 6 A.7.1.2, A.7.2.1, Access Agreements A.13.2.4 85 PS 7 A.6.1.1*, A.7.2.1* Third Party Personnel Security ation Specifically stating that any third party security personnel are treated as CSP employees. 86 PS 8 A.7.2.3 Personnel Sanctions 87 RA 1 A.5.1.1, A.5.1.2, Risk Assessment Policy and 88 RA 2 A.8.2.1 Security Categorization 89 RA 3 A.12.6.1* Risk Assessment 90 RA 5 A.12.6.1* Vulnerability Scanning 91 SA 1 A.5.1.1, A.5.1.2, System and Services Acquisition Policy and 92 SA 2 None Allocation of Resources Page 5

Control ID ISO 27001 Control Control Name Tailoring Action Additional Control Tailoring 93 SA 3 A.6.1.1, A.6.1.5, System Development Life Cycle A.14.1.1, A.14.2.1, A.14.2.6 94 SA 4 A.14.1.1, A.14.2.7, Acquisition Process A.14.2.9, A.15.1.2 95 SA 4 (10) A.14.1.1, A.14.2.7, Acquisition Process Use of Approved A.14.2.9, A.15.1.2 PIV Products 96 SA 5 A.12.1.1* Information System Documentation 97 SA 9 A.6.1.1, A.6.1.5, A.7.2.1, A.13.1.2, A.13.2.2, A.15.2.1, A.15.2.2 External Information System Services 98 SC 1 A.5.1.1, A.5.1.2, System and Communications Protection Policy and 99 SC 5 None Denial of Service Protection 100 SC 7 A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.3 Boundary Protection 101 SC 12 A.10.1.2 Cryptographic Key Establishment and Management Condition: If availability is a requirement define protections in place as per control requirement. 102 SC 13 A.10.1.1, A.14.1.2, A.14.1.3, A.18.1.5 Conditional Cryptographic Protection Condition: If implementing need to detail how they meet it or not. 103 SC 20 None Secure Name /Address Resolution Service (Authoritative Source) 104 SC 21 None Secure Name /Address Resolution Service (Recursive or Caching Resolver) 105 SC 22 None Architecture and Provisioning for Name/Address Resolution Service 106 SC 39 None Process Isolation 107 SI 1 A.5.1.1, A.5.1.2, 108 SI 2 A.12.6.1, A.14.2.2, A.14.2.3, A.16.1.3 System and Information Integrity Policy and Flaw Remediation 109 SI 3 A.12.2.1 Malicious Code Protection 110 SI 4 None Information System Monitoring 111 SI 5 A.6.1.4* Security Alerts, Advisories, and Directives 112 SI 12 None Information Handling and Retention ation Specifically related to US CERT and FedRAMP communications procedures. Page 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback