RMiT – Requirements
Control Name | Description | Rules | AIE Alerts | Investigations | Summary Reports |
---|---|---|---|---|---|
1.2.11 | For large financial institutions, senior management must embed appropriate oversight arrangements within the technology function to support the enterprise-wide oversight of technology risk. These arrangements must provide for designated staff responsible for the identification, assessment and mitigation of technology risks who do not engage in day-to-day technology operations. | SIEM | SIEM | SIEM | SIEM |
1.2.12 | For the purpose of paragraph 8.11 and all other requirements applicable to large financial institutions under this policy document, each financial institution shall conduct a self-assessment on whether it is a large financial institution in accordance with the definition in paragraph 5.2. The self-assessment shall take into account: (a) the complexity of the financial institution's operations, having particular regard to the interconnectedness of its operations with other financial institutions, customers and counterparties that are driven by technology; (b) the number and size of the financial institution's significant business lines together with its market share (e.g. in terms of assets, liabilities, revenue and premiums); (c) the number of subsidiaries, branches and agents; and (d) other business considerations that could give rise to technology risk. | | | CCF: Applications Accessed By User Inv; CCF: Audit Log Inv; CCF: Backup Activity Inv; CCF: Compromises Detected Inv; CCF: Config/Policy Change Inv; CCF: Critical Environment Error Inv; CCF: GeoIP Inv; CCF: Host Access Granted And Revoked Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Malware Detected Inv; CCF: Object Access Inv; CCF: Password Modification Inv; CCF: Patch Activity Inv; CCF: Physical Access Inv; CCF: Privileged Account Escalation Inv; CCF: Privileged Account Modification Inv; CCF: Rogue Access Point Inv; CCF: Signature Activity Inv; CCF: Social Media Inv; CCF: Suspected Wireless Attack Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: User Misuse Inv; CCF: Vulnerability Detected Inv | CCF: Applications Accessed By User Summary; CCF: Audit Log Summary; CCF: Backup Activity Summary; CCF: Compromises Detected Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: GeoIP Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Malware Detected Summary; CCF: Object Access Summary; CCF: Patch Activity Summary; CCF: Physical Access Summary; CCF: Priv Account Management Activity Summary; CCF: Priv Authentication Activity Summary; CCF: Rogue Access Point Summary; CCF: Signature Activity Summary; CCF: Social Media Summary; CCF: Suspected Wireless Attack Summary; CCF: Time Sync Error Summary; CCF: Top Suspicious Users; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary; CCF: Vulnerability Detected Summary |
3.1.2 | The risk assessments shall identify and address the key risks arising from the implementation of technology projects. These include the risks that could threaten successful project implementation and the risks that a project failure will lead to a broader impact on the financial institution's operational capabilities. At a minimum, due regard shall be given to the following areas: (a) the adequacy and competency of resources, including those of the vendor, to effectively implement the project. This shall also take into consideration the number, size and duration of significant technology projects already undertaken concurrently by the financial institution; (b) the complexity of systems to be implemented, such as the use of unproven or unfamiliar technology and the corresponding risks of integrating the new technology into existing systems, managing multiple vendor-proprietary technologies, large-scale data migration or cleansing efforts and extensive system customisation; (c) the adequacy and configuration of security controls throughout the project life cycle to mitigate cybersecurity breaches or exposure of confidential data; (d) the comprehensiveness of the user requirement specifications to mitigate risks from extensive changes in project scope or deficiencies in meeting business needs; (e) the robustness of system and user testing strategies to reduce risks of undiscovered system faults and functionality errors; (f) the appropriateness of system deployment and fallback strategies to mitigate risks from prolonged system stability issues; and (g) the adequacy of disaster recovery operational readiness following the implementation of new or enhanced systems. | | | CCF: Applications Accessed By User Inv; CCF: Audit Log Inv; CCF: Backup Activity Inv; CCF: Compromises Detected Inv; CCF: Config/Policy Change Inv; CCF: Critical Environment Error Inv; CCF: GeoIP Inv; CCF: Host Access Granted And Revoked Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Malware Detected Inv; CCF: Object Access Inv; CCF: Password Modification Inv; CCF: Patch Activity Inv; CCF: Physical Access Inv; CCF: Privileged Account Escalation Inv; CCF: Privileged Account Modification Inv; CCF: Rogue Access Point Inv; CCF: Signature Activity Inv; CCF: Social Media Inv; CCF: Suspected Wireless Attack Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: User Misuse Inv; CCF: Vulnerability Detected Inv | CCF: Applications Accessed By User Summary; CCF: Audit Log Summary; CCF: Backup Activity Summary; CCF: Compromises Detected Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: GeoIP Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Malware Detected Summary; CCF: Object Access Summary; CCF: Patch Activity Summary; CCF: Physical Access Summary; CCF: Priv Account Management Activity Summary; CCF: Priv Authentication Activity Summary; CCF: Rogue Access Point Summary; CCF: Signature Activity Summary; CCF: Social Media Summary; CCF: Suspected Wireless Attack Summary; CCF: Time Sync Error Summary; CCF: Top Suspicious Users; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary; CCF: Vulnerability Detected Summary |
3.1.3 | The board and senior management must receive and review timely reports on the management of these risks on an ongoing basis throughout the implementation of significant projects. | | | CCF: Applications Accessed By User Inv; CCF: Audit Log Inv; CCF: Backup Activity Inv; CCF: Compromises Detected Inv; CCF: Config/Policy Change Inv; CCF: Critical Environment Error Inv; CCF: GeoIP Inv; CCF: Host Access Granted And Revoked Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Malware Detected Inv; CCF: Object Access Inv; CCF: Password Modification Inv; CCF: Patch Activity Inv; CCF: Physical Access Inv; CCF: Privileged Account Escalation Inv; CCF: Privileged Account Modification Inv; CCF: Rogue Access Point Inv; CCF: Signature Activity Inv; CCF: Social Media Inv; CCF: Suspected Wireless Attack Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: User Misuse Inv; CCF: Vulnerability Detected Inv | CCF: Applications Accessed By User Summary; CCF: Audit Log Summary; CCF: Backup Activity Summary; CCF: Compromises Detected Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: GeoIP Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Malware Detected Summary; CCF: Object Access Summary; CCF: Patch Activity Summary; CCF: Physical Access Summary; CCF: Priv Account Management Activity Summary; CCF: Priv Authentication Activity Summary; CCF: Rogue Access Point Summary; CCF: Signature Activity Summary; CCF: Social Media Summary; CCF: Suspected Wireless Attack Summary; CCF: Time Sync Error Summary; CCF: Top Suspicious Users; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary; CCF: Vulnerability Detected Summary |
3.2.6 | A financial institution is encouraged to deploy automated tools for software development, testing, software deployment, change management, code scanning and software version control to support more secure systems development. | CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: FIM Information; CCF: Data Destruction; CCF: Data Loss Prevention; CCF: Data Exfiltration Observed; CCF: Config Deleted/Disabled; CCF: Config Change then Critical Error; CCF: Corroborated Data Access Anomalies; CCF: Abnormal Amount of Data Transferred; CCF: Large Outbound Transfer; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Abnormal Origin Location; CCF: Attack then External Connection; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Misuse; CCF: Critical Event After Attack; CCF: Social Media Event; CCF: Disabled Account Auth Success; CCF: Corroborated Account Anomalies; CCF: Config Change After Attack; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Blacklist Location Auth; CCF: Backup Information; CCF: Distributed Brute Force; CCF: External Brute Force Auths; CCF: Software Install; CCF: Software Uninstall; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Early TLS/SSL Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Malware Alarm; CCF: Vulnerability Detected Alarm; CCF: Backup Failure Alarm; CCF: Time Sync Error Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Unknown User Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Compromise Detected Alarm; CCF: Denial Of Service Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Applications Accessed By User Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Suspicious Users Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: Malware Detected Inv; CCF: Vulnerability Detected Inv; CCF: Social Media Inv; CCF: Config/Policy Change Inv; CCF: Signature Activity Inv; CCF: Patch Activity Inv; CCF: Critical Environment Error Inv; CCF: Time Sync Error Inv; CCF: Backup Activity Inv; CCF: Audit Log Inv; CCF: Compromises Detected Inv; CCF: Denial Of Service Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Password Modification Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: Applications Accessed By User Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Top Suspicious Users; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: User Misuse Summary; CCF: GeoIP Summary; CCF: Compromises Detected Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: Malware Detected Summary; CCF: Vulnerability Detected Summary; CCF: Social Media Summary; CCF: Critical Environment Error Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Patch Activity Summary; CCF: Time Sync Error Summary; CCF: Backup Activity Summary; CCF: Audit Log Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary |
3.2.11 | In relation to critical systems that are developed and maintained by vendors, a financial institution must ensure the source code continues to be readily accessible and secured from unauthorised access. | CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: FIM Information; CCF: Data Destruction; CCF: Data Loss Prevention; CCF: Data Exfiltration Observed; CCF: Config Deleted/Disabled; CCF: Config Change then Critical Error; CCF: Corroborated Data Access Anomalies; CCF: Abnormal Amount of Data Transferred; CCF: Large Outbound Transfer; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Abnormal Origin Location; CCF: Attack then External Connection; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Misuse; CCF: Critical Event After Attack; CCF: Social Media Event; CCF: Disabled Account Auth Success; CCF: Corroborated Account Anomalies; CCF: Config Change After Attack; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Blacklist Location Auth; CCF: Backup Information; CCF: Distributed Brute Force; CCF: External Brute Force Auths; CCF: Software Install; CCF: Software Uninstall; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Early TLS/SSL Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Malware Alarm; CCF: Vulnerability Detected Alarm; CCF: Backup Failure Alarm; CCF: Time Sync Error Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Unknown User Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Compromise Detected Alarm; CCF: Denial Of Service Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Applications Accessed By User Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Suspicious Users Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: Malware Detected Inv; CCF: Vulnerability Detected Inv; CCF: Social Media Inv; CCF: Config/Policy Change Inv; CCF: Signature Activity Inv; CCF: Patch Activity Inv; CCF: Critical Environment Error Inv; CCF: Time Sync Error Inv; CCF: Backup Activity Inv; CCF: Audit Log Inv; CCF: Compromises Detected Inv; CCF: Denial Of Service Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Password Modification Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: Applications Accessed By User Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Top Suspicious Users; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: User Misuse Summary; CCF: GeoIP Summary; CCF: Compromises Detected Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: Malware Detected Summary; CCF: Vulnerability Detected Summary; CCF: Social Media Summary; CCF: Critical Environment Error Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Patch Activity Summary; CCF: Time Sync Error Summary; CCF: Backup Activity Summary; CCF: Audit Log Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary |
3.3.16 | A financial institution must establish a robust and resilient cryptography policy to promote the adoption of strong cryptographic controls for protection of important data and information. This policy, at a minimum, shall address requirements for: (a) the adoption of industry standards for encryption algorithms, message authentication, hash functions, digital signatures and random number generation; (b) the adoption of robust and secure processes in managing cryptographic key lifecycles, which include generation, distribution, renewal, usage, storage, recovery, revocation and destruction; (c) the periodic review, at least every three years, of existing cryptographic standards and algorithms in critical systems, external linked or transactional customer-facing applications to prevent exploitation of weakened algorithms or protocols; and (d) the development and testing of compromise-recovery plans in the event of a cryptographic key compromise. This must set out the escalation process, procedures for key regeneration, interim measures, changes to business-as-usual protocols and containment strategies or options to minimise the impact of a compromise. | CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Blacklist Location Auth; CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM General Activity; CCF: FIM Information; CCF: Data Loss Prevention; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Large Outbound Transfer; CCF: Abnormal Amount of Data Transferred; CCF: Corroborated Data Access Anomalies; CCF: Excessive Authentication Failure Rule; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Account Modification; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Abnormal Origin Location; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Misuse | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Unknown User Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Suspicious Users Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Audit Log Inv; CCF: Config/Policy Change Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Password Modification Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: Applications Accessed By User Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Audit Log Summary; CCF: Config/Policy Change Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary; CCF: Top Suspicious Users; CCF: User Misuse Summary |
3.3.18 | A financial institution must conduct due diligence and evaluate the cryptographic controls associated with the technology used in order to protect the confidentiality, integrity, authentication, authorisation and non-repudiation of information. Where a financial institution does not generate its own encryption keys, the financial institution shall undertake appropriate measures to ensure robust controls and processes are in place to manage encryption keys. Where this involves a reliance on third-party assessments, the financial institution shall consider whether such reliance is consistent with the financial institution's risk appetite and tolerance. A financial institution must also give due regard to the system resources required to support the cryptographic controls and the risk of reduced network traffic visibility of data that has been encrypted. | CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Blacklist Location Auth; CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM General Activity; CCF: FIM Information; CCF: Data Loss Prevention; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Large Outbound Transfer; CCF: Abnormal Amount of Data Transferred; CCF: Corroborated Data Access Anomalies; CCF: Excessive Authentication Failure Rule; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Account Modification; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Abnormal Origin Location; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Misuse | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Unknown User Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Suspicious Users Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Audit Log Inv; CCF: Config/Policy Change Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Password Modification Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: Applications Accessed By User Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Audit Log Summary; CCF: Config/Policy Change Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary; CCF: Top Suspicious Users; CCF: User Misuse Summary |
3.3.19 | A financial institution must ensure cryptographic controls are based on the effective implementation of suitable cryptographic protocols. The protocols shall include secret-key and public-key cryptographic protocols, both of which shall reflect a high degree of protection for the applicable secret or private cryptographic keys. The selection of such protocols must be based on recognised international standards and tested accordingly. Commensurate with the level of risk, secret and private cryptographic key storage and encryption/decryption computation must be undertaken in a protected environment, supported by a hardware security module (HSM) or trusted execution environment (TEE). | CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Blacklist Location Auth; CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM General Activity; CCF: FIM Information; CCF: Data Loss Prevention; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Large Outbound Transfer; CCF: Abnormal Amount of Data Transferred; CCF: Corroborated Data Access Anomalies; CCF: Excessive Authentication Failure Rule; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Account Modification; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Abnormal Origin Location; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Misuse | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Unknown User Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Suspicious Users Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Audit Log Inv; CCF: Config/Policy Change Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Password Modification Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: Applications Accessed By User Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Audit Log Summary; CCF: Config/Policy Change Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary; CCF: Top Suspicious Users; CCF: User Misuse Summary |
3.3.20 | A financial institution shall store public cryptographic keys in a certificate issued by a certificate authority as appropriate to the level of risk. Such certificates associated with customers shall be issued by recognised certificate authorities. The financial institution must ensure that the implementation of authentication and signature protocols using such certificates is subject to strong protection, so that the use of the private cryptographic keys corresponding to the user certificates is legally binding and irrefutable. The initial issuance and subsequent renewal of such certificates must be consistent with industry best practices and applicable legal/regulatory specifications. | CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Blacklist Location Auth; CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM General Activity; CCF: FIM Information; CCF: Data Loss Prevention; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Large Outbound Transfer; CCF: Abnormal Amount of Data Transferred; CCF: Corroborated Data Access Anomalies; CCF: Excessive Authentication Failure Rule; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Account Modification; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Abnormal Origin Location; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Misuse | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Unknown User Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Suspicious Users Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Audit Log Inv; CCF: Config/Policy Change Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Password Modification Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: Applications Accessed By User Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Audit Log Summary; CCF: Config/Policy Change Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary; CCF: Top Suspicious Users; CCF: User Misuse Summary |
3.4.24 | A financial institution shall host critical systems in a dedicated space intended for production data centre usage. The dedicated space must be physically secured from unauthorised access and must not be located in a disaster-prone area. A financial institution must also ensure there is no single point of failure (SPOF) in the design and connectivity for critical components of the production data centres, including hardware components, electrical utility, thermal management and data centre infrastructure. A financial institution must also ensure adequate maintenance, and holistic and continuous monitoring of these critical components with timely alerts on faults and indicators of potential issues. | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Excessive Authentication Failure Rule CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Attack then External Connection | CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm | CCF: Critical Environment Error Inv CCF: Backup Activity Inv CCF: Physical Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Time Sync Error Inv CCF: Applications Accessed By User Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Critical Environment Error Summary CCF: Backup Activity Summary CCF: Physical Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: User Object Access Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary |
3.4.27 | A financial institution must establish real-time monitoring mechanisms to track capacity utilisation and performance of key processes and services. These monitoring mechanisms shall be capable of providing timely and actionable alerts to administrators. | CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Excessive Authentication Failure Rule CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Misuse | CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Delete Activity Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: User Misuse Summary |
3.4.28 | A financial institution must segregate incompatible activities in the data centre operations environment to prevent any unauthorised activity. In the case where vendors’ or programmers’ access to the production environment is necessary, these activities must be properly authorised and monitored. | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Software Install CCF: Corroborated Data Access Anomalies CCF: Software Uninstall CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Object Access Summary |
3.4.29 | A financial institution must establish adequate control procedures for its data centre operations, including the deployment of relevant automated tools for batch processing management to ensure timely and accurate batch processes. These control procedures shall also include procedures for implementing changes in the production system, error handling as well as management of other exceptional conditions. | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Excessive Authentication Failure Rule CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Attack then External Connection | CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm | CCF: Critical Environment Error Inv CCF: Backup Activity Inv CCF: Physical Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Time Sync Error Inv CCF: Applications Accessed By User Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Critical Environment Error Summary CCF: Backup Activity Summary CCF: Physical Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: User Object Access Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary |
3.4.30 | A financial institution is required to undertake an independent risk assessment of its end-to-end backup storage and delivery management to ensure that existing controls are adequate in protecting sensitive data at all times. A financial institution must also maintain a sufficient number of backup copies of critical data, the updated version of the operating system software, production programs, system utilities, all master and transaction files and event logs for recovery purposes. Backup media must be stored in an environmentally secure and access-controlled backup site. | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Excessive Authentication Failure Rule CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Attack then External Connection | CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm | CCF: Critical Environment Error Inv CCF: Backup Activity Inv CCF: Physical Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Time Sync Error Inv CCF: Applications Accessed By User Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Critical Environment Error Summary CCF: Backup Activity Summary CCF: Physical Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: User Object Access Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary |
3.4.31 | In regard to paragraph 10.30, a financial institution should also adopt the controls as specified in Appendix 1 or their equivalent to secure the storage and transportation of sensitive data in removable media. | ||||
3.4.32 | Where there is a reasonable expectation for immediate delivery of service to customers or dealings with counterparties, a financial institution must ensure that the relevant critical systems are designed for high availability with a cumulative unplanned downtime affecting the interface with customers or counterparties of not more than 4 hours on a rolling 12-month basis and a maximum tolerable downtime of 120 minutes per incident. | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Excessive Authentication Failure Rule CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Attack then External Connection | CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm | CCF: Critical Environment Error Inv CCF: Backup Activity Inv CCF: Physical Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Time Sync Error Inv CCF: Applications Accessed By User Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Critical Environment Error Summary CCF: Backup Activity Summary CCF: Physical Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: User Object Access Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary |
3.5.35 | A financial institution must establish real-time network bandwidth monitoring processes and corresponding network service resilience metrics to flag any over-utilisation of bandwidth and system disruptions due to bandwidth congestion and network faults. This includes traffic analysis to detect trends and anomalies. | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Software Install CCF: Corroborated Data Access Anomalies CCF: Software Uninstall CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Object Access Summary |
3.5.38 | A financial institution must ensure sufficient and relevant network device logs are retained for investigations and forensic purposes for at least three years. | ||||
3.7.51 | A financial institution is required to consult the Bank prior to the use of public cloud for critical systems. The financial institution is expected to demonstrate that specific risks associated with the use of cloud services for critical systems have been adequately considered and addressed. The risk assessment shall address the risks outlined in paragraph 10.49 as well as the following areas: (a) the adequacy of the over-arching cloud adoption strategy of the financial institution including: (i) board oversight over cloud strategy and cloud operational management; (ii) senior management roles and responsibilities on cloud management; (iii) conduct of day-to-day operational management functions; (iv) management and oversight by the financial institution of cloud service providers; (v) quality of risk management and internal control functions; and (vi) strength of in-house competency and experience; (b) the cloud service providers, at a minimum, in the following areas: (i) information security management framework, including availability of independent, internationally recognised certifications of cryptographic modules such as used for encryption and decryption of user data; and (ii) cloud-specific security controls for protection of customer and counterparty or proprietary information including payment transaction data in use, in storage and in transit; and (c) the addresses the following attributes: (i) geographical redundancy; (ii) high availability; (iii) scalability; (iv) portability; (v) interoperability; and (vi) strong recovery and resumption capability including appropriate alternate Internet path to protect against potential Internet faults. | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Software Install CCF: Corroborated Data Access Anomalies CCF: Software Uninstall CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Object Access Summary |
3.7.53 | A financial institution must implement appropriate safeguards on customer and counterparty information and proprietary data when using cloud services to protect against unauthorised disclosure and access. This shall include retaining ownership, control and management of all data pertaining to customer and counterparty information, proprietary data and services hosted on the cloud, including the relevant cryptographic keys management. | CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Excessive Authentication Failure Rule CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Misuse | CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Delete Activity Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: User Misuse Summary |
3.8.54 | A financial institution must implement an appropriate access controls policy for the identification, authentication and authorisation of users (internal and external users such as third party service providers). This must address both logical and physical technology access controls which are commensurate with the level of risk of unauthorised access to its technology systems. | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Physical Access Rule | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary |
3.8.55 | In observing paragraph 10.54, a financial institution should consider the following principles in its access control policy: (a) adopt a “deny all” access control policy for users by default unless explicitly authorised; (b) employ “least privilege” access rights or on a “need-to-have” basis where only the minimum sufficient permissions are granted to legitimate users to perform their roles; (c) employ time-bound access rights which restrict access to a specific period including access rights granted to service providers; (d) employ segregation of incompatible functions where no single person is responsible for an entire operation that may provide the ability to independently modify, circumvent, and disable system security features. This may include a combination of functions such as: (i) system development and technology operations; (ii) security administration and system administration; and (iii) network operation and network security; (e) employ dual control functions which require two or more persons to execute an activity; (f) adopt stronger authentication for critical activities including for remote access; (g) limit and control the use of the same user ID for multiple concurrent sessions; (h) limit and control the sharing of user ID and passwords across multiple users; and (i) control the use of generic user ID naming conventions in favour of more personally identifiable IDs. | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary |
3.8.56 | A financial institution must employ robust authentication processes to ensure the authenticity of identities in use. Authentication mechanisms shall be commensurate with the criticality of the functions and adopt at least one or more of these three basic authentication factors, namely, something the user knows (e.g. password, PIN), something the user possesses (e.g. smart card, security device) and something the user is (e.g. biometric characteristics, such as a fingerprint or retinal pattern). | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary |
3.8.58 | Authentication methods that depend on more than one factor typically are more difficult to compromise than a single factor system. In view of this, financial institutions are encouraged to properly design and implement (especially in high-risk or ‘single sign-on’ systems) multi-factor authentication (MFA) that are more reliable and provide stronger fraud deterrents. | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary |
3.8.59 | A financial institution is encouraged to adopt dedicated user domains for selected critical functions, separate from the broader enterprise-wide user authentication system. | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary |
3.8.61 | A financial institution must ensure— (a) access controls to enterprise-wide systems are effectively managed and monitored; and (b) user activities in critical systems are logged for audit and investigations. Activity logs must be maintained for at least three years and regularly reviewed in a timely manner. | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary |
3.8.62 | In fulfilling the requirement under paragraph 10.61, large financial institutions are required to— (a) deploy an identity access management system to effectively manage and monitor user access to enterprise-wide systems; and (b) deploy automated audit tools to flag any anomalies. | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Data Access Anomalies CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Backup Information CCF: Excessive Authentication Failure Rule CCF: Attack then External Connection CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Auth After Numerous Failed Auths | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Rogue Access Point Alarm CCF: Blacklisted Account Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm CCF: Backup Failure Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Suspected Wireless Attack Inv CCF: Backup Activity Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Audit Log Summary CCF: Suspected Wireless Attack Summary CCF: Backup Activity Summary CCF: Rogue Access Point Summary |
3.9.63 | A financial institution must ensure that critical systems are not running on outdated systems with known security vulnerabilities or end-of-life (EOL) technology systems. In this regard, a financial institution must clearly assign responsibilities to identified functions: (a) to continuously monitor and implement latest patch releases in a timely manner; and (b) identify critical technology systems that are approaching EOL for further remedial action. | CCF: Config Change After Attack CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Config Change then Critical Error CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Software Install CCF: Software Uninstall CCF: Attack then External Connection | CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm | CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Rogue Access Point Inv CCF: Config/Policy Change Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Compromises Detected Inv | CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Compromises Detected Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Audit Log Summary |
3.9.65 | A financial institution must establish a patch and EOL management framework which addresses among others the following requirements: (a) identification and risk assessment of all technology assets for potential vulnerabilities arising from undeployed patches or EOL systems; (b) conduct of compatibility testing for critical patches; (c) specification of turnaround time for deploying patches according to the severity of the patches; and (d) adherence to the workflow for end-to-end patch deployment processes including approval, monitoring and tracking of activities. | CCF: Config Change After Attack CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Config Change then Critical Error CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Software Install CCF: Software Uninstall CCF: Attack then External Connection | CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm | CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Rogue Access Point Inv CCF: Config/Policy Change Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Compromises Detected Inv | CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Compromises Detected Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Audit Log Summary |
3.10.66 | A financial institution must implement robust technology security controls in providing digital services which assure the following: (a) confidentiality and integrity of customer and counterparty information and transactions; (b) reliability of services delivered via channels and devices with minimum disruption to services; (c) proper authentication of users or devices and authorisation of transactions; (d) sufficient audit trail and monitoring of anomalous transactions; (e) ability to identify and revert to the recovery point prior to incident or service disruption; and (f) strong physical control and logical control measures. | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary |
3.10.67 | A financial institution must implement controls to authenticate and monitor all financial transactions. These controls, at a minimum, must be effective in mitigating man-in-the-middle attacks, transaction fraud, phishing and compromise of application systems and information. | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Deleted/Disabled CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Software Install CCF: Software Uninstall CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary |
3.10.68 | A financial institution must implement additional controls to authenticate devices and users, authorise transactions and support non-repudiation and accountability for high-risk transactions or transactions above RM10,000. These measures must include, at a minimum, the following: (a) ensure transactions are performed over secured channels such as the latest version of Transport Layer Security (TLS); (b) both client and host application systems must encrypt all confidential information prior to transmission over the network; (c) adopt MFA for transactions; (d) if OTP is used as a second factor, it must be dynamic and time-bound; (e) request users to verify details of the transaction prior to execution; (f) ensure secure user and session handling management; (g) be able to capture the location of origin and destination of each transaction; (h) implement strong mutual authentication between the users’ end-point devices and financial institutions’ servers, such as the use of the latest version of Extended Validation SSL certificate (EV SSL); and (i) provide timely notification to customers that is sufficiently descriptive of the nature of the transaction. | CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: Early TLS/SSL Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Use Of Non-Encrypted Protocols Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary |
3.10.74 | For financial transactions below RM10,000, a financial institution may decide on proportionate controls and authentication methods for transactions assessed by the financial institution to be of low risk. In undertaking the assessment, the financial institution must establish a set of criteria or factors that reflect the nature, size and characteristics of a financial transaction. Such criteria or factors must be consistent with the financial institution’s risk appetite and tolerance. The financial institution must periodically review the risk assessment criteria to ensure its continued relevance, having regard to the latest developments in cybersecurity risks and authentication technologies as well as fraud trends and incidents. | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Data Access Anomalies CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Backup Information CCF: Excessive Authentication Failure Rule CCF: Attack then External Connection CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Rogue Access Point Alarm CCF: Blacklisted Account Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm CCF: Backup Failure Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Suspected Wireless Attack Inv CCF: Backup Activity Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Audit Log Summary CCF: Suspected Wireless Attack Summary CCF: Backup Activity Summary CCF: Rogue Access Point Summary |
3.10.76 | A financial institution must ensure sufficient and relevant digital service logs are retained for investigations and forensic purposes for at least three years. | SIEM | SIEM | SIEM | SIEM |
3.10.78 | A financial institution must ensure that the use of more advanced technology to authenticate and deliver digital services such as biometrics, tokenisation and contactless communication comply with internationally recognised standards where available. The technology must be resilient against cyber threats including malware, phishing or data leakage. | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: User Object Access Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary |
3.10.81 | A financial institution must perform continuous surveillance to assess the vulnerability of the operating system and the relevant technology platform used for its digital delivery channels to security breaches and implement appropriate corresponding safeguards. At a minimum, a financial institution must implement sufficient logical and physical safeguards for the following channels: (a) self-service terminal (SST); (b) non-cash SST; (c) Internet banking; and (d) mobile application and devices. In view of the evolving threat landscape, these safeguards must be continuously reviewed and updated to protect against fraud and to secure the confidentiality and integrity of customer and counterparty information and transactions. | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: User Object Access Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary |
3.10.82 | In fulfilling paragraph 10.81, a financial institution should adopt the controls specified in the following Appendices for the respective digital delivery channel: (a) Appendix 2: Control Measures on Self-Service Terminals (SST); (b) Appendix 3: Control Measures on Internet Banking; and (c) Appendix 4: Control Measures on Mobile Application and Devices. | SIEM | SIEM | SIEM | SIEM |
4.1.3 | The CRF must consist of, at a minimum, the following elements: (a) development of an institutional understanding of the overall cyber risk context in relation to the financial institution’s business and operations, its exposure to cyber risks and current cybersecurity posture; (b) identification, classification and prioritisation of critical systems, information, assets and interconnectivity (with internal and external parties) to obtain a complete and accurate view of the financial institution’s information assets, critical systems, interdependencies and cyber risk profile; (c) identification of cybersecurity threats and countermeasures including measures to contain reputational damage that can undermine confidence in the financial institution; (d) layered (defense-in-depth) security controls to protect its data, infrastructure and assets against evolving threats; (e) timely detection of cybersecurity incidents through continuous surveillance and monitoring; (f) detailed incident handling policies and procedures and a crisis response management playbook to support the swift recovery from cyber-incidents and contain any damage resulting from a cybersecurity breach; and (g) policies and procedures for timely and secure information sharing and collaboration with other financial institutions and participants in financial market infrastructure to strengthen cyber resilience. | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: User Object Access Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary |
4.1.4 | In addition to the requirements in paragraph 11.3 above, a large financial institution is required to— (a) implement a centralised automated tracking system to manage its technology asset inventory; and (b) establish a dedicated in-house cyber risk management function to manage cyber risks or emerging cyber threats. The cyber risk management function shall be responsible for the following: (i) perform detailed analysis on cyber threats, provide risk assessments on potential cyber-attacks and ensure timely review and escalation of all high-risk cyber threats to senior management and the board; and (ii) proactively identify potential vulnerabilities including those arising from infrastructure hosted with third party service providers through the simulation of sophisticated “Red Team” attacks on its current security controls. | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: User Object Access Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary |
4.2.5 | A financial institution must establish clear responsibilities for cybersecurity operations which shall include implementing appropriate mitigating measures in the financial institution’s conduct of business that correspond to the following phases of the cyber-attack lifecycle: (a) reconnaissance; (b) weaponisation; (c) delivery; (d) exploitation; (e) installation; (f) command and control; and (g) exfiltration. | MITRE ATT&CK | MITRE ATT&CK | MITRE ATT&CK | MITRE ATT&CK |
4.2.6 | Where relevant, a financial institution should adopt the control measures on cybersecurity as specified in Appendix 5 to enhance its resilience to cyber-attacks. | SIEM | SIEM | SIEM | SIEM |
4.2.7 | A financial institution must deploy effective tools to support the continuous and proactive monitoring and timely detection of anomalous activities in its technology infrastructure. The scope of monitoring must cover all critical systems including the supporting infrastructure. | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Corroborated Account Anomalies CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary |
4.2.8 | A financial institution must ensure that its cybersecurity operations continuously prevent and detect any potential compromise of its security controls or weakening of its security posture. For large financial institutions, this must include performing a quarterly vulnerability assessment of external and internal network components that support all critical systems. | CCF: Excessive Authentication Failure Rule | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Physical Access Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv | CCF: Physical Access Summary CCF: Audit Log Summary |
4.4.14 | A financial institution must establish a clear DLP strategy and processes in order to ensure that proprietary and customer and counterparty information is identified, classified and secured. At a minimum, a financial institution must: (a) ensure that data owners are accountable and responsible for identifying and appropriately classifying data; (b) undertake a data discovery process prior to the development of a data classification scheme and data inventory; and (c) ensure that data accessible by third parties is clearly identified and policies must be implemented to safeguard and control third party access. This includes adequate contractual agreements to protect the interests of the financial institution and its customers. | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Corroborated Account Anomalies CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Backup Activity Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Physical Access Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Backup Activity Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Physical Access Summary CCF: GeoIP Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary |
4.4.15 | A financial institution must design internal control procedures and implement appropriate technology in all applications and access points to enforce DLP policies and trigger any policy violations. The technology deployed must cover the following: (a) data in-use – data being processed by IT resources; (b) data in-motion – data being transmitted on the network; and (c) data at-rest – data stored in storage mediums such as servers, backup media and databases. | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Corroborated Account Anomalies CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Backup Activity Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Physical Access Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Backup Activity Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Physical Access Summary CCF: GeoIP Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary |
4.5.17 | A financial institution must ensure its SOC, whether managed in-house or by third party service providers, has adequate capabilities for proactive monitoring of its technology security posture. This shall enable the financial institution to detect anomalous user or network activities, flag potential breaches and establish the appropriate response supported by skilled resources based on the level of complexity of the alerts. The outcome of the SOC activities shall also inform the financial institution’s reviews of its cybersecurity posture and strategy. | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: User Object Access Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary |
4.5.18 | The SOC must be able to perform the following functions: (a) log collection and the implementation of an event correlation engine with parameter-driven use cases such as Security Information and Event Management (SIEM); (b) incident coordination and response; (c) vulnerability management; (d) threat hunting; (e) remediation functions including the ability to perform forensic artifact handling, malware and implant analysis; and (f) provision of situational awareness to detect adversaries and threats including threat intelligence analysis and operations, and monitoring indicators of compromise (IOC). This includes advanced behavioural analysis to detect signature-less and file-less malware and to identify anomalies that may pose security threats including at endpoints and network layers. | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: User Object Access Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary |
4.5.19 | A financial institution must ensure that the SOC provides a regular threat assessment report, which shall include, at a minimum, the following: (a) trends and statistics of cyber events and incidents categorised by type of attacks, target and source IP addresses, location of data centres and criticality of applications; and (b) intelligence on emerging and potential threats including tactics, techniques and procedures (TTP). For large financial institutions, such reports shall be provided on a monthly basis. | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: User Object Access Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary |
4.5.20 | A financial institution must subscribe to reputable threat intelligence services to identify emerging cyber threats, uncover new cyber-attack techniques and support the implementation of countermeasures. | Threat Intelligence | Threat Intelligence | Threat Intelligence | Threat Intelligence |
4.6.23 | A financial institution must establish and implement a comprehensive Cyber Incident Response Plan (CIRP). The CIRP must address the following: (a) Preparedness: Establish a clear governance process, reporting structure and roles and responsibilities of the Cyber Emergency Response Team (CERT) as well as invocation and escalation procedures in the event of an incident; (b) Detection and analysis: Ensure effective and expedient processes for identifying points of compromise, assessing the extent of damage and preserving sufficient evidence for forensics purposes; (c) Containment, eradication and recovery: Identify and implement remedial actions to prevent or minimise damage to the financial institution, remove the known threats and resume business activities; and (d) Post-incident activity: Conduct post-incident review incorporating lessons learned and develop long-term risk mitigations. | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: User Object Access Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary |
Appendix 1
Control Name | Description | Rules | AIE Alerts | Investigations | Summary Reports |
---|---|---|---|---|---|
1.1.1 | Deploying the latest industry-tested and accepted encryption techniques; | | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary |
1.1.2 | Implementing authorised access control to sensitive data (e.g. password protection, user access matrix); | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary |
1.1.3 | Prohibiting unauthorised copying and reading from the media; | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Removable Media Activity | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Delete Activity Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary |
Appendix 2
Control Name | Description | Rules | AIE Alerts | Investigations | Summary Reports |
---|---|---|---|---|---|
1.1.3 | Ensuring Cash SST operating system is running on a secure version operating system with continued developer or vendor support for security patches to fix any operating system security and vulnerabilities; | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Excessive Authentication Failure Rule CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Attack then External Connection | CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm | CCF: Critical Environment Error Inv CCF: Backup Activity Inv CCF: Physical Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Time Sync Error Inv CCF: Applications Accessed By User Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Critical Environment Error Summary CCF: Backup Activity Summary CCF: Physical Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: User Object Access Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary |
1.1.5 | Implementing a centralised management system to monitor and alert any unauthorised activities on Cash SST such as unauthorised shutting-down of OS or deactivation of the white-listing programme; | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary |
1.1.13 | Enforcing secure system parameter settings, which includes: (a) changing default passwords and other system security parameter settings of the Cash SST; (b) using a unique system administrator password for all Cash SSTs; and (c) using lowest-level privileges for programme and user system access; | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: FIM Information CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Misuse | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Rogue Access Point Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Suspected Wireless Attack Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Suspected Wireless Attack Summary CCF: Rogue Access Point Summary |
1.1.14 | Performing scanning and removing any known malware such as Backdoor.Padpin and Backdoor.Ploutus; | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Software Install CCF: Corroborated Data Access Anomalies CCF: Software Uninstall CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Object Access Summary |
1.1.15 | Enforcing and monitoring Cash SST end-point protection such as installing white-listing programmes. The end-point protection programme, at a minimum, shall ensure only authorised Cash SST system processes and libraries are installed and executed; | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Software Install CCF: Corroborated Data Access Anomalies CCF: Software Uninstall CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Object Access Summary |
1.2.3 | Ensuring adequate control over network security of the self-service terminals to ensure that the kiosks are secured and segregated from the internal network; | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Software Install CCF: Corroborated Data Access Anomalies CCF: Software Uninstall CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Object Access Summary |
Appendix 4
Control Name | Description | Rules | AIE Alerts | Investigations | Summary Reports |
---|---|---|---|---|---|
1.1.4 | Ensure proper controls are in place to access, maintain and upload the mobile application on application distribution platforms; | CCF: Abnormal Amount of Data Transferred | CCF: Non-Encrypted Protocol Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary |
Appendix 5
Control Name | Description | Rules | AIE Alerts | Investigations | Summary Reports |
---|---|---|---|---|---|
1.1.1 | Conduct periodic review on the configuration and rules settings for all security devices. Use automated tools to review and monitor changes to configuration and rules settings. | CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Software Install CCF: Software Uninstall | CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Audit Log Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Audit Log Summary |
1.1.5 | Ensure security controls for server-to-server external network connections include the following: (a) server-to-server authentication such as Public Key Infrastructure (PKI) certificate or user ID and password; (b) use of secure tunnels such as Transport Layer Security (TLS) and Virtual Private Network (VPN) IPSec; and (c) deploying staging servers with adequate perimeter defences and protection such as firewall, IPS and antivirus. | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Abnormal Origin Location CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Object Access Summary |
1.1.6 | Ensure security controls for remote access to server include the following: (a) restrict access to only hardened and locked down end-point devices; (b) use secure tunnels such as TLS and VPN IPSec; (c) deploy ‘gateway’ server with adequate perimeter defences and protection such as firewall, IPS and antivirus; and (d) close relevant ports immediately upon expiry of remote access. | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Abnormal Origin Location CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Object Access Summary |
1.1.7 | Ensure overall network security controls are implemented including the following: (a) dedicated firewalls at all segments. All external-facing firewalls must be deployed in High Availability (HA) configuration with “fail-close” mode activated. Deploy different brand names/models for two firewalls located in sequence within the same network path; (b) IPS at all critical network segments with the capability to inspect and monitor encrypted network traffic; (c) web and email filtering systems such as web-proxy, spam filter and anti-spoofing controls; (d) end-point protection solution to detect and remove security threats including viruses and malicious software; (e) solution to mitigate advanced persistent threats including zero-day and signatureless malware; and (f) capture the full network packets to rebuild relevant network sessions to aid forensics in the event of incidents. | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Abnormal Origin Location CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Object Access Summary |