metadata:
  id: FINOS-CCC
  type: ControlCatalog
  gemara-version: "0.20.0"
  version: "2024.1"
  description: |
    FINOS CCC is an open standard project that describes consistent controls
    for compliant public cloud deployments in the financial services sector.
  author:
    id: finos
    name: FINOS
    type: Human
  mapping-references:
    - id: CCC
      title: FINOS Common Cloud Controls Threats
      version: "2024.1"
    - id: CSF
      title: NIST Cybersecurity Framework
      version: "2.0"
    - id: CCM
      title: Cloud Security Alliance Cloud Controls Matrix
      version: "4.0"
    - id: ISO-27001
      title: ISO/IEC 27001
      version: "2013"
    - id: NIST-800-53
      title: NIST Special Publication 800-53
      version: "Rev. 5"
  applicability-groups:
    - id: tlp_clear
      title: TLP:Clear
      description: |
        Information may be shared without restriction.
    - id: tlp_green
      title: TLP:Green
      description: |
        Information may be shared with partners and restricted to the organization.
    - id: tlp_amber
      title: TLP:Amber
      description: |
        Information may be shared with partners and restricted to the organization.
    - id: tlp_red
      title: TLP:Red
      description: |
        Information is restricted to the organization.

title: FINOS Cloud Control Catalog

groups:
  - id: data-protection
    title: Data Protection
    description: |
      Data protection controls ensure that data is protected from unauthorized
      access, disclosure, and tampering. This includes encryption of data at rest
      and in transit, access controls, and data retention policies.

controls:
  - id: CCC.C01
    group: data-protection
    title: Prevent Unencrypted Requests
    objective: |
      Ensure that all communications are encrypted in transit to protect data
      integrity and confidentiality.
    threats:
      - reference-id: CCC
        entries:
          - reference-id: CCC.TH02
            remarks: Data is Intercepted in Transit
    guidelines:
      - reference-id: CSF
        entries:
          - reference-id: PR.DS-02
            remarks: Data-in-transit is protected
      - reference-id: CCM
        entries:
          - reference-id: IVS-03
          - reference-id: IVS-07
      - reference-id: ISO-27001
        entries:
          - reference-id: 2013 A.13.1.1
            remarks: This control is closely related to 2013 A.13.1.1.
      - reference-id: NIST-800-53
        entries:
          - reference-id: SC-8
          - reference-id: SC-13
    assessment-requirements:
      - id: CCC.C01.TR01
        text: |
          When a port is exposed for non-SSH network traffic, all traffic MUST
          include a TLS handshake AND be encrypted using TLS 1.2 or higher.
        applicability:
          - tlp_clear
          - tlp_green
          - tlp_amber
          - tlp_red
      - id: CCC.C01.TR02
        text: |
          When a port is exposed for SSH network traffic, all traffic MUST
          include an SSH handshake AND be encrypted using SSHv2 or higher.
        applicability:
          - tlp_clear
          - tlp_green
          - tlp_amber
          - tlp_red

  - id: CCC.C06
    group: data-protection
    title: Prevent Deployment in Restricted Regions
    objective: |
      Ensure that resources are not provisioned or deployed in geographic
      regions or cloud availability zones that have been designated as
      restricted or prohibited, to comply with regulatory requirements and
      reduce exposure to geopolitical risks.
    threats:
      - reference-id: CCC
        entries:
          - reference-id: CCC.TH03
            remarks: Deployment Region Network is Untrusted
    guidelines:
      - reference-id: CCM
        entries:
          - reference-id: DSI-06
            remarks: This control is closely related to DSI-06.
          - reference-id: DSI-08
            remarks: This control is closely related to DSI-08.
      - reference-id: ISO-27001
        entries:
          - reference-id: 2013 A.11.1.1
            remarks: This control is closely related to 2013 A.11.1.1.
      - reference-id: NIST-800-53
        entries:
          - reference-id: AC-6
            remarks: This control is closely related to AC-6.
      - reference-id: CSF
        entries:
          - reference-id: PR.DS-1
            remarks: Data-at-rest is protected
    assessment-requirements:
      - id: CCC.C06.TR01
        text: |
          When a deployment request is made, the service MUST validate that
          the deployment region is not a restricted region or availability zone.
        applicability:
          - tlp_clear
          - tlp_green
          - tlp_amber
          - tlp_red
      - id: CCC.C06.TR02
        text: |
          When a deployment request is made, the service MUST validate that
          replication of data, backups, and disaster recovery operations will
          not occur in restricted regions or availability zones.
        applicability:
          - tlp_clear
          - tlp_green
          - tlp_amber
          - tlp_red

  - id: CCC.C08
    group: data-protection
    title: Enable Multi-zone or Multi-region Data Replication
    objective: |
      Ensure that data is replicated across multiple zones or regions to
      protect against data loss due to hardware failures, natural disasters,
      or other catastrophic events.
    threats:
      - reference-id: CCC
        entries:
          - reference-id: CCC.TH06
            remarks: Data is Lost or Corrupted
    guidelines:
      - reference-id: CSF
        entries:
          - reference-id: PR.DS-5
            remarks: Protections against data leaks are implemented
      - reference-id: CCM
        entries:
          - reference-id: BCR-08
            remarks: Backup
      - reference-id: NIST-800-53
        entries:
          - reference-id: CP-2
            remarks: Contingency plan
          - reference-id: CP-10
            remarks: Information system recovery and reconstitution
    assessment-requirements:
      - id: CCC.C08.TR01
        text: |
          When data is stored, the service MUST ensure that data is replicated
          across multiple availability zones or regions.
        applicability:
          - tlp_green
          - tlp_amber
          - tlp_red
      - id: CCC.C08.TR02
        text: |
          When data is replicated across multiple zones or regions, the service
          MUST be able to verify the replication state, including the
          replication locations and data synchronization status.
        applicability:
          - tlp_green
          - tlp_amber
          - tlp_red

  - id: CCC.C09
    group: data-protection
    title: Prevent Tampering, Deletion, or Unauthorized Access to Access Logs
    objective: |
      Access logs should always be considered sensitive. Ensure that access
      logs are protected against unauthorized access, tampering, or deletion.
    threats:
      - reference-id: CCC
        entries:
          - reference-id: CCC.TH07
            remarks: Logs are Tampered with or Deleted
          - reference-id: CCC.TH09
            remarks: Logs or Monitoring Data are Read by Unauthorized Users
          - reference-id: CCC.TH04
            remarks: Data is Replicated to Untrusted or External Locations
    guidelines:
      - reference-id: CCM
        entries:
          - reference-id: LOG-02
            remarks: Audit log protection
          - reference-id: LOG-04
            remarks: Audit log access and accountability
          - reference-id: LOG-09
            remarks: Log protection
      - reference-id: NIST-800-53
        entries:
          - reference-id: AU-9
            remarks: Protection of audit information
    assessment-requirements:
      - id: CCC.C09.TR01
        text: |
          When access logs are stored, the service MUST ensure that access logs
          cannot be accessed without proper authorization.
        applicability:
          - tlp_amber
          - tlp_red
          - tlp_green
          - tlp_clear
      - id: CCC.C09.TR02
        text: |
          When access logs are stored, the service MUST ensure that access logs
          cannot be modified without proper authorization.
        applicability:
          - tlp_amber
          - tlp_red
          - tlp_green
          - tlp_clear
      - id: CCC.C09.TR03
        text: |
          When access logs are stored, the service MUST ensure that access logs
          cannot be deleted without proper authorization.
        applicability:
          - tlp_amber
          - tlp_red
          - tlp_green
          - tlp_clear

  - id: CCC.C10
    group: data-protection
    title: |
      Prevent Data Replication to Destinations Outside of Defined Trust Perimeter
    objective: |
      Prevent replication of data to untrusted destinations outside of the
      defined trust perimeter. An untrusted destination is defined as a
      resource that exists outside of a specified trusted identity, network,
      or data perimeter.
    threats:
      - reference-id: CCC
        entries:
          - reference-id: CCC.TH04
            remarks: Data is Replicated to Untrusted or External Locations
    guidelines:
      - reference-id: CSF
        entries:
          - reference-id: PR.DS-5
            remarks: Protections against data leaks are implemented
      - reference-id: CCM
        entries:
          - reference-id: DSP-10
            remarks: Sensitive data transfer
          - reference-id: DSP-19
            remarks: Data location
      - reference-id: NIST-800-53
        entries:
          - reference-id: AC-4
            remarks: Information flow enforcement
    assessment-requirements:
      - id: CCC.C10.TR01
        text: |
          When data is replicated, the service MUST ensure that replication is
          restricted to explicitly trusted destinations.
        applicability:
          - tlp_green
          - tlp_amber
          - tlp_red