Control Implementation Matrix

The document outlines various controls from NIST SP 800-53 relevant to network security, including Access Control, Audit and Accountability, and System and Communications Protection. Key controls like AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement) focus on managing access and regulating data flow, while AU-2 (Event Logging) and AU-6 (Audit Record Review) emphasize monitoring and analyzing security events. Additionally, it references the corresponding ISO/IEC 27001:2022 controls, illustrating their alignment with NIST standards.

List of the controls from NIST SP 800-53 that are relevant to network security

Access Control (AC)

Controls related to managing who can access network resources and systems,
including remote access, session controls, and privileged access.

AC-3: Access Enforcement

Description: AC-3 Access Enforcement requires organizations to enforce approved authorizations for
logical access to information systems. This control ensures that access rights and permissions are
properly implemented, allowing users to access only the resources for which they have been
authorized based on the organization's access control policies.

Confidentiality: By restricting access to authorized users, AC-3 prevents unauthorized disclosure of sensitive information, ensuring that confidential data is not accessed by individuals without proper permissions.

Integrity: Access enforcement ensures that only authorized users can modify or delete information. This prevents unauthorized alterations to data, maintaining its accuracy and reliability.

Availability: By controlling access, AC-3 helps prevent unauthorized users from consuming system resources or disrupting services, thus ensuring that information and resources remain available to legitimate users when needed.
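As an added example (not part of the original document), the following Python model shows how a POSIX system such as Linux, FreeBSD or macOS actually decides an AC-3 access request from a file's owner, group and mode bits, including two cases that surprise people: the owner class is selected first and never falls through to a more permissive class, and root still needs an execute bit to run a file. The uids, gids and modes are made-up values.

```python
from dataclasses import dataclass

READ, WRITE, EXEC = 4, 2, 1

@dataclass(frozen=True)
class Inode:
    """The three pieces of file metadata a POSIX permission check consults."""
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o640; no setuid/sticky handling here

@dataclass(frozen=True)
class Subject:
    """The calling process: effective uid plus primary and supplementary gids."""
    uid: int
    gids: frozenset

def check_access(subject: Subject, inode: Inode, want: int) -> bool:
    """Decide whether `subject` may perform `want` (a mask of READ/WRITE/EXEC).

    The kernel selects exactly one class for the caller (owner, then group,
    then other) and tests only that class's bits. It never falls through to
    a more permissive class, so an owner whose own bits are 000 is refused
    even when "other" is granted everything. Root bypasses the read/write
    check but still needs at least one execute bit set to run a file, which
    is why root cannot run a mode 0644 script directly.
    """
    if subject.uid == 0:
        return not (want & EXEC) or bool(inode.mode & 0o111)
    if subject.uid == inode.uid:
        bits = (inode.mode >> 6) & 0o7
    elif inode.gid in subject.gids:
        bits = (inode.mode >> 3) & 0o7
    else:
        bits = inode.mode & 0o7
    return (bits & want) == want

def describe(subject: Subject, inode: Inode) -> str:
    """Render the effective rights as an rwx string, as `ls -l` shows for one class."""
    return "".join(ch if check_access(subject, inode, bit) else "-"
                   for ch, bit in (("r", READ), ("w", WRITE), ("x", EXEC)))

if __name__ == "__main__":
    # Constructed users and files; uids, gids and modes are made up for the example.
    alice = Subject(uid=1000, gids=frozenset({1000, 42}))  # 42 plays the "shadow" group
    bob = Subject(uid=1001, gids=frozenset({1001}))
    root = Subject(uid=0, gids=frozenset({0}))
    secrets_file = Inode(uid=0, gid=42, mode=0o640)    # root:shadow rw-r-----
    odd_file = Inode(uid=1000, gid=1000, mode=0o077)   # alice:alice ---rwxrwx
    script = Inode(uid=1000, gid=1000, mode=0o644)     # not executable

    for who, name in ((alice, "alice"), (bob, "bob"), (root, "root")):
        print(f"{name:6} secrets={describe(who, secrets_file)} "
              f"odd={describe(who, odd_file)} script={describe(who, script)}")
```

The odd_file case is worth remembering when reviewing permissions: a file whose owner bits are more restrictive than its group or other bits is not a typo the kernel corrects, it is enforced exactly as written.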

AC-4: Information Flow Enforcement

Description: AC-4 Information Flow Enforcement requires organizations to regulate the flow of
information within and between information systems based on predefined policies. This control
ensures that data is transmitted only through authorized pathways and prevents unauthorized
disclosure, modification, or destruction of information by controlling how data moves across networks
and systems.

Confidentiality: By enforcing policies that restrict data flows to authorized channels and users, AC-4 prevents sensitive information from being accessed or intercepted by unauthorized individuals or systems.

Integrity: It maintains the accuracy and reliability of information by controlling data exchanges, ensuring that data is not altered or tampered with during transmission between authorized sources and destinations.

Availability: By managing and regulating information flows, AC-4 helps prevent network congestion and ensures that critical information and system resources are accessible to authorized users when needed.

AC-17: Remote Access


Description: AC-17 Remote Access requires organizations to establish and enforce policies and
procedures for secure remote access to their information systems. This control ensures that remote
connections are managed securely by implementing authentication mechanisms, encryption protocols,
and monitoring to protect against unauthorized access and potential security threats that can arise from
remote connectivity.
Confidentiality: By using secure authentication methods (e.g., multi-factor authentication) and encrypted communication channels (e.g., VPNs with strong encryption), AC-17 prevents unauthorized individuals from accessing sensitive information during remote sessions, protecting data from eavesdropping and interception.

Integrity: Ensures that data transmitted over remote connections is safeguarded against unauthorized alteration. Secure transport protocols and keyed integrity checks (e.g., TLS, which authenticates every record with a MAC or an AEAD cipher) help detect and prevent tampering with data during transmission. A plain hash without a key is not sufficient on its own, since an active attacker who modifies the data can simply recompute it.

Availability: By controlling and securing remote access points, AC-17 helps prevent unauthorized remote activities that could disrupt services or degrade system performance. Proper management ensures that legitimate users have reliable remote access to systems and resources when needed.

Audit and Accountability (AU)

Controls that enable network security monitoring and forensic investigation.

AU-2: Event Logging

Description: AU-2 Event Logging requires organizations to generate audit records for significant
events that affect the security and operations of information systems. This control ensures that actions
such as user activities, system accesses, and security incidents are recorded. The collected logs
facilitate monitoring, analysis, investigation, and reporting of events to support accountability and
detect potential security issues.
Confidentiality: Event logging helps detect unauthorized access attempts or data breaches by recording access to sensitive information. This enables organizations to respond promptly to protect confidential data from exposure.

Integrity: By logging events related to data creation, modification, and deletion, AU-2 helps identify unauthorized changes to information. This ensures that any tampering or alteration of data can be detected and addressed, maintaining data accuracy and trustworthiness.

Availability: Recording system events, such as resource usage and error messages, assists in identifying issues that may affect system performance or lead to downtime. Early detection through logs allows for timely remediation to ensure that systems and services remain available to authorized users.

AU-6: Audit Record Review, Analysis, and Reporting

Description: AU-6 requires organizations to regularly review and analyze audit records to detect
inappropriate or unusual activity. This control ensures that collected audit logs are examined for signs
of security incidents, policy violations, or operational issues. Findings from the analysis are reported to
designated personnel for timely response and remediation, enhancing the organization's security
posture.

Confidentiality: By analyzing audit logs, organizations can identify unauthorized access attempts or data exfiltration activities. Timely detection allows for swift action to prevent or minimize the exposure of sensitive information.

Integrity: Regular review helps detect unauthorized modifications to data or system configurations. Identifying tampering or anomalies ensures that corrective measures can be taken to maintain the accuracy and trustworthiness of information.

Availability: Monitoring audit records can reveal issues that may affect system performance or lead to downtime, such as denial-of-service attacks or system errors. Early detection enables organizations to address these issues promptly, ensuring that systems and services remain accessible to authorized users.
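AU-2 (generate the records) and AU-6 (review them) are easiest to see together. The block below is an added example, not part of the original document: it parses a handful of constructed sshd log lines (the host name and addresses are invented, and a year is assumed because traditional syslog stamps carry none) and applies two review rules, a burst of failed logins from one source and a successful login that follows failures from that same source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in traditional syslog format; the host name and the
# addresses (documentation ranges) are invented for this example.
SAMPLE_LOG = """\
Mar 12 10:01:02 bastion sshd[2201]: Accepted publickey for deploy from 198.51.100.20 port 41022 ssh2
Mar 12 10:02:11 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 12 10:02:13 bastion sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar 12 10:02:15 bastion sshd[2214]: Failed password for root from 203.0.113.7 port 50141 ssh2
Mar 12 10:02:18 bastion sshd[2216]: Failed password for root from 203.0.113.7 port 50150 ssh2
Mar 12 10:02:20 bastion sshd[2218]: Failed password for ops from 203.0.113.7 port 50162 ssh2
Mar 12 10:02:25 bastion sshd[2220]: Accepted password for ops from 203.0.113.7 port 50170 ssh2
Mar 12 10:30:40 bastion sshd[2301]: Failed password for alice from 198.51.100.33 port 39012 ssh2
Mar 12 10:30:55 bastion sshd[2303]: Accepted publickey for alice from 198.51.100.33 port 39020 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)")
ASSUMED_YEAR = 2024  # traditional syslog stamps carry no year (an assumption for this example)

def parse(text):
    """Turn raw lines into (timestamp, kind, user, ip) events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        for kind, pattern in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
            hit = pattern.search(m["msg"])
            if hit:
                events.append((ts, kind, hit["user"], hit["ip"]))
                break
    return events

def analyze(events, burst_n=5, burst_window=timedelta(seconds=60),
            prior_n=3, prior_window=timedelta(minutes=5)):
    """Review the events and return alerts as (kind, source_ip, detail).

    brute_force: burst_n or more failures from one address inside burst_window
      (fires once, when the threshold is crossed).
    success_after_failures: a successful login from an address that produced at
      least prior_n failures in the preceding prior_window. This is the case a
      reviewer most needs to see, since a bare success line looks harmless alone.
    """
    alerts = []
    failures = defaultdict(list)
    for ts, kind, user, ip in sorted(events):
        if kind == "failed":
            failures[ip].append(ts)
            recent = [t for t in failures[ip] if ts - t <= burst_window]
            if len(recent) == burst_n:
                span = int((ts - recent[0]).total_seconds())
                alerts.append(("brute_force", ip, f"{burst_n} failures in {span}s"))
        else:
            prior = [t for t in failures[ip] if ts - t <= prior_window]
            if len(prior) >= prior_n:
                alerts.append(("success_after_failures", ip,
                               f"{user} logged in after {len(prior)} failures"))
    return alerts

if __name__ == "__main__":
    for alert in analyze(parse(SAMPLE_LOG)):
        print(*alert)
```

Note that alice's single failure followed by a key-based login is below both thresholds and produces nothing; tuning those thresholds against real traffic is most of the work in making such a rule useful.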

AU-8: Time Stamps

Description: AU-8 Time Stamps requires organizations to ensure that their information systems use
consistent and accurate time stamps in audit records. This control emphasizes the importance of
synchronizing system clocks across the network to facilitate reliable logging, event correlation, and
forensic analysis by providing a precise sequence of events.

Confidentiality: Accurate time stamps help detect and respond promptly to unauthorized access attempts or breaches by providing exact timing of events. This enables organizations to identify and mitigate potential threats to sensitive information before significant damage occurs.

Integrity: Consistent and precise time stamps are crucial for maintaining the integrity of audit logs and system records. They allow for the accurate reconstruction of events, helping to identify any unauthorized alterations or tampering with data, and ensuring the trustworthiness of system logs.

Availability: Synchronizing time across systems aids in diagnosing and resolving issues that may affect system performance or lead to downtime. Accurate time stamps enable quicker troubleshooting of incidents, ensuring that systems and services remain available to authorized users without unnecessary interruptions.
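The ordering problem AU-8 exists to prevent is easy to reproduce. The block below is an added example, not part of the original document, with invented events from two hosts: one logs local time with a clock that runs 90 seconds fast, the other logs UTC from a correct clock. Sorting by the raw stamps puts the database read before the injection attempt that caused it; subtracting the measured offset (the value an NTP client reports against the approved time source) restores the true sequence.

```python
from datetime import datetime, timedelta, timezone

# Constructed events from two hosts. web01 logs local time (UTC+02:00) and its
# clock runs 90 seconds fast; db01 logs UTC from a correctly synchronized clock.
# Hosts, times and messages are invented for this example.
RAW_EVENTS = [
    ("web01", "2024-03-12T12:04:35+02:00", "SQL injection attempt in /search"),
    ("db01",  "2024-03-12T10:03:50Z",      "full users table read by app account"),
    ("web01", "2024-03-12T12:03:20+02:00", "new session for app account"),
]

# Host clock minus reference clock, as measured against the approved time source.
# Hosts missing from the table are assumed to be in sync.
CLOCK_OFFSETS = {"web01": timedelta(seconds=90), "db01": timedelta(0)}

def to_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 stamp with a numeric offset or 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)

def order_events(events, offsets=None):
    """Return (utc_time, host, message) tuples in chronological order.

    With offsets=None this is what a naive correlation does: trust each host's
    stamp after timezone conversion. With measured offsets the skew is removed
    first, which is the only way to get a defensible cross-host sequence."""
    offsets = offsets or {}
    normalized = [(to_utc(stamp) - offsets.get(host, timedelta(0)), host, msg)
                  for host, stamp, msg in events]
    return sorted(normalized)

if __name__ == "__main__":
    for label, offs in (("naive", None), ("corrected", CLOCK_OFFSETS)):
        print(label)
        for t, host, msg in order_events(RAW_EVENTS, offs):
            print(f"  {t.isoformat()} {host:5} {msg}")
```

Converting every stamp to UTC before comparison removes the timezone half of the problem; the skew half can only be removed by knowing each host's offset, which is why the control asks for synchronization to an approved source rather than merely for time stamps.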

System and Communications Protection (SC)

Focuses on protecting network communication, securing data in transit, encryption, and firewall protections.

SC-7: Boundary Protection

Description: SC-7 Boundary Protection requires organizations to monitor and control communications
at external and internal system boundaries. This control ensures that information systems have
mechanisms in place to prevent unauthorized access, data leakage, and cyber attacks by implementing
protective measures such as firewalls, gateways, and intrusion detection systems at critical points
within the network architecture.

Confidentiality: By controlling and monitoring traffic at system boundaries, SC-7 prevents unauthorized access and eavesdropping, protecting sensitive information from being disclosed to unauthorized parties.

Integrity: Boundary protection mechanisms help detect and block malicious activities, such as injection of malicious code or unauthorized data modification attempts, thereby maintaining the integrity of data and systems.

Availability: By defending against network-based attacks like Denial-of-Service (DoS), SC-7 ensures that critical services and resources remain accessible to authorized users, maintaining the availability of information systems.
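As an added example, not from the original document, the block below expresses a zone-to-zone flow policy of the kind AC-4 calls for and evaluates connections against it the way a boundary device under SC-7 would: first match wins, and anything not explicitly allowed is denied. The zones, addresses and rules are invented; audit() shows how observed flows can be checked against the documented policy to find places where enforcement and policy disagree.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan; private and documentation ranges, not a real site.
ZONES = {
    "internet": [ipaddress.ip_network("0.0.0.0/0")],
    "dmz":      [ipaddress.ip_network("10.10.0.0/24")],
    "internal": [ipaddress.ip_network("10.20.0.0/16")],
    "mgmt":     [ipaddress.ip_network("10.99.0.0/24")],
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    dst_ports: frozenset  # empty means any port
    action: str           # "allow" or "deny"
    name: str

# Approved information flows between zones (AC-4), enforced at the zone
# boundaries (SC-7). First match wins; anything unmatched is denied.
POLICY = [
    Rule("internet", "dmz",      "tcp", frozenset({443}),     "allow", "public https to dmz"),
    Rule("dmz",      "internal", "tcp", frozenset({5432}),    "allow", "web tier to database"),
    Rule("mgmt",     "internal", "tcp", frozenset({22}),      "allow", "admin ssh from mgmt"),
    Rule("mgmt",     "dmz",      "tcp", frozenset({22}),      "allow", "admin ssh from mgmt"),
    Rule("internal", "internet", "tcp", frozenset({80, 443}), "allow", "outbound web"),
    Rule("dmz",      "internet", "any", frozenset(),          "deny",  "dmz must not initiate outbound"),
]

def zone_of(ip: str) -> str:
    """Longest-prefix match, so 10.10.0.5 is 'dmz' even though 0.0.0.0/0 also contains it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for zone, nets in ZONES.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (zone, net.prefixlen)
    if best is None:
        raise ValueError(f"{ip} is in no defined zone")
    return best[0]

def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int):
    """Return (action, rule_name) for a new connection. Implicit final deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dst_ports and dst_port not in rule.dst_ports:
            continue
        return rule.action, rule.name
    return "deny", "implicit default deny"

def audit(flows):
    """Run observed flows (for example from flow records) through the policy and
    return the ones that should not have been possible; a non-empty result means
    the enforcement point and the documented policy disagree."""
    return [f for f in flows if evaluate(*f)[0] == "deny"]

if __name__ == "__main__":
    for flow in [("203.0.113.7", "10.10.0.5", "tcp", 443),
                 ("203.0.113.7", "10.10.0.5", "tcp", 22),
                 ("10.10.0.5", "10.20.1.9", "tcp", 5432),
                 ("10.10.0.5", "203.0.113.7", "tcp", 443),
                 ("10.20.1.9", "10.10.0.5", "tcp", 5432)]:
        print(flow, "->", evaluate(*flow))
```

The explicit "dmz must not initiate outbound" rule is redundant with the implicit deny but is kept on purpose: an explicit rule can be logged and counted, which is how a compromised DMZ host trying to call out becomes visible to the AU-6 review.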

SC-8: Transmission Confidentiality and Integrity


Description: SC-8 requires organizations to protect the confidentiality and integrity of information
during transmission. This control ensures that data transmitted over networks is safeguarded against
unauthorized access and modification by employing security measures such as encryption and
integrity-checking mechanisms.

Confidentiality: By encrypting data during transmission, SC-8 prevents unauthorized individuals from intercepting and reading sensitive information. This protects against eavesdropping and data breaches, ensuring that only intended recipients can access the transmitted information.

Integrity: The control ensures that data is not altered or tampered with during transit. Using mechanisms like message authentication codes or digital signatures, SC-8 helps detect any unauthorized modifications, maintaining the accuracy and reliability of the transmitted information. Plain checksums only catch accidental corruption: an attacker who can change the data can recompute the checksum as well, so they do not meet the integrity requirement on their own.

Availability: While SC-8 primarily focuses on confidentiality and integrity, securing data transmissions also supports availability. By protecting against interception and tampering, it ensures that data reaches its intended destination uncorrupted and on time, maintaining trust in communication channels and system reliability.

SC-23: Session Authenticity

Description: SC-23 Session Authenticity requires organizations to protect the authenticity of communications sessions. This control ensures that information systems establish and maintain secure sessions by verifying the identities of parties involved and safeguarding session information. It prevents unauthorized entities from intercepting, hijacking, or impersonating legitimate sessions between users or systems.

Confidentiality: By authenticating sessions, SC-23 ensures that sensitive information is exchanged only between authorized parties. This prevents unauthorized access during active sessions, protecting data from eavesdropping and interception.

Integrity: Ensuring session authenticity helps prevent session hijacking and man-in-the-middle attacks, where an attacker could alter the data being transmitted. By verifying the legitimacy of sessions, the control maintains the accuracy and trustworthiness of the information exchanged.

Availability: Protecting session authenticity helps maintain reliable communication channels. It prevents unauthorized disruptions or terminations of sessions, ensuring that legitimate users can access services and resources without interruption.
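Two of the mechanisms named above, integrity of data in transit (SC-8) and session authenticity (SC-23), rest on the same primitive, a keyed message authentication code. The block below is an added example, not from the original document. It first shows why a checksum is not an integrity control against an attacker, then uses HMAC-SHA256 both for a transmitted frame and for a signed session token with an expiry. The key is hard-coded only for the demonstration; the token layout is an illustration, not any particular standard's format.

```python
import base64
import hashlib
import hmac
import json
import secrets
import zlib

# Hard-coded demo key, an assumption for this example; real keys come from a
# key store and are never embedded in code.
DEMO_KEY = b"0123456789abcdef0123456789abcdef"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def attach_checksum(msg: bytes) -> bytes:
    """Integrity the weak way: CRC32 appended. Catches line noise, not an adversary."""
    return msg + zlib.crc32(msg).to_bytes(4, "big")

def verify_checksum(frame: bytes) -> bool:
    msg, crc = frame[:-4], frame[-4:]
    return zlib.crc32(msg).to_bytes(4, "big") == crc

def attach_mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 tag appended; producing a valid tag requires the shared key."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()

def verify_mac(key: bytes, frame: bytes) -> bool:
    msg, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time: no early exit on first mismatch

def attacker_edits_checksum_frame(frame: bytes, old: bytes, new: bytes) -> bytes:
    """On-path attacker without the key: change the payload and recompute the CRC."""
    return attach_checksum(frame[:-4].replace(old, new))

def attacker_edits_mac_frame(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Same attacker against the MAC frame: the best available move is to reuse the old tag."""
    return frame[:-TAG_LEN].replace(old, new) + frame[-TAG_LEN:]

# Session authenticity: the same keyed MAC binds a session identifier to its
# claims and expiry, so a client cannot forge or edit a session it was not issued.

def issue_token(key: bytes, user: str, now: int, ttl: int = 900) -> str:
    claims = {"sub": user, "exp": now + ttl, "sid": secrets.token_hex(16)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{base64.urlsafe_b64encode(payload).decode()}.{base64.urlsafe_b64encode(tag).decode()}"

def verify_token(key: bytes, token: str, now: int):
    """Return the subject if the token is authentic and unexpired, else None.
    The tag is checked before any claim is parsed or trusted."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or bad base64 (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None
    return claims["sub"]

def forge_subject(token: str, old: str, new: str) -> str:
    """Client-side tampering: rewrite the claims and keep the original tag."""
    payload_b64, tag_b64 = token.split(".")
    payload = base64.urlsafe_b64decode(payload_b64).replace(old.encode(), new.encode())
    return f"{base64.urlsafe_b64encode(payload).decode()}.{tag_b64}"

if __name__ == "__main__":
    wire = b"transfer 100 to account 42"
    print("crc after edit :", verify_checksum(attacker_edits_checksum_frame(attach_checksum(wire), b"100", b"900")))
    print("mac after edit :", verify_mac(DEMO_KEY, attacker_edits_mac_frame(attach_mac(DEMO_KEY, wire), b"100", b"900")))
    tok = issue_token(DEMO_KEY, "alice", now=1_700_000_000)
    print("valid token    :", verify_token(DEMO_KEY, tok, now=1_700_000_100))
    print("forged subject :", verify_token(DEMO_KEY, forge_subject(tok, "alice", "admin"), now=1_700_000_100))
```

Two details carry most of the security value: the tag is verified before the payload is parsed, so malformed or attacker-controlled claims never reach application logic unauthenticated, and the comparison is constant-time, so the verifier does not leak how many leading tag bytes were correct.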

Identification and Authentication (IA)

This family is critical for ensuring that only authorized users and devices can
access the network.

IA-2: Identification and Authentication (Organizational Users)

Description: IA-2 requires organizations to uniquely identify and authenticate organizational users (or
processes acting on behalf of users) before granting access to information systems. This control
ensures that access is restricted to authorized individuals by verifying their identities using approved
authentication methods, such as passwords, tokens, biometrics, or multi-factor authentication.

Confidentiality: By ensuring that only authenticated and authorized users can access sensitive information, IA-2 protects against unauthorized disclosure of data, maintaining confidentiality.

Integrity: Authentication mechanisms prevent unauthorized users from altering or manipulating data. By restricting access to legitimate users, IA-2 helps maintain the accuracy and trustworthiness of information.

Availability: Proper identification and authentication prevent unauthorized users from consuming system resources or disrupting services. IA-2 ensures that systems and information remain available to authorized users when needed.

IA-3: Device Identification and Authentication

Description: IA-3 requires organizations to uniquely identify and authenticate devices before allowing
them to connect to information systems. This control ensures that only authorized devices can access
the network and system resources, preventing unauthorized or compromised devices from establishing
connections. Device identification and authentication can be implemented using methods like digital
certificates, secure tokens, or device fingerprints. MAC address filtering is often listed alongside these,
but a MAC address is trivially spoofed and should not be treated as an authenticator on its own.

Confidentiality: By verifying and authenticating devices, IA-3 prevents unauthorized devices from accessing sensitive information. This ensures that confidential data is only transmitted to and from trusted devices, protecting against data breaches and unauthorized disclosure.

Integrity: Ensuring that only authorized devices can connect reduces the risk of data being altered or tampered with by malicious devices. Device authentication helps maintain the integrity of data by establishing secure communication channels between trusted endpoints.

Availability: By restricting access to authorized devices, IA-3 helps prevent network congestion and potential denial-of-service attacks from rogue devices. This ensures that system resources and services remain available to legitimate users and devices when needed.

IA-5: Authenticator Management

Description: IA-5 requires organizations to manage authenticators (e.g., passwords, tokens, biometric
data) effectively throughout their lifecycle. This control ensures that the creation, distribution, storage,
use, and destruction of authentication credentials are conducted securely. It involves implementing
policies for password complexity, expiration, reuse, and safeguarding authenticator information to
prevent unauthorized access and credential compromise.

Confidentiality: By securely managing authenticators, IA-5 prevents unauthorized individuals from gaining access to sensitive systems and data. Strong password policies and secure storage of authentication information protect against credential theft, thereby safeguarding confidential information from unauthorized disclosure.

Integrity: Proper authenticator management ensures that only authorized users can access and modify information systems and data. This helps prevent unauthorized alterations, maintaining the accuracy and reliability of information by ensuring that only trusted entities can make changes.

Availability: Effective management of authenticators helps prevent unauthorized access that could lead to system disruptions or denial-of-service attacks. By ensuring that legitimate users have secure and reliable access to authentication mechanisms, IA-5 supports the availability of systems and resources when needed.
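As an added example, not part of the original document, the block below implements the authenticator lifecycle IA-5 describes for passwords: policy checks at creation, salted slow hashing at rest (PBKDF2-HMAC-SHA256 from the Python standard library), rejection of recently used passwords by comparing against the stored hashes rather than keeping plaintext history, and a silent work-factor upgrade on the next successful login. The blocked-password list is a constructed stand-in for a breached-password feed, and the iteration count is an assumption to be tuned per deployment.

```python
import hashlib
import hmac
import os
from typing import Optional

DEFAULT_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster

def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Self-describing record: algorithm$iterations$salt$hash (hex fields).
    Storing the parameters with the hash is what makes later upgrades possible."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    except ValueError:  # malformed record
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)

def work_factor(record: str) -> int:
    return int(record.split("$")[1])

class AuthenticatorStore:
    """Password authenticator lifecycle (IA-5): policy checks at creation,
    salted slow hashing at rest, reuse prevention against recent hashes, and
    transparent upgrade of the work factor on the next successful login."""
    MIN_LENGTH = 12
    HISTORY = 5
    BLOCKED = {"password1234", "welcome12345", "changeme1234"}  # constructed; use a breach feed in production

    def __init__(self, iterations: int = DEFAULT_ITERATIONS):
        self.iterations = iterations
        self.records = {}   # user -> current record
        self.history = {}   # user -> previous records, newest last

    def set_password(self, user: str, password: str) -> Optional[str]:
        """Return a rejection reason, or None when the new password was accepted."""
        if len(password) < self.MIN_LENGTH:
            return "too short"
        if password.lower() in self.BLOCKED:
            return "commonly used password"
        previous = self.history.get(user, []) + ([self.records[user]] if user in self.records else [])
        if any(verify_password(password, r) for r in previous):
            return "recently used"
        if user in self.records:
            self.history.setdefault(user, []).append(self.records[user])
            del self.history[user][:-self.HISTORY]
        self.records[user] = hash_password(password, self.iterations)
        return None

    def login(self, user: str, password: str) -> bool:
        record = self.records.get(user)
        if record is None:
            # Spend the same effort for unknown users so timing does not reveal which names exist.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, self.iterations)
            return False
        if not verify_password(password, record):
            return False
        if work_factor(record) < self.iterations:
            self.records[user] = hash_password(password, self.iterations)  # upgrade while plaintext is in hand
        return True
```

The upgrade step in login() is the practical answer to "how do we raise the work factor for existing users": it can only happen when the plaintext is briefly available, so it is done at the moment of a successful login rather than by a batch job.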
NIST SP 800-53 to ISO/IEC 27001:2022 control reference

NIST SP 800-53 control | ISO/IEC 27001:2022 control | Comment

AC-3: Access Enforcement | A.5.15 - Access control | Ensures access control policies are enforced.

AC-4: Information Flow Enforcement | (no direct match) | ISO A.8.22 Segregation of networks covers network segmentation but does not address specific information flow controls like AC-4.

AC-17: Remote Access | A.6.7 - Remote working | Controls secure access to organizational systems when working remotely.

AU-2: Event Logging | A.8.15 - Logging | Requires logging of system events for audit and accountability purposes.

AU-6: Audit Record Review, Analysis, and Reporting | (no direct match) | ISO addresses logging and monitoring (A.8.15 and A.8.16) but has no control dedicated to audit review and analysis like AU-6. A.8.15 does require logs to be analysed, so the gap is one of depth and specificity rather than a complete absence.

AU-8: Time Stamps | A.8.17 - Clock synchronization | Both ensure time stamps are synchronized so that events are recorded accurately across systems.

SC-7: Boundary Protection | A.8.23 - Web filtering | A.8.23 covers controlling access to external websites, which is only one aspect of boundary protection. SC-7 covers broader boundary defense (firewalls, IDS); ISO A.8.20 Networks security and A.8.22 Segregation of networks are closer to that scope.

SC-8: Transmission Confidentiality and Integrity | A.8.21 - Security of network services | Ensures confidentiality and integrity of information transmitted across networks, similar to SC-8.

SC-23: Session Authenticity | A.8.5 - Secure authentication | Both ensure that session establishment is secure and authenticated to prevent unauthorized access.

IA-2: Identification and Authentication (Organizational Users) | A.5.16 - Identity management | Manages user identities to ensure that only authorized users have access to systems.

IA-3: Device Identification and Authentication | A.8.1 - User endpoint devices | Ensures secure management of user endpoint devices, including authenticating devices before they connect to the network.

IA-5: Authenticator Management | A.5.17 - Authentication information | Manages the secure allocation, usage, and management of authenticators, such as passwords and tokens.
List of the controls from ISO/IEC 27001:2022 that are relevant to network security

A.5.15 - Access control

Description: Rules to control physical and logical access to information and other associated assets
shall be established and implemented based on business and information security requirements.

Confidentiality: By enforcing access controls, A.5.15 protects sensitive information from unauthorized disclosure. It ensures that only authorized individuals can access confidential data, safeguarding it from unauthorized users or external threats.

Integrity: Access control mechanisms prevent unauthorized users from modifying or tampering with information. By restricting access to authorized personnel, the control maintains the accuracy and trustworthiness of data, ensuring it remains unaltered by unauthorized actions.

Availability: By managing access rights effectively, A.5.15 ensures that legitimate users can access the information and resources they need without unnecessary obstacles. It prevents unauthorized activities that could disrupt services or consume resources, thereby supporting the availability of information systems to authorized users when needed.

A.8.22 - Segregation of networks

Description: Groups of information services, users and information systems shall be segregated in the
organization's networks.

Confidentiality: Network segregation helps prevent unauthorized access to sensitive information by restricting communication between different network segments. Only authorized users and systems within the same segment can access protected data, reducing the risk of data breaches and unauthorized disclosures.

Integrity: By controlling and monitoring the flow of information between segregated networks, this control reduces the risk of unauthorized modification of data. It helps prevent the spread of malware or unauthorized changes from less secure segments to critical systems, thereby maintaining the accuracy and reliability of information.

Availability: Segregation of networks enhances availability by isolating network issues or cyber attacks to a single segment. This containment ensures that disruptions do not cascade throughout the entire network infrastructure, allowing unaffected segments to continue operating normally and ensuring continuous access to essential services and resources.

A.6.7 - Remote working

Description: Security measures shall be implemented when personnel are working remotely to protect
information accessed, processed or stored outside the organization’s premises.

Confidentiality: By securing remote working arrangements, A.6.7 ensures that sensitive information accessed or transmitted remotely is protected from unauthorized access or disclosure. This includes using secure communication channels (e.g., VPNs), encrypting data on devices, and enforcing strong authentication methods to prevent unauthorized access to organizational resources.

Integrity: The control helps maintain the accuracy and reliability of information handled during remote work. Implementing secure remote access protocols and safeguards prevents unauthorized modifications, ensuring that data remains unaltered during transmission or storage on remote devices.

Availability: By providing reliable and secure remote access solutions, A.6.7 ensures that authorized personnel can access necessary information and systems when working remotely. This supports business continuity and allows employees to perform their duties effectively outside the traditional office environment, ensuring that services remain available to clients and stakeholders.

A.8.15 - Logging

Description: Logs that record activities, exceptions, faults and other relevant events shall be produced,
stored, protected and analysed.

Confidentiality: Logging helps detect unauthorized access attempts or breaches by recording access to sensitive information. By monitoring logs, organizations can identify suspicious activities and respond promptly to protect confidential data from exposure.

Integrity: Logs capture events related to data creation, modification, and deletion, enabling the detection of unauthorized changes or tampering. Regular review of logs helps maintain the accuracy and reliability of information by ensuring that any integrity breaches are identified and addressed.

Availability: Logging system events such as errors, failures, and resource utilization aids in identifying issues that may affect system performance or lead to downtime. By analyzing logs, organizations can proactively address potential problems, ensuring that systems and services remain available to authorized users when needed.

A.8.16 - Monitoring activities

Description: Networks, systems and applications shall be monitored for anomalous behaviour and
appropriate actions taken to evaluate potential information security incidents.

Confidentiality: By continuously monitoring systems and networks, organizations can detect unauthorized access attempts or suspicious activities that may lead to data breaches. Early detection allows for prompt action to prevent the disclosure of sensitive information to unauthorized parties.

Integrity: Monitoring activities help identify unauthorized modifications to data or system configurations. By detecting anomalies or changes that deviate from expected behavior, organizations can take corrective measures to maintain the accuracy and trustworthiness of information.

Availability: Regular monitoring of system performance and resource utilization enables organizations to identify issues that could disrupt services, such as hardware failures or denial-of-service attacks. Proactive detection allows for swift intervention to ensure that systems and services remain accessible to authorized users when needed.

A.8.17 - Clock synchronization

Description: The clocks of information processing systems used by the organization shall be
synchronized to approved time sources.
Confidentiality: Accurate time synchronization aids in promptly detecting and responding to unauthorized access or data breaches. By providing precise timing of events, organizations can identify suspicious activities and mitigate potential threats to sensitive information before significant damage occurs, thus protecting confidentiality.

Integrity: Consistent and synchronized clocks are essential for maintaining the integrity of audit logs and system records. They ensure that events are recorded in the correct sequence, allowing for accurate reconstruction of events and detection of any unauthorized alterations or tampering with data, thereby upholding data integrity.

Availability: Clock synchronization helps in diagnosing and resolving system issues that may affect performance or lead to downtime. Accurate time stamps enable quicker troubleshooting of incidents, ensuring that systems and services remain available to authorized users without unnecessary interruptions, thus supporting availability.

A.8.23 - Web filtering

Description: Access to external websites shall be managed to reduce exposure to malicious content.

Confidentiality: By blocking access to malicious websites that may host phishing attacks or malware, web filtering protects sensitive information from being exposed or stolen. It reduces the risk of users inadvertently disclosing confidential data to unauthorized parties through compromised sites.

Integrity: Web filtering prevents the download of malicious code that could alter or corrupt data. By restricting access to websites known to distribute malware, it helps maintain the integrity of information systems and data by minimizing the risk of infection and unauthorized modifications.

Availability: By preventing access to harmful websites, web filtering reduces the likelihood of security incidents that could disrupt system operations, such as malware-induced system failures or network congestion from malicious traffic. This ensures that systems and services remain operational and available to authorized users.

A.8.21 - Security of network services

Description: Security mechanisms, service levels and service requirements of network services shall
be identified, implemented and monitored.

Confidentiality: By securing network services, A.8.21 ensures that sensitive information transmitted over networks is protected from unauthorized interception or access. This includes implementing encryption, access controls, and secure authentication methods to prevent eavesdropping and data breaches, thereby safeguarding confidential data during transmission.

Integrity: The control helps maintain the accuracy and reliability of data transmitted over networks by preventing unauthorized modification or tampering. Security measures such as integrity checks, secure communication protocols, and network monitoring protect against data corruption and ensure that information remains unaltered during transmission.

Availability: Securing network services ensures that network resources and services are resilient against attacks or disruptions, such as Denial-of-Service (DoS) attacks or network failures. Implementing redundancy, robust network configurations, and proactive monitoring helps maintain continuous network availability, ensuring that users can access information and services when needed.

A.8.5 - Secure authentication


Description: Secure authentication technologies and procedures shall be implemented based on
information access restrictions and the topic-specific policy on access control.

Confidentiality: Secure authentication ensures that only authorized individuals can access sensitive information, protecting it from unauthorized disclosure. By implementing strong authentication practices, organizations reduce the risk of data breaches and safeguard confidential data from being accessed by unauthorized users.

Integrity: Verifying the identity of users and systems helps prevent unauthorized modifications to data and systems. Secure authentication ensures that actions performed within the system are attributable to verified entities, maintaining the accuracy and reliability of information by preventing unauthorized alterations.

Availability: Robust authentication mechanisms protect against unauthorized access attempts that could disrupt services or consume resources, such as brute-force attacks or credential theft. By mitigating these threats, secure authentication helps ensure that systems and resources remain available to legitimate users when needed.

A.5.16 - Identity management

Description: The full life cycle of identities shall be managed.

Confidentiality: Proper identity management ensures that only authorized individuals have access to sensitive information. By verifying identities and assigning appropriate access rights, A.5.16 helps prevent unauthorized access and protects confidential data from being disclosed to unauthorized parties.

Integrity: By controlling who can access and modify information, effective identity management helps prevent unauthorized alterations to data. This maintains the accuracy and reliability of information by ensuring that only authorized users can make changes.

Availability: Ensuring that legitimate users have appropriate access rights allows them to access the information and resources they need without unnecessary delays or obstacles. This supports the availability of systems and services to authorized users when needed, facilitating efficient

A.8.1 - User endpoint devices

Description: Information stored on, processed by or accessible via user end point devices shall be
protected.

Confidentiality: By securing user endpoint devices, A.8.1 ensures that sensitive information stored on or accessed through these devices is protected from unauthorized access or disclosure. This includes implementing encryption, strong authentication methods, and access controls to prevent data breaches in the event of device loss or theft.

Integrity: The control helps maintain the accuracy and reliability of data on endpoint devices by protecting them from malware, unauthorized modifications, or tampering. Using antivirus software, regular patching, and secure configurations prevents malicious software and unauthorized changes that could compromise data integrity.

Availability: Securing endpoint devices ensures that users have reliable access to necessary information and services when needed. By protecting devices from malware, hardware failures, and other issues through regular maintenance and security measures, A.8.1 supports the availability of information and systems to authorized users.

A.5.17 - Authentication information


Description: Allocation and management of authentication information shall be controlled by a
management process, including advising personnel on appropriate handling of authentication
information.

Confidentiality: By securely managing authentication information, A.5.17 ensures that credentials are protected from unauthorized access or disclosure. This prevents attackers from obtaining authentication information that could be used to gain unauthorized access to systems and sensitive data, thereby safeguarding the confidentiality of information assets.

Integrity: Proper handling and protection of authentication information prevent unauthorized modification or tampering with credentials. Ensuring that authentication data remains accurate and unaltered maintains the integrity of authentication processes, so only legitimate users can access and perform actions within the system.

Availability: Secure management of authentication information ensures that authentication mechanisms function reliably, allowing authorized users to access systems and data when needed. By protecting against credential compromise and authentication system failures, A.5.17 supports the availability of resources to legitimate users, preventing disruptions caused by security incidents.
Control implementation matrix for controls from NIST SP 800-53

Operating systems covered: Linux (Ubuntu), Unix (FreeBSD), Windows 11, macOS, Android, iOS.

AC-3: Access Enforcement

Linux (Ubuntu) - Implemented
Access enforcement is managed through file permissions (chmod, chown) and Access Control Lists for fine-grained control. User and group management allows assignment of permissions. The sudoers file (/etc/sudoers) controls administrative privileges. AppArmor provides mandatory access control (MAC) for application-level restrictions.

Unix (FreeBSD) - Implemented
Access is enforced using file permissions, ACLs, and user/group management. The sudoers file manages privileged access. TrustedBSD MAC frameworks offer additional security policies. Jails provide process isolation, enforcing strict access controls within confined environments.

Windows 11 - Implemented
Managed through NTFS file permissions for detailed file and folder access control. User Account Control (UAC) prompts for administrative approval when required. Group Policy Objects (GPOs) enforce access control policies across the network. AppLocker restricts application execution based on policies.

macOS - Implemented
Access control uses POSIX permissions, ACLs, and user/group management. sudo manages administrative privileges. System Integrity Protection enhances security by restricting the root user's ability to modify critical system files. App Sandbox limits applications' access to system resources.

Android - Partially Implemented
The Android permission model regulates app access to system resources. SELinux enforces MAC at the kernel level, but advanced access controls (e.g., file-level ACLs) are restricted without root access.

iOS - Partially Implemented
App Sandbox isolates applications, restricting access to system resources. Permissions are enforced through user consent for specific access (e.g., location, camera). Comprehensive control over system resources is limited without MDM.

AC-4: Information Flow Enforcement

Linux (Ubuntu) - Implemented
Information flow control is managed via iptables and nftables for network traffic control. AppArmor can enforce restrictions on process communication, while file-level access controls (ACLs) manage data flow between users and groups.

Unix (FreeBSD) - Implemented
Information flow is controlled using pf for network traffic and Jails for process and resource isolation. The mac (Mandatory Access Control) framework further regulates data flow between subjects based on security policies.

Windows 11 - Implemented
Windows Firewall and IPsec manage network information flow. Group Policy Objects (GPOs) and AppLocker regulate the flow of information between applications and users. Active Directory Rights Management Services can restrict the flow of sensitive information.

macOS - Implemented
Information flow is managed by pf for network traffic. App Sandbox controls inter-process communication, and System Integrity Protection restricts modifications to system resources and ensures controlled information flow.

Android - Partially Implemented
Information flow is controlled at the application level using SELinux policies. The Android permission model restricts apps' ability to access sensitive information, but more granular system-wide information flow control is limited.

iOS - Partially Implemented
App Sandbox and permissions restrict apps from accessing unauthorized data. However, comprehensive system-wide information flow enforcement is limited to what is allowed by Apple’s security framework without deeper control (e.g., MDM).

AC-17: Remote Access

Linux (Ubuntu) - Implemented
Remote access is primarily managed via SSH, with configuration handled in /etc/ssh/sshd_config to control key-based authentication, login restrictions, and access limits. UFW (Uncomplicated Firewall) can be used to restrict IP addresses and ports to control access.

Unix (FreeBSD) - Implemented
Remote access is managed through SSH, with detailed configuration in /etc/ssh/sshd_config. pf can be used to restrict access to certain IPs or networks. Jails can be employed for isolated remote service management.

Windows 11 - Implemented
Remote Desktop Protocol provides remote access, secured with Network Level Authentication. Windows Firewall and Group Policy are used to control and limit remote access. IPsec is used for encryption of remote connections.

macOS - Implemented
Remote access is handled via SSH (through Remote Login) or VNC for graphical access. Access controls are configured through the system's preferences and /etc/ssh/sshd_config. pf is available for firewall rules to control incoming connections.

Android - Partially Implemented
Limited to ADB for developer access and VPN for secure connections. Lacks native support for SSH/RDP and more advanced remote management features.

iOS - Partially Implemented
VPN support enables secure remote connections, and remote access is managed through MDM. iOS does not offer native SSH/RDP capabilities or comprehensive remote access management without using MDM solutions.

AU-2: Event Logging

Linux (Ubuntu) - Implemented
Logs are managed by rsyslog and stored in /var/log. journalctl is available for managing systemd logs. Configuration allows for filtering, forwarding, and log rotation.

Unix (FreeBSD) - Implemented
syslogd handles event logging, with logs stored in /var/log. Configured via /etc/syslog.conf, and newsyslog manages log rotation.

Windows 11 - Implemented
The Event Viewer collects logs for System, Security, and Application events. The wevtutil command can be used for log management, and Windows Event Forwarding enables centralized logging.

macOS - Implemented
Unified Logging collects system and app logs, viewable via Console or the log command. Logs are categorized by subsystem for better organization.

Android - Partially Implemented
logcat captures basic system and application logs, but advanced logging capabilities are limited, and there is no native support for long-term storage or remote forwarding.

iOS - Partially Implemented
Basic logging is provided via the os_log framework, but access to detailed logs is restricted to developers, and comprehensive system-wide logging for regular users is lacking.

AU-6: Audit Record Review, Analysis, and Reporting

Linux (Ubuntu) - Implemented
Logs are collected by rsyslog and systemd-journald, stored in /var/log. Administrators can review and analyze logs using journalctl, ausearch for audit logs, and command-line tools like grep and awk. The auditd daemon provides auditing capabilities for detailed event analysis.

Unix (FreeBSD) - Implemented
syslogd collects system and application logs stored in /var/log. Logs can be reviewed using tools like tail, grep, and less. The auditd service enables auditing, and praudit is used to analyze audit records. newsyslog manages log rotation and archiving.

Windows 11 - Implemented
Event Viewer allows reviewing and analyzing system, security, and application logs. Custom views and filters enable targeted log analysis. PowerShell cmdlets like Get-EventLog and Get-WinEvent provide advanced log querying. Logs are stored in the Windows Event Log system.

macOS - Implemented
The Unified Logging system collects logs accessible via the Console app or the log command-line tool. Administrators can filter and analyze logs using log commands. The auditd service provides auditing capabilities, with logs analyzed using praudit. Logs can be exported for further analysis.

Android - Partially Implemented
Basic log review can be done via logcat, but comprehensive audit log review and detailed analysis are not natively supported. Advanced reporting and centralized analysis require third-party tools or MDM solutions.

iOS - Partially Implemented
Logs are accessible via os_log, primarily for developers. Audit review for end-users is limited, and comprehensive audit analysis is generally only possible through enterprise solutions like MDM.

AU-8: Time Stamps

Linux (Ubuntu) - Implemented
Time stamps are included in log entries by rsyslog and systemd-journald. Time is synchronized using chrony or ntpd to ensure accurate timestamps.

Unix (FreeBSD) - Implemented
Logs generated by syslogd include time stamps, and system time synchronization is managed via ntpd or openntpd to ensure accurate timestamps.

Windows 11 - Implemented
Event Viewer logs include time stamps, and time synchronization is handled by the Windows Time Service (W32Time) using NTP. Settings can be adjusted through the Date and Time settings or via Group Policy.

macOS - Implemented
Time stamps are included in logs via Unified Logging. Time synchronization is managed by ntpd or timed, automatically syncing with Apple's time servers. Users can adjust settings in System Preferences under Date & Time to specify time servers.

Android - Partially Implemented
Basic time stamps are included in logs via logcat, but detailed control over time synchronization (e.g., NTP) is limited out of the box. Accurate time syncing depends on network-provided time, and advanced configurations are not natively supported.

iOS - Partially Implemented
Logs via os_log include time stamps, but time synchronization relies on network-based time settings. Advanced configurations (e.g., NTP) are not user-accessible without enterprise tools like MDM.

SC-7: Boundary Protection

Linux (Ubuntu) - Implemented
Boundary protection is achieved using iptables or nftables for configuring firewall rules and controlling network traffic. Uncomplicated Firewall provides an easy interface to manage firewall settings. AppArmor enforces mandatory access control, restricting applications' capabilities and enhancing security.

Unix (FreeBSD) - Implemented
Utilizes pf (Packet Filter) or ipfw to define firewall rules for boundary protection. pf offers stateful packet inspection, filtering, and network address translation. FreeBSD Jails provide system-level isolation for applications and services, adding an extra layer of security.

Windows 11 - Implemented
Windows Defender Firewall controls inbound and outbound traffic through customizable rules. Windows Defender Application Control restricts applications based on policies. IPsec secures network communications, and Group Policy allows centralized management of firewall and security settings.

macOS - Implemented
Provides boundary protection using pf for firewall configurations. The Application Firewall controls incoming connections on a per-application basis. System Integrity Protection prevents unauthorized modifications to system files, enhancing overall security.

Android - Partially Implemented
App Sandbox isolates applications, limiting their access to system resources and other apps. SELinux enforces mandatory access control at the kernel level. However, there is no native user-configurable firewall for network-level boundary protection.

iOS - Partially Implemented
Utilizes App Sandbox to isolate apps and enforce strict permission controls. System security features protect against unauthorized access. Native firewall configuration is not available for users to manage network-level boundary protection.

SC-8: Transmission Confidentiality and Integrity

Linux (Ubuntu) - Implemented
Transmission confidentiality and integrity are ensured using OpenSSL for encrypted communications (e.g., HTTPS, TLS). IPsec and SSH are available for secure transmissions over the network.

Unix (FreeBSD) - Implemented
OpenSSL and IPsec provide encryption for data transmissions. SSH ensures secure remote communication, and TLS is used for application-layer encryption.

Windows 11 - Implemented
Transmission protection is ensured by TLS/SSL (via Schannel) for encrypted connections, IPsec for network-layer encryption, and BitLocker for data-in-transit protection when used in combination with external devices.

macOS - Implemented
TLS/SSL is used for encrypted communication, with system-wide support for IPsec and SSH to ensure transmission confidentiality and integrity. FileVault provides additional data protection when used with external storage.

Android - Partially Implemented
Transmission confidentiality is handled using TLS/SSL for app communication, but system-wide controls over secure transmission (e.g., IPsec configuration) are limited out of the box without MDM or advanced configuration tools.

iOS - Partially Implemented
TLS/SSL ensures app-level encrypted communication, but system-wide controls for network-layer security (e.g., IPsec) require MDM for full configuration and control.

SC-23: Session Authenticity

Linux (Ubuntu) - Implemented
Session authenticity is ensured through SSH for secure remote sessions, using key-based authentication to prevent unauthorized access. TLS/SSL is used in applications like Apache and Nginx to secure web sessions. Kerberos can be configured for mutual authentication in network services.

Unix (FreeBSD) - Implemented
Provides session authenticity with SSH for secure remote access using key-based authentication. TLS/SSL protocols are implemented in services to protect session data. Kerberos support is available for secure network authentication.

Windows 11 - Implemented
Utilizes Kerberos and NTLM for session authentication in network communications. Remote Desktop Protocol with Network Level Authentication ensures session authenticity before establishing connections. TLS/SSL secures session data in applications like Internet Information Services (IIS).

macOS - Implemented
Ensures session authenticity with SSH for secure remote access, supporting key-based authentication. Uses TLS/SSL system-wide for secure communications. Supports Kerberos for mutual authentication in network services.

Android - Partially Implemented
Employs TLS/SSL for secure communication within apps, ensuring session authenticity. However, it lacks system-wide session management and controls for session integrity at the OS level.

iOS - Partially Implemented
Uses TLS/SSL to secure app communications, providing session authenticity. System services utilize TLS to protect data. Comprehensive OS-level session management features are limited.

IA-2: Identification and Authentication (Organizational Users)

Linux (Ubuntu) - Implemented
Utilizes Pluggable Authentication Modules for user authentication and identification, supporting passwords, SSH keys, and configurable for multi-factor authentication. User accounts are managed via files like /etc/passwd, /etc/shadow, and /etc/group. Password policies enforcing complexity, expiration, and reuse are set through PAM configurations.

Unix (FreeBSD) - Implemented
Manages user identification and authentication using PAM, with support for passwords and SSH key-based authentication. User and group accounts are handled through /etc/master.passwd, /etc/passwd, and /etc/group. Password policies can be enforced via system configurations and PAM modules.

Windows 11 - Implemented
Employs Active Directory for organizational user identification and authentication in domain environments, using Kerberos or NTLM protocols. Local Security Policy and Group Policy enforce password policies, including complexity, length, and expiration. Supports multi-factor authentication with Windows Hello (biometrics, PIN) and smart cards for enhanced security.

macOS - Implemented
Manages user identification and authentication through Local Directory Service and PAM. Supports passwords, SSH keys, and can be configured for multi-factor authentication. User accounts are administered via System Preferences or command-line tools. Keychain securely stores user credentials and certificates.

Android - Partially Implemented
Provides authentication using passwords, PINs, pattern locks, and biometric methods (fingerprint, face recognition). Limited support for multiple user profiles on some devices. Lacks comprehensive organizational user management and enforcement of authentication policies without enterprise solutions.

iOS - Partially Implemented
Supports authentication via passcodes, Touch ID, and Face ID. Does not natively support multiple user accounts for organizational use. Comprehensive organizational user identification and authentication require enterprise tools for full implementation.

IA-3: Device Identification and Authentication

Linux (Ubuntu) - Implemented
Device authentication is primarily managed through SSH keys for secure connections. IPsec can be used for secure communications, and MAC address filtering can be implemented via iptables or network configuration files for basic device authentication on a local network.

Unix (FreeBSD) - Implemented
Device identification and authentication are supported through SSH key-based authentication, IPsec, and MAC address filtering using pf or ipfw for network-level control.

Windows 11 - Implemented
Device authentication is managed through Active Directory with Kerberos and NTLM. IPsec secures device-to-device communication, and MAC address filtering can be configured on network devices (e.g., routers or switches) to restrict access to specific devices.

macOS - Implemented
Device authentication is supported via SSH and IPsec. MAC address filtering can be applied on network equipment or configured through pf for controlling device access.

Android - Partially Implemented
Device identification relies on unique device IDs and network-based authentication, but advanced device authentication (e.g., IPsec) requires additional configuration or MDM for full management.

iOS - Partially Implemented
Device identification relies on unique device IDs and network-based authentication, but advanced device authentication (e.g., IPsec) requires additional configuration or MDM for full management.

IA-5: Authenticator Management

Linux (Ubuntu) - Implemented
Ubuntu manages authenticators using PAM, which enforces password policies like complexity, expiration, and reuse. Configuration files such as /etc/pam.d/common-password and /etc/login.defs are used to set password requirements. Passwords are securely stored in /etc/shadow using salted hashes. The chage command manages password aging policies.

Unix (FreeBSD) - Implemented
FreeBSD utilizes PAM for authenticator management, allowing enforcement of password complexity, history, and expiration policies. Configuration is done in /etc/pam.d/. Passwords are securely stored in /etc/master.passwd with encryption. Tools like passwd and pw manage user passwords and policy settings.

Windows 11 - Implemented
Authenticator management is handled via Group Policy, enabling administrators to enforce password complexity, length, and expiration. Settings are configured in Local Security Policy or Group Policy Editor under Security Settings ➔ Account Policies. Passwords are securely stored using hashed formats with NTLM or Kerberos protocols.

macOS - Implemented
macOS uses PAM and Open Directory for authenticator management. Password policies like complexity and expiration can be configured using the pwpolicy command. Passwords are securely stored in /var/db/dslocal/nodes/Default/. The Keychain system securely manages user credentials and certificates.

Android - Partially Implemented
Authentication is managed through passwords, PINs, and biometric methods (fingerprint, face recognition). Out of the box, Android offers basic password requirements (e.g., minimum length), but lacks advanced authenticator management like enforcing complexity rules or password history without additional tools. Enterprise-level policies typically require MDM solutions.

iOS - Partially Implemented
iOS handles authentication with passcodes, Touch ID, and Face ID. By default, it provides basic passcode policies but does not support detailed authenticator management such as complexity requirements or expiration policies. Advanced management features are available through MDM solutions in enterprise environments.
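As an added example that is not part of the original matrix, the script below reads the two Ubuntu files named in the AC-17 and IA-5 rows (/etc/ssh/sshd_config and /etc/login.defs) and reports whether they meet a few hardening expectations. The expected values, thresholds, function names and sample files are this example's own assumptions, not values from the matrix.

```shell
#!/usr/bin/env bash
# Added example, not part of the original matrix: a read-only check of the two
# Ubuntu files named in the AC-17 and IA-5 rows, /etc/ssh/sshd_config and
# /etc/login.defs. Both are "Key value" text files, so one reader serves both.
# Expected values, thresholds and sample files are this example's assumptions.

# cfg_first FILE KEY: value of the first uncommented KEY line (case-insensitive).
# sshd applies the first value it sees, and lines after a "Match" line are
# conditional, so the reader stops there; login.defs has no Match keyword.
cfg_first() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                       # comment line
        NF == 0 { next }                                # blank line
        tolower($1) == "match" { exit }                 # end of global section
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$1"
}

# expect_key FILE KEY WANT DEFAULT: PASS/FAIL for one key; DEFAULT stands in
# when the key is absent (the daemon's built-in default). Returns 1 on FAIL.
expect_key() {
    local v; v=$(cfg_first "$1" "$2"); v=${v:-$4}
    if [ "$v" = "$3" ]; then echo "PASS $2=$v"; return 0; fi
    echo "FAIL $2=$v (want $3)"; return 1
}

# expect_num FILE KEY OP BOUND DEFAULT: same, with a numeric test(1) operator.
expect_num() {
    local v; v=$(cfg_first "$1" "$2"); v=${v:-$5}
    if [ "$v" "$3" "$4" ] 2>/dev/null; then echo "PASS $2=$v"; return 0; fi
    echo "FAIL $2=$v (want $3 $4)"; return 1
}

# AC-17 (Remote Access): key-based authentication only, no root login, and an
# explicit allow-list. Defaults are OpenSSH's when a keyword is not set.
check_ac17() {
    local rc=0
    expect_key "$1" PasswordAuthentication no  yes               || rc=1
    expect_key "$1" PermitRootLogin        no  prohibit-password || rc=1
    expect_key "$1" PubkeyAuthentication   yes yes               || rc=1
    if [ -n "$(cfg_first "$1" AllowUsers)$(cfg_first "$1" AllowGroups)" ]; then
        echo "PASS AllowUsers/AllowGroups restricts who may log in"
    else
        echo "FAIL no AllowUsers/AllowGroups login restriction"; rc=1
    fi
    return $rc
}

# IA-5 (Authenticator Management): password aging defaults that chage applies
# to new accounts, plus the hash method. Thresholds are assumptions.
check_ia5() {
    local rc=0 v
    expect_num "$1" PASS_MAX_DAYS -le 90 99999 || rc=1
    expect_num "$1" PASS_MIN_DAYS -ge 1  0     || rc=1
    expect_num "$1" PASS_WARN_AGE -ge 7  7     || rc=1
    v=$(cfg_first "$1" ENCRYPT_METHOD); v=${v:-unset}
    case "$v" in
        SHA512|YESCRYPT) echo "PASS ENCRYPT_METHOD=$v" ;;
        *) echo "FAIL ENCRYPT_METHOD=$v (want SHA512 or YESCRYPT)"; rc=1 ;;
    esac
    return $rc
}

# write_samples DIR: constructed sample files (not copied from any real host):
# a weak sshd_config, a hardened one with a Match block, and a login.defs.
write_samples() {
    cat > "$1/sshd_config.weak" <<'EOF'
PermitRootLogin yes
#PasswordAuthentication no
EOF
    cat > "$1/sshd_config.hardened" <<'EOF'
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AllowGroups sshusers
Match User backup
    PasswordAuthentication yes
    MaxAuthTries 10
EOF
    cat > "$1/login.defs" <<'EOF'
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   14
ENCRYPT_METHOD  YESCRYPT
EOF
}

demo() {
    local d; d=$(mktemp -d)
    write_samples "$d"
    echo "== AC-17 (weak)";     check_ac17 "$d/sshd_config.weak" || true
    echo "== AC-17 (hardened)"; check_ac17 "$d/sshd_config.hardened"
    echo "== IA-5";             check_ia5 "$d/login.defs"
    rm -rf "$d"
}
demo
```

To check a real host, call check_ac17 /etc/ssh/sshd_config and check_ia5 /etc/login.defs instead of demo; per-user aging already set with chage is not covered, since that lives in /etc/shadow.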

Control implementation matrix for controls from ISO/IEC 27001:2022


Control/ Unix
Linux (Ubuntu) Windows 11 macOS Android iOS
OS (FreeBSD)
A.5.15 - Implemented Implemented Implemented Implemented Partially Implemented Partially
Access Implemented
control Access control is Access control is NTFS file permissions Access control is Access control is
enforced using file managed through enforce access control at enforced using managed through the App Sandbox and the
permissions file permissions, the file system level. POSIX Android permission iOS permission
(chmod, chown) and ACLs, and Active Directory permissions, ACLs, model, where apps model manage access
Access Control user/group manages user and user/group request permissions to control by restricting
Lists for granular management. authentication and management. access certain apps' access to system
permission settings. Mandatory authorization in domain System Integrity resources. Sandboxing resources. Face ID,
User and group Access Control environments. Group Protection restricts isolates apps from each Touch ID, and
management allows frameworks like Policy Objects allow even root user other. However, users passcodes secure
administrators to TrustedBSD administrators to enforce access to critical have limited control device access.
assign permissions MAC provide access control policies system files. over granular Limited user control
appropriately. The additional across the network. User Sandboxing and permissions beyond over detailed access
Pluggable security policies. Account Control helps Gatekeeper what is provided in the permissions; advanced
Authentication Sudo or doas are prevent unauthorized enhance security by settings, and there is no access control settings
Modules framework used to delegate changes by prompting limiting applications' native support for user are not available
manages administrative for administrative access to system and group permission without MDM
authentication privileges approval. resources. management. solutions.
processes, and the securely.
sudoers file
(/etc/sudoers)
controls
administrative
privileges.
Implemented Implemented Implemented Implemented Partially Implemented Partially
Implemented
Network segregation pf and ipfw are Windows Firewall pf is available for Provides basic network
is achieved using used to define allows configuration of configuring firewall settings for Wi-Fi and Offers limited network
built-in tools like firewall rules for inbound and outbound rules and network mobile data. Lacks configuration options,
iptables or nftables network rules for network segmentation. The built-in support for including VPN
A.8.22 for configuring segmentation. segmentation. Group Application advanced network settings. Does not
Segregation firewall rules. VLANs can be Policy can configure Firewall controls segregation like support network
of networks VLANs can be set configured in Network Isolation network access at VLANs or advanced segregation or VLAN
up via network network settings, Policies. Hyper-V the application level. firewall configurations. configuration natively
interface and jails provide virtual switches enable Network interfaces without enterprise
configurations, and isolation for virtual network can be configured tools.
netplan is used to services and segmentation, and IPsec for VLANs in the
manage network applications. policies can enforce network settings.
settings. network isolation.
A.6.7 - Implemented Implemented Implemented Implemented Partially Implemented Partially
Remote Implemented
working Supports secure Provides secure Facilitates remote Offers secure remote Supports VPN
remote working remote access via working with Remote access through SSH connections and Supports VPN
through SSH for SSH and supports Desktop Protocol and Screen Sharing includes device connections and
remote access, VPN VPN connections (RDP) secured by features. VPN encryption for data includes device
capabilities for using IPsec or Network Level configurations are security. App encryption for data
encrypted other protocols. Authentication. Built-in available in network sandboxing isolates security. App
connections, and Firewall VPN support enables settings for applications to enhance sandboxing isolates
firewall configurations secure connections. encrypted security. applications to
configurations with pf or ipfw Windows Firewall and connections. Lacks native support enhance security.
using iptables or enhance network BitLocker encryption Firewall protection for remote desktop Lacks native support
UFW. Disk security. Disk protect data and network via pf and the access and advanced for remote desktop
encryption with encryption tools access. Group Policy Application remote management access and advanced
LUKS ensures data like GELI protect allows administrators to Firewall enhances features without remote management
protection on remote data on devices. enforce remote access security. FileVault enterprise tools. features without
devices. User access Jails offer policies and security provides disk enterprise tools.
is managed via isolation for settings. encryption to
PAM and services, safeguard data.
user/group improving System Integrity
permissions. security for Protection and
remote work Gatekeeper add
environments. additional layers of
system security.
A.8.15 - Implemented Implemented Implemented Implemented Partially Implemented Partially
Logging Implemented
Logging is managed syslogd handles The Event Viewer The Unified Logging is provided via
by rsyslog and logging, collects logs for system, Logging system logcat, which collects Logging is handled
systemd-journald, recording system security, and application collects logs from system and application through os_log, used
which collect system and application events. Logs are stored the system and logs mainly for by developers for
and application logs logs in /var/log. in the Windows Event applications. Logs debugging purposes. application logging.
stored in /var/log. Administrators Log system. can be viewed using However, there is Access to system logs
Configuration files can configure Administrators can the Console app or limited user-level is restricted, and end-
like logging policies review logs and set up the log command- access to logs, and users have limited
/etc/rsyslog.conf using custom views using line tool. Logging comprehensive logging ability to view or
allow customization /etc/syslog.conf. Event Viewer or behavior can be features like persistent manage logs.
of logging behavior. The newsyslog manage logs via configured using log logging and advanced Advanced logging
The journalctl tool utility manages PowerShell cmdlets and configuration log management are not capabilities typically
is used to view and log rotation and the wevtutil command- profiles. natively available. require Mobile Device
manage logs from archiving. line tool. Management
systemd services. solutions in enterprise
environments.
Implemented Implemented Implemented Implemented Partially Implemented Partially
Implemented
Monitoring is syslogd collects Monitoring is achieved Unified Logging Basic monitoring is
performed using logs for through the Event collects system and available through Monitoring is handled
rsyslog and monitoring Viewer, which logs application logs for logcat, which captures via os_log, mainly for
systemd-journald, system and system, security, and monitoring, system and application developer use. End-
which collect system application application events. accessible via the logs primarily for users have limited
and application logs activities, stored Performance Monitor Console app or log debugging purposes. ability to monitor
stored in /var/log. in /var/log. and Resource Monitor command-line tool. However, system activities, and
A.8.16 -
Administrators can auditd enables provide real-time Activity Monitor comprehensive detailed monitoring
Monitoring
use journalctl to auditing of monitoring of system provides real-time monitoring of system features are not
activities
review logs and security events. performance and monitoring of activities is limited, and natively available.
monitor system Administrators resource usage. Task processes and users have restricted
activities. The can use tools like Manager allows system resources. access to detailed
auditd daemon top, systat, and administrators to observe The auditd service monitoring tools.
provides auditing tcpdump for running processes and enables auditing of
capabilities to track real-time services. security-related
security-related monitoring of events.
events. system and
network
activities.
A.8.17 - Implemented Implemented Implemented Implemented Partially Implemented Partially
Clock Implemented
synchroniza Clock Utilizes ntpd or The Windows Time Time Devices synchronize
tion synchronization is openntpd for Service (W32Time) synchronization is time automatically Time synchronization
managed by time synchronizes the system handled by ntpd or using network-provided occurs automatically
systemd-timesyncd synchronization clock using NTP. timed, automatically time from carriers or via network time
by default, ensuring via NTP. Settings can be adjusted syncing with Apple's Wi-Fi connections. servers. Users cannot
accurate system time Configuration is through the Date and time servers. Users There is no native manually adjust NTP
using NTP servers. done in Time settings or via can adjust settings in option to manually server settings or
For advanced /etc/ntp.conf to Group Policy in domain System Preferences configure NTP servers configure advanced
configurations, synchronize the environments. under Date & Time or advanced time synchronization
chrony or ntpd can system clock to specify time synchronization options without using
be used to with reliable time servers. settings. Mobile Device
synchronize time sources. Management
with specified solutions.
servers.
Partially Partially Implemented Implemented Partially Implemented Implemented
Implemented Implemented
Windows Defender Screen Time with Limited web content Screen Time offers
Basic web filtering pf allows SmartScreen helps Content & Privacy restrictions are Content & Privacy
can be configured blocking of protect against malicious Restrictions lets available through Restrictions for web
using iptables or specific IP websites and downloads. users limit web Digital Wellbeing and filtering, enabling
nftables to block addresses or ports Family Safety features content by blocking Parental Controls in users to block adult
A.8.23 -
specific IP addresses for basic web enable web filtering and adult websites or Google Play settings, content or allow
Web
or ports. However, filtering. content restrictions, specifying allowed but Android does not access only to specific
filtering
Ubuntu lacks built- FreeBSD does allowing control over websites. pf (Packet provide comprehensive websites directly from
in tools for domain- not include native accessible websites and Filter) can also be web filtering device settings.
based or content- tools for domain- content categories. configured for capabilities natively.
specific web level or content- network-level
filtering without specific filtering filtering.
additional software. without external
tools.
A.8.21 - Security of network services

Ubuntu: Implemented. Security of network services is ensured through iptables or nftables for configuring firewall rules and controlling network traffic. AppArmor provides mandatory access control to restrict network services' capabilities. Services are managed using systemd, allowing control over which network services are active and how they operate.

FreeBSD: Implemented. Utilizes pf or ipfw for firewall configurations to secure network services. Jails isolate network services in separate environments, enhancing security and limiting potential breaches. Services are managed via rc.conf, enabling administrators to control the activation and configuration of network services.

Windows: Implemented. Windows Firewall controls inbound and outbound traffic for network services. Windows Defender provides real-time protection against network threats. Group Policy allows administrators to manage security settings for network services across the domain. Network services can be controlled using Services.msc, providing options to start, stop, or disable services.

macOS: Implemented. Implements security through pf for firewall configurations. The Application Firewall controls incoming connections on a per-application basis. System Integrity Protection restricts unauthorized modifications to system services. Network services are managed via launchd and System Preferences, allowing users to configure which services are running.

Android: Partially Implemented. Security of network services is handled through app sandboxing and the Android permission model, which limit apps' network access based on user-granted permissions. SELinux enforces mandatory access controls at the kernel level. However, users have limited control over network service configurations, and there is no native firewall for granular management of network services.

iOS: Partially Implemented. Utilizes App Sandbox and the iOS permission model to restrict apps' network access. System security features prevent unauthorized network service activity. Users cannot configure network services extensively, and advanced control over network services typically requires Mobile Device Management solutions.
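The Ubuntu cell above says the control is about knowing which network services are active and reachable. The following added example (not part of the document or of any operating system's own tooling) shows how an auditor can verify that on a Linux host: it parses the output of `ss -tlnp` and reports every listener that is bound beyond loopback and is not on an approved list. The sample output and the approved-service list are constructed assumptions for illustration; on a real host the text would come from running `ss -tlnp`.

```python
"""Report network services exposed beyond loopback (added example).

Parses `ss -tlnp` output and flags listeners that are reachable from the
network but are not on an approved (process, port) list.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=812,fd=3))
LISTEN  0       128              [::]:22             [::]:*      users:(("sshd",pid=812,fd=4))
LISTEN  0       4096        127.0.0.1:631         0.0.0.0:*      users:(("cupsd",pid=655,fd=7))
LISTEN  0       4096   127.0.0.53%lo:53          0.0.0.0:*      users:(("systemd-resolve",pid=540,fd=13))
LISTEN  0       80            0.0.0.0:3306        0.0.0.0:*      users:(("mysqld",pid=1020,fd=21))
LISTEN  0       511                 *:80                *:*      users:(("nginx",pid=1300,fd=6),("nginx",pid=1301,fd=6))
"""

# Hypothetical site policy: only these (process, port) pairs may listen on
# non-loopback addresses. Adjust to the host's documented service inventory.
APPROVED_EXPOSED = {("sshd", 22), ("nginx", 80)}


@dataclass
class Listener:
    address: str
    port: int
    process: str

    @property
    def loopback_only(self) -> bool:
        # Strip an interface scope such as "%lo" before classifying.
        addr = self.address.split("%", 1)[0]
        return addr.startswith("127.") or addr in ("[::1]", "::1")


def parse_ss_output(text: str) -> list:
    """Turn `ss -tlnp` text into Listener records, skipping the header line."""
    listeners = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("State"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue
        # Local Address:Port; rpartition keeps IPv6 brackets intact.
        address, _, port = fields[3].rpartition(":")
        process_field = fields[5] if len(fields) > 5 else ""
        m = re.search(r'\("([^"]+)"', process_field)
        listeners.append(Listener(address, int(port), m.group(1) if m else "?"))
    return listeners


def audit_listeners(listeners, approved=APPROVED_EXPOSED) -> list:
    """Return one finding per exposed listener that is not approved."""
    findings = []
    for lst in listeners:
        if lst.loopback_only:
            continue
        if (lst.process, lst.port) not in approved:
            findings.append(
                f"{lst.process} on {lst.address}:{lst.port} is exposed "
                f"but not an approved network service"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(parse_ss_output(SAMPLE_SS_OUTPUT)):
        print(finding)
```

On the constructed sample the only finding is the database listener on 0.0.0.0:3306; the CUPS and resolver sockets are ignored because they are loopback-bound, which is the same distinction a firewall rule set or a systemd socket unit should make explicit.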
A.8.5 - Secure authentication

Ubuntu: Implemented. Authentication is managed using Pluggable Authentication Modules, supporting passwords and SSH key-based authentication. PAM enforces password policies like complexity and expiration. SSH provides secure remote access with public/private key pairs, and sudo requires user authentication for privilege escalation.

FreeBSD: Implemented. Utilizes PAM for authentication, supporting passwords and SSH key-based authentication. System configurations enforce password policies. SSH ensures secure remote login with robust authentication methods.

Windows: Implemented. Authentication is managed through Active Directory using Kerberos or NTLM protocols. Supports password policies, smart cards, and Windows Hello for biometric authentication (facial recognition, fingerprint). User Account Control enhances security by prompting for credentials during administrative tasks.

macOS: Implemented. Uses Keychain for secure credential storage. Authentication methods include passwords, Touch ID, and Face ID (on supported devices). PAM manages authentication processes, and SSH supports key-based authentication for secure remote access.

Android: Partially Implemented. Provides authentication using passwords, PINs, pattern locks, and biometric methods (fingerprint, face recognition). However, lacks comprehensive system-wide authentication policies and enforcement mechanisms without enterprise tools like Mobile Device Management.

iOS: Partially Implemented. Supports authentication via passcodes, Touch ID, and Face ID. While secure for individual users, it lacks advanced system-wide authentication management and policy enforcement without using MDM solutions in enterprise environments.
A.5.16 - Identity management

Ubuntu: Implemented. Identity management is handled through user and group accounts managed via the /etc/passwd, /etc/group, and /etc/shadow files. Pluggable Authentication Modules provide a framework for authentication, allowing integration of various authentication methods. Commands like useradd, usermod, and userdel are used to manage user identities, while groupadd, groupmod, and groupdel manage group identities. The sudoers file (/etc/sudoers) controls administrative privileges based on user identity.

FreeBSD: Implemented. Identity management is managed through the /etc/master.passwd, /etc/passwd, and /etc/group files. PAM handles authentication processes. The pw command is used for creating, modifying, and deleting user and group accounts. Tools like sudo or doas control administrative access based on user identity.

Windows: Implemented. Identity management is provided through Active Directory in domain environments, handling user, group, and computer accounts centrally. On standalone systems, the Local Users and Groups management console (lusrmgr.msc) is used. User Account Control enforces identity-based access control for administrative tasks. Authentication protocols like Kerberos and NTLM are used to verify user identities.

macOS: Implemented. Identity management is handled via Local Directory services, with user and group information stored in /var/db/dslocal/nodes/Default/. System Preferences allows management of user accounts. Directory Utility provides advanced management, including integration with directory services like LDAP or Active Directory. PAM facilitates authentication mechanisms.

Android: Partially Implemented. Identity management primarily revolves around the Google Account, which manages user identity across services and apps. Some devices support multiple user profiles and restricted profiles, but this feature is limited and not consistent across all devices. Lacks comprehensive system-wide identity management and granular user permissions compared to desktop operating systems.

iOS: Partially Implemented. User identity is managed through the Apple ID, which integrates with iCloud and App Store services. In enterprise and educational settings, Managed Apple IDs and the Shared iPad feature (available via Mobile Device Management) allow for multiple user identities on a single device. However, standard iOS devices lack robust multi-user identity management for general users.
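The Ubuntu and FreeBSD cells above list the files that hold identities (/etc/passwd, /etc/group) and the sudoers file that grants administrative privilege. The added example below (not from the document or from any distribution's tooling) shows the checks an assessor would run over those files to confirm the identity control is actually enforced: it flags extra UID-0 accounts, shared UIDs, system accounts left with an interactive shell, and sudoers principals that may run any command without a password. All three sample files are constructed for illustration; the UID_MIN threshold of 1000 is an assumption matching common Debian and Ubuntu defaults.

```python
"""Identity audit over /etc/passwd, /etc/group and /etc/sudoers content
(added example; the sample data is constructed, not from a real host)."""

# Constructed sample files.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc-deploy:x:0:1002:Deploy:/opt/deploy:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,svc-deploy
users:x:100:
"""
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
bob ALL=(ALL) NOPASSWD: ALL
alice ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
"""

# Shells that deny interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return one dict per account: name, uid, gid, home, shell."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def parse_group(text):
    """Return {group name: [member names]} from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def audit_passwd(entries, uid_min=1000):
    """Flag extra UID-0 accounts, shared UIDs and system accounts with shells."""
    findings, by_uid = [], {}
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"{e['name']}: UID 0 account other than root")
        elif (e["uid"] < uid_min and e["name"] != "root"
              and e["shell"] not in NOLOGIN_SHELLS):
            findings.append(
                f"{e['name']}: system account with interactive shell {e['shell']}")
        by_uid.setdefault(e["uid"], []).append(e["name"])
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append(f"UID {uid} shared by {', '.join(names)}")
    return findings


def audit_sudoers(text, groups):
    """Flag users (directly or via %group) allowed NOPASSWD for ALL commands."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        principal, _, spec = line.partition(" ")
        # spec looks like "ALL=(ALL:ALL) ALL" or "ALL=(ALL) NOPASSWD: ALL";
        # the command list follows the closing parenthesis of the runas spec.
        commands = spec.split(")", 1)[1].strip() if ")" in spec else spec
        if commands.startswith("NOPASSWD:") and commands.split(":", 1)[1].strip() == "ALL":
            members = groups.get(principal[1:], []) if principal.startswith("%") else [principal]
            for m in members:
                findings.append(f"{m}: passwordless sudo for ALL commands")
    return findings


def audit_identity(passwd_text=SAMPLE_PASSWD, group_text=SAMPLE_GROUP,
                   sudoers_text=SAMPLE_SUDOERS):
    """Run every check and return the combined list of findings."""
    groups = parse_group(group_text)
    return audit_passwd(parse_passwd(passwd_text)) + audit_sudoers(sudoers_text, groups)


if __name__ == "__main__":
    for finding in audit_identity():
        print(finding)
```

On the sample data the audit reports the second UID-0 account (svc-deploy), the shared UID 0, the backup service account with a login shell, and bob's passwordless sudo; alice's narrowly scoped NOPASSWD entry is not flagged because it names one command rather than ALL.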
A.8.1 - User endpoint devices

Ubuntu: Implemented. Ubuntu provides security features for user endpoint devices through user account management, file permissions, and disk encryption with LUKS. AppArmor enforces application-level security policies, and firewall configurations can be managed using UFW. Automatic updates help keep the system secure by regularly installing security patches.

FreeBSD: Implemented. FreeBSD secures user endpoint devices using user and group management, file permissions, and disk encryption with GELI. The pf firewall provides network security, and Jails offer isolation for applications. Security updates are managed through the freebsd-update tool to maintain system integrity.

Windows: Implemented. Windows secures endpoint devices with User Account Control, BitLocker for disk encryption, and Windows Defender for antivirus protection. Group Policy allows administrators to enforce security settings. Windows Firewall controls network access, and Windows Update ensures the system receives the latest security patches.

macOS: Implemented. macOS secures endpoint devices using FileVault for full-disk encryption, Gatekeeper to control app installations, and System Integrity Protection to prevent unauthorized system modifications. User account management and permissions control access, while the Application Firewall manages network connections. Automatic updates keep the system current with security fixes.

Android: Partially Implemented. Android secures devices with screen locks (password, PIN, pattern), biometric authentication, and device encryption. Google Play Protect scans for malicious apps. However, users have limited control over system updates and security settings without Mobile Device Management. Advanced security features like per-app permissions are present but may not cover all aspects of endpoint security.

iOS: Implemented. iOS provides strong security for endpoint devices with Touch ID, Face ID, and passcodes for authentication. Full-disk encryption is enabled by default. App Sandbox and strict App Store policies ensure application security. Regular updates are pushed to devices to address security vulnerabilities, and users can manage privacy settings for apps.
A.5.17 - Authentication information

Ubuntu: Implemented. Authentication information such as passwords is securely stored in /etc/shadow, accessible only by the root user. Passwords are hashed using secure algorithms like SHA-512 with salts. Pluggable Authentication Modules manage authentication processes and enforce policies like password complexity and expiration. SSH keys provide secure key-based authentication for remote access, with private keys stored securely by users.

FreeBSD: Implemented. Passwords and authentication data are stored in /etc/master.passwd, which is protected and only accessible by privileged users. Passwords are hashed using secure algorithms. PAM manages authentication and enforces password policies. SSH keys are used for secure remote authentication, with private keys kept securely by users.

Windows: Implemented. Authentication information is securely stored in the Security Account Manager database or Active Directory for domain environments. Passwords are hashed using algorithms like NTLMv2 or Kerberos and are not stored in plaintext. Group Policy allows administrators to enforce password policies, including complexity requirements and change intervals. Credential Guard and Windows Hello enhance authentication security using virtualization-based security and biometric data.

macOS: Implemented. Authentication information is stored securely in the Keychain and system directories protected by permissions. Passwords are hashed and stored securely. PAM manages user authentication processes, enforcing password policies. FileVault encrypts the disk to protect data, including authentication information. SSH keys can be used for secure remote authentication, with private keys stored securely.

Android: Partially Implemented. Authentication information like passwords, PINs, and biometric data is securely stored using the Android Keystore System, which utilizes hardware-backed security when available. However, control over how authentication information is managed and enforced system-wide is limited. Third-party app authentication data is managed individually by each app, and comprehensive enforcement of authentication policies requires Mobile Device Management solutions.

iOS: Partially Implemented. Authentication information, including passcodes and biometric data, is securely stored using the Secure Enclave. The Keychain securely stores passwords and credentials for apps and services. However, advanced management and enforcement of authentication policies, such as password complexity and rotation, typically require Mobile Device Management solutions.