last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Audit virtual machines without disaster recovery configured

Name Audit virtual machines without disaster recovery configured
Azure Portal
Id 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56
Version 1.0.0
details on versioning
Category Compute
Microsoft docs
Description Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc.
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Fixed
auditIfNotExists
RBAC
Role(s)
none
Rule
Aliases
Rule
ResourceTypes
IF (1)
Microsoft.ClassicCompute/virtualMachines
Compliance The following 23 compliance controls are associated with this Policy definition 'Audit virtual machines without disaster recovery configured' (0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
AU_ISM 1511 AU_ISM_1511 AU ISM 1511 Guidelines for System Management - Data backup and restoration Performing backups - 1511 n/a Backups of important data, software and configuration settings are performed at least daily. link 1
CCCS CP-7 CCCS_CP-7 CCCS CP-7 Contingency Planning Alternative Processing Site n/a (A) The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions within organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable. (B) The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption. (C) The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. link 1
CMMC_L3 RE.2.137 CMMC_L3_RE.2.137 CMMC L3 RE.2.137 Recovery Regularly perform and test data back-ups. Customer The customer is responsible for implementing this requirement. Backups are used to recover data in the event of a hardware or software failure. Backups should be performed and tested regularly based on an organizational defined frequency. link 6
CMMC_L3 RE.3.139 CMMC_L3_RE.3.139 CMMC L3 RE.3.139 Recovery Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. Customer The customer is responsible for implementing this requirement. The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it. When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted data. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker’s presence on the machine. This practice is based on the following CIS controls: 10.1 Ensure that all system data is automatically backed up on a regular basis. 10.2 Ensure that all of the organization’s key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. 10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination. link 6
FedRAMP_High_R4 CP-7 FedRAMP_High_R4_CP-7 FedRAMP High CP-7 Contingency Planning Alternate Processing Site Shared n/a The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. Supplemental Guidance: Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. References: NIST Special Publication 800-34. link 2
FedRAMP_Moderate_R4 CP-7 FedRAMP_Moderate_R4_CP-7 FedRAMP Moderate CP-7 Contingency Planning Alternate Processing Site Shared n/a The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. Supplemental Guidance: Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. References: NIST Special Publication 800-34. link 2
hipaa 1634.12b1Organizational.1-12.b hipaa-1634.12b1Organizational.1-12.b 1634.12b1Organizational.1-12.b 16 Business Continuity & Disaster Recovery 1634.12b1Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management Shared n/a The organization identifies the critical business processes requiring business continuity. 5
hipaa 1638.12b2Organizational.345-12.b hipaa-1638.12b2Organizational.345-12.b 1638.12b2Organizational.345-12.b 16 Business Continuity & Disaster Recovery 1638.12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management Shared n/a Business continuity risk assessments: (i) are carried out annually with full involvement from owners of business resources and processes; (ii) consider all business processes and is not limited to the information assets, but includes the results specific to information security; and, (iii) identifies, quantifies, and prioritizes risks against key business objectives and criteria relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities. 5
IRS_1075_9.3 .6.6 IRS_1075_9.3.6.6 IRS 1075 9.3.6.6 Contingency Planning Alternate Processing Site (CP-7) n/a The agency must: a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of information system operations, in accordance with the agency's contingency plan when the primary processing capabilities are unavailable b. Ensure that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the agency-defined time period for transfer/resumption c. Ensure that the alternate storage site provides information security safeguards that meet the minimum protection standards and the disclosure provisions of IRC 6103 link 1
NIST_SP_800-53_R4 CP-7 NIST_SP_800-53_R4_CP-7 NIST SP 800-53 Rev. 4 CP-7 Contingency Planning Alternate Processing Site Shared n/a The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. Supplemental Guidance: Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. References: NIST Special Publication 800-34. link 2
NIST_SP_800-53_R5 CP-7 NIST_SP_800-53_R5_CP-7 NIST SP 800-53 Rev. 5 CP-7 Contingency Planning Alternate Processing Site Shared n/a a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and c. Provide controls at the alternate processing site that are equivalent to those at the primary site. link 2
NZ_ISM_v3.5 ISM-7 NZ_ISM_v3.5_ISM-7 NZISM Security Benchmark ISM-7 Information security monitoring 6.4.5 Availability requirements Customer n/a Availability and recovery requirements will vary based on each agency???s business needs and are likely to be widely variable across government. Agencies will determine their own availability and recovery requirements and implement measures consistent with the agency's SRMP to achieve them as part of their risk management and governance processes. link 1
NZISM_Security_Benchmark_v1.1 ISM-7 NZISM_Security_Benchmark_v1.1_ISM-7 NZISM Security Benchmark ISM-7 Information security monitoring 6.4.5 Availability requirements Customer Agencies MUST determine availability and recovery requirements for their systems and implement measures consistent with the agency's SRMP to support them. Availability and recovery requirements will vary based on each agency’s business needs and are likely to be widely variable across government. Agencies will determine their own availability and recovery requirements and implement measures consistent with the agency's SRMP to achieve them as part of their risk management and governance processes. link 1
RBI_CSF_Banks_v2016 19.4 RBI_CSF_Banks_v2016_19.4 Incident Response & Management Recovery From Cyber - Incidents-19.4 n/a Bank???s BCP/DR capabilities shall adequately and effectively support the Bank???s cyber resilience objectives and should be so designed to enable the bank to recover rapidly from cyber-attacks/other incidents and safely resume critical operations aligned with recovery time objectives while ensuring security of processes and data is protected. 2
RBI_ITF_NBFC_v2017 6 RBI_ITF_NBFC_v2017_6 RBI IT Framework 6 Business Continuity Planning Business Continuity Planning (BCP) and Disaster Recovery-6 n/a BCP forms a significant part of an organisation's overall Business Continuity Management plan, which includes policies, standards and procedures to ensure continuity, resumption and recovery of critical business processes. BCP shall be designed to minimise the operational, financial, legal, reputational and other material consequences arising from a disaster. NBFC should adopt a Board approved BCP Policy. The functioning of BCP shall be monitored by the Board by way of periodic reports. The CIO shall be responsible for formulation, review and monitoring of BCP to ensure continued effectiveness. The BCP may have the following salient features link 9
RBI_ITF_NBFC_v2017 6.2 RBI_ITF_NBFC_v2017_6.2 RBI IT Framework 6.2 Business Continuity Planning Recovery strategy / Contingency Plan-6.2 n/a NBFCs shall try to fully understand the vulnerabilities associated with interrelationships between various systems, departments and business processes. The BCP should come up with the probabilities of various failure scenarios. Evaluation of various options should be done for recovery and the most cost-effective, practical strategy should be selected to minimize losses in case of a disaster. link 8
RBI_ITF_NBFC_v2017 6.4 RBI_ITF_NBFC_v2017_6.4 RBI IT Framework 6.4 Business Continuity Planning Recovery strategy / Contingency Plan-6.4 n/a NBFCs shall test the BCP either annually or when significant IT or business changes take place to determine if the entity could be recovered to an acceptable level of business within the timeframe stated in the contingency plan. The test should be based on ???worst case scenarios???. The results along with the gap analysis may be placed before the CIO and the Board. The GAP Analysis along with Board???s insight should form the basis for construction of the updated BCP. link 4
RMiT_v1.0 10.51 RMiT_v1.0_10.51 RMiT 10.51 Cloud Services Cloud Services - 10.51 Shared n/a A financial institution is required to consult the Bank prior to the use of public cloud for critical systems. The financial institution is expected to demonstrate that specific risks associated with the use of cloud services for critical systems have been adequately considered and addressed. The risk assessment shall address the risks outlined in paragraph 10.49 as well as the following areas: (a) the adequacy of the overarching cloud adoption strategy of the financial institution including: (i) board oversight over cloud strategy and cloud operational management; (ii) senior management roles and responsibilities on cloud management; (iii) conduct of day-to-day operational management functions; (iv) management and oversight by the financial institution of cloud service providers; (v) quality of risk management and internal control functions; and (vi) strength of in-house competency and experience; (b) the availability of independent, internationally recognised certifications of the cloud service providers, at a minimum, in the following areas: (i) information security management framework, including cryptographic modules such as used for encryption and decryption of user data; and (ii) cloud-specific security controls for protection of customer and counterparty or proprietary information including payment transaction data in use, in storage and in transit; and (c) the degree to which the selected cloud configuration adequately addresses the following attributes: (i) geographical redundancy; (ii) high availability; (iii) scalability; (iv) portability; (v) interoperability; and (vi) strong recovery and resumption capability including appropriate alternate Internet path to protect against potential Internet faults. link 7
SWIFT_CSCF_v2021 2.5A SWIFT_CSCF_v2021_2.5A SWIFT CSCF v2021 2.5A Reduce Attack Surface and Vulnerabilities External Transmission Data Protection n/a Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. link 12
SWIFT_CSCF_v2021 6.4 SWIFT_CSCF_v2021_6.4 SWIFT CSCF v2021 6.4 Detect Anomalous Activity to Systems or Transaction Records Logging and Monitoring n/a Record security events and detect anomalous actions and operations within the local SWIFT environment. link 35
SWIFT_CSCF_v2022 2.5A SWIFT_CSCF_v2022_2.5A SWIFT CSCF v2022 2.5A 2. Reduce Attack Surface and Vulnerabilities External Transmission Data Protection Customer n/a Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. link 7
SWIFT_CSCF_v2022 6.4 SWIFT_CSCF_v2022_6.4 SWIFT CSCF v2022 6.4 6. Detect Anomalous Activity to Systems or Transaction Records Record security events and detect anomalous actions and operations within the local SWIFT environment. Shared n/a Capabilities to detect anomalous activity are implemented, and a process or tool is in place to keep and review logs. link 53
UK_NCSC_CSP 5.3 UK_NCSC_CSP_5.3 UK NCSC CSP 5.3 Operational security Protective Monitoring Shared n/a A service which does not effectively monitor for attack, misuse and malfunction will be unlikely to detect attacks (both successful and unsuccessful). As a result, it will be unable to quickly respond to potential compromises of your environments and data. link 4
History none
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077 Regulatory Compliance Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn
Canada Federal PBMM 4c4a5f27-de81-430b-b4e5-9cbd50595a87 Regulatory Compliance GA BuiltIn
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
IRS1075 September 2016 105e0327-6175-4eb2-9af4-1fba43bdb39d Regulatory Compliance GA BuiltIn
New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance GA BuiltIn
New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
UK OFFICIAL and UK NHS 3937f550-eedd-4639-9c5e-294358be442e Regulatory Compliance GA BuiltIn
JSON