AzPolicyAdvertizer

last sync: 2025-Apr-29 17:16:02 UTC

Azure Backup should be enabled for Virtual Machines

Azure BuiltIn Policy definition

Source Azure Portal
Display name Azure Backup should be enabled for Virtual Machines
Id 013e242c-8828-4970-87b3-ab247555486d
Version 3.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
3.0.0
Built-in Versioning [Preview]
Category Backup
Microsoft Learn
Description Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '3.*.*'
Assessment(s) Assessments count: 1
Assessment Id: f2f595ec-5dc6-68b4-82ef-b63563e9c610
DisplayName: Azure Backup should be enabled for virtual machines
Description: Azure Backup is a cost-effective data protection solution native to Azure that safeguards data on Azure virtual machines.
It creates recovery points stored in geo-redundant recovery vaults, allowing for the restoration of either the entire VM or specific files.
If Azure Backup is not enabled, data loss may occur without the possibility of recovery, posing a significant risk to business continuity and data integrity.

Remediation description: 1. To enable Azure Backup for a virtual machine, navigate to the virtual machine on the Azure portal and select 'Backup' from the menu. In the screen that appears, choose whether to backup the machine to a new or existing Recovery Services vault in the same location and subscription. Learn more at https://aka.ms/AzureVMBackupDoc 2. To enable Azure Backup for multiple virtual machines, assign the policy 'Configure backup on VMs of a location to an existing central Vault in the same location' to the relevant scope. This policy can be assigned to one subscription-location pair at a time. Learn more at http://aka.ms/AzureBackupVMGovernance. Charges are based on the number and size of VMs being protected. Learn more about pricing at https://azure.microsoft.com/pricing/details/backup/
Categories: Compute
Severity: Low
preview: True
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases IF (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Compute/imagePublisher Microsoft.Compute
Microsoft.Compute
Microsoft.Compute		 virtualMachines
virtualMachineScaleSets
disks		 properties.storageProfile.imageReference.publisher
properties.virtualMachineProfile.storageProfile.imageReference.publisher
properties.creationData.imageReference.id		 True
True
True

False
False
False
Rule resource types IF (1)
THEN-Details (1)
Compliance
The following 60 compliance controls are associated with this Policy definition 'Azure Backup should be enabled for Virtual Machines' (013e242c-8828-4970-87b3-ab247555486d)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v1.0 9.1 Azure_Security_Benchmark_v1.0_9.1 Azure Security Benchmark 9.1 Data Recovery Ensure regular automated back ups Customer Enable Azure Backup and configure the backup source (Azure VMs, SQL Server, or File Shares), as well as the desired frequency and retention period. How to enable Azure Backup: https://docs.microsoft.com/azure/backup/ n/a link 5
Azure_Security_Benchmark_v1.0 9.2 Azure_Security_Benchmark_v1.0_9.2 Azure Security Benchmark 9.2 Data Recovery Perform complete system backups and backup any customer managed keys Customer Enable Azure Backup and target VM(s), as well as the desired frequency and retention periods. Backup customer managed keys within Azure Key Vault. How to enable Azure Backup: https://docs.microsoft.com/azure/backup/ How to backup key vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?view=azurermps-6.13.0 n/a link 5
Azure_Security_Benchmark_v2.0 BR-1 Azure_Security_Benchmark_v2.0_BR-1 Azure Security Benchmark BR-1 Backup and Recovery Ensure regular automated backups Customer Ensure you are backing up systems and data to maintain business continuity after an unexpected event. This should be defined by any objectives for Recovery Point Objective (RPO) and Recovery Time Objective (RTO). Enable Azure Backup and configure the backup source (e.g. Azure VMs, SQL Server, HANA databases, or File Shares), as well as the desired frequency and retention period. For a higher level of protection, you can enable geo-redundant storage option to replicate backup data to a secondary region and recover using cross region restore. Enterprise-scale business continuity and disaster recovery: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery How to enable Azure Backup: https://docs.microsoft.com/azure/backup/ How to enable cross region restore: https://docs.microsoft.com/azure/backup/backup-azure-arm-restore-vms#cross-region-restore n/a link 5
Azure_Security_Benchmark_v2.0 BR-2 Azure_Security_Benchmark_v2.0_BR-2 Azure Security Benchmark BR-2 Backup and Recovery Encrypt backup data Customer Ensure your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality. For on-premises backups using Azure Backup, encryption-at-rest is provided using the passphrase you provide. For regular Azure service backups, backup data is automatically encrypted using Azure platform-managed keys. You can choose to encrypt the backups using customer managed key. In this case, ensure this customer-managed key in the key vault is also in the backup scope. Use role-based access control in Azure Backup, Azure Key Vault, or other resources to protect backups and customer managed keys. Additionally, you can enable advanced security features to require MFA before backups can be altered or deleted. Overview of security features in Azure Backup: https://docs.microsoft.com/azure/backup/security-overview Encryption of backup data using customer-managed keys: https://docs.microsoft.com/azure/backup/encryption-at-rest-with-cmk How to backup Key Vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?view=azurermps-6.13.0 Security features to help protect hybrid backups from attacks: https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks n/a link 5
Azure_Security_Benchmark_v3.0 BR-1 Azure_Security_Benchmark_v3.0_BR-1 Microsoft cloud security benchmark BR-1 Backup and Recovery Ensure regular automated backups Shared **Security Principle:** Ensure backup of business-critical resources, either during resource creation or enforced through policy for existing resources. **Azure Guidance:** For Azure Backup supported resources, enable Azure Backup and configure the backup source (such as Azure VMs, SQL Server, HANA databases, or File Shares) on the desired frequency and retention period. For Azure VM, you can use Azure Policy to have backup automatically enabled using Azure Policy. For resources not supported by Azure Backup, enable the backup as part of its resource creation. Where applicable, use built-in policies (Azure Policy) to ensure that your Azure resources are configured for backup. **Implementation and additional context:** How to enable Azure Backup: https://docs.microsoft.com/azure/backup/ Auto-Enable Backup on VM Creation using Azure Policy: https://docs.microsoft.com/azure/backup/backup-azure-auto-enable-backup n/a link 4
Azure_Security_Benchmark_v3.0 BR-2 Azure_Security_Benchmark_v3.0_BR-2 Microsoft cloud security benchmark BR-2 Backup and Recovery Protect backup and recovery data Shared **Security Principle:** Ensure backup data and operations are protected from data exfiltration, data compromise, ransomware/malware and malicious insiders. The security controls that should be applied include user and network access control, data encryption at-rest and in-transit. **Azure Guidance:** Use Azure RBAC and multi-factor-authentication to secure the critical Azure Backup operations (such as delete, change retention, updates to backup config). For Azure Backup supported resources, use Azure RBAC to segregate duties and enable fine grained access, and create private endpoints within your Azure Virtual Network to securely backup and restore data from your Recovery Services vaults. For Azure Backup supported resources, backup data is automatically encrypted using Azure platform-managed keys with 256-bit AES encryption. You can also choose to encrypt the backups using customer managed key. In this case, ensure this customer-managed key in the Azure Key Vault is also in the backup scope. If you use customer-managed key options, use soft delete and purge protection in Azure Key Vault to protect keys from accidental or malicious deletion. For on-premises backups using Azure Backup, encryption-at-rest is provided using the passphrase you provide. Safeguard backup data from accidental or malicious deletion (such as ransomware attacks/attempts to encrypt or tamper backup data. For Azure Backup supported resources, enable soft delete to ensure recovery of items with no data loss for up to 14 days after an unauthorized deletion, and enable multifactor authentication using a PIN generated in the Azure portal. Also enable cross-region restore to ensure backup data is restorable when there is a disaster in primary region. Note: If you use resource's native backup feature or backup services other than Azure Backup, refer to the Azure Security Benchmark (and service baselines) to implement the above controls. **Implementation and additional context:** Overview of security features in Azure Backup: https://docs.microsoft.com/azure/backup/security-overview Encryption of backup data using customer-managed keys: https://docs.microsoft.com/azure/backup/encryption-at-rest-with-cmk Security features to help protect hybrid backups from attacks: https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks Azure Backup - set cross region restore https://docs.microsoft.com/azure/backup/backup-create-rs-vault#set-cross-region-restore n/a link 4
CMMC_2.0_L2 MP.L2-3.8.9 CMMC_2.0_L2_MP.L2-3.8.9 404 not found n/a n/a 6
CMMC_L3 RE.2.137 CMMC_L3_RE.2.137 CMMC L3 RE.2.137 Recovery Regularly perform and test data back-ups. Customer The customer is responsible for implementing this requirement. Backups are used to recover data in the event of a hardware or software failure. Backups should be performed and tested regularly based on an organizational defined frequency. link 6
CMMC_L3 RE.3.139 CMMC_L3_RE.3.139 CMMC L3 RE.3.139 Recovery Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. Customer The customer is responsible for implementing this requirement. The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it. When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted data. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker’s presence on the machine. This practice is based on the following CIS controls: 10.1 Ensure that all system data is automatically backed up on a regular basis. 10.2 Ensure that all of the organization’s key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. 10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination. link 6
CSA_v4.0.12 BCR_08 CSA_v4.0.12_BCR_08 CSA Cloud Controls Matrix v4.0.12 BCR 08 Business Continuity Management and Operational Resilience Backup Shared n/a Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency. 7
CSA_v4.0.12 CEK_08 CSA_v4.0.12_CEK_08 CSA Cloud Controls Matrix v4.0.12 CEK 08 Cryptography, Encryption & Key Management CSC Key Management Capability Shared n/a CSPs must provide the capability for CSCs to manage their own data encryption keys. 6
CSA_v4.0.12 CEK_20 CSA_v4.0.12_CEK_20 CSA Cloud Controls Matrix v4.0.12 CEK 20 Cryptography, Encryption & Key Management Key Recovery Shared n/a Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements. 24
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_9 EU_2555_(NIS2)_2022_9 EU 2022/2555 (NIS2) 2022 9 National cyber crisis management frameworks Shared n/a Requires Member States to establish frameworks for managing large-scale cybersecurity incidents and crises. 14
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 310
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 310
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 310
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 310
FedRAMP_High_R4 CP-9 FedRAMP_High_R4_CP-9 FedRAMP High CP-9 Contingency Planning Information System Backup Shared n/a The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations. Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. References: NIST Special Publication 800-34. link 9
FedRAMP_Moderate_R4 CP-9 FedRAMP_Moderate_R4_CP-9 FedRAMP Moderate CP-9 Contingency Planning Information System Backup Shared n/a The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations. Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. References: NIST Special Publication 800-34. link 9
hipaa 1620.09l1Organizational.8-09.l hipaa-1620.09l1Organizational.8-09.l 1620.09l1Organizational.8-09.l 16 Business Continuity & Disaster Recovery 1620.09l1Organizational.8-09.l 09.05 Information Back-Up Shared n/a When the backup service is delivered by the third-party, the service level agreement includes the detailed protections to control confidentiality, integrity and availability of the backup information. 5
hipaa 1625.09l3Organizational.34-09.l hipaa-1625.09l3Organizational.34-09.l 1625.09l3Organizational.34-09.l 16 Business Continuity & Disaster Recovery 1625.09l3Organizational.34-09.l 09.05 Information Back-Up Shared n/a Three generations of backups (full plus all related incremental or differential backups) are stored off-site, and both on-site and off-site backups are logged with name, date, time and action. 2
hipaa 1699.09l1Organizational.10-09.l hipaa-1699.09l1Organizational.10-09.l 1699.09l1Organizational.10 - 09.l Back-up Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices. Customer n/a Portable/mobile device usage is not permitted within production data and datacenter hosting environments; thus, the control is not applicable. 1
HITRUST_CSF_v11.3 06.c HITRUST_CSF_v11.3_06.c HITRUST CSF v11.3 06.c Compliance with Legal Requirements Prevent loss, destruction and falsification of important records in accordance with statutory, regulatory, contractual, and business requirements. Shared 1. Guidelines are to be issued and implemented by the organization on the ownership, classification, retention, storage, handling, and disposal of all records and information. 2. Accountings of disclosure as organizational records are to be documented and maintained for a pre-defined period. Important records shall be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements. 26
HITRUST_CSF_v11.3 09.l HITRUST_CSF_v11.3_09.l HITRUST CSF v11.3 09.l Information Back-Up Ensure the maintenance, integrity, and availability of organizational information. Shared 1. Restoration procedures are to be tested regularly at appropriate intervals in accordance with an agreed-upon backup policy. 2. Inventory records for the backup copies are to be maintained, and is to include the content of the backup copies, and the current location of the backup copies. 3. Full backups are to be performed weekly to separate media and incremental. 4. Differential backups are to be performed daily to separate media. Back-up copies of information and software shall be taken and tested regularly. 7
mp.info.6 Backups mp.info.6 Backups 404 not found n/a n/a 65
NIS2 BR._Backup_and_Recovery_3 NIS2_BR._Backup_and_Recovery_3 NIS2_BR._Backup_and_Recovery_3 BR. Backup and Recovery Business continuity and crisis management n/a Directive (EU) 2016/1148 of the European Parliament and the Council (4) aimed to build cybersecurity capabilities across the Union, mitigate threats to network and information systems used to provide essential services in key sectors and ensure the continuity of such services when facing incidents, thus contributing to the Union’s security and to the effective functioning of its economy and society. 25
NIST_CSF_v2.0 PR.DS_01 NIST_CSF_v2.0_PR.DS_01 NIST CSF v2.0 PR.DS 01 PROTECT-Data Security The confidentiality, integrity, and availability of data-at-rest are protected. Shared n/a To implement safeguards for managing organization’s cybersecurity risks. 4
NIST_SP_800-171_R2_3 .8.9 NIST_SP_800-171_R2_3.8.9 NIST SP 800-171 R2 3.8.9 Media Protection Protect the confidentiality of backup CUI at storage locations. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information. link 8
NIST_SP_800-171_R3_3 .8.9 NIST_SP_800-171_R3_3.8.9 NIST 800-171 R3 3.8.9 Media Protection Control System Backup – Cryptographic Protection Shared Backup storage locations may include system-level information and user-level information System-level information includes system state information, operating system software, application software, and licenses. User-level information includes information other than system-level information. Hardware-enabled security technologies (e.g., hardware security modules [HSM]) can be used to enhance cryptographic protection for backup information. HSM devices safeguard and manage cryptographic keys and provide cryptographic processing. Cryptographic operations (e.g., encryption, decryption, and signature generation/verification) are typically hosted on the HSM device, and many implementations provide hardware-accelerated mechanisms for cryptographic operations. This requirement is related to 03.13.11. Implement cryptographic mechanisms to prevent the unauthorized disclosure of CUI at backup storage locations. 4
NIST_SP_800-53_R4 CP-9 NIST_SP_800-53_R4_CP-9 NIST SP 800-53 Rev. 4 CP-9 Contingency Planning Information System Backup Shared n/a The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations. Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. References: NIST Special Publication 800-34. link 9
NIST_SP_800-53_R5.1.1 CP.9 NIST_SP_800-53_R5.1.1_CP.9 NIST SP 800-53 R5.1.1 CP.9 Contingency Planning Control System Backup Shared a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protect the confidentiality, integrity, and availability of backup information. System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements. 4
NIST_SP_800-53_R5 CP-9 NIST_SP_800-53_R5_CP-9 NIST SP 800-53 Rev. 5 CP-9 Contingency Planning System Backup Shared n/a a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protect the confidentiality, integrity, and availability of backup information. link 9
NZISM_v3.7 22.1.26.C.01. NZISM_v3.7_22.1.26.C.01. NZISM v3.7 22.1.26.C.01. Cloud Computing 22.1.26.C.01. - ensure safety of data. Shared n/a Agencies MUST develop and implement a backup, recovery and archiving plan and supporting procedures. 11
NZISM_v3.7 5.1.21.C.02. NZISM_v3.7_5.1.21.C.02. NZISM v3.7 5.1.21.C.02. Documentation Fundamentals 5.1.21.C.02. - establish a systematic approach to reviewing information security documentation, Shared n/a Agencies SHOULD ensure that information security documentation is reviewed: 1. At least annually; or 2. In response to significant changes in the environment, business or system; and 3. With the date of the most recent review being recorded on each document. 6
NZISM_v3.7 6.4.6.C.01. NZISM_v3.7_6.4.6.C.01. NZISM v3.7 6.4.6.C.01. Business Continuity and Disaster Recovery 6.4.6.C.01. - enhance operational resilience. Shared n/a Agencies SHOULD: 1.Identify vital records; 2. backup all vital records; 3. store copies of critical information, with associated documented recovery procedures, offsite and secured in accordance with the requirements for the highest 4. 4. classification of the information; and 5. test backup and restoration processes regularly to confirm their effectiveness. 13
NZISM_v3.7 7.3.11.C.01. NZISM_v3.7_7.3.11.C.01. NZISM v3.7 7.3.11.C.01. Managing Information Security Incidents 7.3.11.C.01. - support comprehensive investigations and ensure accountability Shared n/a Agencies SHOULD: 1. transfer a copy of raw audit trails and other relevant data onto media for secure archiving, as well as securing manual log records for retention; and 2. ensure that all personnel involved in the investigation maintain a record of actions undertaken to support the investigation. 8
NZISM_v3.7 7.3.6.C.01. NZISM_v3.7_7.3.6.C.01. NZISM v3.7 7.3.6.C.01. Managing Information Security Incidents 7.3.6.C.01. - enhance incident management and oversight. Shared n/a Agencies SHOULD ensure that all information security incidents are recorded in a register. 8
op.cont.3 Periodic tests op.cont.3 Periodic tests 404 not found n/a n/a 91
op.cont.4 Alternative means op.cont.4 Alternative means 404 not found n/a n/a 95
op.exp.3 Security configuration management op.exp.3 Security configuration management 404 not found n/a n/a 123
RBI_CSF_Banks_v2016 13.3 RBI_CSF_Banks_v2016_13.3 Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.3 n/a Consider implementing whitelisting of internet websites/systems. 12
RBI_CSF_Banks_v2016 19.5 RBI_CSF_Banks_v2016_19.5 Incident Response & Management Recovery From Cyber - Incidents-19.5 n/a Banks shall ensure such capabilities in all interconnected systems and networks including those of vendors and partners and readiness demonstrated through collaborative & co-ordinated resilience testing that meet the bank???s recovery time objectives. 5
RBI_ITF_NBFC_v2017 5.2 RBI_ITF_NBFC_v2017_5.2 RBI IT Framework 5.2 IS Audit Coverage-5.2 n/a IS Audit should cover effectiveness of policy and oversight of IT systems, evaluating adequacy of processes and internal controls, recommend corrective action to address deficiencies and follow-up. IS Audit should also evaluate the effectiveness of business continuity planning, disaster recovery set up and ensure that BCP is effectively implemented in the organization. During the process of IS Audit, due importance shall be given to compliance of all the applicable legal and statutory requirements. link 4
RBI_ITF_NBFC_v2017 6 RBI_ITF_NBFC_v2017_6 RBI IT Framework 6 Business Continuity Planning Business Continuity Planning (BCP) and Disaster Recovery-6 n/a BCP forms a significant part of an organisation's overall Business Continuity Management plan, which includes policies, standards and procedures to ensure continuity, resumption and recovery of critical business processes. BCP shall be designed to minimise the operational, financial, legal, reputational and other material consequences arising from a disaster. NBFC should adopt a Board approved BCP Policy. The functioning of BCP shall be monitored by the Board by way of periodic reports. The CIO shall be responsible for formulation, review and monitoring of BCP to ensure continued effectiveness. The BCP may have the following salient features link 9
RBI_ITF_NBFC_v2017 6.2 RBI_ITF_NBFC_v2017_6.2 RBI IT Framework 6.2 Business Continuity Planning Recovery strategy / Contingency Plan-6.2 n/a NBFCs shall try to fully understand the vulnerabilities associated with interrelationships between various systems, departments and business processes. The BCP should come up with the probabilities of various failure scenarios. Evaluation of various options should be done for recovery and the most cost-effective, practical strategy should be selected to minimize losses in case of a disaster. link 8
RBI_ITF_NBFC_v2017 6.3 RBI_ITF_NBFC_v2017_6.3 RBI IT Framework 6.3 Business Continuity Planning Recovery strategy / Contingency Plan-6.3 n/a NBFCs shall consider the need to put in place necessary backup sites for their critical business systems and Data centers. link 7
RMiT_v1.0 10.30 RMiT_v1.0_10.30 RMiT 10.30 Datacenter Operations Datacenter Operations - 10.30 Shared n/a A financial institution is required to undertake an independent risk assessment of its end-to-end backup storage and delivery management to ensure that existing controls are adequate in protecting sensitive data at all times. A financial institution must also maintain a sufficient number of backup copies of critical data, the updated version of the operating system software, production programs, system utilities, all master and transaction files and event logs for recovery purposes. Backup media must be stored in an environmentally secure and access-controlled backup site. link 2
Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes Oxley Act 2022 1 PUBLIC LAW Sarbanes Oxley Act 2022 (SOX) Shared n/a n/a 92
SOC_2 A1.2 SOC_2_A1.2 SOC 2 Type 2 A1.2 Additional Criteria For Availability Environmental protections, software, data back-up processes, and recovery infrastructure Shared The customer is responsible for implementing this recommendation. Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water. • Designs Detection Measures — Detection measures are implemented to identify anomalies that could result from environmental threat events. • Implements and Maintains Environmental Protection Mechanisms — Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events. • Implements Alerts to Analyze Anomalies — Management implements alerts that are communicated to personnel for analysis to identify environmental threat events. • Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator backup subsystem). • Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary. • Determines Data Requiring Backup — Data is evaluated to determine whether backup is required. • Performs Data Backup — Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur. • Addresses Offsite Storage — Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. • Implements Alternate Processing Infrastructure — Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. 13
SOC_2 PI1.5 SOC_2_PI1.5 SOC 2 Type 2 PI1.5 Additional Criteria For Processing Integrity Store inputs and outputs completely, accurately, and timely Shared The customer is responsible for implementing this recommendation. • Protects Stored Items — Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications. • Archives and Protects System Records — System records are archived and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used. • Stores Data Completely and Accurately — Procedures are in place to provide for the complete, accurate, and timely storage of data. • Creates and Maintains Records of System Storage Activities — Records of system storage activities are created and maintained completely and accurately in a timely manner 10
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication Facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 218
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities Maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 229
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 213
SWIFT_CSCF_v2021 2.5A SWIFT_CSCF_v2021_2.5A SWIFT CSCF v2021 2.5A Reduce Attack Surface and Vulnerabilities External Transmission Data Protection n/a Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. link 11
SWIFT_CSCF_v2021 6.4 SWIFT_CSCF_v2021_6.4 SWIFT CSCF v2021 6.4 Detect Anomalous Activity to Systems or Transaction Records Logging and Monitoring n/a Record security events and detect anomalous actions and operations within the local SWIFT environment. link 32
SWIFT_CSCF_v2022 2.5A SWIFT_CSCF_v2022_2.5A SWIFT CSCF v2022 2.5A 2. Reduce Attack Surface and Vulnerabilities External Transmission Data Protection Customer n/a Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. link 6
SWIFT_CSCF_v2022 6.4 SWIFT_CSCF_v2022_6.4 SWIFT CSCF v2022 6.4 6. Detect Anomalous Activity to Systems or Transaction Records Record security events and detect anomalous actions and operations within the local SWIFT environment. Shared n/a Capabilities to detect anomalous activity are implemented, and a process or tool is in place to keep and review logs. link 50
U.03.1 - Redundancy U.03.1 - Redundancy 404 not found n/a n/a 2
U.03.2 - Continuity requirements U.03.2 - Continuity requirements 404 not found n/a n/a 2
U.17.1 - Encrypted U.17.1 - Encrypted 404 not found n/a n/a 5
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn true
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn true
[Preview]: NIS2 32ff9e30-4725-4ca7-ba3a-904a7721ee87 Regulatory Compliance Preview BuiltIn unknown
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn unknown
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn unknown
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn unknown
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn true
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn true
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn true
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn unknown
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST CSF v2.0 184a0e05-7b06-4a68-bbbe-13b8353bc613 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn true
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn true
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn unknown
Sarbanes Oxley Act 2022 5757cf73-35d1-46d4-8c78-17b7ddd6076a Regulatory Compliance GA BuiltIn unknown
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn true
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn unknown
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-11-12 16:23:07 change Major (2.0.0 > 3.0.0)
2021-04-21 13:28:46 change Major (1.0.1 > 2.0.0)
2019-12-11 09:18:30 add 013e242c-8828-4970-87b3-ab247555486d
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC