last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

There should be more than one owner assigned to your subscription

Name There should be more than one owner assigned to your subscription
Azure Portal
Id 09024ccc-0c5f-475e-9457-b7c0d9ed487b
Version 3.0.0
details on versioning
Category Security Center
Microsoft docs
Description It is recommended to designate more than one subscription owner in order to have administrator access redundancy.
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC
Role(s)
none
Rule
Aliases
THEN-ExistenceCondition (1)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.Security/assessments/status.code Microsoft.Security assessments properties.status.code false
Rule
ResourceTypes
IF (1)
Microsoft.Resources/subscriptions
Compliance The following 39 compliance controls are associated with this Policy definition 'There should be more than one owner assigned to your subscription' (09024ccc-0c5f-475e-9457-b7c0d9ed487b)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
AU_ISM 1503 AU_ISM_1503 AU ISM 1503 Guidelines for Personnel Security - Access to systems and their resources Standard access to systems - 1503 n/a Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties. link 6
AU_ISM 1508 AU_ISM_1508 AU ISM 1508 Guidelines for Personnel Security - Access to systems and their resources Privileged access to systems - 1508 n/a Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties. link 7
Azure_Security_Benchmark_v1.0 3.1 Azure_Security_Benchmark_v1.0_3.1 Azure Security Benchmark 3.1 Identity and Access Control Maintain an inventory of administrative accounts Customer Azure AD has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups. How to get a directory role in Azure AD with PowerShell: https://docs.microsoft.com/powershell/module/azuread/get-azureaddirectoryrole?view=azureadps-2.0 How to get members of a directory role in Azure AD with PowerShell: https://docs.microsoft.com/powershell/module/azuread/get-azureaddirectoryrolemember?view=azureadps-2.0 n/a link 4
Azure_Security_Benchmark_v1.0 3.3 Azure_Security_Benchmark_v1.0_3.3 Azure Security Benchmark 3.3 Identity and Access Control Use dedicated administrative accounts Customer Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts. You can also enable a Just-In-Time / Just-Enough-Access by using Azure AD Privileged Identity Management Privileged Roles for Microsoft Services, and Azure Resource Manager. Learn more: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/ n/a link 5
Azure_Security_Benchmark_v2.0 PA-1 Azure_Security_Benchmark_v2.0_PA-1 Azure Security Benchmark PA-1 Privileged Access Protect and limit highly privileged users Customer Limit the number of highly privileged user accounts, and protect these accounts at an elevated level. The most critical built-in roles in Azure AD are Global Administrator and the Privileged Role Administrator, because users assigned to these two roles can delegate administrator roles. With these privileges, users can directly or indirectly read and modify every resource in your Azure environment: - Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities. - Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units. Note: You may have other critical roles that need to be governed if you use custom roles with certain privileged permissions assigned. And you may also want to apply similar controls to the administrator account of critical business assets. You can enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD Privileged Identity Management (PIM). JIT grants temporary permissions to perform privileged tasks only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization. Administrator role permissions in Azure AD: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles Use Azure Privileged Identity Management security alerts: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts Securing privileged access for hybrid and cloud deployments in Azure AD: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-admin-roles-secure n/a link 4
Azure_Security_Benchmark_v3.0 PA-1 Azure_Security_Benchmark_v3.0_PA-1 Azure Security Benchmark PA-1 Privileged Access Separate and limit highly privileged/administrative users Shared **Security Principle:** Ensure you are identifying all high business impact accounts. Limit the number of privileged/administrative accounts in your cloud's control plane, management plane and data/workload plane. **Azure Guidance:** Azure Active Directory (Azure AD) is Azure's default identity and access management service. The most critical built-in roles in Azure AD are Global Administrator and Privileged Role Administrator, because users assigned to these two roles can delegate administrator roles. With these privileges, users can directly or indirectly read and modify every resource in your Azure environment: - Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities. - Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units. Outside of the Azure AD, Azure has built-in roles that can be critical for privileged access at the resource level. - Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. - Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. - User Access Administrator: Lets you manage user access to Azure resources. Note: You may have other critical roles that need to be governed if you use custom roles in the Azure AD level or resource level with certain privileged permissions assigned. Ensure that you also restrict privileged accounts in other management, identity, and security systems that have administrative access to your business-critical assets, such as Active Directory Domain Controllers (DCs), security tools, and system management tools with agents installed on business critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business critical assets. **Implementation and additional context:** Administrator role permissions in Azure AD: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles Use Azure Privileged Identity Management security alerts: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts Securing privileged access for hybrid and cloud deployments in Azure AD: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-admin-roles-secure n/a link 6
CCCS AC-5 CCCS_AC-5 CCCS AC-5 Access Control Separation of Duties n/a (A) The organization: (a) Separate organization-defined duties of individuals including at least separation of operational, development, security monitoring, and management functions; (b) Documents separation of duties of individuals; and (c) Defines information system access authorizations to support separation of duties. link 7
CCCS AC-6 CCCS_AC-6 CCCS AC-6 Access Control Least Privilege n/a (A) The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. link 7
CMMC_2.0_L2 AC.L2-3.1.4 CMMC_2.0_L2_AC.L2-3.1.4 404 not found n/a n/a 1
CMMC_L3 AC.3.017 CMMC_L3_AC.3.017 CMMC L3 AC.3.017 Access Control Separate the duties of individuals to reduce the risk of malevolent activity without collusion. Shared Microsoft and the customer share responsibilities for implementing this requirement. Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties. link 4
CMMC_L3 SC.3.181 CMMC_L3_SC.3.181 CMMC L3 SC.3.181 System and Communications Protection Separate user functionality from system management functionality. Shared Microsoft and the customer share responsibilities for implementing this requirement. System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. link 6
FedRAMP_High_R4 AC-5 FedRAMP_High_R4_AC-5 FedRAMP High AC-5 Access Control Separation Of Duties Shared n/a The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties. Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. Control Enhancements: None. References: None. link 4
FedRAMP_Moderate_R4 AC-5 FedRAMP_Moderate_R4_AC-5 FedRAMP Moderate AC-5 Access Control Separation Of Duties Shared n/a The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties. Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. Control Enhancements: None. References: None. link 4
hipaa 11208.01q1Organizational.8-01.q hipaa-11208.01q1Organizational.8-01.q 11208.01q1Organizational.8 - 01.q User Identification and Authentication The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else. Customer n/a Azure does not implement identification codes and electronic signatures, per FDA CFR 21 Part 11. 1
hipaa 1145.01c2System.1-01.c hipaa-1145.01c2System.1-01.c 1145.01c2System.1-01.c 11 Access Control 1145.01c2System.1-01.c 01.02 Authorized Access to Information Systems Shared n/a Role-based access control is implemented and capable of mapping each user to one or more roles, and each role to one or more system functions. 8
hipaa 1152.01c3System.2-01.c hipaa-1152.01c3System.2-01.c 1152.01c3System.2-01.c 11 Access Control 1152.01c3System.2-01.c 01.02 Authorized Access to Information Systems Shared n/a The organization audits the execution of privileged functions on information systems and ensures information systems prevent non-privileged users from executing privileged functions. 9
IRS_1075_9.3 .1.5 IRS_1075_9.3.1.5 IRS 1075 9.3.1.5 Access Control Separation of Duties (AC-5) n/a The agency must: a. Separate duties of individuals to prevent harmful activity without collusion b. Document separation of duties of individuals c. Define information system access authorizations to support separation of duties link 7
IRS_1075_9.3 .1.6 IRS_1075_9.3.1.6 IRS 1075 9.3.1.6 Access Control Least Privilege (AC-6) n/a The agency must: a. Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with agency missions and business functions b. Explicitly authorize access to FTI (CE1) c. Require that users of information system accounts, or roles, with access to FTI, use non-privileged accounts or roles when accessing non-security functions (CE2) d. Restrict privileged accounts on the information system to a limited number of individuals with a need to perform administrative duties (CE5) The information system must: a. Audit the execution of privileged functions (CE9) b. Prevent non-privileged users from executing privileged functions; including disabling, circumventing, or altering implemented security safeguards/countermeasures (CE10) link 7
ISO27001-2013 A.6.1.2 ISO27001-2013_A.6.1.2 ISO 27001:2013 A.6.1.2 Organization of Information Security Segregation of Duties Shared n/a Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. link 5
NIST_SP_800-171_R2_3 .1.4 NIST_SP_800-171_R2_3.1.4 NIST SP 800-171 R2 3.1.4 Access Control Separate the duties of individuals to reduce the risk of malevolent activity without collusion. Shared Microsoft and the customer share responsibilities for implementing this requirement. Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties. link 6
NIST_SP_800-53_R4 AC-5 NIST_SP_800-53_R4_AC-5 NIST SP 800-53 Rev. 4 AC-5 Access Control Separation Of Duties Shared n/a The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties. Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. Control Enhancements: None. References: None. link 4
NIST_SP_800-53_R5 AC-5 NIST_SP_800-53_R5_AC-5 NIST SP 800-53 Rev. 5 AC-5 Access Control Separation of Duties Shared n/a a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties. link 4
NZ_ISM_v3.5 AC-11 NZ_ISM_v3.5_AC-11 NZISM Security Benchmark AC-11 Access Control and Passwords 16.4.30 Privileged Access Management Customer n/a A fundamental part of any security policy is the inclusion of requirements for the treatment of Privileged Accounts. This is most conveniently contained in a Privileged Access Management (PAM) section within the agency???s security policy. A PAM policy is a fundamental component of an agency???s IT Governance. link 7
NZISM_Security_Benchmark_v1.1 AC-11 NZISM_Security_Benchmark_v1.1_AC-11 NZISM Security Benchmark AC-11 Access Control and Passwords 16.4.30 Privileged Access Management Customer Agencies MUST establish a Privileged Access Management (PAM) policy. Within the context of agency operations, the agency’s PAM policy MUST define: a privileged account; and privileged access. Agencies MUST manage Privileged Accounts in accordance with the Agency’s PAM Policy. A fundamental part of any security policy is the inclusion of requirements for the treatment of Privileged Accounts. This is most conveniently contained in a Privileged Access Management (PAM) section within the agency’s security policy. A PAM policy is a fundamental component of an agency’s IT Governance. link 9
PCI_DSS_V3.2.1 7.1.1 PCI_DSS_v3.2.1_7.1.1 PCI DSS v3.2.1 7.1.1 Requirement 7 PCI DSS requirement 7.1.1 customer n/a n/a link 2
PCI_DSS_V3.2.1 7.1.2 PCI_DSS_v3.2.1_7.1.2 PCI DSS v3.2.1 7.1.2 Requirement 7 PCI DSS requirement 7.1.2 shared n/a n/a link 2
PCI_DSS_V3.2.1 7.1.3 PCI_DSS_v3.2.1_7.1.3 PCI DSS v3.2.1 7.1.3 Requirement 7 PCI DSS requirement 7.1.3 customer n/a n/a link 2
PCI_DSS_v4.0 7.2.1 PCI_DSS_v4.0_7.2.1 PCI DSS v4.0 7.2.1 Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know Access to system components and data is appropriately defined and assigned Shared n/a An access control model is defined and includes granting access as follows: • Appropriate access depending on the entity’s business and access needs. • Access to system components and data resources that is based on users’ job classification and functions. • The least privileges required (for example, user, administrator) to perform a job function. link 10
PCI_DSS_v4.0 7.2.2 PCI_DSS_v4.0_7.2.2 PCI DSS v4.0 7.2.2 Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know Access to system components and data is appropriately defined and assigned Shared n/a Access is assigned to users, including privileged users, based on: • Job classification and function. • Least privileges necessary to perform job responsibilities. link 7
RBI_CSF_Banks_v2016 8.3 RBI_CSF_Banks_v2016_8.3 User Access Control / Management User Access Control / Management-8.3 n/a Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a need to know basis and for specific duration when it is required following an established process. 5
RBI_CSF_Banks_v2016 8.5 RBI_CSF_Banks_v2016_8.5 User Access Control / Management User Access Control / Management-8.5 n/a Implement appropriate (e.g. centralised) systems and controls to allow, manage, log and monitor privileged/superuser/administrative access to critical systems (Servers/OS/DB, applications, network devices etc.). 12
RBI_ITF_NBFC_v2017 3.1.c RBI_ITF_NBFC_v2017_3.1.c RBI IT Framework 3.1.c Information and Cyber Security Role based Access Control-3.1 n/a The IS Policy must provide for a IS framework with the following basic tenets: Role based Access Control ??? Access to information should be based on well-defined user roles (system administrator, user manager, application owner etc.), NBFCs shall avoid dependence on one or few persons for a particular job. There should be clear delegation of authority for right to upgrade/change user profiles and permissions and also key business parameters (eg. interest rates) which should be documented. link 15
SOC_2 CC5.2 SOC_2_CC5.2 SOC 2 Type 2 CC5.2 Control Activities COSO Principle 11 Shared The customer is responsible for implementing this recommendation. • Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls — Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls. • Establishes Relevant Technology Infrastructure Control Activities — Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing. • Establishes Relevant Security Management Process Controls Activities — Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats. • Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities — Management selects and develops control activities over the acquisition, development and maintenance of technology and its infrastructure to achieve management's objectives. 18
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 80
SOC_2 CC6.3 SOC_2_CC6.3 SOC 2 Type 2 CC6.3 Logical and Physical Access Controls Rol based access and least privilege Shared The customer is responsible for implementing this recommendation. • Creates or Modifies Access to Protected Information Assets — Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner. • Removes Access to Protected Information Assets — Processes are in place to remove access to protected information assets when an individual no longer requires access. • Uses Role-Based Access Controls — Role-based access control is utilized to support segregation of incompatible functions. • Reviews Access Roles and Rules — The appropriateness of access roles and access rules is reviewed on a periodic basis for unnecessary and inappropriate individuals with access and access rules are modified as appropriate 20
SWIFT_CSCF_v2021 1.2 SWIFT_CSCF_v2021_1.2 SWIFT CSCF v2021 1.2 SWIFT Environment Protection Operating System Privileged Account Control n/a Restrict and control the allocation and usage of administrator-level operating system accounts. link 12
SWIFT_CSCF_v2021 5.1 SWIFT_CSCF_v2021_5.1 SWIFT CSCF v2021 5.1 Manage Identities and Segregate Privileges Logical Access Control n/a Enforce the security principles of need-to-know access, least privilege, and segregation of duties for operator accounts. link 7
SWIFT_CSCF_v2022 1.2 SWIFT_CSCF_v2022_1.2 SWIFT CSCF v2022 1.2 1. Restrict Internet Access & Protect Critical Systems from General IT Environment Restrict and control the allocation and usage of administrator-level operating system accounts. Shared n/a Access to administrator-level operating system accounts is restricted to the maximum extent possible. Usage is controlled, monitored, and only permitted for relevant activities such as software installation and configuration, maintenance, and emergency activities. At all other times, an account with the least privilege access is used. link 22
SWIFT_CSCF_v2022 5.1 SWIFT_CSCF_v2022_5.1 SWIFT CSCF v2022 5.1 5. Manage Identities and Segregate Privileges Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. Shared n/a Accounts are defined according to the security principles of need-to-know access, least privilege, and separation of duties. link 35
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-01-05 16:06:49 change Major (2.0.0 > 3.0.0)
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077 Regulatory Compliance Preview BuiltIn
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2020 3e0c67fc-8c7c-406c-89bd-6b6bdc986a22 Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn
Azure Security Benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
Canada Federal PBMM 4c4a5f27-de81-430b-b4e5-9cbd50595a87 Regulatory Compliance GA BuiltIn
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
IRS1075 September 2016 105e0327-6175-4eb2-9af4-1fba43bdb39d Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance GA BuiltIn
New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
PCI v3.2.1:2018 496eeda9-8f2f-4d5e-8dfd-204f0a92ed41 Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
JSON
changes

JSON