last sync: 2025-Feb-05 19:33:00 UTC

SQL servers should use customer-managed keys to encrypt data at rest

Azure BuiltIn Policy definition

Source Azure Portal
Display name SQL servers should use customer-managed keys to encrypt data at rest
Id 0a370ff3-6cab-4e85-8995-295fd854c5b8
Version 2.0.1
Details on versioning
Versioning Versions supported for Versioning: 1
2.0.1
Built-in Versioning [Preview]
Category SQL
Microsoft Learn
Description Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (2)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Sql/servers/encryptionProtector/serverKeyType Microsoft.Sql servers/encryptionProtector properties.serverKeyType True False
Microsoft.Sql/servers/keyid Microsoft.Sql servers properties.keyId True False
Rule resource types IF (2)
Microsoft.Sql/servers
Microsoft.Sql/servers/encryptionProtector
Compliance
The following 103 compliance controls are associated with this Policy definition 'SQL servers should use customer-managed keys to encrypt data at rest' (0a370ff3-6cab-4e85-8995-295fd854c5b8)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v1.0 4.8 Azure_Security_Benchmark_v1.0_4.8 Azure Security Benchmark 4.8 Data Protection Encrypt sensitive information at rest Customer Use encryption at rest on all Azure resources. Microsoft recommends allowing Azure to manage your encryption keys, however there is the option for you to manage your own keys in some instances. Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest How to configure customer managed encryption keys: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal n/a link 7
Azure_Security_Benchmark_v2.0 DP-5 Azure_Security_Benchmark_v2.0_DP-5 Azure Security Benchmark DP-5 Data Protection Encrypt sensitive data at rest Shared To complement access controls, data at rest should be protected against ‘out of band’ attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data. Azure provides encryption for data at rest by default. For highly sensitive data, you have options to implement additional encryption at rest on all Azure resources where available. Azure manages your encryption keys by default, but Azure provides options to manage your own keys (customer managed keys) for certain Azure services. Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services How to configure customer managed encryption keys: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal Encryption model and key management table: https://docs.microsoft.com/azure/security/fundamentals/encryption-models Data at rest double encryption in Azure: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-at-rest n/a link 13
Azure_Security_Benchmark_v3.0 DP-5 Azure_Security_Benchmark_v3.0_DP-5 Microsoft cloud security benchmark DP-5 Data Protection Use customer-managed key option in data at rest encryption when required Shared **Security Principle:** If required for regulatory compliance, define the use case and service scope where customer-managed key option is needed. Enable and implement data at rest encryption using customer-managed key in services. **Azure Guidance:** Azure also provides encryption option using keys managed by yourself (customer-managed keys) for certain services. However, using customer-managed key option requires additional operational efforts to manage the key lifecycle. This may include encryption key generation, rotation, revoke and access control, etc. **Implementation and additional context:** Encryption model and key management table: https://docs.microsoft.com/azure/security/fundamentals/encryption-models Services that support encryption using customer-managed key: https://docs.microsoft.com/azure/security/fundamentals/encryption-models#supporting-services How to configure customer managed encryption keys in Azure Storage: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal n/a link 10
Canada_Federal_PBMM_3-1-2020 CM_3(6) Canada_Federal_PBMM_3-1-2020_CM_3(6) Canada Federal PBMM 3-1-2020 CM 3(6) Configuration Change Control Configuration Change Control | Cryptography Management Shared The organization ensures that cryptographic mechanisms used to provide any cryptographic-based safeguards are under configuration management. To uphold security and integrity measures. 20
Canada_Federal_PBMM_3-1-2020 SC_12 Canada_Federal_PBMM_3-1-2020_SC_12 Canada Federal PBMM 3-1-2020 SC 12 Cryptographic Key Establishment and Management Cryptographic Key Establishment and Management Shared The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with CSE-approved cryptography. To enhance overall security posture and compliance with industry best practices. 29
Canada_Federal_PBMM_3-1-2020 SC_12(1) Canada_Federal_PBMM_3-1-2020_SC_12(1) Canada Federal PBMM 3-1-2020 SC 12(1) Cryptographic Key Establishment and Management Cryptographic Key Establishment and Management | Availability Shared The organization maintains availability of information in the event of the loss of cryptographic keys by users. To implement backup and recovery mechanisms. 29
CIS_Azure_1.1.0 4.10 CIS_Azure_1.1.0_4.10 CIS Microsoft Azure Foundations Benchmark recommendation 4.10 4 Database Services Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) Shared The customer is responsible for implementing this recommendation. TDE with BYOK support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with BYOK support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security. Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (BYOK). link 6
CIS_Azure_1.3.0 4.5 CIS_Azure_1.3.0_4.5 CIS Microsoft Azure Foundations Benchmark recommendation 4.5 4 Database Services Ensure SQL server's TDE protector is encrypted with Customer-managed key Shared The customer is responsible for implementing this recommendation. TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security. Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key). link 6
CIS_Azure_1.4.0 4.6 CIS_Azure_1.4.0_4.6 CIS Microsoft Azure Foundations Benchmark recommendation 4.6 4 Database Services Ensure SQL server's TDE protector is encrypted with Customer-managed key Shared The customer is responsible for implementing this recommendation. TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security. Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key). link 6
CIS_Azure_2.0.0 4.1.3 CIS_Azure_2.0.0_4.1.3 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3 4.1 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key Shared Once TDE protector is encrypted with a Customer-managed key, it transfers entire responsibility of respective key management on to you, and hence you should be more careful about doing any operations on the particular key in order to keep data from corresponding SQL server and Databases hosted accessible. When deploying Customer Managed Keys, it is prudent to ensure that you also deploy an automated toolset for managing these keys (this should include discovery and key rotation), and Keys should be stored in an HSM or hardware backed keystore, such as Azure Key Vault. As far as toolsets go, check with your cryptographic key provider, as they may well provide one as an add-on to their service. Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Azure Key Vault. The Azure Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data for additional security. Based on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key). Customer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. Azure Key Vault, Azure’s cloud-based external key management system, is the first key management service where TDE has integrated support for Customer-managed keys. With Customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server. link 6
CMMC_2.0_L2 SC.L2-3.13.10 CMMC_2.0_L2_SC.L2-3.13.10 404 not found n/a n/a 37
CMMC_L2_v1.9.0 SC.L2_3.13.10 CMMC_L2_v1.9.0_SC.L2_3.13.10 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.10 System and Communications Protection Key Management Shared Establish and manage cryptographic keys for cryptography employed in organizational systems. To protect information assets from unauthorized access, manipulation, or disclosure. 14
CMMC_L2_v1.9.0 SC.L2_3.13.11 CMMC_L2_v1.9.0_SC.L2_3.13.11 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.11 System and Communications Protection CUI Encryption Shared Employ FIPS validated cryptography when used to protect the confidentiality of CUI. To ensure the integrity and effectiveness of cryptographic protections applied to sensitive data. 19
CMMC_L3 SC.3.177 CMMC_L3_SC.3.177 CMMC L3 SC.3.177 System and Communications Protection Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Shared Microsoft and the customer share responsibilities for implementing this requirement. Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPSvalidated cryptography and/or NSA-approved cryptography. link 25
CSA_v4.0.12 CEK_01 CSA_v4.0.12_CEK_01 CSA Cloud Controls Matrix v4.0.12 CEK 01 Cryptography, Encryption & Key Management Encryption and Key Management Policy and Procedures Shared n/a Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management. Review and update the policies and procedures at least annually. 14
CSA_v4.0.12 CEK_02 CSA_v4.0.12_CEK_02 CSA Cloud Controls Matrix v4.0.12 CEK 02 Cryptography, Encryption & Key Management CEK Roles and Responsibilities Shared n/a Define and implement cryptographic, encryption and key management roles and responsibilities. 25
CSA_v4.0.12 CEK_03 CSA_v4.0.12_CEK_03 CSA Cloud Controls Matrix v4.0.12 CEK 03 Cryptography, Encryption & Key Management Data Encryption Shared n/a Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards. 58
CSA_v4.0.12 CEK_04 CSA_v4.0.12_CEK_04 CSA Cloud Controls Matrix v4.0.12 CEK 04 Cryptography, Encryption & Key Management Encryption Algorithm Shared n/a Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology. 12
CSA_v4.0.12 CEK_10 CSA_v4.0.12_CEK_10 CSA Cloud Controls Matrix v4.0.12 CEK 10 Cryptography, Encryption & Key Management Key Generation Shared n/a Generate Cryptographic keys using industry accepted cryptographic libraries specifying the algorithm strength and the random number generator used. 24
CSA_v4.0.12 CEK_11 CSA_v4.0.12_CEK_11 CSA Cloud Controls Matrix v4.0.12 CEK 11 Cryptography, Encryption & Key Management Key Purpose Shared n/a Manage cryptographic secret and private keys that are provisioned for a unique purpose. 24
CSA_v4.0.12 CEK_12 CSA_v4.0.12_CEK_12 CSA Cloud Controls Matrix v4.0.12 CEK 12 Cryptography, Encryption & Key Management Key Rotation Shared n/a Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements. 22
CSA_v4.0.12 CEK_13 CSA_v4.0.12_CEK_13 CSA Cloud Controls Matrix v4.0.12 CEK 13 Cryptography, Encryption & Key Management Key Revocation Shared n/a Define, implement and evaluate processes, procedures and technical measures to revoke and remove cryptographic keys prior to the end of its established cryptoperiod, when a key is compromised, or an entity is no longer part of the organization, which include provisions for legal and regulatory requirements. 12
CSA_v4.0.12 CEK_14 CSA_v4.0.12_CEK_14 CSA Cloud Controls Matrix v4.0.12 CEK 14 Cryptography, Encryption & Key Management Key Destruction Shared n/a Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, which include provisions for legal and regulatory requirements. 12
CSA_v4.0.12 CEK_15 CSA_v4.0.12_CEK_15 CSA Cloud Controls Matrix v4.0.12 CEK 15 Cryptography, Encryption & Key Management Key Activation Shared n/a Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements. 21
CSA_v4.0.12 CEK_16 CSA_v4.0.12_CEK_16 CSA Cloud Controls Matrix v4.0.12 CEK 16 Cryptography, Encryption & Key Management Key Suspension Shared n/a Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements. 23
CSA_v4.0.12 CEK_17 CSA_v4.0.12_CEK_17 CSA Cloud Controls Matrix v4.0.12 CEK 17 Cryptography, Encryption & Key Management Key Deactivation Shared n/a Define, implement and evaluate processes, procedures and technical measures to deactivate keys at the time of their expiration date, which include provisions for legal and regulatory requirements. 11
CSA_v4.0.12 CEK_18 CSA_v4.0.12_CEK_18 CSA Cloud Controls Matrix v4.0.12 CEK 18 Cryptography, Encryption & Key Management Key Archival Shared n/a Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository requiring least privilege access, which include provisions for legal and regulatory requirements. 11
CSA_v4.0.12 CEK_19 CSA_v4.0.12_CEK_19 CSA Cloud Controls Matrix v4.0.12 CEK 19 Cryptography, Encryption & Key Management Key Compromise Shared n/a Define, implement and evaluate processes, procedures and technical measures to use compromised keys to encrypt information only in controlled circumstance, and thereafter exclusively for decrypting data and never for encrypting data, which include provisions for legal and regulatory requirements. 11
CSA_v4.0.12 CEK_20 CSA_v4.0.12_CEK_20 CSA Cloud Controls Matrix v4.0.12 CEK 20 Cryptography, Encryption & Key Management Key Recovery Shared n/a Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements. 25
CSA_v4.0.12 CEK_21 CSA_v4.0.12_CEK_21 CSA Cloud Controls Matrix v4.0.12 CEK 21 Cryptography, Encryption & Key Management Key Inventory Management Shared n/a Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements. 12
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 194
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 311
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 311
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 311
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 311
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .1 FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 Policy and Implementation - Systems And Communications Protection Systems And Communications Protection Shared In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. 111
FedRAMP_High_R4 SC-12 FedRAMP_High_R4_SC-12 FedRAMP High SC-12 System And Communications Protection Cryptographic Key Establishment And Management Shared n/a The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. References: NIST Special Publications 800-56, 800-57. link 40
FedRAMP_Moderate_R4 SC-12 FedRAMP_Moderate_R4_SC-12 FedRAMP Moderate SC-12 System And Communications Protection Cryptographic Key Establishment And Management Shared n/a The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. References: NIST Special Publications 800-56, 800-57. link 40
hipaa 0304.09o3Organizational.1-09.o hipaa-0304.09o3Organizational.1-09.o 0304.09o3Organizational.1-09.o 03 Portable Media Security 0304.09o3Organizational.1-09.o 09.07 Media Handling Shared n/a The organization restricts the use of writable removable media and personally-owned removable media in organizational systems. 8
HITRUST_CSF_v11.3 06.c HITRUST_CSF_v11.3_06.c HITRUST CSF v11.3 06.c Compliance with Legal Requirements To prevent loss, destruction and falsification of important records in accordance with statutory, regulatory, contractual, and business requirements. Shared 1. Guidelines are to be issued and implemented by the organization on the ownership, classification, retention, storage, handling, and disposal of all records and information. 2. Accountings of disclosure as organizational records are to be documented and maintained for a pre-defined period. Important records shall be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements. 26
ISO_IEC_27001_2022 7.5.3 ISO_IEC_27001_2022_7.5.3 ISO IEC 27001 2022 7.5.3 Support Control of documented information Shared 1. Documented information required by the information security management system and by this document shall be controlled to ensure: a. it is available and suitable for use, where and when it is needed; and b. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). 2. For the control of documented information, the organization shall address the following activities, as applicable: a. distribution, access, retrieval and use; b. storage and preservation, including the preservation of legibility; c. control of changes (e.g. version control); and d. retention and disposition. Specifies that the documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled 32
ISO_IEC_27002_2022 8.24 ISO_IEC_27002_2022_8.24 ISO IEC 27002 2022 8.24 Protection, Preventive Control Use of cryptography Shared Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented. To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography. 14
ISO_IEC_27017_2015 10.1.1 ISO_IEC_27017_2015_10.1.1 ISO IEC 27017 2015 10.1.1 Cryptography Policy on the use of cryptographic controls Shared For Cloud Service Customer: The cloud service customer should implement cryptographic controls for its use of cloud services if justified by the risk analysis. The controls should be of sufficient strength to mitigate the identified risks, whether those controls are supplied by the cloud service customer or by the cloud service provider. When the cloud service provider offers cryptography, the cloud service customer should review any information supplied by the cloud service provider to confirm whether the cryptographic capabilities: (i) meet the cloud service customer's policy requirements; (ii) are compatible with any other cryptographic protection used by the cloud service customer; (iii) apply to data at rest and in transit to, from and within the cloud service. For Cloud Service Provider: The cloud service provider should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the information it processes. The cloud service provider should also provide information to the cloud service customer about any capabilities it provides that can assist the cloud service customer in applying its own cryptographic protection. To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography. 19
ISO_IEC_27017_2015 10.1.2 ISO_IEC_27017_2015_10.1.2 ISO IEC 27017 2015 10.1.2 Cryptography Key Management Shared For Cloud Service Customer: The cloud service customer should identify the cryptographic keys for each cloud service, and implement procedures for key management. Where the cloud service provides key management functionality for use by the cloud service customer, the cloud service customer should request the following information on the procedures used to manage keys related to the cloud service: (i) type of keys; (ii) specifications of the key management system, including procedures for each stage of the key life-cycle, i.e., generating, changing or updating, storing, retiring, retrieving, retaining and destroying; (iii) recommended key management procedures for use by the cloud service customer. The cloud service customer should not permit the cloud service provider to store and manage the encryption keys for cryptographic operations when the cloud service customer employs its own key management or a separate and distinct key management service. To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography. 14
ISO_IEC_27017_2015 18.1.3 ISO_IEC_27017_2015_18.1.3 ISO IEC 27017 2015 18.1.3 Compliance Protection of Records Shared For Cloud Service Customer: The cloud service customer should request information from the cloud service provider about the protection of records gathered and stored by the cloud service provider that are relevant to the use of cloud services by the cloud service customer. For Cloud Service Provider: The cloud service provider should provide information to the cloud service customer about the protection of records that are gathered and stored by the cloud service provider relating to the use of cloud services by the cloud service customer. To ensure compliance with legal, statutory, regulatory and contractual requirements, as well as community or societal expectations related to the protection and availability of records. 17
ISO_IEC_27017_2015 18.1.5 ISO_IEC_27017_2015_18.1.5 ISO IEC 27017 2015 18.1.5 Compliance Regulation of Cryptographic Controls Shared For Cloud Service Customer: The cloud service customer should verify that the set of cryptographic controls that apply to the use of a cloud service comply with relevant agreements, legislation and regulations. For Cloud Service Provider: The cloud service provider should provide descriptions of the cryptographic controls implemented by the cloud service provider to the cloud service customer for reviewing compliance with applicable agreements, legislation and regulations. To ensure compliance with legal, statutory, regulatory and contractual requirements related to information security. 19
LGPD_2018_Art. 16 LGPD_2018_Art._16 Brazilian General Data Protection Law (LGPD) 2018 Art. 16 Termination of Data Processing Art. 16. Personal data shall be deleted following the termination of their processing Shared n/a Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, but their storage is authorized for the following purposes: (1) compliance with a legal or regulatory obligation by the controller; (2) study by a research entity, ensuring, whenever possible, the anonymization of the personal data; (3) transfer to third parties, provided that the requirements for data processing as provided in this Law are obeyed; or (4) exclusive use of the controller, with access by third parties being prohibited, and provided the data has been anonymized. 18
New_Zealand_ISM 23.4.9.C.01 New_Zealand_ISM_23.4.9.C.01 New_Zealand_ISM_23.4.9.C.01 23. Public Cloud Security 23.4.9.C.01 Data protection mechanisms n/a For each cloud service, agencies MUST ensure that the mechanisms used to protect data meet agency requirements. 17
NIST_SP_800-171_R2_3 .13.10 NIST_SP_800-171_R2_3.13.10 NIST SP 800-171 R2 3.13.10 System and Communications Protection Establish and manage cryptographic keys for cryptography employed in organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. [SP 800-56A] and [SP 800-57-1] provide guidance on cryptographic key management and key establishment. link 40
NIST_SP_800-171_R3_3 .13.10 NIST_SP_800-171_R3_3.13.10 NIST 800-171 R3 3.13.10 System and Communications Protection Control Cryptographic Key Establishment and Management Shared Cryptographic key establishment and management include key generation, distribution, storage, access, rotation, and destruction. Cryptographic keys can be established and managed using either manual procedures or automated mechanisms supported by manual procedures. Organizations satisfy key establishment and management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards that specify appropriate options, levels, and parameters. This requirement is related to 03.13.11. Establish and manage cryptographic keys in the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key establishment and management]. 14
NIST_SP_800-171_R3_3 .13.11 NIST_SP_800-171_R3_3.13.11 NIST 800-171 R3 3.13.11 System and Communications Protection Control Cryptographic Protection Shared Cryptography is implemented in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. Implement the following types of cryptography when used to protect the confidentiality of CUI: [Assignment: organization-defined types of cryptography]. 19
NIST_SP_800-53_R4 SC-12 NIST_SP_800-53_R4_SC-12 NIST SP 800-53 Rev. 4 SC-12 System And Communications Protection Cryptographic Key Establishment And Management Shared n/a The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. References: NIST Special Publications 800-56, 800-57. link 40
NIST_SP_800-53_R5.1.1 SC.12 NIST_SP_800-53_R5.1.1_SC.12 NIST SP 800-53 R5.1.1 SC.12 System and Communications Protection Cryptographic Key Establishment and Management Shared Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment. 13
NIST_SP_800-53_R5.1.1 SC.13 NIST_SP_800-53_R5.1.1_SC.13 NIST SP 800-53 R5.1.1 SC.13 System and Communications Protection Cryptographic Protection Shared a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]. Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 19
NIST_SP_800-53_R5.1.1 SC.28 NIST_SP_800-53_R5.1.1_SC.28 NIST SP 800-53 R5.1.1 SC.28 System and Communications Protection Protection of Information at Rest Shared Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage. 17
NIST_SP_800-53_R5 SC-12 NIST_SP_800-53_R5_SC-12 NIST SP 800-53 Rev. 5 SC-12 System and Communications Protection Cryptographic Key Establishment and Management Shared n/a Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. link 40
NL_BIO_Cloud_Theme U.05.2(2) NL_BIO_Cloud_Theme_U.05.2(2) NL_BIO_Cloud_Theme_U.05.2(2) U.05 Data protection Cryptographic measures n/a Data stored in the cloud service shall be protected to the latest state of the art with encryption and with a key length sufficient at least for the purpose, whereby the key management is not purchased as a cloud service if possible and is carried out by the CSC itself. 52
NL_BIO_Cloud_Theme U.11.3(2) NL_BIO_Cloud_Theme_U.11.3(2) NL_BIO_Cloud_Theme_U.11.3(2) U.11 Cryptoservices Encrypted n/a Sensitive data (on transport and at rest) is always encrypted, with private keys managed by the CSC. The use of a private key by the CSP is based on a controlled procedure and must be jointly agreed with the CSC organisation. 52
NZ_ISM_v3.5 CR-3 NZ_ISM_v3.5_CR-3 NZISM Security Benchmark CR-3 Cryptography 17.1.53 Reducing storage and physical transfer requirements Customer n/a When encryption is applied to media or media residing within IT equipment it provides an additional layer of defence. Whilst such measures do not reduce or alter the classification of the information itself, physical storage, handling and transfer requirements may be reduced to those of a lesser classification for the media or equipment (but not the data itself). link 12
NZISM_Security_Benchmark_v1.1 CR-3 NZISM_Security_Benchmark_v1.1_CR-3 NZISM Security Benchmark CR-3 Cryptography 17.1.46 Reducing storage and physical transfer requirements Customer If an agency wishes to use encryption to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they SHOULD use: full disk encryption; or partial disk encryption where the access control will only allow writing to the encrypted partition holding the classified information. When encryption is applied to media or media residing within IT equipment it provides an additional layer of defence. Whilst such measures do not reduce or alter the classification of the information itself, physical storage, handling and transfer requirements may be reduced to those of a lesser classification for the media or equipment (but not the data itself). link 11
NZISM_v3.7 17.1.51.C.01. NZISM_v3.7_17.1.51.C.01. NZISM v3.7 17.1.51.C.01. Cryptographic Fundamentals 17.1.51.C.01. - To enhace overall security posture. Shared n/a Agencies using cryptographic functionality within a product to protect the confidentiality, authentication, non-repudiation or integrity of information, MUST ensure that the product has completed a cryptographic evaluation recognised by the GCSB. 20
NZISM_v3.7 17.1.52.C.01. NZISM_v3.7_17.1.52.C.01. NZISM v3.7 17.1.52.C.01. Cryptographic Fundamentals 17.1.52.C.01. - To enhace overall security posture. Shared n/a Cryptographic products MUST provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure. 20
NZISM_v3.7 17.1.52.C.02. NZISM_v3.7_17.1.52.C.02. NZISM v3.7 17.1.52.C.02. Cryptographic Fundamentals 17.1.52.C.02. - To enhance data accessibility and integrity. Shared n/a Cryptographic products SHOULD provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure. 20
NZISM_v3.7 17.1.53.C.03. NZISM_v3.7_17.1.53.C.03. NZISM v3.7 17.1.53.C.03. Cryptographic Fundamentals 17.1.53.C.03. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a If an agency wishes to use encryption to reduce the storage, handling or physical transfer requirements for IT equipment or media that contains classified information, they MUST use: 1. full disk encryption; or 2. partial disk encryption where the access control will allow writing ONLY to the encrypted partition holding the classified information. 20
NZISM_v3.7 17.1.53.C.04. NZISM_v3.7_17.1.53.C.04. NZISM v3.7 17.1.53.C.04. Cryptographic Fundamentals 17.1.53.C.04. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a If an agency wishes to use encryption to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they SHOULD use: 1. full disk encryption; or 2. partial disk encryption where the access control will allow writing ONLY to the encrypted partition holding the classified information. 20
NZISM_v3.7 17.1.54.C.01. NZISM_v3.7_17.1.54.C.01. NZISM v3.7 17.1.54.C.01. Cryptographic Fundamentals 17.1.54.C.01. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a Agencies MUST use an Approved Cryptographic Algorithm to protect NZEO information when at rest on a system. 20
NZISM_v3.7 17.1.55.C.01. NZISM_v3.7_17.1.55.C.01. NZISM v3.7 17.1.55.C.01. Cryptographic Fundamentals 17.1.55.C.01. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a Agencies MUST use HACE if they wish to communicate or pass information over UNCLASSIFIED, insecure or unprotected networks. 20
NZISM_v3.7 17.1.55.C.02. NZISM_v3.7_17.1.55.C.02. NZISM v3.7 17.1.55.C.02. Cryptographic Fundamentals 17.1.55.C.02. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a Information or systems classified RESTRICTED or SENSITIVE MUST be encrypted with an Approved Cryptographic Algorithm and Protocol if information is transmitted or systems are communicating over insecure or unprotected networks, such as the Internet, public networks or non-agency controlled networks. 20
NZISM_v3.7 17.1.55.C.03. NZISM_v3.7_17.1.55.C.03. NZISM v3.7 17.1.55.C.03. Cryptographic Fundamentals 17.1.55.C.03. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a Agencies MUST encrypt aggregated agency data using an approved algorithm and protocol over insecure or unprotected networks such as the Internet, public infrastructure or non-agency controlled networks when the compromise of the aggregated data would present a significant impact to the agency. 20
NZISM_v3.7 17.1.55.C.04. NZISM_v3.7_17.1.55.C.04. NZISM v3.7 17.1.55.C.04. Cryptographic Fundamentals 17.1.55.C.04. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a Agencies SHOULD encrypt agency data using an approved algorithm and protocol if they wish to communicate over insecure or unprotected networks such as the Internet, public networks or non-agency controlled networks. 20
NZISM_v3.7 17.1.56.C.02. NZISM_v3.7_17.1.56.C.02. NZISM v3.7 17.1.56.C.02. Cryptographic Fundamentals 17.1.56.C.02. - To ensure compliance with security protocols and best practices. Shared n/a Agencies MUST consult the GCSB for further advice on the powered off status and treatment of specific software, systems and IT equipment. 20
NZISM_v3.7 17.1.57.C.01. NZISM_v3.7_17.1.57.C.01. NZISM v3.7 17.1.57.C.01. Cryptographic Fundamentals 17.1.57.C.01. - To ensure compliance with security protocols and best practices. Shared n/a In addition to any encryption already in place for communication mediums, agencies MUST use an Approved Cryptographic Protocol and Algorithm to protect NZEO information when in transit. 19
NZISM_v3.7 17.1.58.C.01. NZISM_v3.7_17.1.58.C.01. NZISM v3.7 17.1.58.C.01. Cryptographic Fundamentals 17.1.58.C.01. - To ensure compliance with security protocols and best practices. Shared n/a Agencies SHOULD establish cryptoperiods for all keys and cryptographic implementations in their systems and operations. 19
NZISM_v3.7 17.1.58.C.02. NZISM_v3.7_17.1.58.C.02. NZISM v3.7 17.1.58.C.02. Cryptographic Fundamentals 17.1.58.C.02. - To enhance overall cybersecurity posture. Shared n/a Agencies SHOULD use risk assessment techniques and guidance to establish cryptoperiods. 25
NZISM_v3.7 17.1.58.C.03. NZISM_v3.7_17.1.58.C.03. NZISM v3.7 17.1.58.C.03. Cryptographic Fundamentals 17.1.58.C.03. - To enhance overall cybersecurity posture. Shared n/a Agencies using HACE MUST consult the GCSB for key management requirements. 17
NZISM_v3.7 17.10.12.C.01. NZISM_v3.7_17.10.12.C.01. NZISM v3.7 17.10.12.C.01. Hardware Security Modules 17.10.12.C.01. - To enhance the overall security posture of the systems and the sensitive information they protect. Shared n/a Agencies MUST consider the use of HSMs when undertaking a security risk assessment or designing network and security architectures. 15
PCI_DSS_v4.0.1 3.5.1.1 PCI_DSS_v4.0.1_3.5.1.1 PCI DSS v4.0.1 3.5.1.1 Protect Stored Account Data Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7 Shared n/a Examine documentation about the hashing method used to render PAN unreadable, including the vendor, type of system/process, and the encryption algorithms (as applicable) to verify that the hashing method results in keyed cryptographic hashes of the entire PAN, with associated key management processes and procedures. Examine documentation about the key management procedures and processes associated with the keyed cryptographic hashes to verify keys are managed in accordance with Requirements 3.6 and 3.7. Examine data repositories to verify the PAN is rendered unreadable. Examine audit logs, including payment application logs, to verify the PAN is rendered unreadable 19
PCI_DSS_v4.0.1 3.6.1 PCI_DSS_v4.0.1_3.6.1 PCI DSS v4.0.1 3.6.1 Protect Stored Account Data Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse that include: access to keys is restricted to the fewest number of custodians necessary. Key-encrypting keys are at least as strong as the data-encrypting keys they protect. Key-encrypting keys are stored separately from data-encrypting keys. Keys are stored securely in the fewest possible locations and forms Shared n/a Examine documented key-management policies and procedures to verify that processes to protect cryptographic keys used to protect stored account data against disclosure and misuse are defined to include all elements specified in this requirement 16
PCI_DSS_v4.0.1 3.6.1.1 PCI_DSS_v4.0.1_3.6.1.1 PCI DSS v4.0.1 3.6.1.1 Protect Stored Account Data Additional requirement for service providers only: A documented description of the cryptographic architecture is maintained that includes: details of all algorithms, protocols, and keys used for the protection of stored account data, including key strength and expiry date. Preventing the use of the same cryptographic keys in production and test environments. Description of the key usage for each key. Inventory of any hardware security modules (HSMs), key management systems (KMS), and other secure cryptographic devices (SCDs) used for key management, including type and location of devices, to support meeting Requirement 12.3.4 Shared n/a Additional testing procedure for service provider assessments only: Interview responsible personnel and examine documentation to verify that a document exists to describe the cryptographic architecture that includes all elements specified in this requirement 14
PCI_DSS_v4.0.1 3.7.1 PCI_DSS_v4.0.1_3.7.1 PCI DSS v4.0.1 3.7.1 Protect Stored Account Data Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to protect stored account data Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define generation of strong cryptographic keys. Observe the method for generating keys to verify that strong keys are generated 16
PCI_DSS_v4.0.1 3.7.2 PCI_DSS_v4.0.1_3.7.2 PCI DSS v4.0.1 3.7.2 Protect Stored Account Data Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to protect stored account data Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define secure distribution of cryptographic keys. Observe the method for distributing keys to verify that keys are distributed securely 16
PCI_DSS_v4.0.1 3.7.3 PCI_DSS_v4.0.1_3.7.3 PCI DSS v4.0.1 3.7.3 Protect Stored Account Data Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to protect stored account data Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define secure storage of cryptographic keys. Observe the method for storing keys to verify that keys are stored securely 14
PCI_DSS_v4.0.1 3.7.5 PCI_DSS_v4.0.1_3.7.5 PCI DSS v4.0.1 3.7.5 Protect Stored Account Data Key management policies procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary when: the key has reached the end of its defined cryptoperiod. The integrity of the key has been weakened, including when personnel with knowledge of a cleartext key component leaves the company, or the role for which the key component was known. The key is suspected of or known to be compromised. Retired or replaced keys are not used for encryption operations Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define retirement, replacement, or destruction of keys in accordance with all elements specified in this requirement. Interview personnel to verify that processes are implemented in accordance with all elements specified in this requirement 14
PCI_DSS_v4.0.1 3.7.6 PCI_DSS_v4.0.1_3.7.6 PCI DSS v4.0.1 3.7.6 Protect Stored Account Data Where manual cleartext cryptographic key-management operations are performed by personnel, key-management policies and procedures are implemented, including managing these operations using split knowledge and dual control Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define using split knowledge and dual control. Interview personnel and/or observe processes to verify that manual cleartext keys are managed with split knowledge and dual control 16
PCI_DSS_v4.0.1 3.7.7 PCI_DSS_v4.0.1_3.7.7 PCI DSS v4.0.1 3.7.7 Protect Stored Account Data Key management policies and procedures are implemented to include the prevention of unauthorized substitution of cryptographic keys Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define prevention of unauthorized substitution of cryptographic keys. Interview personnel and/or observe processes to verify that unauthorized substitution of keys is prevented 14
PCI_DSS_v4.0.1 3.7.8 PCI_DSS_v4.0.1_3.7.8 PCI DSS v4.0.1 3.7.8 Protect Stored Account Data Key management policies and procedures are implemented to include that cryptographic key custodians formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define acknowledgments for key custodians in accordance with all elements specified in this requirement. Examine documentation or other evidence showing that key custodians have provided acknowledgments in accordance with all elements specified in this requirement 14
PCI_DSS_v4.0.1 4.2.1 PCI_DSS_v4.0.1_4.2.1 PCI DSS v4.0.1 4.2.1 Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: Only trusted keys and certificates are accepted. Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations. The encryption strength is appropriate for the encryption methodology in use Shared n/a Examine documented policies and procedures and interview personnel to verify processes are defined to include all elements specified in this requirement. Examine system configurations to verify that strong cryptography and security protocols are implemented in accordance with all elements specified in this requirement. Examine cardholder data transmissions to verify that all PAN is encrypted with strong cryptography when it is transmitted over open, public networks. Examine system configurations to verify that keys and/or certificates that cannot be verified as trusted are rejected 19
RBI_CSF_Banks_v2016 13.4 RBI_CSF_Banks_v2016_13.4 Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.4 n/a Consider implementingsecure web gateways with capability to deep scan network packets including secure (HTTPS, etc.) traffic passing through the web/internet gateway 41
RBI_CSF_Banks_v2016 21.1 RBI_CSF_Banks_v2016_21.1 Metrics Metrics-21.1 n/a Develop a comprehensive set of metrics that provide for prospective and retrospective measures, like key performance indicators and key risk indicators 15
RMiT_v1.0 10.19 RMiT_v1.0_10.19 RMiT 10.19 Cryptography Cryptography - 10.19 Shared n/a A financial institution must ensure cryptographic controls are based on the effective implementation of suitable cryptographic protocols. The protocols shall include secret and public cryptographic key protocols, both of which shall reflect a high degree of protection to the applicable secret or private cryptographic keys. The selection of such protocols must be based on recognised international standards and tested accordingly. Commensurate with the level of risk, secret cryptographic key and private-cryptographic key storage and encryption/decryption computation must be undertaken in a protected environment, supported by a hardware security module (HSM) or trusted execution environment (TEE). link 6
RMiT_v1.0 10.53 RMiT_v1.0_10.53 RMiT 10.53 Cloud Services Cloud Services - 10.53 Shared n/a A financial institution must implement appropriate safeguards on customer and counterparty information and proprietary data when using cloud services to protect against unauthorised disclosure and access. This shall include retaining ownership, control and management of all data pertaining to customer and counterparty information, proprietary data and services hosted on the cloud, including the relevant cryptographic keys management. link 14
SO .3 - Customer-Managed Keys SO.3 - Customer-Managed Keys 404 not found n/a n/a 12
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 75
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 219
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 230
SOC_2023 CC6.1 SOC_2023_CC6.1 SOC 2023 CC6.1 Logical and Physical Access Controls To mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. Shared n/a Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. 129
SOC_2023 CC7.2 SOC_2023_CC7.2 SOC 2023 CC7.2 Systems Operations To maintain robust security measures and ensure operational resilience. Shared n/a The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. 168
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 214
SOC_2023 CC9.1 SOC_2023_CC9.1 SOC 2023 CC9.1 Risk Mitigation To enhance resilience and ensure continuity of critical operations in the face of adverse events or threats. Shared n/a Entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. 18
SWIFT_CSCF_2024 2.1 SWIFT_CSCF_2024_2.1 SWIFT Customer Security Controls Framework 2024 2.1 Risk Management Internal Data Flow Security Shared The protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit. To ensure the confidentiality, integrity, and authenticity of application data flows between ’user’s Swift-related components. 48
SWIFT_CSCF_2024 2.4A SWIFT_CSCF_2024_2.4A SWIFT Customer Security Controls Framework 2024 2.4A Risk Management Back Office Data Flow Security Shared Protection of data flows or connections between the back-office first hops as seen from the Swift or customer secure zone and the Swift infrastructure safeguards against person-in-the-middle attack, unintended disclosure, modification, and data access while in transit. To ensure the confidentiality, integrity, and mutual authenticity of data flowing between on-premises or remote Swift infrastructure components and the back-office first hops they connect to. 24
U.05.2 - Cryptographic measures U.05.2 - Cryptographic measures 404 not found n/a n/a 51
U.11.3 - Encrypted U.11.3 - Encrypted 404 not found n/a n/a 51
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn
[Deprecated]: New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance Deprecated BuiltIn
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn
[Preview]: Control the use of Microsoft SQL in a Virtual Enclave 0fbe78a5-1722-4f1b-83a5-89c14151fa60 VirtualEnclaves Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn
[Preview]: Sovereignty Baseline - Confidential Policies 03de05a4-c324-4ccd-882f-a814ea8ab9ea Regulatory Compliance Preview BuiltIn
Brazilian General Data Protection Law (LGPD) 2018 770977b7-fceb-4c16-9d09-b7484fb8eef2 Regulatory Compliance GA BuiltIn
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn
Deny or Audit resources without Encryption with a customer-managed key (CMK) Enforce-Encryption-CMK Encryption GA ALZ
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO/IEC 27001 2022 5e4ff661-23bf-42fa-8e3a-309a55091cc7 Regulatory Compliance GA BuiltIn
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn
ISO/IEC 27017 2015 f48ecfa6-581c-43f9-8141-cd4adc72cf26 Regulatory Compliance GA BuiltIn
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-01-07 18:14:35 change Patch (2.0.0 > 2.0.1)
2021-12-06 22:17:57 change Major, old suffix: preview (1.0.0-preview > 2.0.0)
2021-08-13 17:07:49 add 0a370ff3-6cab-4e85-8995-295fd854c5b8
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC