| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v1.0 |
7.11 |
Azure_Security_Benchmark_v1.0_7.11 |
Azure Security Benchmark 7.11 |
Secure Configuration |
Manage Azure secrets securely |
Customer |
Use Managed Service Identity in conjunction with Azure Key Vault to simplify and secure secret management for your cloud applications.
How to integrate with Azure Managed Identities:
https://docs.microsoft.com/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity
How to create a Key Vault:
https://docs.microsoft.com/azure/key-vault/quick-create-portal
How to provide Key Vault authentication with a managed identity:
https://docs.microsoft.com/azure/key-vault/managed-identity |
n/a |
link |
1 |
| Azure_Security_Benchmark_v1.0 |
9.4 |
Azure_Security_Benchmark_v1.0_9.4 |
Azure Security Benchmark 9.4 |
Data Recovery |
Ensure protection of backups and customer managed keys |
Customer |
For on-premises backup, encryption-at-rest is provided using the passphrase you provide when backing up to Azure. For Azure VMs, data is encrypted-at-rest using Storage Service Encryption (SSE). You may enable Soft-Delete in Key Vault to protect keys against accidental or malicious deletion.
How to enable Soft-Delete in Key Vault:
https://docs.microsoft.com/azure/storage/blobs/storage-blob-soft-delete?tabs=azure-portal |
n/a |
link |
1 |
| Azure_Security_Benchmark_v2.0 |
BR-4 |
Azure_Security_Benchmark_v2.0_BR-4 |
Azure Security Benchmark BR-4 |
Backup and Recovery |
Mitigate risk of lost keys |
Customer |
Ensure you have measures in place to prevent and recover from loss of keys. Enable soft delete and purge protection in Azure Key Vault to protect keys against accidental or malicious deletion.
How to enable soft delete and purge protection in Key Vault: https://docs.microsoft.com/azure/storage/blobs/storage-blob-soft-delete?tabs=azure-portal |
n/a |
link |
2 |
| Azure_Security_Benchmark_v3.0 |
DP-8 |
Azure_Security_Benchmark_v3.0_DP-8 |
Azure Security Benchmark DP-8 |
Data Protection |
Ensure security of key and certificate repository |
Shared |
**Security Principle:**
Ensure the security of the key vault service used for the cryptographic key and certificate lifecycle management. Harden your key vault service through access control, network security, logging and monitoring and backup to ensure keys and certificates are always protected using the maximum security.
**Azure Guidance:**
Secure your cryptographic keys and certificates by hardening your Azure Key Vault service through the following controls:
- Restrict the access to keys and certificates in Azure Key Vault using built-in access policies or Azure RBAC to ensure the least privileges principle are in place for management plane access and data plane access.
- Secure the Azure Key Vault using Private Link and Azure Firewall to ensure the minimal exposure of the service
- Ensure separation of duties is place for users who manages encryption keys not have the ability to access encrypted data, and vice versa.
- Use managed identity to access keys stored in the Azure Key Vault in your workload applications.
- Never have the keys stored in plaintext format outside of the Azure Key Vault.
- When purging data, ensure your keys are not deleted before the actual data, backups and archives are purged.
- Backup your keys and certificates using the Azure Key Vault. Enable soft delete and purge protection to avoid accidental deletion of keys.
- Turn on Azure Key Vault logging to ensure the critical management plane and data plane activities are logged.
**Implementation and additional context:**
Azure Key Vault overview:
https://docs.microsoft.com/azure/key-vault/general/overview
Azure Key Vault security best practices:
https://docs.microsoft.com/azure/key-vault/general/best-practices
Use managed identity to access Azure Key Vault:
https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad
|
n/a |
link |
6 |
| CIS_Azure_1.1.0 |
8.4 |
CIS_Azure_1.1.0_8.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.4 |
8 Other Security Considerations |
Ensure the key vault is recoverable |
Shared |
The customer is responsible for implementing this recommendation. |
The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects.
It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. |
link |
3 |
| CIS_Azure_1.3.0 |
8.4 |
CIS_Azure_1.3.0_8.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.4 |
8 Other Security Considerations |
Ensure the key vault is recoverable |
Shared |
The customer is responsible for implementing this recommendation. |
The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects.
It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. |
link |
2 |
| CIS_Azure_1.4.0 |
8.6 |
CIS_Azure_1.4.0_8.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 8.6 |
8 Other Security Considerations |
Ensure the key vault is recoverable |
Shared |
The customer is responsible for implementing this recommendation. |
The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects.
It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. |
link |
2 |
| CMMC_2.0_L2 |
MP.L2-3.8.9 |
CMMC_2.0_L2_MP.L2-3.8.9 |
404 not found |
|
|
|
n/a |
n/a |
|
6 |
| CMMC_L3 |
SC.3.187 |
CMMC_L3_SC.3.187 |
CMMC L3 SC.3.187 |
System and Communications Protection |
Establish and manage cryptographic keys for cryptography employed in organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. |
link |
8 |
| FedRAMP_High_R4 |
CP-9 |
FedRAMP_High_R4_CP-9 |
FedRAMP High CP-9 |
Contingency Planning |
Information System Backup |
Shared |
n/a |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the
scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13.
References: NIST Special Publication 800-34. |
link |
9 |
| FedRAMP_Moderate_R4 |
CP-9 |
FedRAMP_Moderate_R4_CP-9 |
FedRAMP Moderate CP-9 |
Contingency Planning |
Information System Backup |
Shared |
n/a |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the
scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13.
References: NIST Special Publication 800-34. |
link |
9 |
| hipaa |
1635.12b1Organizational.2-12.b |
hipaa-1635.12b1Organizational.2-12.b |
1635.12b1Organizational.2-12.b |
16 Business Continuity & Disaster Recovery |
1635.12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management |
Shared |
n/a |
Information security aspects of business continuity are: (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and, (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy. |
|
6 |
| NIST_SP_800-171_R2_3 |
.8.9 |
NIST_SP_800-171_R2_3.8.9 |
NIST SP 800-171 R2 3.8.9 |
Media Protection |
Protect the confidentiality of backup CUI at storage locations. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information. |
link |
8 |
| NIST_SP_800-53_R4 |
CP-9 |
NIST_SP_800-53_R4_CP-9 |
NIST SP 800-53 Rev. 4 CP-9 |
Contingency Planning |
Information System Backup |
Shared |
n/a |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the
scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13.
References: NIST Special Publication 800-34. |
link |
9 |
| NIST_SP_800-53_R5 |
CP-9 |
NIST_SP_800-53_R5_CP-9 |
NIST SP 800-53 Rev. 5 CP-9 |
Contingency Planning |
System Backup |
Shared |
n/a |
a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protect the confidentiality, integrity, and availability of backup information. |
link |
9 |
| NZ_ISM_v3.5 |
CR-2 |
NZ_ISM_v3.5_CR-2 |
NZISM Security Benchmark CR-2 |
Cryptography |
17.1.52 Data Recovery |
Customer |
n/a |
It is important for continuity and operational stability that cryptographic products provide a means of data recovery to allow for the recovery of data in circumstances such as where the encryption key is unavailable due to loss, damage or failure. This includes production, storage, backup and virtual systems. This is sometimes described as ???key escrow???. |
link |
2 |
| NZISM_Security_Benchmark_v1.1 |
CR-2 |
NZISM_Security_Benchmark_v1.1_CR-2 |
NZISM Security Benchmark CR-2 |
Cryptography |
17.1.45 Data Recovery |
Customer |
Cryptographic products SHOULD provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure. |
It is important for continuity and operational stability that cryptographic products provide a means of data recovery to allow for the recovery of data in circumstances such as where the encryption key is unavailable due to loss, damage or failure. This includes production, storage, backup and virtual systems. This is sometimes described as “key escrow”. |
link |
2 |
| RBI_CSF_Banks_v2016 |
21.1 |
RBI_CSF_Banks_v2016_21.1 |
|
Metrics |
Metrics-21.1 |
|
n/a |
Develop a comprehensive set of metrics that provide for prospective and
retrospective measures, like key performance indicators and key risk indicators |
|
15 |
| RBI_ITF_NBFC_v2017 |
3.1.h |
RBI_ITF_NBFC_v2017_3.1.h |
RBI IT Framework 3.1.h |
Information and Cyber Security |
Public Key Infrastructure (PKI)-3.1 |
|
n/a |
The IS Policy must provide for a IS framework with the following basic tenets:
Public Key Infrastructure (PKI) - NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation. |
link |
32 |
| RMiT_v1.0 |
10.16 |
RMiT_v1.0_10.16 |
RMiT 10.16 |
Cryptography |
Cryptography - 10.16 |
Shared |
n/a |
A financial institution must establish a robust and resilient cryptography policy to promote the adoption of strong cryptographic controls for protection of important data and information. This policy, at a minimum, shall address requirements for:
(a) the adoption of industry standards for encryption algorithms, message authentication, hash functions, digital signatures and random number generation;
(b) the adoption of robust and secure processes in managing cryptographic key lifecycles which include generation, distribution, renewal, usage, storage, recovery, revocation and destruction;
(c) the periodic review, at least every three years, of existing cryptographic standards and algorithms in critical systems, external linked or transactional customer-facing applications to prevent exploitation of weakened algorithms or protocols; and
(d) the development and testing of compromise-recovery plans in the event of a cryptographic key compromise. This must set out the escalation process, procedures for keys regeneration, interim measures, changes to business-as-usual protocols and containment strategies or options to minimise the impact of a compromise. |
link |
10 |
| RMiT_v1.0 |
11.15 |
RMiT_v1.0_11.15 |
RMiT 11.15 |
Data Loss Prevention (DLP) |
Data Loss Prevention (DLP) - 11.15 |
Shared |
n/a |
A financial institution must design internal control procedures and implement appropriate technology in all applications and access points to enforce DLP policies and trigger any policy violations. The technology deployed must cover the following:
(a) data in-use - data being processed by IT resources;
(b) data in-motion - data being transmitted on the network; and
(c) data at-rest - data stored in storage mediums such as servers, backup media and databases. |
link |
14 |
| SOC_2 |
CC6.1 |
SOC_2_CC6.1 |
SOC 2 Type 2 CC6.1 |
Logical and Physical Access Controls |
Logical access security software, infrastructure, and architectures |
Shared |
The customer is responsible for implementing this recommendation. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion:
• Identifies and Manages the Inventory of Information Assets — The entity identifies,
Page 29
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
inventories, classifies, and manages information assets.
• Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative
authorities, mobile devices, output, and offline system components is restricted
through the use of access control software and rule sets.
• Identifies and Authenticates Users — Persons, infrastructure, and software are
identified and authenticated prior to accessing information assets, whether locally
or remotely.
• Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
• Manages Points of Access — Points of access by outside entities and the types of
data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified,
documented, and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
• Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems
accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external
infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point.
Credentials are removed and access is disabled when access is no longer required
or the infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to supplement other
measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
• Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction |
|
80 |
| SWIFT_CSCF_v2021 |
5.4 |
SWIFT_CSCF_v2021_5.4 |
SWIFT CSCF v2021 5.4 |
Manage Identities and Segregate Privileges |
Physical and Logical Password Storage |
|
n/a |
Protect physically and logically repository of recorded passwords. |
link |
4 |
| SWIFT_CSCF_v2022 |
5.4 |
SWIFT_CSCF_v2022_5.4 |
SWIFT CSCF v2022 5.4 |
5. Manage Identities and Segregate Privileges |
Protect physically and logically the repository of recorded passwords. |
Shared |
n/a |
Recorded passwords are stored in a protected physical or logical location, with access restricted on a need-to-know basis. |
link |
6 |