AzPolicyAdvertizer

last sync: 2025-Apr-29 17:16:02 UTC

Key vaults should have deletion protection enabled

Azure BuiltIn Policy definition

Source Azure Portal
Display name Key vaults should have deletion protection enabled
Id 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53
Version 2.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
2.1.0
Built-in Versioning [Preview]
Category Key Vault
Microsoft Learn
Description Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '2.*.*'
Assessment(s) Assessments count: 1
Assessment Id: 4ed62ae4-5072-f9e7-8d94-51c76c48159a
DisplayName: Key vaults should have purge protection enabled
Description: Enabling purge protection on key vaults is a critical security measure to prevent permanent data loss.
This feature enforces a mandatory retention period for soft-deleted key vaults, making them immune to purging during this period.
Without this protection, a malicious insider could potentially delete and purge key vaults, leading to irreversible data loss.
Therefore, it's important to activate purge protection to safeguard against such insider threats.

Remediation description: To enable purge protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Properties' tab. 3. Select the radio button corresponding to "Enable purge protection". 4. Select 'Save'. Soft delete is a pre-requisite for purge protection, if you have not already enabled this option, please select the radio button corresponding to "Enable soft delete" first. Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.
Categories: IdentityAndAccess
Severity: Medium
preview: True
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (3)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.KeyVault/vaults/createMode Microsoft.KeyVault vaults properties.createMode True True
Microsoft.KeyVault/vaults/enablePurgeProtection Microsoft.KeyVault vaults properties.enablePurgeProtection True True
Microsoft.KeyVault/vaults/enableSoftDelete Microsoft.KeyVault vaults properties.enableSoftDelete True True
Rule resource types IF (1)
Compliance
The following 72 compliance controls are associated with this Policy definition 'Key vaults should have deletion protection enabled' (0b60c0b2-2dc2-4e1c-b5c9-abbed971de53)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v1.0 7.11 Azure_Security_Benchmark_v1.0_7.11 Azure Security Benchmark 7.11 Secure Configuration Manage Azure secrets securely Customer Use Managed Service Identity in conjunction with Azure Key Vault to simplify and secure secret management for your cloud applications. How to integrate with Azure Managed Identities: https://docs.microsoft.com/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity How to create a Key Vault: https://docs.microsoft.com/azure/key-vault/quick-create-portal How to provide Key Vault authentication with a managed identity: https://docs.microsoft.com/azure/key-vault/managed-identity n/a link 1
Azure_Security_Benchmark_v1.0 9.4 Azure_Security_Benchmark_v1.0_9.4 Azure Security Benchmark 9.4 Data Recovery Ensure protection of backups and customer managed keys Customer For on-premises backup, encryption-at-rest is provided using the passphrase you provide when backing up to Azure. For Azure VMs, data is encrypted-at-rest using Storage Service Encryption (SSE). You may enable Soft-Delete in Key Vault to protect keys against accidental or malicious deletion. How to enable Soft-Delete in Key Vault: https://docs.microsoft.com/azure/storage/blobs/storage-blob-soft-delete?tabs=azure-portal n/a link 1
Azure_Security_Benchmark_v2.0 BR-4 Azure_Security_Benchmark_v2.0_BR-4 Azure Security Benchmark BR-4 Backup and Recovery Mitigate risk of lost keys Customer Ensure you have measures in place to prevent and recover from loss of keys. Enable soft delete and purge protection in Azure Key Vault to protect keys against accidental or malicious deletion. How to enable soft delete and purge protection in Key Vault: https://docs.microsoft.com/azure/storage/blobs/storage-blob-soft-delete?tabs=azure-portal n/a link 2
Azure_Security_Benchmark_v3.0 DP-8 Azure_Security_Benchmark_v3.0_DP-8 Microsoft cloud security benchmark DP-8 Data Protection Ensure security of key and certificate repository Shared **Security Principle:** Ensure the security of the key vault service used for the cryptographic key and certificate lifecycle management. Harden your key vault service through access control, network security, logging and monitoring and backup to ensure keys and certificates are always protected using the maximum security. **Azure Guidance:** Secure your cryptographic keys and certificates by hardening your Azure Key Vault service through the following controls: - Restrict the access to keys and certificates in Azure Key Vault using built-in access policies or Azure RBAC to ensure the least privileges principle are in place for management plane access and data plane access. - Secure the Azure Key Vault using Private Link and Azure Firewall to ensure the minimal exposure of the service - Ensure separation of duties is place for users who manages encryption keys not have the ability to access encrypted data, and vice versa. - Use managed identity to access keys stored in the Azure Key Vault in your workload applications. - Never have the keys stored in plaintext format outside of the Azure Key Vault. - When purging data, ensure your keys are not deleted before the actual data, backups and archives are purged. - Backup your keys and certificates using the Azure Key Vault. Enable soft delete and purge protection to avoid accidental deletion of keys. - Turn on Azure Key Vault logging to ensure the critical management plane and data plane activities are logged. **Implementation and additional context:** Azure Key Vault overview: https://docs.microsoft.com/azure/key-vault/general/overview Azure Key Vault security best practices: https://docs.microsoft.com/azure/key-vault/general/best-practices Use managed identity to access Azure Key Vault: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad n/a link 6
CIS_Azure_1.1.0 8.4 CIS_Azure_1.1.0_8.4 CIS Microsoft Azure Foundations Benchmark recommendation 8.4 8 Other Security Considerations Ensure the key vault is recoverable Shared The customer is responsible for implementing this recommendation. The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. link 3
CIS_Azure_1.3.0 8.4 CIS_Azure_1.3.0_8.4 CIS Microsoft Azure Foundations Benchmark recommendation 8.4 8 Other Security Considerations Ensure the key vault is recoverable Shared The customer is responsible for implementing this recommendation. The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. link 2
CIS_Azure_1.4.0 8.6 CIS_Azure_1.4.0_8.6 CIS Microsoft Azure Foundations Benchmark recommendation 8.6 8 Other Security Considerations Ensure the key vault is recoverable Shared The customer is responsible for implementing this recommendation. The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. link 2
CIS_Azure_2.0.0 8.5 CIS_Azure_2.0.0_8.5 CIS Microsoft Azure Foundations Benchmark recommendation 8.5 8 Ensure the Key Vault is Recoverable Shared Once purge-protection and soft-delete are enabled for a Key Vault, the action is irreversible. The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects. It is recommended the Key Vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (Keys, Secrets, Certificates) etc. This may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. WARNING: A current limitation of the soft-delete feature across all Azure services is role assignments disappearing when Key Vault is deleted. All role assignments will need to be recreated after recovery. There could be scenarios where users accidentally run delete/purge commands on Key Vault or an attacker/malicious user deliberately does so in order to cause disruption. Deleting or purging a Key Vault leads to immediate data loss, as keys encrypting data and secrets/certificates allowing access/services will become non-accessible. There are 2 Key Vault properties that play a role in permanent unavailability of a Key Vault: 1. `enableSoftDelete`: Setting this parameter to "true" for a Key Vault ensures that even if Key Vault is deleted, Key Vault itself or its objects remain recoverable for the next 90 days. Key Vault/objects can either be recovered or purged (permanent deletion) during those 90 days. If no action is taken, key vault and its objects will subsequently be purged. 2. `enablePurgeProtection`: enableSoftDelete only ensures that Key Vault is not deleted permanently and will be recoverable for 90 days from date of deletion. However, there are scenarios in which the Key Vault and/or its objects are accidentally purged and hence will not be recoverable. Setting enablePurgeProtection to "true" ensures that the Key Vault and its objects cannot be purged. Enabling both the parameters on Key Vaults ensures that Key Vaults and their objects cannot be deleted/purged permanently. link 2
CIS_Controls_v8.1 11.1 CIS_Controls_v8.1_11.1 CIS Controls v8.1 11.1 Data Recovery Establish and maintain a data recovery process Shared 1. Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. 2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. To ensure there is a system in place to recover data. 2
CIS_Controls_v8.1 4.1 CIS_Controls_v8.1_4.1 CIS Controls v8.1 4.1 Secure Configuration of Enterprise Assets and Software Establish and maintain a secure configuration process. Shared 1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). 2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. To ensure data integrity and safety of enterprise assets. 44
CMMC_2.0_L2 MP.L2-3.8.9 CMMC_2.0_L2_MP.L2-3.8.9 404 not found n/a n/a 6
CMMC_L2_v1.9.0 MP.L1_3.8.3 CMMC_L2_v1.9.0_MP.L1_3.8.3 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 MP.L1 3.8.3 Media Protection Media Disposal Shared Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. To ensure that sensitive data is securely handled and preventing unauthorized access or disclosure of sensitive information. 1
CMMC_L3 SC.3.187 CMMC_L3_SC.3.187 CMMC L3 SC.3.187 System and Communications Protection Establish and manage cryptographic keys for cryptography employed in organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. link 8
CSA_v4.0.12 BCR_08 CSA_v4.0.12_BCR_08 CSA Cloud Controls Matrix v4.0.12 BCR 08 Business Continuity Management and Operational Resilience Backup Shared n/a Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency. 7
CSA_v4.0.12 CEK_08 CSA_v4.0.12_CEK_08 CSA Cloud Controls Matrix v4.0.12 CEK 08 Cryptography, Encryption & Key Management CSC Key Management Capability Shared n/a CSPs must provide the capability for CSCs to manage their own data encryption keys. 6
CSA_v4.0.12 CEK_20 CSA_v4.0.12_CEK_20 CSA Cloud Controls Matrix v4.0.12 CEK 20 Cryptography, Encryption & Key Management Key Recovery Shared n/a Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements. 24
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_11 EU_2555_(NIS2)_2022_11 EU 2022/2555 (NIS2) 2022 11 Requirements, technical capabilities and tasks of CSIRTs Shared n/a Outlines the requirements, technical capabilities, and tasks of CSIRTs. 68
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_12 EU_2555_(NIS2)_2022_12 EU 2022/2555 (NIS2) 2022 12 Coordinated vulnerability disclosure and a European vulnerability database Shared n/a Establishes a coordinated vulnerability disclosure process and a European vulnerability database. 66
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 193
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_29 EU_2555_(NIS2)_2022_29 EU 2022/2555 (NIS2) 2022 29 Cybersecurity information-sharing arrangements Shared n/a Allows entities to exchange relevant cybersecurity information on a voluntary basis. 66
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_9 EU_2555_(NIS2)_2022_9 EU 2022/2555 (NIS2) 2022 9 National cyber crisis management frameworks Shared n/a Requires Member States to establish frameworks for managing large-scale cybersecurity incidents and crises. 14
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 310
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 310
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 310
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 310
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .11 FBI_Criminal_Justice_Information_Services_v5.9.5_5.11 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.11 Policy and Implementation - Formal Audits Policy Area 11: Formal Audits Shared Internal compliance checklists should be regularly kept updated with respect to applicable statutes, regulations, policies and on the basis of findings in audit. Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. 64
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .8 FBI_Criminal_Justice_Information_Services_v5.9.5_5.8 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.8 Policy and Implementation - Media Protection Media Protection Shared Ensure proper documentation and implementation of media protection policies and procedure with appropriate security safeguards to avoid issues like data leak. Documented and implemented media protection policies and procedures ensure that access to digital and non-digital media in all forms is restricted to authorized individuals using authorized methods and processes. 1
FedRAMP_High_R4 CP-9 FedRAMP_High_R4_CP-9 FedRAMP High CP-9 Contingency Planning Information System Backup Shared n/a The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations. Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. References: NIST Special Publication 800-34. link 9
FedRAMP_Moderate_R4 CP-9 FedRAMP_Moderate_R4_CP-9 FedRAMP Moderate CP-9 Contingency Planning Information System Backup Shared n/a The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations. Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. References: NIST Special Publication 800-34. link 9
hipaa 1635.12b1Organizational.2-12.b hipaa-1635.12b1Organizational.2-12.b 1635.12b1Organizational.2-12.b 16 Business Continuity & Disaster Recovery 1635.12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management Shared n/a Information security aspects of business continuity are: (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and, (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy. 6
HITRUST_CSF_v11.3 06.c HITRUST_CSF_v11.3_06.c HITRUST CSF v11.3 06.c Compliance with Legal Requirements Prevent loss, destruction and falsification of important records in accordance with statutory, regulatory, contractual, and business requirements. Shared 1. Guidelines are to be issued and implemented by the organization on the ownership, classification, retention, storage, handling, and disposal of all records and information. 2. Accountings of disclosure as organizational records are to be documented and maintained for a pre-defined period. Important records shall be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements. 26
HITRUST_CSF_v11.3 09.l HITRUST_CSF_v11.3_09.l HITRUST CSF v11.3 09.l Information Back-Up Ensure the maintenance, integrity, and availability of organizational information. Shared 1. Restoration procedures are to be tested regularly at appropriate intervals in accordance with an agreed-upon backup policy. 2. Inventory records for the backup copies are to be maintained, and is to include the content of the backup copies, and the current location of the backup copies. 3. Full backups are to be performed weekly to separate media and incremental. 4. Differential backups are to be performed daily to separate media. Back-up copies of information and software shall be taken and tested regularly. 7
HITRUST_CSF_v11.3 10.c HITRUST_CSF_v11.3_10.c HITRUST CSF v11.3 10.c Correct Processing in Applications Incorporate validation checks into applications to detect any corruption of information through processing errors or deliberate acts. Shared Data integrity controls which manage changes, prevent sequencing errors, ensure recovery from failures, and protect against buffer overrun attacks are to be implemented. Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts. 35
ISO_IEC_27002_2022 7.14 ISO_IEC_27002_2022_7.14 ISO IEC 27002 2022 7.14 Protection, Preventive, Control Secure disposal or re-use of equipment Shared Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. To prevent leakage of information from equipment to be disposed or re-used 1
New_Zealand_ISM 23.4.9.C.01 New_Zealand_ISM_23.4.9.C.01 New_Zealand_ISM_23.4.9.C.01 23. Public Cloud Security 23.4.9.C.01 Data protection mechanisms n/a For each cloud service, agencies MUST ensure that the mechanisms used to protect data meet agency requirements. 17
NIST_CSF_v2.0 PR.DS_01 NIST_CSF_v2.0_PR.DS_01 NIST CSF v2.0 PR.DS 01 PROTECT-Data Security The confidentiality, integrity, and availability of data-at-rest are protected. Shared n/a To implement safeguards for managing organization’s cybersecurity risks. 4
NIST_SP_800-171_R2_3 .8.9 NIST_SP_800-171_R2_3.8.9 NIST SP 800-171 R2 3.8.9 Media Protection Protect the confidentiality of backup CUI at storage locations. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information. link 8
NIST_SP_800-171_R3_3 .8.3 NIST_SP_800-171_R3_3.8.3 404 not found n/a n/a 1
NIST_SP_800-171_R3_3 .8.9 NIST_SP_800-171_R3_3.8.9 NIST 800-171 R3 3.8.9 Media Protection Control System Backup – Cryptographic Protection Shared Backup storage locations may include system-level information and user-level information System-level information includes system state information, operating system software, application software, and licenses. User-level information includes information other than system-level information. Hardware-enabled security technologies (e.g., hardware security modules [HSM]) can be used to enhance cryptographic protection for backup information. HSM devices safeguard and manage cryptographic keys and provide cryptographic processing. Cryptographic operations (e.g., encryption, decryption, and signature generation/verification) are typically hosted on the HSM device, and many implementations provide hardware-accelerated mechanisms for cryptographic operations. This requirement is related to 03.13.11. Implement cryptographic mechanisms to prevent the unauthorized disclosure of CUI at backup storage locations. 4
NIST_SP_800-53_R4 CP-9 NIST_SP_800-53_R4_CP-9 NIST SP 800-53 Rev. 4 CP-9 Contingency Planning Information System Backup Shared n/a The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations. Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. References: NIST Special Publication 800-34. link 9
NIST_SP_800-53_R5.1.1 CP.9 NIST_SP_800-53_R5.1.1_CP.9 NIST SP 800-53 R5.1.1 CP.9 Contingency Planning Control System Backup Shared a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protect the confidentiality, integrity, and availability of backup information. System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements. 4
NIST_SP_800-53_R5.1.1 MP.6 NIST_SP_800-53_R5.1.1_MP.6 NIST SP 800-53 R5.1.1 MP.6 Media Protection Control Media Sanitization Shared a. Sanitize [Assignment: organization-defined system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures]; and b. Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information. 1
NIST_SP_800-53_R5.1.1 SI.7.5 NIST_SP_800-53_R5.1.1_SI.7.5 NIST SP 800-53 R5.1.1 SI.7.5 System and Information Integrity Control Software, Firmware, and Information Integrity | Automated Response to Integrity Violations Shared Automatically [Selection (one or more): shut the system down; restart the system; implement [Assignment: organization-defined controls] ] when integrity violations are discovered. Organizations may define different integrity-checking responses by type of information, specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur. 4
NIST_SP_800-53_R5 CP-9 NIST_SP_800-53_R5_CP-9 NIST SP 800-53 Rev. 5 CP-9 Contingency Planning System Backup Shared n/a a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protect the confidentiality, integrity, and availability of backup information. link 9
NZ_ISM_v3.5 CR-2 NZ_ISM_v3.5_CR-2 NZISM Security Benchmark CR-2 Cryptography 17.1.52 Data Recovery Customer n/a It is important for continuity and operational stability that cryptographic products provide a means of data recovery to allow for the recovery of data in circumstances such as where the encryption key is unavailable due to loss, damage or failure. This includes production, storage, backup and virtual systems. This is sometimes described as ???key escrow???. link 2
NZISM_Security_Benchmark_v1.1 CR-2 NZISM_Security_Benchmark_v1.1_CR-2 NZISM Security Benchmark CR-2 Cryptography 17.1.45 Data Recovery Customer Cryptographic products SHOULD provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure. It is important for continuity and operational stability that cryptographic products provide a means of data recovery to allow for the recovery of data in circumstances such as where the encryption key is unavailable due to loss, damage or failure. This includes production, storage, backup and virtual systems. This is sometimes described as “key escrow”. link 2
NZISM_v3.7 12.6.4.C.01. NZISM_v3.7_12.6.4.C.01. NZISM v3.7 12.6.4.C.01. Product Sanitisation and Disposal 12.6.4.C.01. - safeguard classified information and mitigate risks during disposal. Shared n/a Agencies MUST sanitise or destroy, then declassify, IT equipment containing any media before disposal. 1
NZISM_v3.7 12.6.4.C.02. NZISM_v3.7_12.6.4.C.02. NZISM v3.7 12.6.4.C.02. Product Sanitisation and Disposal 12.6.4.C.02. - ensure the protection of sensitive information. Shared n/a IT equipment and associated media that have processed or stored NZEO information, and cannot be sanitised, MUST be returned to New Zealand for sanitisation or destruction, declassification and disposal. 1
NZISM_v3.7 13.1.12.C.03. NZISM_v3.7_13.1.12.C.03. NZISM v3.7 13.1.12.C.03. System Decommissioning 13.1.12.C.03. - ensure continuity and resilience in the event of system failures or data loss. Shared n/a Agencies SHOULD archive essential software, system logic, system documentation and other system data to allow information to be recovered from archive. 1
NZISM_v3.7 13.1.9.C.01. NZISM_v3.7_13.1.9.C.01. NZISM v3.7 13.1.9.C.01. System Decommissioning 13.1.9.C.01. - safeguard sensitive data and minimise security risks during the transition process. Shared n/a When the Information System reaches the end of its service life in an organisation, policy and procedures SHOULD be in place to ensure secure decommissioning and transfer or disposal, in order to satisfy corporate, legal and statutory requirements. 1
NZISM_v3.7 22.1.26.C.01. NZISM_v3.7_22.1.26.C.01. NZISM v3.7 22.1.26.C.01. Cloud Computing 22.1.26.C.01. - ensure safety of data. Shared n/a Agencies MUST develop and implement a backup, recovery and archiving plan and supporting procedures. 11
NZISM_v3.7 5.1.21.C.02. NZISM_v3.7_5.1.21.C.02. NZISM v3.7 5.1.21.C.02. Documentation Fundamentals 5.1.21.C.02. - establish a systematic approach to reviewing information security documentation, Shared n/a Agencies SHOULD ensure that information security documentation is reviewed: 1. At least annually; or 2. In response to significant changes in the environment, business or system; and 3. With the date of the most recent review being recorded on each document. 6
NZISM_v3.7 6.4.6.C.01. NZISM_v3.7_6.4.6.C.01. NZISM v3.7 6.4.6.C.01. Business Continuity and Disaster Recovery 6.4.6.C.01. - enhance operational resilience. Shared n/a Agencies SHOULD: 1.Identify vital records; 2. backup all vital records; 3. store copies of critical information, with associated documented recovery procedures, offsite and secured in accordance with the requirements for the highest 4. 4. classification of the information; and 5. test backup and restoration processes regularly to confirm their effectiveness. 13
NZISM_v3.7 7.3.11.C.01. NZISM_v3.7_7.3.11.C.01. NZISM v3.7 7.3.11.C.01. Managing Information Security Incidents 7.3.11.C.01. - support comprehensive investigations and ensure accountability Shared n/a Agencies SHOULD: 1. transfer a copy of raw audit trails and other relevant data onto media for secure archiving, as well as securing manual log records for retention; and 2. ensure that all personnel involved in the investigation maintain a record of actions undertaken to support the investigation. 8
NZISM_v3.7 7.3.6.C.01. NZISM_v3.7_7.3.6.C.01. NZISM v3.7 7.3.6.C.01. Managing Information Security Incidents 7.3.6.C.01. - enhance incident management and oversight. Shared n/a Agencies SHOULD ensure that all information security incidents are recorded in a register. 8
RBI_CSF_Banks_v2016 21.1 RBI_CSF_Banks_v2016_21.1 Metrics Metrics-21.1 n/a Develop a comprehensive set of metrics that provide for prospective and retrospective measures, like key performance indicators and key risk indicators 15
RBI_ITF_NBFC_v2017 3.1.h RBI_ITF_NBFC_v2017_3.1.h RBI IT Framework 3.1.h Information and Cyber Security Public Key Infrastructure (PKI)-3.1 n/a The IS Policy must provide for a IS framework with the following basic tenets: Public Key Infrastructure (PKI) - NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation. link 31
RMiT_v1.0 10.16 RMiT_v1.0_10.16 RMiT 10.16 Cryptography Cryptography - 10.16 Shared n/a A financial institution must establish a robust and resilient cryptography policy to promote the adoption of strong cryptographic controls for protection of important data and information. This policy, at a minimum, shall address requirements for: (a) the adoption of industry standards for encryption algorithms, message authentication, hash functions, digital signatures and random number generation; (b) the adoption of robust and secure processes in managing cryptographic key lifecycles which include generation, distribution, renewal, usage, storage, recovery, revocation and destruction; (c) the periodic review, at least every three years, of existing cryptographic standards and algorithms in critical systems, external linked or transactional customer-facing applications to prevent exploitation of weakened algorithms or protocols; and (d) the development and testing of compromise-recovery plans in the event of a cryptographic key compromise. This must set out the escalation process, procedures for keys regeneration, interim measures, changes to business-as-usual protocols and containment strategies or options to minimise the impact of a compromise. link 10
RMiT_v1.0 11.15 RMiT_v1.0_11.15 RMiT 11.15 Data Loss Prevention (DLP) Data Loss Prevention (DLP) - 11.15 Shared n/a A financial institution must design internal control procedures and implement appropriate technology in all applications and access points to enforce DLP policies and trigger any policy violations. The technology deployed must cover the following: (a) data in-use - data being processed by IT resources; (b) data in-motion - data being transmitted on the network; and (c) data at-rest - data stored in storage mediums such as servers, backup media and databases. link 14
Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes Oxley Act 2022 1 PUBLIC LAW Sarbanes Oxley Act 2022 (SOX) Shared n/a n/a 92
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 75
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication Facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 218
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities Maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 229
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 213
SWIFT_CSCF_2024 2.1 SWIFT_CSCF_2024_2.1 SWIFT Customer Security Controls Framework 2024 2.1 Risk Management Internal Data Flow Security Shared The protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit. To ensure the confidentiality, integrity, and authenticity of application data flows between ’user’s Swift-related components. 48
SWIFT_CSCF_2024 6.2 SWIFT_CSCF_2024_6.2 SWIFT Customer Security Controls Framework 2024 6.2 Risk Management Software Integrity Shared Software integrity checks provide a detective control against unexpected modification to operational software. To ensure the software integrity of the Swift-related components and act upon results. 16
SWIFT_CSCF_2024 6.3 SWIFT_CSCF_2024_6.3 SWIFT Customer Security Controls Framework 2024 6.3 Risk Management Database Integrity Shared Database integrity checks allow unexpected modification to records stored within the database to be detected. To ensure the integrity of the database records for the Swift messaging interface or the customer connector and act upon results. 16
SWIFT_CSCF_v2021 5.4 SWIFT_CSCF_v2021_5.4 SWIFT CSCF v2021 5.4 Manage Identities and Segregate Privileges Physical and Logical Password Storage n/a Protect physically and logically repository of recorded passwords. link 4
SWIFT_CSCF_v2022 5.4 SWIFT_CSCF_v2022_5.4 SWIFT CSCF v2022 5.4 5. Manage Identities and Segregate Privileges Protect physically and logically the repository of recorded passwords. Shared n/a Recorded passwords are stored in a protected physical or logical location, with access restricted on a need-to-know basis. link 6
U.04.1 - Restore Function U.04.1 - Restore function 404 not found n/a n/a 3
U.04.2 - Restore Function U.04.2 - Restore Function 404 not found n/a n/a 3
U.04.3 - Tested U.04.3 - Tested 404 not found n/a n/a 3
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance Deprecated BuiltIn unknown
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn unknown
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn true
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn unknown
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn unknown
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn true
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
Enforce recommended guardrails for Azure Key Vault Enforce-Guardrails-KeyVault Key Vault GA ALZ
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn true
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn true
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn unknown
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST CSF v2.0 184a0e05-7b06-4a68-bbbe-13b8353bc613 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn true
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn true
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn unknown
Sarbanes Oxley Act 2022 5757cf73-35d1-46d4-8c78-17b7ddd6076a Regulatory Compliance GA BuiltIn unknown
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn true
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn unknown
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2023-03-31 17:44:15 change Minor (2.0.0 > 2.1.0)
2021-06-08 15:17:13 change Major (1.1.1 > 2.0.0)
2020-12-11 15:42:52 change Patch (1.1.0 > 1.1.1)
2020-10-23 13:31:09 change Minor (1.0.0 > 1.1.0)
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC