compliance controls are associated with this Policy definition 'Running container images should have vulnerability findings resolved' (0fc39691-5a3f-4e3e-94ee-2e6447309ad9)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v3.0 |
DS-6 |
Azure_Security_Benchmark_v3.0_DS-6 |
Microsoft cloud security benchmark DS-6 |
DevOps Security |
Enforce security of workload throughout DevOps lifecycle |
Shared |
**Security Principle:**
Ensure the workload is secured throughout the entire lifecycle in development, testing, and deployment stage. Use Azure Security Benchmark to evaluate the controls (such as network security, identity management, privileged access and so on) that can be set as guardrails by default or shift left prior to the deployment stage. In particular, ensure the following controls are in place in your DevOps process:
- Automate the deployment by using Azure or third-party tooling in the CI/CD workflow, infrastructure management (infrastructure as code), and testing to reduce human error and attack surface.
- Ensure VMs, container images and other artifacts are secure from malicious manipulation.
- Scan the workload artifacts (in other words, container images, dependencies, SAST and DAST scans) prior to the deployment in the CI/CD workflow
- Deploy vulnerability assessment and threat detection capability into the production environment and continuously use these capabilities in the run-time.
**Azure Guidance:**
Guidance for Azure VMs:
- Use Azure Shared Image Gallery to share and control access to your images by different users, service principals, or AD groups within your organization. Use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access your custom images.
- Define the secure configuration baselines for the VMs to eliminate unnecessary credentials, permissions, and packages. Through custom images, Azure Resource Manager template, and/or Azure Policy guest configuration to deploy and enforce these the configuration baseline.
Guidance for Azure container services:
- Use Azure Container Registry (ACR) to create your private container registry where a granular access can be restricted through Azure RBAC, so only authorized services and accounts can access the containers in the private registry.
- Use Defender for Azure Container Registry for vulnerability assessment of the images in your private Azure Container Registry. In addition, you can use Microsoft Defender for Cloud to ingrate container images scan as part of your CI/CD workflows.
For Azure serverless services, adopt the similar controls to ensure security controls are shift left to the stage prior to the deployment.
**Implementation and additional context:**
Shared Image Gallery overview:
https://docs.microsoft.com/azure/virtual-machines/windows/shared-image-galleries
How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations
Security considerations for Azure Container:
https://docs.microsoft.com/azure/container-instances/container-instances-image-security
Azure Defender for container registries:
https://docs.microsoft.com/azure/security-center/defender-for-container-registries-introduction |
n/a |
link |
5 |
| Azure_Security_Benchmark_v3.0 |
PV-6 |
Azure_Security_Benchmark_v3.0_PV-6 |
Microsoft cloud security benchmark PV-6 |
Posture and Vulnerability Management |
Rapidly and automatically remediate vulnerabilities |
Shared |
**Security Principle:**
Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources. Use the appropriate risk-based approach to prioritize the remediation of the vulnerabilities. For example, more severe vulnerabilities in a higher value asset should be addressed as a higher priority.
**Azure Guidance:**
Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically.
For third-party software, use a third-party patch management solution or System Center Updates Publisher for Configuration Manager.
Prioritize which updates to deploy first using a common risk scoring program (such as Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool and tailor to your environment. You should also consider which applications present a high security risk and which ones require high uptime.
**Implementation and additional context:**
How to configure Update Management for virtual machines in Azure:
https://docs.microsoft.com/azure/automation/update-management/overview
Manage updates and patches for your Azure VMs:
https://docs.microsoft.com/azure/automation/update-management/manage-updates-for-vm |
n/a |
link |
13 |
| RBI_CSF_Banks_v2016 |
2.3 |
RBI_CSF_Banks_v2016_2.3 |
|
Preventing Execution Of Unauthorised Software |
Security Update Management-2.3 |
|
n/a |
Continuously monitor the release of patches by various vendors / OEMs, advisories issued by CERT-in and other similar agencies and expeditiously apply the security patches as per the patch management policy of the bank. If a patch/series of patches is/are released by the OEM/manufacturer/vendor for protection against wellknown/well publicised/reported attacks exploiting the vulnerability patched, the banks must have a mechanism to apply them expeditiously following an emergency patch management process. |
|
9 |
| RBI_CSF_Banks_v2016 |
6.1 |
RBI_CSF_Banks_v2016_6.1 |
|
Application Security Life Cycle (Aslc) |
Application Security Life Cycle (Aslc)-6.1 |
|
n/a |
Incorporate/Ensure information security across all stages of application life cycle. |
|
3 |
| RBI_CSF_Banks_v2016 |
6.3 |
RBI_CSF_Banks_v2016_6.3 |
|
Application Security Life Cycle (Aslc) |
Application Security Life Cycle (Aslc)-6.3 |
|
n/a |
Secure coding practices may also be implemented for internally /collaboratively
developed applications. |
|
3 |
| RBI_CSF_Banks_v2016 |
6.6 |
RBI_CSF_Banks_v2016_6.6 |
|
Application Security Life Cycle (Aslc) |
Application Security Life Cycle (Aslc)-6.6 |
|
n/a |
Software/Application development approach should be based on threat
modelling, incorporate secure coding principles and security testing based on global
standards and secure rollout |
|
3 |
| RBI_CSF_Banks_v2016 |
6.7 |
RBI_CSF_Banks_v2016_6.7 |
|
Application Security Life Cycle (Aslc) |
Application Security Life Cycle (Aslc)-6.7 |
|
n/a |
Ensure that software/application development practices addresses the
vulnerabilities based on best practices baselines such as Open Web Application
Security Project (OWASP) proactively and adopt principle of defence-in-depth to
provide layered security mechanism. |
|
6 |
| RBI_CSF_Banks_v2016 |
7.1 |
RBI_CSF_Banks_v2016_7.1 |
|
Patch/Vulnerability & Change Management |
Patch/Vulnerability & Change Management-7.1 |
|
n/a |
Follow a documented risk-based strategy for inventorying IT components that
need to be patched, identification of patches and applying patches so as to minimize
the number of vulnerable systems and the time window of vulnerability/exposure. |
|
12 |
| RBI_CSF_Banks_v2016 |
7.2 |
RBI_CSF_Banks_v2016_7.2 |
|
Patch/Vulnerability & Change Management |
Patch/Vulnerability & Change Management-7.2 |
|
n/a |
Put in place systems and processes to identify, track, manage and monitor the
status of patches to operating system and application software running at end-user
devices directly connected to the internet and in respect of Server operating
Systems/Databases/Applications/ Middleware, etc. |
|
12 |
| RBI_CSF_Banks_v2016 |
7.6 |
RBI_CSF_Banks_v2016_7.6 |
|
Patch/Vulnerability & Change Management |
Patch/Vulnerability & Change Management-7.6 |
|
n/a |
As a threat mitigation strategy, identify the root cause of incident and apply
necessary patches to plug the vulnerabilities. |
|
21 |
| RBI_ITF_NBFC_v2017 |
3.3 |
RBI_ITF_NBFC_v2017_3.3 |
RBI IT Framework 3.3 |
Information and Cyber Security |
Vulnerability Management-3.3 |
|
n/a |
A vulnerability can be defined as an inherent configuration flaw in an organization???s information technology base, whether hardware or software, which can be exploited by a third party to gather sensitive information regarding the organization. Vulnerability management is an ongoing process to determine the process of eliminating or mitigating vulnerabilities based upon the risk and cost associated with the vulnerabilities. NBFCs may devise a strategy for managing and eliminating vulnerabilities and such strategy may clearly be communicated in the Cyber Security policy |
link |
14 |
|
U.09.3 - Detection, prevention and recovery |
U.09.3 - Detection, prevention and recovery |
404 not found |
|
|
|
n/a |
n/a |
|
32 |