The following compliance controls are associated with this Policy definition, 'Azure Key Vault should use RBAC permission model' (12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5).
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| Canada_Federal_PBMM_3-1-2020 | IA_5(3) | Canada_Federal_PBMM_3-1-2020_IA_5(3) | Canada Federal PBMM 3-1-2020 IA 5(3) | Authenticator Management | Authenticator Management \| In-Person or Trusted Third-Party Registration | Shared | The organization requires that the registration process to receive be conducted in person before an organization-defined registration authority with authorization by organization-defined personnel or roles. | To enhance security and accountability within the organization's registration procedures. | | 25 |
| CIS_Azure_2.0.0 | 8.6 | CIS_Azure_2.0.0_8.6 | CIS Microsoft Azure Foundations Benchmark recommendation 8.6 | 8 | Enable Role Based Access Control for Azure Key Vault | Shared | Implementation needs to be properly designed from the ground up, as this is a fundamental change to the way key vaults are accessed/managed. Changing permissions to key vaults will result in loss of service as permissions are re-applied. For the least amount of downtime, map your current groups and users to their corresponding permission needs. | WARNING: Role assignments disappear when a Key Vault has been deleted (soft-delete) and recovered. Afterwards it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services. The new RBAC permissions model for Key Vaults enables a much finer grained access control for key vault secrets, keys, certificates, etc., than the vault access policy. This in turn will permit the use of privileged identity management over these roles, thus securing the key vaults with JIT Access management. | link | 1 |
| CIS_Controls_v8.1 | 12.8 | CIS_Controls_v8.1_12.8 | CIS Controls v8.1 12.8 | Network Infrastructure Management | Establish and maintain dedicated computing resources for all administrative work | Shared | 1. Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. 2. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access. | To ensure administrative work is on a different system on which access to data and internet is restricted. | | 22 |
| CIS_Controls_v8.1 | 5.4 | CIS_Controls_v8.1_5.4 | CIS Controls v8.1 5.4 | Account Management | Restrict administrator privileges to dedicated administrator accounts. | Shared | 1. Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 2. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account. | To restrict access to privileged accounts. | | 22 |
| CMMC_L2_v1.9.0 | AC.L1_3.1.2 | CMMC_L2_v1.9.0_AC.L1_3.1.2 | Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L1 3.1.2 | Access Control | Transaction & Function Control | Shared | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | To restrict information system access. | | 3 |
| CSA_v4.0.12 | IAM_06 | CSA_v4.0.12_IAM_06 | CSA Cloud Controls Matrix v4.0.12 IAM 06 | Identity & Access Management | User Access Provisioning | Shared | n/a | Define and implement a user access provisioning process which authorizes, records, and communicates access changes to data and assets. | | 24 |
| CSA_v4.0.12 | IAM_16 | CSA_v4.0.12_IAM_16 | CSA Cloud Controls Matrix v4.0.12 IAM 16 | Identity & Access Management | Authorization Mechanisms | Shared | n/a | Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized. | | 46 |
| Cyber_Essentials_v3.1 | 2 | Cyber_Essentials_v3.1_2 | Cyber Essentials v3.1 2 | Cyber Essentials | Secure Configuration | Shared | n/a | Aim: ensure that computers and network devices are properly configured to reduce vulnerabilities and provide only the services required to fulfill their role. | | 61 |
| Cyber_Essentials_v3.1 | 4 | Cyber_Essentials_v3.1_4 | Cyber Essentials v3.1 4 | Cyber Essentials | User Access Control | Shared | n/a | Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role. | | 74 |
| Cyber_Essentials_v3.1 | 5 | Cyber_Essentials_v3.1_5 | Cyber Essentials v3.1 5 | Cyber Essentials | Malware protection | Shared | n/a | Aim: to restrict execution of known malware and untrusted software from causing damage or accessing data. | | 60 |
| EU_GDPR_2016_679_Art. | 24 | EU_GDPR_2016_679_Art._24 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 | Chapter 4 - Controller and processor | Responsibility of the controller | Shared | n/a | n/a | | 311 |
| EU_GDPR_2016_679_Art. | 25 | EU_GDPR_2016_679_Art._25 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 | Chapter 4 - Controller and processor | Data protection by design and by default | Shared | n/a | n/a | | 311 |
| EU_GDPR_2016_679_Art. | 28 | EU_GDPR_2016_679_Art._28 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 | Chapter 4 - Controller and processor | Processor | Shared | n/a | n/a | | 311 |
| EU_GDPR_2016_679_Art. | 32 | EU_GDPR_2016_679_Art._32 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 | Chapter 4 - Controller and processor | Security of processing | Shared | n/a | n/a | | 311 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 | .5 | FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 | FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 | Policy and Implementation - Access Control | Access Control | Shared | Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. | Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. | | 97 |
| HITRUST_CSF_v11.3 | 01.c | HITRUST_CSF_v11.3_01.c | HITRUST CSF v11.3 01.c | Authorized Access to Information Systems | To control privileged access to information systems and services. | Shared | 1. Privileged role assignments to be automatically tracked and monitored. 2. Role-based access controls to be implemented and should be capable of mapping each user to one or more roles, and each role to one or more system functions. 3. Critical security functions to be executable only after granting of explicit authorization. | The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls. | | 44 |
| ISO_IEC_27002_2022 | 5.15 | ISO_IEC_27002_2022_5.15 | ISO IEC 27002 2022 5.15 | Protection, Preventive Control | Access control | Shared | Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. | To ensure authorized access and to prevent unauthorized access to information and other associated assets. | | 4 |
| ISO_IEC_27002_2022 | 5.18 | ISO_IEC_27002_2022_5.18 | ISO IEC 27002 2022 5.18 | Protection, Preventive Control | Access rights | Shared | Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. | To ensure access to information and other associated assets is defined and authorized according to the business requirements. | | 20 |
| ISO_IEC_27002_2022 | 8.2 | ISO_IEC_27002_2022_8.2 | ISO IEC 27002 2022 8.2 | Protection, Preventive, Control | Privileged access rights | Shared | The allocation and use of privileged access rights should be restricted and managed. | To ensure only authorized users, software components and services are provided with privileged access rights. | | 29 |
| ISO_IEC_27002_2022 | 8.3 | ISO_IEC_27002_2022_8.3 | ISO IEC 27002 2022 8.3 | Protection, Preventive, Control | Information access restriction | Shared | Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. | To ensure only authorized access and to prevent unauthorized access to information and other associated assets. | | 4 |
| New_Zealand_ISM | 17.9.35.C.01 | New_Zealand_ISM_17.9.35.C.01 | New_Zealand_ISM_17.9.35.C.01 | 17. Cryptography | 17.9.35.C.01 Cryptographic system administrator access | | n/a | Before personnel are granted cryptographic system administrator access, agencies MUST ensure the requirements for access are met. For a full list see the control published here https://www.nzism.gcsb.govt.nz/ism-document#SubSection-16122 | | 1 |
| NIST_CSF_v2.0 | PR.AA | NIST_CSF_v2.0_PR.AA | 404 not found | | | | n/a | n/a | | 3 |
| NIST_SP_800-171_R3_3 | .8.2 | NIST_SP_800-171_R3_3.8.2 | 404 not found | | | | n/a | n/a | | 3 |
| NIST_SP_800-53_R5.1.1 | AC.2.1 | NIST_SP_800-53_R5.1.1_AC.2.1 | NIST SP 800-53 R5.1.1 AC.2.1 | Access Control | Account Management \| Automated System Account Management | Shared | Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. | Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications. | | 2 |
| NIST_SP_800-53_R5.1.1 | AC.3.7 | NIST_SP_800-53_R5.1.1_AC.3.7 | NIST SP 800-53 R5.1.1 AC.3.7 | Access Control | Access Enforcement \| Role-based Access Control | Shared | Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. | Role-based access control (RBAC) is an access control policy that enforces access to objects and system functions based on the defined role (i.e., job function) of the subject. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on the systems associated with the organization-defined roles. When users are assigned to specific roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a large number of individuals) but are instead acquired through role assignments. RBAC can also increase privacy and security risk if individuals assigned to a role are given access to information beyond what they need to support organizational missions or business functions. RBAC can be implemented as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3(3) define the scope of the subjects and objects covered by the policy. | | 2 |
| NZISM_v3.7 | 16.3.6.C.01. | NZISM_v3.7_16.3.6.C.01. | NZISM v3.7 16.3.6.C.01. | Privileged User Access | 16.3.6.C.01. - To safeguard sensitive national data. | Shared | n/a | Agencies MUST NOT allow foreign nationals, including seconded foreign nationals, to have privileged access to systems that process, store or communicate NZEO information. | | 2 |
| NZISM_v3.7 | 16.4.32.C.02. | NZISM_v3.7_16.4.32.C.02. | NZISM v3.7 16.4.32.C.02. | Privileged Access Management | 16.4.32.C.02. - To enhance security and reduce the risk of unauthorized access or misuse. | Shared | n/a | Privileged Access credentials MUST NOT be issued until approval has been formally granted. | | 20 |
| NZISM_v3.7 | 2.3.26.C.01. | NZISM_v3.7_2.3.26.C.01. | NZISM v3.7 2.3.26.C.01. | Using Cloud Services | 2.3.26.C.01. - To enhance security measures and minimise trust assumptions in cloud environments. | Shared | n/a | Agencies intending to adopt public cloud technologies or services SHOULD incorporate Zero Trust philosophies and concepts. | | 4 |
| PCI_DSS_v4.0.1 | 7.2.4 | PCI_DSS_v4.0.1_7.2.4 | PCI DSS v4.0.1 7.2.4 | Restrict Access to System Components and Cardholder Data by Business Need to Know | All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: At least once every six months. To ensure user accounts and access remain appropriate based on job function. Any inappropriate access is addressed. Management acknowledges that access remains appropriate. | Shared | n/a | Examine policies and procedures to verify they define processes to review all user accounts and related access privileges, including third-party/vendor accounts, in accordance with all elements specified in this requirement. Interview responsible personnel and examine documented results of periodic reviews of user accounts to verify that all the results are in accordance with all elements specified in this requirement. | | 40 |
| PCI_DSS_v4.0.1 | 7.2.5.1 | PCI_DSS_v4.0.1_7.2.5.1 | PCI DSS v4.0.1 7.2.5.1 | Restrict Access to System Components and Cardholder Data by Business Need to Know | All access by application and system accounts and related access privileges are reviewed as follows: Periodically (at the frequency defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1). The application/system access remains appropriate for the function being performed. Any inappropriate access is addressed. Management acknowledges that access remains appropriate. | Shared | n/a | Examine policies and procedures to verify they define processes to review all application and system accounts and related access privileges in accordance with all elements specified in this requirement. Examine the entity's targeted risk analysis for the frequency of periodic reviews of application and system accounts and related access privileges to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1. Interview responsible personnel and examine documented results of periodic reviews of system and application accounts and related privileges to verify that the reviews occur in accordance with all elements specified in this requirement. | | 39 |
| Sarbanes_Oxley_Act_(1)_2022_1 | Sarbanes_Oxley_Act_(1)_2022_1 | Sarbanes_Oxley_Act_(1)_2022_1 | Sarbanes Oxley Act 2022 1 | PUBLIC LAW | Sarbanes Oxley Act 2022 (SOX) | Shared | n/a | n/a | | 92 |
| SOC_2023 | CC6.2 | SOC_2023_CC6.2 | SOC 2023 CC6.2 | Logical and Physical Access Controls | To ensure effective access control and to ensure the security of the organization's systems and data. | Shared | n/a | 1. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. 2. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. | | 50 |
| SOC_2023 | CC6.3 | SOC_2023_CC6.3 | 404 not found | | | | n/a | n/a | | 56 |
| SWIFT_CSCF_2024 | 1.2 | SWIFT_CSCF_2024_1.2 | SWIFT Customer Security Controls Framework 2024 1.2 | Privileged Account Control | Operating System Privileged Account Control | Shared | Tightly protecting administrator-level accounts within the operating system reduces the opportunity for an attacker to use the privileges of the account as part of an attack (for example, executing commands or deleting evidence). | To restrict and control the allocation and usage of administrator-level operating system accounts. | | 53 |
| SWIFT_CSCF_2024 | 11.2 | SWIFT_CSCF_2024_11.2 | 404 not found | | | | n/a | n/a | | 26 |
| SWIFT_CSCF_2024 | 5.1 | SWIFT_CSCF_2024_5.1 | SWIFT Customer Security Controls Framework 2024 5.1 | Access Control | Logical Access Control | Shared | 1. Applying the security principles of (1) need-to-know, (2) least privilege, and (3) separation of duties is essential to restricting access to the user's Swift infrastructure. 2. Effective management of operator accounts reduces the opportunities for a malicious person to use these accounts as part of an attack. | To enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | | 26 |
| UK_NCSC_CAF_v3.2 | B4.b | UK_NCSC_CAF_v3.2_B4.b | NCSC Cyber Assurance Framework (CAF) v3.2 B4.b | System Security | Secure Configuration | Shared | 1. Identify, document and actively manage (e.g. maintain security configurations, patching, updating according to good practice) the assets that need to be carefully configured to maintain the security of the essential function. 2. All platforms conform to secure, defined baseline build, or the latest known good configuration version for that environment. 3. Closely and effectively manage changes in the environment, ensuring that network and system configurations are secure and documented. 4. Regularly review and validate that your network and information systems have the expected, secure settings and configuration. 5. Only permitted software can be installed and standard users cannot change settings that would impact security or the business operation. 6. If automated decision-making technologies are in use, their operation is well understood, and decisions can be replicated. | Securely configure the network and information systems that support the operation of essential functions. | | 37 |