last sync: 2024-Dec-06 18:53:17 UTC

Transparent Data Encryption on SQL databases should be enabled

Azure BuiltIn Policy definition

Source Azure Portal
Display name Transparent Data Encryption on SQL databases should be enabled
Id 17k78e20-9358-41c9-923c-fb736d382a12
Version 2.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
2.0.0
Built-in Versioning [Preview]
Category SQL
Microsoft Learn
Description Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (2)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Sql/servers/databases/transparentDataEncryption/state Microsoft.Sql servers/databases/transparentDataEncryption properties.state True True
Microsoft.Sql/transparentDataEncryption.status Microsoft.Sql servers/databases/transparentDataEncryption properties.status True False
Rule resource types IF (1)
Microsoft.Sql/servers/databases
Compliance
The following 54 compliance controls are associated with this Policy definition 'Transparent Data Encryption on SQL databases should be enabled' (17k78e20-9358-41c9-923c-fb736d382a12)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
AU_ISM 1425 AU_ISM_1425 AU ISM 1425 Guidelines for Database Systems - Database servers Protecting database server contents - 1425 n/a Hard disks of database servers are encrypted using full disk encryption. link 1
Azure_Security_Benchmark_v1.0 4.8 Azure_Security_Benchmark_v1.0_4.8 Azure Security Benchmark 4.8 Data Protection Encrypt sensitive information at rest Customer Use encryption at rest on all Azure resources. Microsoft recommends allowing Azure to manage your encryption keys, however there is the option for you to manage your own keys in some instances. Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest How to configure customer managed encryption keys: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal n/a link 7
Azure_Security_Benchmark_v2.0 DP-2 Azure_Security_Benchmark_v2.0_DP-2 Azure Security Benchmark DP-2 Data Protection Protect sensitive data Shared Protect sensitive data by restricting access using Azure Role Based Access Control (Azure RBAC), network-based access controls, and specific controls in Azure services (such as encryption in SQL and other databases). To ensure consistent access control, all types of access control should be aligned to your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems. For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented some default data protection controls and capabilities. Azure Role Based Access Control (RBAC): https://docs.microsoft.com/azure/role-based-access-control/overview Understand customer data protection in Azure: https://docs.microsoft.com/azure/security/fundamentals/protection-customer-data n/a link 6
Azure_Security_Benchmark_v2.0 DP-5 Azure_Security_Benchmark_v2.0_DP-5 Azure Security Benchmark DP-5 Data Protection Encrypt sensitive data at rest Shared To complement access controls, data at rest should be protected against ‘out of band’ attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data. Azure provides encryption for data at rest by default. For highly sensitive data, you have options to implement additional encryption at rest on all Azure resources where available. Azure manages your encryption keys by default, but Azure provides options to manage your own keys (customer managed keys) for certain Azure services. Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services How to configure customer managed encryption keys: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal Encryption model and key management table: https://docs.microsoft.com/azure/security/fundamentals/encryption-models Data at rest double encryption in Azure: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-at-rest n/a link 13
Azure_Security_Benchmark_v3.0 DP-4 Azure_Security_Benchmark_v3.0_DP-4 Microsoft cloud security benchmark DP-4 Data Protection Enable data at rest encryption by default Shared **Security Principle:** To complement access controls, data at rest should be protected against 'out of band' attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data. **Azure Guidance:** Many Azure services have data at rest encryption enabled by default at the infrastructure layer using a service-managed key. Where technically feasible and not enabled by default, you can enable data at rest encryption in the Azure services, or in your VMs for storage level, file level, or database level encryption. **Implementation and additional context:** Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services Data at rest double encryption in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-models Encryption model and key management table: https://docs.microsoft.com/azure/security/fundamentals/encryption-models n/a link 8
CCCS SC-28 CCCS_SC-28 CCCS SC-28 System and Communications Protection Protection of Information at Rest n/a (A) The information system protects the confidentiality and integrity ofall information not cleared for public release and all data with a higher than low integrity requirement. link 3
CIS_Azure_1.1.0 2.15 CIS_Azure_1.1.0_2.15 CIS Microsoft Azure Foundations Benchmark recommendation 2.15 2 Security Center Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable SQL encryption recommendations. link 5
CIS_Azure_1.1.0 4.9 CIS_Azure_1.1.0_4.9 CIS Microsoft Azure Foundations Benchmark recommendation 4.9 4 Database Services Ensure that 'Data encryption' is set to 'On' on a SQL Database Shared The customer is responsible for implementing this recommendation. Enable Transparent Data Encryption on every SQL server. link 5
CIS_Azure_1.3.0 4.1.2 CIS_Azure_1.3.0_4.1.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 4 Database Services Ensure that 'Data encryption' is set to 'On' on a SQL Database Shared The customer is responsible for implementing this recommendation. Enable Transparent Data Encryption on every SQL server. link 5
CIS_Azure_1.4.0 4.1.2 CIS_Azure_1.4.0_4.1.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 4 Database Services Ensure that 'Data encryption' is set to 'On' on a SQL Database Shared The customer is responsible for implementing this recommendation. Enable Transparent Data Encryption on every SQL server. link 5
CIS_Azure_2.0.0 4.1.5 CIS_Azure_2.0.0_4.1.5 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.5 4.1 Ensure that 'Data encryption' is set to 'On' on a SQL Database Shared n/a Enable Transparent Data Encryption on every SQL server. Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. link 5
CMMC_2.0_L2 SC.L2-3.13.16 CMMC_2.0_L2_SC.L2-3.13.16 404 not found n/a n/a 14
CMMC_L3 SC.3.177 CMMC_L3_SC.3.177 CMMC L3 SC.3.177 System and Communications Protection Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Shared Microsoft and the customer share responsibilities for implementing this requirement. Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPSvalidated cryptography and/or NSA-approved cryptography. link 25
CMMC_L3 SC.3.191 CMMC_L3_SC.3.191 CMMC L3 SC.3.191 System and Communications Protection Protect the confidentiality of CUI at rest. Shared Microsoft and the customer share responsibilities for implementing this requirement. Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. link 13
FedRAMP_High_R4 SC-28 FedRAMP_High_R4_SC-28 FedRAMP High SC-28 System And Communications Protection Protection Of Information At Rest Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. Supplemental Guidance: This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7. References: NIST Special Publications 800-56, 800-57, 800-111. link 16
FedRAMP_High_R4 SC-28(1) FedRAMP_High_R4_SC-28(1) FedRAMP High SC-28 (1) System And Communications Protection Cryptographic Protection Shared n/a The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. link 16
FedRAMP_Moderate_R4 SC-28 FedRAMP_Moderate_R4_SC-28 FedRAMP Moderate SC-28 System And Communications Protection Protection Of Information At Rest Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. Supplemental Guidance: This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7. References: NIST Special Publications 800-56, 800-57, 800-111. link 16
FedRAMP_Moderate_R4 SC-28(1) FedRAMP_Moderate_R4_SC-28(1) FedRAMP Moderate SC-28 (1) System And Communications Protection Cryptographic Protection Shared n/a The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. link 16
hipaa 0301.09o1Organizational.123-09.o hipaa-0301.09o1Organizational.123-09.o 0301.09o1Organizational.123-09.o 03 Portable Media Security 0301.09o1Organizational.123-09.o 09.07 Media Handling Shared n/a The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media are used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized. 14
IRS_1075_9.3 .16.15 IRS_1075_9.3.16.15 IRS 1075 9.3.16.15 System and Communications Protection Protection of Information at Rest (SC-28) n/a The information system must protect the confidentiality and integrity of FTI at rest. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. Agencies may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms, file share scanning, and integrity protection. Agencies may also employ other security controls, including, for example, secure offline storage in lieu of online storage, when adequate protection of information at rest cannot otherwise be achieved or when continuously monitoring to identify malicious code at rest. The confidentiality and integrity of information at rest shall be protected when located on a secondary (non-mobile) storage device (e.g., disk drive, tape drive) with cryptography mechanisms FTI stored on deployed user workstations, in non-volatile storage, shall be encrypted with FIPS-validated or National Security Agency (NSA)-approved encryption during storage (regardless of location) except when no approved encryption technology solution is available that addresses the specific technology. Mobile devices do require encryption at rest (see Section 9.3.1.14, Access Control for Mobile Devices (AC-19), and Section 9.4.8, Mobile Devices). link 3
ISO27001-2013 A.10.1.1 ISO27001-2013_A.10.1.1 ISO 27001:2013 A.10.1.1 Cryptography Policy on the use of cryptographic controls Shared n/a A policy on the use of cryptographic controls for protection of information shall be developed and implemented. link 17
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity 404 not found n/a n/a 62
New_Zealand_ISM 23.4.9.C.01 New_Zealand_ISM_23.4.9.C.01 New_Zealand_ISM_23.4.9.C.01 23. Public Cloud Security 23.4.9.C.01 Data protection mechanisms n/a For each cloud service, agencies MUST ensure that the mechanisms used to protect data meet agency requirements. 17
NIST_SP_800-171_R2_3 .13.16 NIST_SP_800-171_R2_3.13.16 NIST SP 800-171 R2 3.13.16 System and Communications Protection Protect the confidentiality of CUI at rest. Shared Microsoft and the customer share responsibilities for implementing this requirement. Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. See [NIST CRYPTO]. link 18
NIST_SP_800-53_R4 SC-28 NIST_SP_800-53_R4_SC-28 NIST SP 800-53 Rev. 4 SC-28 System And Communications Protection Protection Of Information At Rest Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. Supplemental Guidance: This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7. References: NIST Special Publications 800-56, 800-57, 800-111. link 16
NIST_SP_800-53_R4 SC-28(1) NIST_SP_800-53_R4_SC-28(1) NIST SP 800-53 Rev. 4 SC-28 (1) System And Communications Protection Cryptographic Protection Shared n/a The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. link 16
NIST_SP_800-53_R5 SC-28 NIST_SP_800-53_R5_SC-28 NIST SP 800-53 Rev. 5 SC-28 System and Communications Protection Protection of Information at Rest Shared n/a Protect the [Selection (OneOrMore): confidentiality;integrity] of the following information at rest: [Assignment: organization-defined information at rest]. link 16
NIST_SP_800-53_R5 SC-28(1) NIST_SP_800-53_R5_SC-28(1) NIST SP 800-53 Rev. 5 SC-28 (1) System and Communications Protection Cryptographic Protection Shared n/a Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]. link 16
NL_BIO_Cloud_Theme U.05.2(2) NL_BIO_Cloud_Theme_U.05.2(2) NL_BIO_Cloud_Theme_U.05.2(2) U.05 Data protection Cryptographic measures n/a Data stored in the cloud service shall be protected to the latest state of the art with encryption and with a key length sufficient at least for the purpose, whereby the key management is not purchased as a cloud service if possible and is carried out by the CSC itself. 52
NL_BIO_Cloud_Theme U.07.3(2) NL_BIO_Cloud_Theme_U.07.3(2) NL_BIO_Cloud_Theme_U.07.3(2) U.07 Data separation Management features n/a Isolation of CSC data is ensured by separating it at least logically from the data of other CSCs under all operating conditions. 19
NL_BIO_Cloud_Theme U.11.1(2) NL_BIO_Cloud_Theme_U.11.1(2) NL_BIO_Cloud_Theme_U.11.1(2) U.11 Cryptoservices Policy n/a The cryptography policy includes at least the following topics: when cryptography is used; who is responsible for the implementation of cryptology; who is responsible for key management; which standards serve as a basis for cryptography and the way in which the standards of the Standardisation Forum are applied; the way in which the level of protection is determined; in the case of communication between organizations, the policy is determined among themselves. 18
NL_BIO_Cloud_Theme U.11.2(2) NL_BIO_Cloud_Theme_U.11.2(2) NL_BIO_Cloud_Theme_U.11.2(2) U.11 Cryptoservices Cryptographic measures n/a In the case of PKIoverheid certificates: apply the PKIoverheid requirements with regard to key management. In other situations: use the ISO 11770 standard for managing cryptographic keys. 18
NL_BIO_Cloud_Theme U.11.3(2) NL_BIO_Cloud_Theme_U.11.3(2) NL_BIO_Cloud_Theme_U.11.3(2) U.11 Cryptoservices Encrypted n/a Sensitive data (on transport and at rest) is always encrypted, with private keys managed by the CSC. The use of a private key by the CSP is based on a controlled procedure and must be jointly agreed with the CSC organisation. 52
NZ_ISM_v3.5 CR-3 NZ_ISM_v3.5_CR-3 NZISM Security Benchmark CR-3 Cryptography 17.1.53 Reducing storage and physical transfer requirements Customer n/a When encryption is applied to media or media residing within IT equipment it provides an additional layer of defence. Whilst such measures do not reduce or alter the classification of the information itself, physical storage, handling and transfer requirements may be reduced to those of a lesser classification for the media or equipment (but not the data itself). link 12
NZISM_Security_Benchmark_v1.1 CR-3 NZISM_Security_Benchmark_v1.1_CR-3 NZISM Security Benchmark CR-3 Cryptography 17.1.46 Reducing storage and physical transfer requirements Customer If an agency wishes to use encryption to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they SHOULD use: full disk encryption; or partial disk encryption where the access control will only allow writing to the encrypted partition holding the classified information. When encryption is applied to media or media residing within IT equipment it provides an additional layer of defence. Whilst such measures do not reduce or alter the classification of the information itself, physical storage, handling and transfer requirements may be reduced to those of a lesser classification for the media or equipment (but not the data itself). link 11
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
PCI_DSS_V3.2.1 3.4 PCI_DSS_v3.2.1_3.4 PCI DSS v3.2.1 3.4 Requirement 3 PCI DSS requirement 3.4 customer n/a n/a link 7
PCI_DSS_V3.2.1 4.1 PCI_DSS_v3.2.1_4.1 PCI DSS v3.2.1 4.1 Requirement 4 PCI DSS requirement 4.1 customer n/a n/a link 7
PCI_DSS_V3.2.1 6.5.3 PCI_DSS_v3.2.1_6.5.3 PCI DSS v3.2.1 6.5.3 Requirement 6 PCI DSS requirement 6.5.3 shared n/a n/a link 7
PCI_DSS_v4.0 3.5.1 PCI_DSS_v4.0_3.5.1 PCI DSS v4.0 3.5.1 Requirement 03: Protect Stored Account Data Primary account number (PAN) is secured wherever it is stored Shared n/a PAN is rendered unreadable anywhere it is stored by using any of the following approaches: • One-way hashes based on strong cryptography of the entire PAN. • Truncation (hashing cannot be used to replace the truncated segment of PAN). – If hashed and truncated versions of the same PAN, or different truncation formats of the same PAN, are present in an environment, additional controls are in place such that the different versions cannot be correlated to reconstruct the original PAN. • Index tokens. • Strong cryptography with associated keymanagement processes and procedures. link 11
PCI_DSS_v4.0 6.2.4 PCI_DSS_v4.0_6.2.4 PCI DSS v4.0 6.2.4 Requirement 06: Develop and Maintain Secure Systems and Software Bespoke and custom software are developed securely Shared n/a Software engineering techniques or other methods are defined and in use for bespoke and custom software by software development personnel to prevent or mitigate common software attacks and related vulnerabilities, including but not limited to the following: • Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws. • Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data. • Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, or modes of operation. • Attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, clientside functionality, or other system/application functions and resources. This includes cross-site scripting (XSS) and cross-site request forgery (CSRF). • Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms. • Attacks via any “high-risk” vulnerabilities identified in the vulnerability identification process, as defined in Requirement 6.3.1. link 7
RBI_CSF_Banks_v2016 13.4 RBI_CSF_Banks_v2016_13.4 Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.4 n/a Consider implementingsecure web gateways with capability to deep scan network packets including secure (HTTPS, etc.) traffic passing through the web/internet gateway 41
RBI_ITF_NBFC_v2017 3.1.h RBI_ITF_NBFC_v2017_3.1.h RBI IT Framework 3.1.h Information and Cyber Security Public Key Infrastructure (PKI)-3.1 n/a The IS Policy must provide for a IS framework with the following basic tenets: Public Key Infrastructure (PKI) - NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation. link 31
RMiT_v1.0 10.16 RMiT_v1.0_10.16 RMiT 10.16 Cryptography Cryptography - 10.16 Shared n/a A financial institution must establish a robust and resilient cryptography policy to promote the adoption of strong cryptographic controls for protection of important data and information. This policy, at a minimum, shall address requirements for: (a) the adoption of industry standards for encryption algorithms, message authentication, hash functions, digital signatures and random number generation; (b) the adoption of robust and secure processes in managing cryptographic key lifecycles which include generation, distribution, renewal, usage, storage, recovery, revocation and destruction; (c) the periodic review, at least every three years, of existing cryptographic standards and algorithms in critical systems, external linked or transactional customer-facing applications to prevent exploitation of weakened algorithms or protocols; and (d) the development and testing of compromise-recovery plans in the event of a cryptographic key compromise. This must set out the escalation process, procedures for keys regeneration, interim measures, changes to business-as-usual protocols and containment strategies or options to minimise the impact of a compromise. link 10
RMiT_v1.0 11.15 RMiT_v1.0_11.15 RMiT 11.15 Data Loss Prevention (DLP) Data Loss Prevention (DLP) - 11.15 Shared n/a A financial institution must design internal control procedures and implement appropriate technology in all applications and access points to enforce DLP policies and trigger any policy violations. The technology deployed must cover the following: (a) data in-use - data being processed by IT resources; (b) data in-motion - data being transmitted on the network; and (c) data at-rest - data stored in storage mediums such as servers, backup media and databases. link 14
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 78
SWIFT_CSCF_v2021 2.5A SWIFT_CSCF_v2021_2.5A SWIFT CSCF v2021 2.5A Reduce Attack Surface and Vulnerabilities External Transmission Data Protection n/a Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. link 11
SWIFT_CSCF_v2021 6.3 SWIFT_CSCF_v2021_6.3 SWIFT CSCF v2021 6.3 Detect Anomalous Activity to Systems or Transaction Records Database Integrity n/a Ensure the integrity of the database records for the SWIFT messaging interface and act upon results link 12
U.05.2 - Cryptographic measures U.05.2 - Cryptographic measures 404 not found n/a n/a 51
U.07.3 - Management features U.07.3 - Management features 404 not found n/a n/a 19
U.11.1 - Policy U.11.1 - Policy 404 not found n/a n/a 18
U.11.2 - Cryptographic measures U.11.2 - Cryptographic measures 404 not found n/a n/a 18
U.11.3 - Encrypted U.11.3 - Encrypted 404 not found n/a n/a 51
UK_NCSC_CSP 2.3 UK_NCSC_CSP_2.3 UK NCSC CSP 2.3 Asset protection and resilience Data at rest protection Shared n/a To ensure data is not available to unauthorised parties with physical access to infrastructure, user data held within the service should be protected regardless of the storage media on which it’s held. Without appropriate measures in place, data may be inadvertently disclosed on discarded, lost or stolen media. link 3
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn
[Deprecated]: New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance Deprecated BuiltIn
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077 Regulatory Compliance Preview BuiltIn
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn
[Preview]: Control the use of Microsoft SQL in a Virtual Enclave 0fbe78a5-1722-4f1b-83a5-89c14151fa60 VirtualEnclaves Preview BuiltIn
[Preview]: Motion Picture Association of America (MPAA) 92646f03-e39d-47a9-9e24-58d60ef49af8 Regulatory Compliance Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2020 3e0c67fc-8c7c-406c-89bd-6b6bdc986a22 Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn
Canada Federal PBMM 4c4a5f27-de81-430b-b4e5-9cbd50595a87 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
IRS1075 September 2016 105e0327-6175-4eb2-9af4-1fba43bdb39d Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
PCI v3.2.1:2018 496eeda9-8f2f-4d5e-8dfd-204f0a92ed41 Regulatory Compliance GA BuiltIn
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
UK OFFICIAL and UK NHS 3937f550-eedd-4639-9c5e-294358be442e Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-07-16 14:58:38 change Major (1.0.0 > 2.0.0)
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC