| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v1.0 |
6.9 |
Azure_Security_Benchmark_v1.0_6.9 |
Azure Security Benchmark 6.9 |
Inventory and Asset Management |
Use only approved Azure services |
Customer |
Use Azure Policy to restrict which services you can provision in your environment.
How to configure and manage Azure Policy:
https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
How to deny a specific resource type with Azure Policy:
https://docs.microsoft.com/azure/governance/policy/samples/not-allowed-resource-types |
n/a |
link |
2 |
| Azure_Security_Benchmark_v2.0 |
AM-3 |
Azure_Security_Benchmark_v2.0_AM-3 |
Azure Security Benchmark AM-3 |
Asset Management |
Use only approved Azure services |
Customer |
Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within their subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected.
Configure and manage Azure Policy: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
How to deny a specific resource type with Azure Policy: https://docs.microsoft.com/azure/governance/policy/samples/not-allowed-resource-types
How to create queries with Azure Resource Graph Explorer: https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal |
n/a |
link |
2 |
| Azure_Security_Benchmark_v3.0 |
AM-2 |
Azure_Security_Benchmark_v3.0_AM-2 |
Azure Security Benchmark AM-2 |
Asset Management |
Use only approved services
|
Shared |
**Security Principle:**
Ensure that only approved cloud services can be used, by auditing and restricting which services users can provision in the environment.
**Azure Guidance:**
Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within their subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected.
**Implementation and additional context:**
Configure and manage Azure Policy:
https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
How to deny a specific resource type with Azure Policy:
https://docs.microsoft.com/azure/governance/policy/samples/not-allowed-resource-types
How to create queries with Azure Resource Graph Explorer:
https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal |
n/a |
link |
2 |
| CMMC_2.0_L2 |
AC.L1-3.1.1 |
CMMC_2.0_L2_AC.L1-3.1.1 |
404 not found |
|
|
|
n/a |
n/a |
|
57 |
| CMMC_2.0_L2 |
AC.L1-3.1.2 |
CMMC_2.0_L2_AC.L1-3.1.2 |
404 not found |
|
|
|
n/a |
n/a |
|
19 |
| FedRAMP_High_R4 |
AC-3 |
FedRAMP_High_R4_AC-3 |
FedRAMP High AC-3 |
Access Control |
Access Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3.
References: None. |
link |
21 |
| FedRAMP_Moderate_R4 |
AC-3 |
FedRAMP_Moderate_R4_AC-3 |
FedRAMP Moderate AC-3 |
Access Control |
Access Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3.
References: None. |
link |
21 |
| hipaa |
0835.09n1Organizational.1-09.n |
hipaa-0835.09n1Organizational.1-09.n |
0835.09n1Organizational.1-09.n |
08 Network Protection |
0835.09n1Organizational.1-09.n 09.06 Network Security Management |
Shared |
n/a |
Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely. |
|
7 |
| ISO27001-2013 |
A.9.1.2 |
ISO27001-2013_A.9.1.2 |
ISO 27001:2013 A.9.1.2 |
Access Control |
Access to networks and network services |
Shared |
n/a |
Users shall only be provided with access to the network and network services that they have been specifically authorized to use. |
link |
29 |
| NIST_SP_800-171_R2_3 |
.1.1 |
NIST_SP_800-171_R2_3.1.1 |
NIST SP 800-171 R2 3.1.1 |
Access Control |
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2. |
link |
55 |
| NIST_SP_800-171_R2_3 |
.1.2 |
NIST_SP_800-171_R2_3.1.2 |
NIST SP 800-171 R2 3.1.2 |
Access Control |
Limit system access to the types of transactions and functions that authorized users are permitted to execute. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). |
link |
31 |
| NIST_SP_800-53_R4 |
AC-3 |
NIST_SP_800-53_R4_AC-3 |
NIST SP 800-53 Rev. 4 AC-3 |
Access Control |
Access Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3.
References: None. |
link |
21 |
| NIST_SP_800-53_R5 |
AC-3 |
NIST_SP_800-53_R5_AC-3 |
NIST SP 800-53 Rev. 5 AC-3 |
Access Control |
Access Enforcement |
Shared |
n/a |
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
link |
21 |
| PCI_DSS_V3.2.1 |
10.3 |
PCI_DSS_V3.2.1_10.3 |
404 not found |
|
|
|
n/a |
n/a |
|
4 |
| PCI_DSS_V3.2.1 |
10.5.4 |
PCI_DSS_v3.2.1_10.5.4 |
PCI DSS v3.2.1 10.5.4 |
Requirement 10 |
PCI DSS requirement 10.5.4 |
shared |
n/a |
n/a |
link |
4 |
| PCI_DSS_v4.0 |
10.2.2 |
PCI_DSS_v4.0_10.2.2 |
PCI DSS v4.0 10.2.2 |
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data |
Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events |
Shared |
n/a |
Audit logs record the following details for each auditable event:
• User identification.
• Type of event.
• Date and time.
• Success and failure indication.
• Origination of event.
• Identity or name of affected data, system component, resource, or service (for example, name and protocol). |
link |
5 |
| PCI_DSS_v4.0 |
10.3.3 |
PCI_DSS_v4.0_10.3.3 |
PCI DSS v4.0 10.3.3 |
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data |
Audit logs are protected from destruction and unauthorized modifications |
Shared |
n/a |
Audit log files, including those for externalfacing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify. |
link |
5 |
| RBI_CSF_Banks_v2016 |
13.1 |
RBI_CSF_Banks_v2016_13.1 |
|
Advanced Real-Timethreat Defenceand Management |
Advanced Real-Timethreat Defenceand Management-13.1 |
|
n/a |
Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise. |
|
27 |
| RMiT_v1.0 |
10.27 |
RMiT_v1.0_10.27 |
RMiT 10.27 |
Datacenter Operations |
Datacenter Operations - 10.27 |
Shared |
n/a |
A financial institution must establish real-time monitoring mechanisms to track capacity utilisation and performance of key processes and services. These monitoring mechanisms shall be capable of providing timely and actionable alerts to administrators. |
link |
2 |
| UK_NCSC_CSP |
10 |
UK_NCSC_CSP_10 |
UK NCSC CSP 10 |
Identity and authentication |
Identity and authentication |
Shared |
n/a |
All access to service interfaces should be constrained to authenticated and authorised individuals. |
link |
25 |