compliance controls are associated with this Policy definition 'Azure API Management platform version should be stv2' (1dc2fc00-2245-4143-99f4-874c937f13ef)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v3.0 |
AM-2 |
Azure_Security_Benchmark_v3.0_AM-2 |
Microsoft cloud security benchmark AM-2 |
Asset Management |
Use only approved services
|
Shared |
**Security Principle:**
Ensure that only approved cloud services can be used, by auditing and restricting which services users can provision in the environment.
**Azure Guidance:**
Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within their subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected.
**Implementation and additional context:**
Configure and manage Azure Policy:
https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
How to deny a specific resource type with Azure Policy:
https://docs.microsoft.com/azure/governance/policy/samples/not-allowed-resource-types
How to create queries with Azure Resource Graph Explorer:
https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal |
n/a |
link |
3 |
| Azure_Security_Benchmark_v3.0 |
PV-2 |
Azure_Security_Benchmark_v3.0_PV-2 |
Microsoft cloud security benchmark PV-2 |
Posture and Vulnerability Management |
Audit and enforce secure configurations |
Shared |
**Security Principle:**
Continuously monitor and alert when there is a deviation from the defined configuration baseline. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploy a configuration.
**Azure Guidance:**
Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources.
Use Azure Policy [deny] and [deploy if not exist] rule to enforce secure configuration across Azure resources.
For resource configuration audit and enforcement not supported by Azure Policy, you may need to write your own scripts or use third-party tooling to implement the configuration audit and enforcement.
**Implementation and additional context:**
Understand Azure Policy effects:
https://docs.microsoft.com/azure/governance/policy/concepts/effects
Create and manage policies to enforce compliance:
https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
Get compliance data of Azure resources:
https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data |
n/a |
link |
27 |
|
C.04.7 - Evaluated |
C.04.7 - Evaluated |
404 not found |
|
|
|
n/a |
n/a |
|
55 |
| CMMC_L2_v1.9.0 |
CM.L2_3.4.1 |
CMMC_L2_v1.9.0_CM.L2_3.4.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.1 |
Configuration Management |
System Baselining |
Shared |
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. |
To ensure consistency, security, and compliance with organizational standards and requirements. |
|
16 |
| CMMC_L2_v1.9.0 |
CM.L2_3.4.2 |
CMMC_L2_v1.9.0_CM.L2_3.4.2 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.2 |
Configuration Management |
Security Configuration Enforcement |
Shared |
Establish and enforce security configuration settings for information technology products employed in organizational systems. |
To mitigate vulnerabilities and enhance overall security posture. |
|
10 |
| CMMC_L2_v1.9.0 |
CM.L2_3.4.6 |
CMMC_L2_v1.9.0_CM.L2_3.4.6 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.6 |
Configuration Management |
Least Functionality |
Shared |
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. |
To reduce the risk of unauthorized access or exploitation of system vulnerabilities. |
|
10 |
| CSA_v4.0.12 |
AIS_02 |
CSA_v4.0.12_AIS_02 |
CSA Cloud Controls Matrix v4.0.12 AIS 02 |
Application & Interface Security |
Application Security Baseline Requirements |
Shared |
n/a |
Establish, document and maintain baseline requirements for securing
different applications. |
|
10 |
| CSA_v4.0.12 |
CCC_02 |
CSA_v4.0.12_CCC_02 |
CSA Cloud Controls Matrix v4.0.12 CCC 02 |
Change Control and Configuration Management |
Quality Testing |
Shared |
n/a |
Follow a defined quality change control, approval and testing process
with established baselines, testing, and release standards. |
|
11 |
| CSA_v4.0.12 |
CCC_03 |
CSA_v4.0.12_CCC_03 |
CSA Cloud Controls Matrix v4.0.12 CCC 03 |
Change Control and Configuration Management |
Change Management Technology |
Shared |
n/a |
Manage the risks associated with applying changes to organization
assets, including application, systems, infrastructure, configuration, etc.,
regardless of whether the assets are managed internally or externally (i.e.,
outsourced). |
|
30 |
| CSA_v4.0.12 |
UEM_03 |
CSA_v4.0.12_UEM_03 |
CSA Cloud Controls Matrix v4.0.12 UEM 03 |
Universal Endpoint Management |
Compatibility |
Shared |
n/a |
Define and implement a process for the validation of the endpoint
device's compatibility with operating systems and applications. |
|
10 |
| CSA_v4.0.12 |
UEM_05 |
CSA_v4.0.12_UEM_05 |
CSA Cloud Controls Matrix v4.0.12 UEM 05 |
Universal Endpoint Management |
Endpoint Management |
Shared |
n/a |
Define, implement and evaluate processes, procedures and technical
measures to enforce policies and controls for all endpoints permitted to access
systems and/or store, transmit, or process organizational data. |
|
10 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
193 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
310 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.7 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 |
404 not found |
|
|
|
n/a |
n/a |
|
95 |
| HITRUST_CSF_v11.3 |
10.k |
HITRUST_CSF_v11.3_10.k |
HITRUST CSF v11.3 10.k |
Security In Development and Support Processes |
Ensure the security of application system software and information through the development process, project and support environments shall be strictly controlled. |
Shared |
1. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management is to be formally addressed.
2. Changes to mobile device operating systems, patch levels, and/or applications is to be managed through a formal change management process.
3. A baseline configuration of the information system is to be developed, documented, and maintained under configuration control. |
The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures. |
|
33 |
| ISO_IEC_27002_2022 |
8.9 |
ISO_IEC_27002_2022_8.9 |
ISO IEC 27002 2022 8.9 |
Protection,
Preventive Control |
Configuration management |
Shared |
Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.
|
To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes. |
|
20 |
| NIST_SP_800-171_R3_3 |
.4.1 |
NIST_SP_800-171_R3_3.4.1 |
404 not found |
|
|
|
n/a |
n/a |
|
9 |
| NIST_SP_800-53_R5.1.1 |
CM.2.2 |
NIST_SP_800-53_R5.1.1_CM.2.2 |
NIST SP 800-53 R5.1.1 CM.2.2 |
Configuration Management Control |
Baseline Configuration | Automation Support for Accuracy and Currency |
Shared |
Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]. |
Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of CM-8(2) for organizations that combine system component inventory and baseline configuration activities. |
|
1 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
218 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
229 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
213 |
| SOC_2023 |
CC8.1 |
SOC_2023_CC8.1 |
SOC 2023 CC8.1 |
Change Management |
Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. |
Shared |
n/a |
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. |
|
147 |