compliance controls are associated with this Policy definition 'Service Bus Premium namespaces should use a customer-managed key for encryption' (295fc8b1-dc9f-4f53-9c61-3f313ceab40a)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| CMMC_2.0_L2 |
SC.L2-3.13.10 |
CMMC_2.0_L2_SC.L2-3.13.10 |
404 not found |
|
|
|
n/a |
n/a |
|
37 |
| DORA_2022_2554 |
9.3c |
DORA_2022_2554_9.3c |
DORA 2022 2554 9.3c |
9 |
Prevent Data Availability and Integrity Issues in ICT Systems |
Shared |
n/a |
Implement measures in information and communication technology (ICT) to prevent issues related to data availability, authenticity, integrity, confidentiality breaches, and data loss. |
|
58 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
306 |
| FedRAMP_High_R4 |
SC-12 |
FedRAMP_High_R4_SC-12 |
FedRAMP High SC-12 |
System And Communications Protection |
Cryptographic Key Establishment And Management |
Shared |
n/a |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17.
References: NIST Special Publications 800-56, 800-57. |
link |
40 |
| FedRAMP_Moderate_R4 |
SC-12 |
FedRAMP_Moderate_R4_SC-12 |
FedRAMP Moderate SC-12 |
System And Communications Protection |
Cryptographic Key Establishment And Management |
Shared |
n/a |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17.
References: NIST Special Publications 800-56, 800-57. |
link |
40 |
| K_ISMS_P_2018 |
2.10.1 |
K_ISMS_P_2018_2.10.1 |
K ISMS P 2018 2.10.1 |
2.10 |
Establish Procedures for Managing the Security of System Operations |
Shared |
n/a |
Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions. |
|
408 |
| K_ISMS_P_2018 |
2.10.2 |
K_ISMS_P_2018_2.10.2 |
K ISMS P 2018 2.10.2 |
2.10 |
Establish Protective Measures for Administrator Privileges and Security Configurations |
Shared |
n/a |
Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations. |
|
385 |
| K_ISMS_P_2018 |
2.7.1b |
K_ISMS_P_2018_2.7.1b |
K ISMS P 2018 2.7.1b |
2.7 |
Ensure Data is Encrypted at Rest and In-Transit |
Shared |
n/a |
Ensure data is encrypted when storing and transmitting personal and important information. |
|
68 |
| K_ISMS_P_2018 |
2.7.2 |
K_ISMS_P_2018_2.7.2 |
K ISMS P 2018 2.7.2 |
2.7 |
Establish Encryption Key Management Procedures |
Shared |
n/a |
Establish and implement procedures for securely creating, using, storing, distributing, and destroying encryption keys. Additionally, establish and implement procedures for recovering encryption keys, if necessary. |
|
48 |
| K_ISMS_P_2018 |
3.4.3 |
K_ISMS_P_2018_3.4.3 |
K ISMS P 2018 3.4.3 |
3.4 |
Implement Measure to Protect the Personal Information of Dormant Users |
Shared |
n/a |
Implement measures to protect the personal information of dormant users including notification of relevant matters, or disposal of storage of personal information. |
|
31 |
| NIST_SP_800-171_R2_3 |
.13.10 |
NIST_SP_800-171_R2_3.13.10 |
NIST SP 800-171 R2 3.13.10 |
System and Communications Protection |
Establish and manage cryptographic keys for cryptography employed in organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. [SP 800-56A] and [SP 800-57-1] provide guidance on cryptographic key management and key establishment. |
link |
40 |
| NIST_SP_800-53_R4 |
SC-12 |
NIST_SP_800-53_R4_SC-12 |
NIST SP 800-53 Rev. 4 SC-12 |
System And Communications Protection |
Cryptographic Key Establishment And Management |
Shared |
n/a |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17.
References: NIST Special Publications 800-56, 800-57. |
link |
40 |
| NIST_SP_800-53_R5 |
SC-12 |
NIST_SP_800-53_R5_SC-12 |
NIST SP 800-53 Rev. 5 SC-12 |
System and Communications Protection |
Cryptographic Key Establishment and Management |
Shared |
n/a |
Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
link |
40 |
|
U.05.2 - Cryptographic measures |
U.05.2 - Cryptographic measures |
404 not found |
|
|
|
n/a |
n/a |
|
53 |
|
U.11.3 - Encrypted |
U.11.3 - Encrypted |
404 not found |
|
|
|
n/a |
n/a |
|
52 |