last sync: 2024-Apr-19 17:43:58 UTC

Enable dual or joint authorization | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Enable dual or joint authorization
Id 2c843d78-8f64-92b5-6a9b-e8186c0e7eb6
Version 1.1.0
Category Regulatory Compliance
Description CMA_0226 - Enable dual or joint authorization
Additional metadata Name/Id: CMA_0226 / CMA_0226
Category: Operational
Title: Enable dual or joint authorization
Ownership: Customer
Description: Microsoft recommends that your organization enable and enforce dual authorization to reduce organizational risks such as insider threats. Each dual-authorized action should be approved by two authorized individuals, and those duties should be rotated to reduce the risk of collusion. Your organization should also weigh the risk that dual authorization introduces where an immediate response is needed for public or environmental safety. Your organization is recommended to implement and enforce dual authorization for:
- Executing [organization-defined privileged commands and/or other organization-defined actions]
- Deleting, destroying, or moving audit information
- Deleting backup information
- Implementing changes to [organization-defined systems]
- Sanitizing [organization-defined system media]
For joint authorization, consider including multiple authorizing officials from the organization conducting the authorization, or at least one authorizing official from an organization external to it, based on your organization's requirements.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect (default) Manual
Effect (allowed) Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1): Microsoft.Resources/subscriptions
Compliance
The following 21 compliance controls are associated with this Policy definition 'Enable dual or joint authorization' (2c843d78-8f64-92b5-6a9b-e8186c0e7eb6). Each entry gives the control domain, control id and metadata id, then the control's fields; "Policy count" is the number of policy definitions mapped to that control.

CIS_Azure_1.1.0 5.1.5 (CIS_Azure_1.1.0_5.1.5)
  Control name: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5
  Category: 5 Logging and Monitoring
  Title: Ensure the storage container storing the activity logs is not publicly accessible
  Owner: Shared
  Requirements: The customer is responsible for implementing this recommendation.
  Description: The storage account container containing the activity log export should not be publicly accessible.
  Policy count: 3

CIS_Azure_1.1.0 5.1.6 (CIS_Azure_1.1.0_5.1.6)
  Control name: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.6
  Category: 5 Logging and Monitoring
  Title: Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
  Owner: Shared
  Requirements: The customer is responsible for implementing this recommendation.
  Description: The storage account with the activity log export container is configured to use BYOK (Use Your Own Key).
  Policy count: 4

CIS_Azure_1.3.0 5.1.3 (CIS_Azure_1.3.0_5.1.3)
  Control name: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3
  Category: 5 Logging and Monitoring
  Title: Ensure the storage container storing the activity logs is not publicly accessible
  Owner: Shared
  Requirements: The customer is responsible for implementing this recommendation.
  Description: The storage account container containing the activity log export should not be publicly accessible.
  Policy count: 3

CIS_Azure_1.3.0 5.1.4 (CIS_Azure_1.3.0_5.1.4)
  Control name: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4
  Category: 5 Logging and Monitoring
  Title: Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
  Owner: Shared
  Requirements: The customer is responsible for implementing this recommendation.
  Description: The storage account with the activity log export container is configured to use BYOK (Use Your Own Key).
  Policy count: 4

CIS_Azure_1.4.0 5.1.3 (CIS_Azure_1.4.0_5.1.3)
  Control name: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3
  Category: 5 Logging and Monitoring
  Title: Ensure the storage container storing the activity logs is not publicly accessible
  Owner: Shared
  Requirements: The customer is responsible for implementing this recommendation.
  Description: The storage account container containing the activity log export should not be publicly accessible.
  Policy count: 3

CIS_Azure_1.4.0 5.1.4 (CIS_Azure_1.4.0_5.1.4)
  Control name: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4
  Category: 5 Logging and Monitoring
  Title: Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
  Owner: Shared
  Requirements: The customer is responsible for implementing this recommendation.
  Description: The storage account with the activity log export container is configured to use BYOK (Use Your Own Key).
  Policy count: 4

CIS_Azure_2.0.0 5.1.3 (CIS_Azure_2.0.0_5.1.3)
  Control name: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3
  Category: 5.1
  Title: Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
  Owner: Shared
  Requirements: Configuring the container `Access policy` to `private` removes access to the container for everyone except owners of the storage account. An access policy must be set explicitly to grant access to any other user.
  Description: The storage account container containing the activity log export should not be publicly accessible. Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.
  Policy count: 3

CIS_Azure_2.0.0 5.1.4 (CIS_Azure_2.0.0_5.1.4)
  Control name: CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4
  Category: 5.1
  Title: Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
  Owner: Shared
  Requirements: NOTE: You must have your key vault set up to use this. All audit logs will be encrypted with a key you provide. You will need to set up customer managed keys separately and select which key to use. You are responsible for the lifecycle of the keys and will need to rotate them manually at intervals you determine to keep the data secure.
  Description: Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK). Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.
  Policy count: 4

FedRAMP_High_R4 AU-9 (FedRAMP_High_R4_AU-9)
  Control name: FedRAMP High AU-9
  Category: Audit And Accountability
  Title: Protection Of Audit Information
  Owner: Shared
  Requirements: n/a
  Description: The information system protects audit information and audit tools from unauthorized access, modification, and deletion. Supplemental Guidance: Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. References: None.
  Policy count: 2

FedRAMP_Moderate_R4 AU-9 (FedRAMP_Moderate_R4_AU-9)
  Control name: FedRAMP Moderate AU-9
  Category: Audit And Accountability
  Title: Protection Of Audit Information
  Owner: Shared
  Requirements: n/a
  Description: The information system protects audit information and audit tools from unauthorized access, modification, and deletion. Supplemental Guidance: Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. References: None.
  Policy count: 2

hipaa 1207.09aa2System.4-09.aa (hipaa-1207.09aa2System.4-09.aa)
  Control name: 1207.09aa2System.4-09.aa
  Category: 12 Audit Logging & Monitoring
  Title: 1207.09aa2System.4-09.aa 09.10 Monitoring
  Owner: Shared
  Requirements: n/a
  Description: Audit records are retained for 90 days and older audit records are archived for one year.
  Policy count: 13

hipaa 1232.09c3Organizational.12-09.c (hipaa-1232.09c3Organizational.12-09.c)
  Control name: 1232.09c3Organizational.12-09.c
  Category: 12 Audit Logging & Monitoring
  Title: 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures
  Owner: Shared
  Requirements: n/a
  Description: Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities, and these individuals cannot access audit functions related to these controls.
  Policy count: 21

ISO27001-2013 A.12.4.2 (ISO27001-2013_A.12.4.2)
  Control name: ISO 27001:2013 A.12.4.2
  Category: Operations Security
  Title: Protection of log information
  Owner: Shared
  Requirements: n/a
  Description: Logging facilities and log information shall be protected against tampering and unauthorized access.
  Policy count: 8

ISO27001-2013 A.12.4.3 (ISO27001-2013_A.12.4.3)
  Control name: ISO 27001:2013 A.12.4.3
  Category: Operations Security
  Title: Administrator and operator logs
  Owner: Shared
  Requirements: n/a
  Description: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
  Policy count: 29

ISO27001-2013 A.18.1.3 (ISO27001-2013_A.18.1.3)
  Control name: ISO 27001:2013 A.18.1.3
  Category: Compliance
  Title: Protection of records
  Owner: Shared
  Requirements: n/a
  Description: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.
  Policy count: 15

NIST_SP_800-171_R2 3.3.8 (NIST_SP_800-171_R2_3.3.8)
  Control name: NIST SP 800-171 R2 3.3.8
  Category: Audit and Accountability
  Title: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
  Owner: Shared
  Requirements: Microsoft and the customer share responsibilities for implementing this requirement.
  Description: Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements.
  Policy count: 4

NIST_SP_800-53_R4 AU-9 (NIST_SP_800-53_R4_AU-9)
  Control name: NIST SP 800-53 Rev. 4 AU-9
  Category: Audit And Accountability
  Title: Protection Of Audit Information
  Owner: Shared
  Requirements: n/a
  Description: The information system protects audit information and audit tools from unauthorized access, modification, and deletion. Supplemental Guidance: Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. References: None.
  Policy count: 2

NIST_SP_800-53_R5 AU-9 (NIST_SP_800-53_R5_AU-9)
  Control name: NIST SP 800-53 Rev. 5 AU-9
  Category: Audit and Accountability
  Title: Protection of Audit Information
  Owner: Shared
  Requirements: n/a
  Description: a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information.
  Policy count: 2

PCI_DSS_v4.0 10.3.1 (PCI_DSS_v4.0_10.3.1)
  Control name: PCI DSS v4.0 10.3.1
  Category: Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
  Title: Audit logs are protected from destruction and unauthorized modifications
  Owner: Shared
  Requirements: n/a
  Description: Read access to audit logs files is limited to those with a job-related need.
  Policy count: 2

PCI_DSS_v4.0 10.3.2 (PCI_DSS_v4.0_10.3.2)
  Control name: PCI DSS v4.0 10.3.2
  Category: Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
  Title: Audit logs are protected from destruction and unauthorized modifications
  Owner: Shared
  Requirements: n/a
  Description: Audit log files are protected to prevent modifications by individuals.
  Policy count: 2

PCI_DSS_v4.0 10.3.4 (PCI_DSS_v4.0_10.3.4)
  Control name: PCI DSS v4.0 10.3.4
  Category: Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
  Title: Audit logs are protected from destruction and unauthorized modifications
  Owner: Shared
  Requirements: n/a
  Description: File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts.
  Policy count: 2
Initiatives usage
Initiative | Initiative Id | Category | State | Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 | 1a5bb27d-173f-493e-9568-eb56638dde4d | Regulatory Compliance | GA | BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 | 612b5213-9160-4969-8578-1518bd2a000c | Regulatory Compliance | GA | BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 | c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 | Regulatory Compliance | GA | BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 | 06f19060-9e68-4070-92ca-f15cc126059e | Regulatory Compliance | GA | BuiltIn
FedRAMP High | d5264498-16f4-418a-b659-fa7ef418175f | Regulatory Compliance | GA | BuiltIn
FedRAMP Moderate | e95f5a9f-57ad-4d03-bb0b-b1d16db93693 | Regulatory Compliance | GA | BuiltIn
HITRUST/HIPAA | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA | BuiltIn
ISO 27001:2013 | 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 | Regulatory Compliance | GA | BuiltIn
NIST SP 800-171 Rev. 2 | 03055927-78bd-4236-86c0-f36125a10dc9 | Regulatory Compliance | GA | BuiltIn
NIST SP 800-53 Rev. 4 | cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f | Regulatory Compliance | GA | BuiltIn
NIST SP 800-53 Rev. 5 | 179d1daa-458f-4e47-8086-2a68d0d6c38f | Regulatory Compliance | GA | BuiltIn
PCI DSS v4 | c676748e-3af9-4e22-bc28-50feed564afb | Regulatory Compliance | GA | BuiltIn
History
Date/Time (UTC) | Change type | Change detail
2022-09-27 16:35:32 | change | Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 | add | 2c843d78-8f64-92b5-6a9b-e8186c0e7eb6