last sync: 2024-Oct-04 17:51:30 UTC

Microsoft Managed Control 1546 - Vulnerability Scanning | Regulatory Compliance - Risk Assessment

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1546 - Vulnerability Scanning
Id 2ce1ea7e-4038-4e53-82f4-63e8859333c1
Version 1.0.0
Details on versioning
Versioning Versions supported for Versioning: 0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this Risk Assessment control
Additional metadata Name/Id: ACF1546 / Microsoft Managed Control 1546
Category: Risk Assessment
Title: Vulnerability Scanning - Frequency of Scanning, Identifying, Reporting
Ownership: Customer, Microsoft
Description: The organization: Scans for vulnerabilities in the information system and hosted applications monthly (for operating systems, web applications, and databases) and when new vulnerabilities potentially affecting the system/applications are identified and reported;
Requirements: Azure implements vulnerability scanning by actively scanning servers, network devices, databases, and web applications in the Azure inventory with authenticated scans. All scans are performed monthly. The vulnerability scanning tools provide Azure updates as new vulnerabilities are identified and reported. Scans are also performed when newly identified vulnerabilities are added for each type of scan. The C+AI VSA team within Azure manages the vulnerability management program and provides scanning services for the environment. C+AI VSA is responsible for the identification, assessment, and notification of vulnerabilities to Azure personnel, who are responsible for the remediation of verified vulnerabilities on operating systems, network elements and applications deployed in the Azure environment. Listed below are the assets scanned each month in accordance with the monthly assignment:* Operating system (OS) Scans Conducted twice a day * Host, Guest, Native, and Pilotfish server environment * Physical server environment * Monthly operating system (OS) Scans * Azure network devices * Monthly database (DB) scans * SQL DB instances * Monthly web application scans * Web applications (hosted URLs) In addition, the Third Party Assessment Organization (3PAO) satisfies the requirements for independent third-party security assessment and scanning on an annual basis. This is done by having the Third Party Assessment Organization (3PAO) review the scanning configuration, observe the scan where possible, and review the results.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance
The following 6 compliance controls are associated with this Policy definition 'Microsoft Managed Control 1546 - Vulnerability Scanning' (2ce1ea7e-4038-4e53-82f4-63e8859333c1)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
op.exp.2 Security configuration op.exp.2 Security configuration 404 not found n/a n/a 112
op.exp.3 Security configuration management op.exp.3 Security configuration management 404 not found n/a n/a 123
op.exp.4 Security maintenance and updates op.exp.4 Security maintenance and updates 404 not found n/a n/a 78
op.exp.5 Change management op.exp.5 Change management 404 not found n/a n/a 71
op.mon.3 Monitoring op.mon.3 Monitoring 404 not found n/a n/a 51
op.pl.1 Risk analysis op.pl.1 Risk analysis 404 not found n/a n/a 70
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History none
JSON compare n/a
JSON
api-version=2021-06-01
EPAC