| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v1.0 |
3.3 |
Azure_Security_Benchmark_v1.0_3.3 |
Azure Security Benchmark 3.3 |
Identity and Access Control |
Use dedicated administrative accounts |
Customer |
Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.
You can also enable a Just-In-Time / Just-Enough-Access by using Azure AD Privileged Identity Management Privileged Roles for Microsoft Services, and Azure Resource Manager.
Learn more: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/ |
n/a |
link |
5 |
| CCCS |
AC-5 |
CCCS_AC-5 |
CCCS AC-5 |
Access Control |
Separation of Duties |
|
n/a |
(A) The organization:
(a) Separate organization-defined duties of individuals including at least separation of operational, development, security monitoring, and management functions;
(b) Documents separation of duties of individuals; and
(c) Defines information system access authorizations to support separation of duties. |
link |
7 |
| CCCS |
AC-6 |
CCCS_AC-6 |
CCCS AC-6 |
Access Control |
Least Privilege |
|
n/a |
(A) The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
link |
7 |
| CMMC_L3 |
AC.3.017 |
CMMC_L3_AC.3.017 |
CMMC L3 AC.3.017 |
Access Control |
Separate the duties of individuals to reduce the risk of malevolent activity without collusion. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties. |
link |
4 |
| hipaa |
11211.01q2Organizational.11-01.q |
hipaa-11211.01q2Organizational.11-01.q |
11211.01q2Organizational.11 - 01.q |
User Identification and Authentication |
Signed electronic records shall contain information associated with the signing in human-readable format. |
Customer |
n/a |
Azure does not implement identification codes and electronic signatures, per FDA CFR 21 Part 11. |
|
1 |
| hipaa |
1127.01q2System.3-01.q |
hipaa-1127.01q2System.3-01.q |
1127.01q2System.3-01.q |
11 Access Control |
1127.01q2System.3-01.q 01.05 Operating System Access Control |
Shared |
n/a |
Where tokens are provided for multi-factor authentication, in-person verification is required prior to granting access. |
|
2 |
| IRS_1075_9.3 |
.1.5 |
IRS_1075_9.3.1.5 |
IRS 1075 9.3.1.5 |
Access Control |
Separation of Duties (AC-5) |
|
n/a |
The agency must:
a. Separate duties of individuals to prevent harmful activity without collusion
b. Document separation of duties of individuals
c. Define information system access authorizations to support separation of duties |
link |
7 |
| IRS_1075_9.3 |
.1.6 |
IRS_1075_9.3.1.6 |
IRS 1075 9.3.1.6 |
Access Control |
Least Privilege (AC-6) |
|
n/a |
The agency must:
a. Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with agency missions and business functions
b. Explicitly authorize access to FTI (CE1)
c. Require that users of information system accounts, or roles, with access to FTI, use non-privileged accounts or roles when accessing non-security functions (CE2)
d. Restrict privileged accounts on the information system to a limited number of individuals with a need to perform administrative duties (CE5)
The information system must:
a. Audit the execution of privileged functions (CE9)
b. Prevent non-privileged users from executing privileged functions; including disabling, circumventing, or altering implemented security safeguards/countermeasures (CE10) |
link |
7 |
| NIST_SP_800-171_R2_3 |
.1.4 |
NIST_SP_800-171_R2_3.1.4 |
NIST SP 800-171 R2 3.1.4 |
Access Control |
Separate the duties of individuals to reduce the risk of malevolent activity without collusion. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties. |
link |
6 |
| NZISM_Security_Benchmark_v1.1 |
AC-11 |
NZISM_Security_Benchmark_v1.1_AC-11 |
NZISM Security Benchmark AC-11 |
Access Control and Passwords |
16.4.30 Privileged Access Management |
Customer |
Agencies MUST establish a Privileged Access Management (PAM) policy.
Within the context of agency operations, the agency’s PAM policy MUST define:
a privileged account; and
privileged access.
Agencies MUST manage Privileged Accounts in accordance with the Agency’s PAM Policy. |
A fundamental part of any security policy is the inclusion of requirements for the treatment of Privileged Accounts. This is most conveniently contained in a Privileged Access Management (PAM) section within the agency’s security policy. A PAM policy is a fundamental component of an agency’s IT Governance. |
link |
9 |