last sync: 2025-Apr-02 18:24:08 UTC

Azure SQL Database should be running TLS version 1.2 or newer

Azure BuiltIn Policy definition

Source Azure Portal
Display name Azure SQL Database should be running TLS version 1.2 or newer
Id 32e6bbec-16b6-44c2-be37-c5b672d103cf
Version 2.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
2.0.0 Built-in Versioning [Preview]
Category SQL
Microsoft Learn
Description Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '2.*.*'
Assessment(s) Assessments count: 1
Assessment Id: 8e9a37b9-2828-4c8f-a24e-7b0ab0e89c78
DisplayName: Azure SQL Database should be running TLS version 1.2 or newer
Description: Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.
Remediation description: Steps to set minimal TLS version to 1.2: 1. Open Azure SQL Database and browse to the server pane: 2. Navigate to Security --> Firewalls and virtual networks pane via the left hand navigation menu: 3. Click on Minimal TLS Version control and select 1.2 as the value.: 4. Click Save
Categories: Data
Severity: Medium
preview: True
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Disabled, Deny
RBAC role(s) none
Rule aliases IF (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Sql/servers/minimalTlsVersion Microsoft.Sql servers properties.minimalTlsVersion True True
Rule resource types IF (1)
Microsoft.Sql/servers
Compliance
The following 79 compliance controls are associated with this Policy definition 'Azure SQL Database should be running TLS version 1.2 or newer' (32e6bbec-16b6-44c2-be37-c5b672d103cf)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
ACAT_Security_Policies ACAT_Security_Policies ACAT Security Policies Guidelines for M365 Certification Protecting systems and resources Shared n/a Ensures that apps have strong security and compliance practices in place to protect customer data, security, and privacy. link 16
Azure_Security_Benchmark_v3.0 DP-3 Azure_Security_Benchmark_v3.0_DP-3 Microsoft cloud security benchmark DP-3 Data Protection Encrypt sensitive data in transit Shared **Security Principle:** Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on external and public networks. **Azure Guidance:** Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in. Enforce HTTPS for workload web application and services by ensuring that any clients connecting to your Azure resources use transportation layer security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure PaaS services by default. **Implementation and additional context:** Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem Enforce secure transfer in Azure storage: https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account n/a link 15
Azure_Security_Benchmark_v3.0 IM-4 Azure_Security_Benchmark_v3.0_IM-4 Microsoft cloud security benchmark IM-4 Identity Management Authenticate server and services Shared **Security Principle:** Authenticate remote servers and services from your client side to ensure you are connecting to trusted server and services. The most common server authentication protocol is Transport Layer Security (TLS), where the client-side (often a browser or client device) verifies the server by verifying the server’s certificate was issued by a trusted certificate authority. Note: Mutual authentication can be used when both the server and the client authenticate one-another. **Azure Guidance:** Many Azure services support TLS authentication by default. For the services supporting TLS enable/disable switch by the user, ensure it's always enabled to support the server/service authentication. Your client application should also be designed to verify server/service identity (by verifying the server’s certificate issued by a trusted certificate authority) in the handshake stage. **Implementation and additional context:** Enforce Transport Layer Security (TLS) for a storage account: https://docs.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal#use-azure-policy-to-enforce-the-minimum-tls-version n/a link 4
Canada_Federal_PBMM_3-1-2020 AC_4(21) Canada_Federal_PBMM_3-1-2020_AC_4(21) Canada Federal PBMM 3-1-2020 AC 4(21) Information Flow Enforcement Information Flow Enforcement | Physical / Logical Separation of Information Flows Shared The information system separates information flows logically or physically using session encryption to accomplish separation of all sessions. To enhance security measures and safeguard sensitive data from unauthorized access or interception. 27
Canada_Federal_PBMM_3-1-2020 CA_3 Canada_Federal_PBMM_3-1-2020_CA_3 Canada Federal PBMM 3-1-2020 CA 3 Information System Connections System Interconnections Shared 1. The organization authorizes connection from information system to other information system through the use of Interconnection Security Agreements. 2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated. 3. The organization reviews and updates Interconnection Security Agreements annually. To establish and maintain secure connections between information systems. 77
Canada_Federal_PBMM_3-1-2020 CA_3(3) Canada_Federal_PBMM_3-1-2020_CA_3(3) Canada Federal PBMM 3-1-2020 CA 3(3) Information System Connections System Interconnections | Classified Non-National Security System Connections Shared The organization prohibits the direct connection of any internal network or system to an external network without the use of security controls approved by the information owner. To ensure the integrity and security of internal systems against external threats. 77
Canada_Federal_PBMM_3-1-2020 CA_3(5) Canada_Federal_PBMM_3-1-2020_CA_3(5) Canada Federal PBMM 3-1-2020 CA 3(5) Information System Connections System Interconnections | Restrictions on External Network Connections Shared The organization employs allow-all, deny-by-exception; deny-all policy for allowing any systems to connect to external information systems. To enhance security posture against unauthorized access. 77
Canada_Federal_PBMM_3-1-2020 CM_3(6) Canada_Federal_PBMM_3-1-2020_CM_3(6) Canada Federal PBMM 3-1-2020 CM 3(6) Configuration Change Control Configuration Change Control | Cryptography Management Shared The organization ensures that cryptographic mechanisms used to provide any cryptographic-based safeguards are under configuration management. To uphold security and integrity measures. 20
Canada_Federal_PBMM_3-1-2020 SC_12 Canada_Federal_PBMM_3-1-2020_SC_12 Canada Federal PBMM 3-1-2020 SC 12 Cryptographic Key Establishment and Management Cryptographic Key Establishment and Management Shared The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with CSE-approved cryptography. To enhance overall security posture and compliance with industry best practices. 29
Canada_Federal_PBMM_3-1-2020 SC_12(1) Canada_Federal_PBMM_3-1-2020_SC_12(1) Canada Federal PBMM 3-1-2020 SC 12(1) Cryptographic Key Establishment and Management Cryptographic Key Establishment and Management | Availability Shared The organization maintains availability of information in the event of the loss of cryptographic keys by users. To implement backup and recovery mechanisms. 29
CIS_Controls_v8.1 12.7 CIS_Controls_v8.1_12.7 CIS Controls v8.1 12.7 Network Infrastructure Management Ensure remote devices utilize a VPN and are connecting to an enterprise's AAA infrastructure. Shared Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices. To create a layer of security to ensure protection of data. 7
CIS_Controls_v8.1 6.3 CIS_Controls_v8.1_6.3 CIS Controls v8.1 6.3 Access Control Management Require MFA for externally-exposed applications Shared 1. Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. 2. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this safeguard. To ensure unauthorised persons are unable to access approved applications. 7
CIS_Controls_v8.1 6.4 CIS_Controls_v8.1_6.4 CIS Controls v8.1 6.4 Access Control Management Require MFA for remote network access Shared Require MFA for remote network access. To authenticate users accessing network remotely and ensure safety of enterprise data. 7
CMMC_L2_v1.9.0 AC.L2_3.1.13 CMMC_L2_v1.9.0_AC.L2_3.1.13 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.13 Access Control Remote Access Confidentiality Shared Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. To enhance security by encrypting data transmitted over the network. 4
CMMC_L2_v1.9.0 SC.L2_3.13.11 CMMC_L2_v1.9.0_SC.L2_3.13.11 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.11 System and Communications Protection CUI Encryption Shared Employ FIPS validated cryptography when used to protect the confidentiality of CUI. To ensure the integrity and effectiveness of cryptographic protections applied to sensitive data. 19
CSA_v4.0.12 CEK_02 CSA_v4.0.12_CEK_02 CSA Cloud Controls Matrix v4.0.12 CEK 02 Cryptography, Encryption & Key Management CEK Roles and Responsibilities Shared n/a Define and implement cryptographic, encryption and key management roles and responsibilities. 25
CSA_v4.0.12 CEK_03 CSA_v4.0.12_CEK_03 CSA Cloud Controls Matrix v4.0.12 CEK 03 Cryptography, Encryption & Key Management Data Encryption Shared n/a Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards. 58
CSA_v4.0.12 CEK_10 CSA_v4.0.12_CEK_10 CSA Cloud Controls Matrix v4.0.12 CEK 10 Cryptography, Encryption & Key Management Key Generation Shared n/a Generate Cryptographic keys using industry accepted cryptographic libraries specifying the algorithm strength and the random number generator used. 24
CSA_v4.0.12 CEK_11 CSA_v4.0.12_CEK_11 CSA Cloud Controls Matrix v4.0.12 CEK 11 Cryptography, Encryption & Key Management Key Purpose Shared n/a Manage cryptographic secret and private keys that are provisioned for a unique purpose. 24
CSA_v4.0.12 CEK_12 CSA_v4.0.12_CEK_12 CSA Cloud Controls Matrix v4.0.12 CEK 12 Cryptography, Encryption & Key Management Key Rotation Shared n/a Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements. 22
CSA_v4.0.12 CEK_15 CSA_v4.0.12_CEK_15 CSA Cloud Controls Matrix v4.0.12 CEK 15 Cryptography, Encryption & Key Management Key Activation Shared n/a Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements. 21
CSA_v4.0.12 CEK_16 CSA_v4.0.12_CEK_16 CSA Cloud Controls Matrix v4.0.12 CEK 16 Cryptography, Encryption & Key Management Key Suspension Shared n/a Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements. 23
CSA_v4.0.12 DSP_04 CSA_v4.0.12_DSP_04 CSA Cloud Controls Matrix v4.0.12 DSP 04 Data Security and Privacy Lifecycle Management Data Classification Shared n/a Classify data according to its type and sensitivity level. 6
CSA_v4.0.12 DSP_07 CSA_v4.0.12_DSP_07 CSA Cloud Controls Matrix v4.0.12 DSP 07 Data Security and Privacy Lifecycle Management Data Protection by Design and Default Shared n/a Develop systems, products, and business practices based upon a principle of security by design and industry best practices. 16
CSA_v4.0.12 DSP_10 CSA_v4.0.12_DSP_10 CSA Cloud Controls Matrix v4.0.12 DSP 10 Data Security and Privacy Lifecycle Management Sensitive Data Transfer Shared n/a Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations. 45
CSA_v4.0.12 DSP_17 CSA_v4.0.12_DSP_17 CSA Cloud Controls Matrix v4.0.12 DSP 17 Data Security and Privacy Lifecycle Management Sensitive Data Protection Shared n/a Define and implement, processes, procedures and technical measures to protect sensitive data throughout it's lifecycle. 15
Cyber_Essentials_v3.1 1 Cyber_Essentials_v3.1_1 Cyber Essentials v3.1 1 Cyber Essentials Firewalls Shared n/a Aim: to make sure that only secure and necessary network services can be accessed from the internet. 37
Cyber_Essentials_v3.1 4 Cyber_Essentials_v3.1_4 Cyber Essentials v3.1 4 Cyber Essentials User Access Control Shared n/a Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role. 74
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 194
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 311
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 311
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 311
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 311
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .1 FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 Policy and Implementation - Systems And Communications Protection Systems And Communications Protection Shared In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. 111
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .5 FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 Policy and Implementation - Access Control Access Control Shared Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. 97
FFIEC_CAT_2017 3.1.2 FFIEC_CAT_2017_3.1.2 FFIEC CAT 2017 3.1.2 Cybersecurity Controls Access and Data Management Shared n/a Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.'FFIEC_Cybersecurity Control'!F8 - Employee access to systems and confidential data provides for separation of duties. - Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger 'FFIEC_Cybersecurity Control'!F7password controls). - User access reviews are performed periodically for all systems and applications based on the risk to the application or system. - Changes to physical and logical user access, including those that result from voluntary and involuntary terminations, are submitted to and approved by appropriate personnel. - Identification and authentication are required and managed for access to systems, applications, and hardware. - Access controls include password complexity and limits to password attempts and reuse. - All default passwords and unnecessary default accounts are changed before system implementation. - Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk. - Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.) - Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems. - All passwords are encrypted in storage and in transit. - Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). - Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) - Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. - Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software. - Customer service (e.g., the call center) utilizes formal procedures to authenticate customers commensurate with the risk of the transaction or request. - Data is disposed of or destroyed according to documented requirements and within expected time frames. 59
HITRUST_CSF_v11.3 01.j HITRUST_CSF_v11.3_01.j HITRUST CSF v11.3 01.j Network Access Control To prevent unauthorized access to networked services. Shared 1.External access to systems to be strictly regulated and tightly controlled. 2. External access to sensitive systems to be automatically deactivated immediately after use. 3. Authentication of remote users to be done by using cryptography, biometrics, hardware tokens, software token, a challenge/response protocol, or, certificate agents. 4. Dial-up connections to be encrypted. Appropriate authentication methods shall be used to control access by remote users. 16
HITRUST_CSF_v11.3 09.m HITRUST_CSF_v11.3_09.m HITRUST CSF v11.3 09.m Network Security Management To ensure the protection of information in networks and protection of the supporting network infrastructure. Shared 1. Vendor default encryption keys, default SNMP community strings on wireless devices, default passwords/passphrases on access points, and other security-related wireless vendor defaults is to be changed prior to authorization of implementation of wireless access points. 2. Wireless encryption keys to be changed when anyone with knowledge of the keys leaves or changes. 3. All authorized and unauthorized wireless access to the information system is to be monitored and installation of wireless access points (WAP) is to be prohibited unless explicitly authorized. Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. 24
ISO_IEC_27017_2015 10.1.1 ISO_IEC_27017_2015_10.1.1 ISO IEC 27017 2015 10.1.1 Cryptography Policy on the use of cryptographic controls Shared For Cloud Service Customer: The cloud service customer should implement cryptographic controls for its use of cloud services if justified by the risk analysis. The controls should be of sufficient strength to mitigate the identified risks, whether those controls are supplied by the cloud service customer or by the cloud service provider. When the cloud service provider offers cryptography, the cloud service customer should review any information supplied by the cloud service provider to confirm whether the cryptographic capabilities: (i) meet the cloud service customer's policy requirements; (ii) are compatible with any other cryptographic protection used by the cloud service customer; (iii) apply to data at rest and in transit to, from and within the cloud service. For Cloud Service Provider: The cloud service provider should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the information it processes. The cloud service provider should also provide information to the cloud service customer about any capabilities it provides that can assist the cloud service customer in applying its own cryptographic protection. To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography. 19
ISO_IEC_27017_2015 18.1.5 ISO_IEC_27017_2015_18.1.5 ISO IEC 27017 2015 18.1.5 Compliance Regulation of Cryptographic Controls Shared For Cloud Service Customer: The cloud service customer should verify that the set of cryptographic controls that apply to the use of a cloud service comply with relevant agreements, legislation and regulations. For Cloud Service Provider: The cloud service provider should provide descriptions of the cryptographic controls implemented by the cloud service provider to the cloud service customer for reviewing compliance with applicable agreements, legislation and regulations. To ensure compliance with legal, statutory, regulatory and contractual requirements related to information security. 19
New_Zealand_ISM 17.4.16.C.01 New_Zealand_ISM_17.4.16.C.01 New_Zealand_ISM_17.4.16.C.01 17. Cryptography 17.4.16.C.01 Using TLS n/a Agencies SHOULD use the current version of TLS (version 1.3). 5
NIST_SP_800-171_R3_3 .13.11 NIST_SP_800-171_R3_3.13.11 NIST 800-171 R3 3.13.11 System and Communications Protection Control Cryptographic Protection Shared Cryptography is implemented in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. Implement the following types of cryptography when used to protect the confidentiality of CUI: [Assignment: organization-defined types of cryptography]. 19
NIST_SP_800-171_R3_3 .13.8 NIST_SP_800-171_R3_3.13.8 NIST 800-171 R3 3.13.8 System and Communications Protection Control Transmission and Storage Confidentiality Shared This requirement applies to internal and external networks and any system components that can transmit CUI, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are susceptible to interception and modification. Encryption protects CUI from unauthorized disclosure during transmission and while in storage. Cryptographic mechanisms that protect the confidentiality of CUI during transmission include TLS and IPsec. Information in storage (i.e. information at rest) refers to the state of CUI when it is not in process or in transit and resides on internal or external storage devices, storage area network devices, and databases. Protecting CUI in storage does not focus on the type of storage device or the frequency of access to that device but rather on the state of the information. This requirement relates to 03.13.11. Implement cryptographic mechanisms to prevent the unauthorized disclosure of CUI during transmission and while in storage. 12
NIST_SP_800-53_R5.1.1 AC.17.2 NIST_SP_800-53_R5.1.1_AC.17.2 NIST SP 800-53 R5.1.1 AC.17.2 Access Control Remote Access | Protection of Confidentiality and Integrity Using Encryption Shared Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions. 4
NIST_SP_800-53_R5.1.1 SC.13 NIST_SP_800-53_R5.1.1_SC.13 NIST SP 800-53 R5.1.1 SC.13 System and Communications Protection Cryptographic Protection Shared a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]. Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 19
NIST_SP_800-53_R5.1.1 SC.8 NIST_SP_800-53_R5.1.1_SC.8 NIST SP 800-53 R5.1.1 SC.8 System and Communications Protection Transmission Confidentiality and Integrity Shared Protect the [Selection (one or more): confidentiality; integrity] of transmitted information. Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques. Organizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls. 6
NIST_SP_800-53_R5.1.1 SC.8.1 NIST_SP_800-53_R5.1.1_SC.8.1 NIST SP 800-53 R5.1.1 SC.8.1 System and Communications Protection Transmission Confidentiality and Integrity | Cryptographic Protection Shared Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission. Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes. 3
NL_BIO_Cloud_Theme U.05.1(2) NL_BIO_Cloud_Theme_U.05.1(2) NL_BIO_Cloud_Theme_U.05.1(2) U.05 Data protection Cryptographic measures n/a Data transport is secured with cryptography to the latest state of the art (in accordance with the Forum for Standardization), whereby the key management is carried out by the CSC itself if possible. 17
NZISM_v3.7 16.5.10.C.02. NZISM_v3.7_16.5.10.C.02. NZISM v3.7 16.5.10.C.02. Remote Access 16.5.10.C.02. - To enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies SHOULD authenticate both the remote system user and device during the authentication process. 21
NZISM_v3.7 17.1.51.C.01. NZISM_v3.7_17.1.51.C.01. NZISM v3.7 17.1.51.C.01. Cryptographic Fundamentals 17.1.51.C.01. - To enhace overall security posture. Shared n/a Agencies using cryptographic functionality within a product to protect the confidentiality, authentication, non-repudiation or integrity of information, MUST ensure that the product has completed a cryptographic evaluation recognised by the GCSB. 20
NZISM_v3.7 17.1.52.C.01. NZISM_v3.7_17.1.52.C.01. NZISM v3.7 17.1.52.C.01. Cryptographic Fundamentals 17.1.52.C.01. - To enhace overall security posture. Shared n/a Cryptographic products MUST provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure. 20
NZISM_v3.7 17.1.52.C.02. NZISM_v3.7_17.1.52.C.02. NZISM v3.7 17.1.52.C.02. Cryptographic Fundamentals 17.1.52.C.02. - To enhance data accessibility and integrity. Shared n/a Cryptographic products SHOULD provide a means of data recovery to allow for recovery of data in circumstances where the encryption key is unavailable due to loss, damage or failure. 20
NZISM_v3.7 17.1.53.C.03. NZISM_v3.7_17.1.53.C.03. NZISM v3.7 17.1.53.C.03. Cryptographic Fundamentals 17.1.53.C.03. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a If an agency wishes to use encryption to reduce the storage, handling or physical transfer requirements for IT equipment or media that contains classified information, they MUST use: 1. full disk encryption; or 2. partial disk encryption where the access control will allow writing ONLY to the encrypted partition holding the classified information. 20
NZISM_v3.7 17.1.53.C.04. NZISM_v3.7_17.1.53.C.04. NZISM v3.7 17.1.53.C.04. Cryptographic Fundamentals 17.1.53.C.04. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a If an agency wishes to use encryption to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they SHOULD use: 1. full disk encryption; or 2. partial disk encryption where the access control will allow writing ONLY to the encrypted partition holding the classified information. 20
NZISM_v3.7 17.1.54.C.01. NZISM_v3.7_17.1.54.C.01. NZISM v3.7 17.1.54.C.01. Cryptographic Fundamentals 17.1.54.C.01. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a Agencies MUST use an Approved Cryptographic Algorithm to protect NZEO information when at rest on a system. 20
NZISM_v3.7 17.1.55.C.01. NZISM_v3.7_17.1.55.C.01. NZISM v3.7 17.1.55.C.01. Cryptographic Fundamentals 17.1.55.C.01. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a Agencies MUST use HACE if they wish to communicate or pass information over UNCLASSIFIED, insecure or unprotected networks. 20
NZISM_v3.7 17.1.55.C.02. NZISM_v3.7_17.1.55.C.02. NZISM v3.7 17.1.55.C.02. Cryptographic Fundamentals 17.1.55.C.02. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a Information or systems classified RESTRICTED or SENSITIVE MUST be encrypted with an Approved Cryptographic Algorithm and Protocol if information is transmitted or systems are communicating over insecure or unprotected networks, such as the Internet, public networks or non-agency controlled networks. 20
NZISM_v3.7 17.1.55.C.03. NZISM_v3.7_17.1.55.C.03. NZISM v3.7 17.1.55.C.03. Cryptographic Fundamentals 17.1.55.C.03. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a Agencies MUST encrypt aggregated agency data using an approved algorithm and protocol over insecure or unprotected networks such as the Internet, public infrastructure or non-agency controlled networks when the compromise of the aggregated data would present a significant impact to the agency. 20
NZISM_v3.7 17.1.55.C.04. NZISM_v3.7_17.1.55.C.04. NZISM v3.7 17.1.55.C.04. Cryptographic Fundamentals 17.1.55.C.04. - To ensure compliance with established security standards and enhance the effectiveness of encryption in safeguarding sensitive information. Shared n/a Agencies SHOULD encrypt agency data using an approved algorithm and protocol if they wish to communicate over insecure or unprotected networks such as the Internet, public networks or non-agency controlled networks. 20
NZISM_v3.7 17.1.56.C.02. NZISM_v3.7_17.1.56.C.02. NZISM v3.7 17.1.56.C.02. Cryptographic Fundamentals 17.1.56.C.02. - To ensure compliance with security protocols and best practices. Shared n/a Agencies MUST consult the GCSB for further advice on the powered off status and treatment of specific software, systems and IT equipment. 20
NZISM_v3.7 17.1.57.C.01. NZISM_v3.7_17.1.57.C.01. NZISM v3.7 17.1.57.C.01. Cryptographic Fundamentals 17.1.57.C.01. - To ensure compliance with security protocols and best practices. Shared n/a In addition to any encryption already in place for communication mediums, agencies MUST use an Approved Cryptographic Protocol and Algorithm to protect NZEO information when in transit. 19
NZISM_v3.7 17.1.58.C.01. NZISM_v3.7_17.1.58.C.01. NZISM v3.7 17.1.58.C.01. Cryptographic Fundamentals 17.1.58.C.01. - To ensure compliance with security protocols and best practices. Shared n/a Agencies SHOULD establish cryptoperiods for all keys and cryptographic implementations in their systems and operations. 19
NZISM_v3.7 17.1.58.C.02. NZISM_v3.7_17.1.58.C.02. NZISM v3.7 17.1.58.C.02. Cryptographic Fundamentals 17.1.58.C.02. - To enhance overall cybersecurity posture. Shared n/a Agencies SHOULD use risk assessment techniques and guidance to establish cryptoperiods. 24
NZISM_v3.7 17.1.58.C.03. NZISM_v3.7_17.1.58.C.03. NZISM v3.7 17.1.58.C.03. Cryptographic Fundamentals 17.1.58.C.03. - To enhance overall cybersecurity posture. Shared n/a Agencies using HACE MUST consult the GCSB for key management requirements. 17
PCI_DSS_v4.0.1 3.5.1.1 PCI_DSS_v4.0.1_3.5.1.1 PCI DSS v4.0.1 3.5.1.1 Protect Stored Account Data Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7 Shared n/a Examine documentation about the hashing method used to render PAN unreadable, including the vendor, type of system/process, and the encryption algorithms (as applicable) to verify that the hashing method results in keyed cryptographic hashes of the entire PAN, with associated key management processes and procedures. Examine documentation about the key management procedures and processes associated with the keyed cryptographic hashes to verify keys are managed in accordance with Requirements 3.6 and 3.7. Examine data repositories to verify the PAN is rendered unreadable. Examine audit logs, including payment application logs, to verify the PAN is rendered unreadable 19
PCI_DSS_v4.0.1 4.2.1 PCI_DSS_v4.0.1_4.2.1 PCI DSS v4.0.1 4.2.1 Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: Only trusted keys and certificates are accepted. Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations. The encryption strength is appropriate for the encryption methodology in use Shared n/a Examine documented policies and procedures and interview personnel to verify processes are defined to include all elements specified in this requirement. Examine system configurations to verify that strong cryptography and security protocols are implemented in accordance with all elements specified in this requirement. Examine cardholder data transmissions to verify that all PAN is encrypted with strong cryptography when it is transmitted over open, public networks. Examine system configurations to verify that keys and/or certificates that cannot be verified as trusted are rejected 19
RMiT_v1.0 Appendix_5.6 RMiT_v1.0_Appendix_5.6 RMiT Appendix 5.6 Control Measures on Cybersecurity Control Measures on Cybersecurity - Appendix 5.6 Customer n/a Ensure security controls for remote access to server include the following: (a) restrict access to only hardened and locked down end-point devices; (b) use secure tunnels such as TLS and VPN IPSec; (c) deploy ‘gateway’ server with adequate perimeter defences and protection such as firewall, IPS and antivirus; and (d) close relevant ports immediately upon expiry of remote access. link 19
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 218
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 229
SOC_2023 CC6.1 SOC_2023_CC6.1 SOC 2023 CC6.1 Logical and Physical Access Controls To mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. Shared n/a Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. 128
SOC_2023 CC6.7 SOC_2023_CC6.7 404 not found n/a n/a 52
SOC_2023 CC7.2 SOC_2023_CC7.2 SOC 2023 CC7.2 Systems Operations To maintain robust security measures and ensure operational resilience. Shared n/a The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. 167
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 213
SWIFT_CSCF_2024 2.1 SWIFT_CSCF_2024_2.1 SWIFT Customer Security Controls Framework 2024 2.1 Risk Management Internal Data Flow Security Shared The protection of internal data flows safeguards against unintended disclosure, modification, and access of the data while in transit. To ensure the confidentiality, integrity, and authenticity of application data flows between ’user’s Swift-related components. 48
SWIFT_CSCF_2024 2.4A SWIFT_CSCF_2024_2.4A SWIFT Customer Security Controls Framework 2024 2.4A Risk Management Back Office Data Flow Security Shared Protection of data flows or connections between the back-office first hops as seen from the Swift or customer secure zone and the Swift infrastructure safeguards against person-in-the-middle attack, unintended disclosure, modification, and data access while in transit. To ensure the confidentiality, integrity, and mutual authenticity of data flowing between on-premises or remote Swift infrastructure components and the back-office first hops they connect to. 24
SWIFT_CSCF_2024 2.6 SWIFT_CSCF_2024_2.6 SWIFT Customer Security Controls Framework 2024 2.6 Risk Management Operator Session Confidentiality and Integrity Shared 1. Operator sessions, through the jump server when accessing the on-premises or remote (that is hosted or operated by a third party, or both) Swift infrastructure, pose a unique threat because unusual or unexpected activity is more difficult to detect during interactive sessions than it is during application-to-application activity. 2. Therefore, it is important to protect the integrity and confidentiality of these operator sessions to reduce any opportunity for misuse or password theft. When used, access to the virtualisation layer (virtualisation or cloud management console) must be similarly protected. To protect the confidentiality and integrity of interactive operator sessions that connect to the on- premises or remote (operated by a service provider or outsourcing agent) Swift infrastructure or to a service provider or outsourcing agent Swift-related applications. 12
SWIFT_CSCF_v2021 2.1 SWIFT_CSCF_v2021_2.1 SWIFT CSCF v2021 2.1 Reduce Attack Surface and Vulnerabilities Internal Data Flow Security n/a Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related applications. link 14
SWIFT_CSCF_v2021 2.6 SWIFT_CSCF_v2021_2.6 SWIFT CSCF v2021 2.6 Reduce Attack Surface and Vulnerabilities Operator Session Confidentiality and Integrity n/a Protect the confidentiality and integrity of interactive operator sessions connecting to the local or the remote (operated by a service provider) SWIFT-related infrastructure or applications. link 8
U.05.1 - Cryptographic measures U.05.1 - Cryptographic measures 404 not found n/a n/a 17
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit Enforce-EncryptTransit_20240509 Encryption Deprecated ALZ
[Preview]: Control the use of Microsoft SQL in a Virtual Enclave 0fbe78a5-1722-4f1b-83a5-89c14151fa60 VirtualEnclaves Preview BuiltIn true
[Preview]: Control the use of Microsoft SQL in a Virtual Enclave 0fbe78a5-1722-4f1b-83a5-89c14151fa60 VirtualEnclaves Preview BuiltIn true
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn unknown
ACAT for Microsoft 365 Certification 80307b86-ab81-45ab-bf4f-4e0b93cf3dd5 Regulatory Compliance GA BuiltIn unknown
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cyber Essentials v3.1 b2f588d7-1ed5-47c7-977d-b93dff520c4c Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit Enforce-EncryptTransit_20241211 Encryption GA ALZ
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
FFIEC CAT 2017 1d5dbdd5-6f93-43ce-a939-b19df3753cf7 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27017 2015 f48ecfa6-581c-43f9-8141-cd4adc72cf26 Regulatory Compliance GA BuiltIn unknown
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-03-11 18:16:48 change Major (1.0.1 > 2.0.0)
2020-10-27 14:12:45 change Patch (1.0.0 > 1.0.1)
2020-07-14 15:28:17 add 32e6bbec-16b6-44c2-be37-c5b672d103cf
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC