| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| CIS_Azure_1.1.0 | 2.11 | CIS_Azure_1.1.0_2.11 | CIS Microsoft Azure Foundations Benchmark recommendation 2.11 | 2 Security Center | Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" | Shared | The customer is responsible for implementing this recommendation. | Enable storage encryption recommendations. | link | 4 |
| CIS_Azure_1.1.0 | 2.15 | CIS_Azure_1.1.0_2.15 | CIS Microsoft Azure Foundations Benchmark recommendation 2.15 | 2 Security Center | Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" | Shared | The customer is responsible for implementing this recommendation. | Enable SQL encryption recommendations. | link | 5 |
| CIS_Azure_1.1.0 | 2.6 | CIS_Azure_1.1.0_2.6 | CIS Microsoft Azure Foundations Benchmark recommendation 2.6 | 2 Security Center | Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" | Shared | The customer is responsible for implementing this recommendation. | Enable disk encryption recommendations for virtual machines. | link | 5 |
| CIS_Azure_1.1.0 | 4.10 | CIS_Azure_1.1.0_4.10 | CIS Microsoft Azure Foundations Benchmark recommendation 4.10 | 4 Database Services | Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) | Shared | The customer is responsible for implementing this recommendation. | TDE with BYOK support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with BYOK support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security. Based on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (BYOK). | link | 6 |
| CIS_Azure_1.1.0 | 4.9 | CIS_Azure_1.1.0_4.9 | CIS Microsoft Azure Foundations Benchmark recommendation 4.9 | 4 Database Services | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Shared | The customer is responsible for implementing this recommendation. | Enable Transparent Data Encryption on every SQL server. | link | 5 |
| CIS_Azure_1.1.0 | 7.1 | CIS_Azure_1.1.0_7.1 | CIS Microsoft Azure Foundations Benchmark recommendation 7.1 | 7 Virtual Machines | Ensure that 'OS disk' are encrypted | Shared | The customer is responsible for implementing this recommendation. | Ensure that OS disks (boot volumes) are encrypted, where possible. | link | 5 |
| CIS_Azure_1.1.0 | 7.2 | CIS_Azure_1.1.0_7.2 | CIS Microsoft Azure Foundations Benchmark recommendation 7.2 | 7 Virtual Machines | Ensure that 'Data disks' are encrypted | Shared | The customer is responsible for implementing this recommendation. | Ensure that data disks (non-boot volumes) are encrypted, where possible. | link | 5 |
| CIS_Azure_1.1.0 | 7.3 | CIS_Azure_1.1.0_7.3 | CIS Microsoft Azure Foundations Benchmark recommendation 7.3 | 7 Virtual Machines | Ensure that 'Unattached disks' are encrypted | Shared | The customer is responsible for implementing this recommendation. | Ensure that unattached disks in a subscription are encrypted. | link | 4 |
| CIS_Azure_1.3.0 | 3.9 | CIS_Azure_1.3.0_3.9 | CIS Microsoft Azure Foundations Benchmark recommendation 3.9 | 3 Storage Accounts | Ensure storage for critical data are encrypted with Customer Managed Key | Shared | The customer is responsible for implementing this recommendation. | Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed Keys. | link | 5 |
| CIS_Azure_1.3.0 | 4.1.2 | CIS_Azure_1.3.0_4.1.2 | CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 | 4 Database Services | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Shared | The customer is responsible for implementing this recommendation. | Enable Transparent Data Encryption on every SQL server. | link | 5 |
| CIS_Azure_1.3.0 | 4.5 | CIS_Azure_1.3.0_4.5 | CIS Microsoft Azure Foundations Benchmark recommendation 4.5 | 4 Database Services | Ensure SQL server's TDE protector is encrypted with Customer-managed key | Shared | The customer is responsible for implementing this recommendation. | TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security. Based on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key). | link | 6 |
| CIS_Azure_1.3.0 | 7.2 | CIS_Azure_1.3.0_7.2 | CIS Microsoft Azure Foundations Benchmark recommendation 7.2 | 7 Virtual Machines | Ensure that 'OS and Data' disks are encrypted with CMK | Shared | The customer is responsible for implementing this recommendation. | Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK. | link | 5 |
| CIS_Azure_1.3.0 | 7.3 | CIS_Azure_1.3.0_7.3 | CIS Microsoft Azure Foundations Benchmark recommendation 7.3 | 7 Virtual Machines | Ensure that 'Unattached disks' are encrypted with CMK | Shared | The customer is responsible for implementing this recommendation. | Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). | link | 4 |
| CIS_Azure_1.3.0 | 7.7 | CIS_Azure_1.3.0_7.7 | CIS Microsoft Azure Foundations Benchmark recommendation 7.7 | 7 Virtual Machines | Ensure that VHD's are encrypted | Shared | The customer is responsible for implementing this recommendation. | VHDs (Virtual Hard Disks) are stored in BLOB storage and are the old-style disks that were attached to Virtual Machines; the BLOB VHD was then leased to the VM. By default, storage accounts are not encrypted, and Azure Defender (Security Center) would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK, and this should be turned on for storage accounts containing VHDs. | link | 4 |
| CIS_Azure_1.4.0 | 3.9 | CIS_Azure_1.4.0_3.9 | CIS Microsoft Azure Foundations Benchmark recommendation 3.9 | 3 Storage Accounts | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | Shared | The customer is responsible for implementing this recommendation. | Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed Keys. | link | 5 |
| CIS_Azure_1.4.0 | 4.1.2 | CIS_Azure_1.4.0_4.1.2 | CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 | 4 Database Services | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Shared | The customer is responsible for implementing this recommendation. | Enable Transparent Data Encryption on every SQL server. | link | 5 |
| CIS_Azure_1.4.0 | 4.3.8 | CIS_Azure_1.4.0_4.3.8 | CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8 | 4 Database Services | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | Shared | The customer is responsible for implementing this recommendation. | Enable encryption at rest for PostgreSQL Databases. | link | 4 |
| CIS_Azure_1.4.0 | 4.6 | CIS_Azure_1.4.0_4.6 | CIS Microsoft Azure Foundations Benchmark recommendation 4.6 | 4 Database Services | Ensure SQL server's TDE protector is encrypted with Customer-managed key | Shared | The customer is responsible for implementing this recommendation. | TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security. Based on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key). | link | 6 |
| CIS_Azure_1.4.0 | 7.2 | CIS_Azure_1.4.0_7.2 | CIS Microsoft Azure Foundations Benchmark recommendation 7.2 | 7 Virtual Machines | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | Shared | The customer is responsible for implementing this recommendation. | Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed Keys can be used with either ADE or Server Side Encryption (SSE). | link | 5 |
| CIS_Azure_1.4.0 | 7.3 | CIS_Azure_1.4.0_7.3 | CIS Microsoft Azure Foundations Benchmark recommendation 7.3 | 7 Virtual Machines | Ensure that 'Unattached disks' are encrypted with CMK | Shared | The customer is responsible for implementing this recommendation. | Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). | link | 4 |
| CIS_Azure_1.4.0 | 7.7 | CIS_Azure_1.4.0_7.7 | CIS Microsoft Azure Foundations Benchmark recommendation 7.7 | 7 Virtual Machines | Ensure that VHD's are Encrypted | Shared | The customer is responsible for implementing this recommendation. | VHDs (Virtual Hard Disks) are stored in BLOB storage and are the old-style disks that were attached to Virtual Machines; the BLOB VHD was then leased to the VM. By default, storage accounts are not encrypted, and Azure Defender (Security Center) would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK, and this should be turned on for storage accounts containing VHDs. | link | 4 |
| FedRAMP_High_R4 | SC-28 | FedRAMP_High_R4_SC-28 | FedRAMP High SC-28 | System And Communications Protection | Protection Of Information At Rest | Shared | n/a | The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. Supplemental Guidance: This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7. References: NIST Special Publications 800-56, 800-57, 800-111. | link | 17 |
| FedRAMP_Moderate_R4 | SC-28 | FedRAMP_Moderate_R4_SC-28 | FedRAMP Moderate SC-28 | System And Communications Protection | Protection Of Information At Rest | Shared | n/a | The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. Supplemental Guidance: This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7. References: NIST Special Publications 800-56, 800-57, 800-111. | link | 17 |
| hipaa | 0901.09s1Organizational.1-09.s | hipaa-0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s | 09 Transmission Protection | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Shared | n/a | The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. | | 31 |
| hipaa | 0947.09y2Organizational.2-09.y | hipaa-0947.09y2Organizational.2-09.y | 0947.09y2Organizational.2-09.y | 09 Transmission Protection | 0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services | Shared | n/a | The organization ensures the storage of the transaction details is located outside of any publicly accessible environments (e.g., on a storage platform existing on the organization's intranet) and not retained and exposed on a storage medium directly accessible from the Internet. | | 11 |
| hipaa | 1008.01d2System.3-01.d | hipaa-1008.01d2System.3-01.d | 1008.01d2System.3-01.d | 10 Password Management | 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems | Shared | n/a | Users sign a statement acknowledging their responsibility to keep passwords confidential. | | 15 |
| hipaa | 1132.01v2System.3-01.v | hipaa-1132.01v2System.3-01.v | 1132.01v2System.3-01.v | 11 Access Control | 1132.01v2System.3-01.v 01.06 Application and Information Access Control | Shared | n/a | Covered information is encrypted when stored in non-secure areas and, if not encrypted at rest, the organization documents its rationale. | | 2 |
| hipaa | 1134.01v3System.1-01.v | hipaa-1134.01v3System.1-01.v | 1134.01v3System.1-01.v | 11 Access Control | 1134.01v3System.1-01.v 01.06 Application and Information Access Control | Shared | n/a | Copy, move, print, and storage of sensitive data are prohibited when accessed remotely without a defined business need. | | 3 |
| hipaa | 1903.06d1Organizational.3456711-06.d | hipaa-1903.06d1Organizational.3456711-06.d | 1903.06d1Organizational.3456711-06.d | 19 Data Protection & Privacy | 1903.06d1Organizational.3456711-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | The confidentiality and integrity of covered information at rest is protected using an encryption method appropriate to the medium where it is stored; where the organization chooses not to encrypt covered information, a documented rationale for not doing so is maintained, or alternative compensating controls are used if the method is approved and reviewed annually by the CISO. | | 5 |
| ISO27001-2013 | A.8.2.3 | ISO27001-2013_A.8.2.3 | ISO 27001:2013 A.8.2.3 | Asset Management | Handling of assets | Shared | n/a | Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | link | 26 |
| NIST_SP_800-171_R2 | 3.13.16 | NIST_SP_800-171_R2_3.13.16 | NIST SP 800-171 R2 3.13.16 | System and Communications Protection | Protect the confidentiality of CUI at rest. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. See [NIST CRYPTO]. | link | 19 |
| NIST_SP_800-53_R4 | SC-28 | NIST_SP_800-53_R4_SC-28 | NIST SP 800-53 Rev. 4 SC-28 | System And Communications Protection | Protection Of Information At Rest | Shared | n/a | The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. Supplemental Guidance: This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7. References: NIST Special Publications 800-56, 800-57, 800-111. | link | 17 |
| NIST_SP_800-53_R5 | SC-28 | NIST_SP_800-53_R5_SC-28 | NIST SP 800-53 Rev. 5 SC-28 | System and Communications Protection | Protection of Information at Rest | Shared | n/a | Protect the [Selection (OneOrMore): confidentiality;integrity] of the following information at rest: [Assignment: organization-defined information at rest]. | link | 17 |
| PCI_DSS_v4.0 | 3.5.1 | PCI_DSS_v4.0_3.5.1 | PCI DSS v4.0 3.5.1 | Requirement 03: Protect Stored Account Data | Primary account number (PAN) is secured wherever it is stored | Shared | n/a | PAN is rendered unreadable anywhere it is stored by using any of the following approaches: • One-way hashes based on strong cryptography of the entire PAN. • Truncation (hashing cannot be used to replace the truncated segment of PAN). – If hashed and truncated versions of the same PAN, or different truncation formats of the same PAN, are present in an environment, additional controls are in place such that the different versions cannot be correlated to reconstruct the original PAN. • Index tokens. • Strong cryptography with associated key-management processes and procedures. | link | 12 |
| PCI_DSS_v4.0 | 3.5.1.1 | PCI_DSS_v4.0_3.5.1.1 | PCI DSS v4.0 3.5.1.1 | Requirement 03: Protect Stored Account Data | Primary account number (PAN) is secured wherever it is stored | Shared | n/a | Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7. | link | 4 |
| PCI_DSS_v4.0 | 3.5.1.2 | PCI_DSS_v4.0_3.5.1.2 | PCI DSS v4.0 3.5.1.2 | Requirement 03: Protect Stored Account Data | Primary account number (PAN) is secured wherever it is stored | Shared | n/a | If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows: • On removable electronic media, OR • If used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets Requirement 3.5.1. | link | 4 |
| PCI_DSS_v4.0 | 3.5.1.3 | PCI_DSS_v4.0_3.5.1.3 | PCI DSS v4.0 3.5.1.3 | Requirement 03: Protect Stored Account Data | Primary account number (PAN) is secured wherever it is stored | Shared | n/a | If disk-level or partition-level encryption is used (rather than file-, column-, or field-level database encryption) to render PAN unreadable, it is managed as follows: • Logical access is managed separately and independently of native operating system authentication and access control mechanisms. • Decryption keys are not associated with user accounts. | link | 4 |
| SOC_2 | CC6.1 | SOC_2_CC6.1 | SOC 2 Type 2 CC6.1 | Logical and Physical Access Controls | Logical access security software, infrastructure, and architectures | Shared | The customer is responsible for implementing this recommendation. | The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction. | | 80 |
| SWIFT_CSCF_v2022 | 2.1 | SWIFT_CSCF_v2022_2.1 | SWIFT CSCF v2022 2.1 | 2. Reduce Attack Surface and Vulnerabilities | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Shared | n/a | Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. | link | 36 |