last sync: 2025-Mar-14 18:30:15 UTC

Windows machines should meet requirements for 'Security Options - Network Access'

Azure BuiltIn Policy definition

Source Azure Portal
Display name Windows machines should meet requirements for 'Security Options - Network Access'
Id 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd
Version 3.0.0
Versioning 1 version supported: 3.0.0 (Built-in Versioning [Preview])
Category Guest Configuration
Description Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '2.0.0'
Repository: Azure-Policy 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default: AuditIfNotExists
Allowed: AuditIfNotExists, Disabled
RBAC role(s) none
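The description above names the Group Policy category this policy audits but not the individual settings. The PowerShell below is an added example, not part of the policy definition or of Microsoft's Guest Configuration package: it reads the registry values under which the 'Security Options - Network Access' Group Policy settings are stored and compares them with hardened values, so an administrator can see on the machine itself what the audit is likely to flag. The registry paths and expected values follow the common Windows security baselines (CIS / Microsoft) and are assumptions; the page does not list the exact settings or values the Guest Configuration package checks.

```powershell
# Added example (not from the policy page): local audit of the Windows
# 'Security Options - Network Access' settings. Registry locations and the
# expected values are the baseline mappings and are assumptions; the exact
# values the Guest Configuration package audits are not shown on the page.

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg'

$checks = @(
    @{ Name = 'Network access: Do not allow anonymous enumeration of SAM accounts'
       Path = $lsa;    Value = 'RestrictAnonymousSAM';      Expect = 1 },
    @{ Name = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Path = $lsa;    Value = 'RestrictAnonymous';         Expect = 1 },
    @{ Name = 'Network access: Let Everyone permissions apply to anonymous users'
       Path = $lsa;    Value = 'EveryoneIncludesAnonymous'; Expect = 0 },
    @{ Name = 'Network access: Do not allow storage of passwords and credentials for network authentication'
       Path = $lsa;    Value = 'DisableDomainCreds';        Expect = 1 },
    @{ Name = 'Network access: Sharing and security model for local accounts (0 = Classic)'
       Path = $lsa;    Value = 'ForceGuest';                Expect = 0 },
    @{ Name = 'Network access: Restrict clients allowed to make remote calls to SAM (Administrators only)'
       Path = $lsa;    Value = 'RestrictRemoteSAM';         Expect = 'O:BAG:BAD:(A;;RC;;;BA)' },
    @{ Name = 'Network access: Restrict anonymous access to Named Pipes and Shares'
       Path = $lanman; Value = 'RestrictNullSessAccess';    Expect = 1 },
    @{ Name = 'Network access: Shares that can be accessed anonymously (must be empty)'
       Path = $lanman; Value = 'NullSessionShares';         Expect = @() },
    @{ Name = 'Network access: Remotely accessible registry paths'
       Path = "$winreg\AllowedExactPaths"; Value = 'Machine'
       Expect = @('System\CurrentControlSet\Control\ProductOptions',
                  'System\CurrentControlSet\Control\Server Applications',
                  'Software\Microsoft\Windows NT\CurrentVersion') }
)

function Test-NetworkAccessSetting {
    param([hashtable]$Check)

    $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Value `
                   -ErrorAction SilentlyContinue).($Check.Value)

    if ($null -eq $actual) {
        # No explicit value: the effective setting is the OS default, which
        # varies by Windows version, so report it instead of passing silently.
        return [pscustomobject]@{
            Setting = $Check.Name; Expected = (@($Check.Expect) -join '; ')
            Actual  = '<not set>';  Compliant = $false }
    }

    if ($Check.Expect -is [array]) {
        # REG_MULTI_SZ: compare as sets, ignoring blank lines and ordering.
        $a  = @($actual | Where-Object { "$_" -ne '' } | Sort-Object) -join "`n"
        $e  = @($Check.Expect | Sort-Object) -join "`n"
        $ok = ($a -eq $e)
    } else {
        # REG_DWORD / REG_SZ: exact match on the string form.
        $ok = ("$actual" -eq "$($Check.Expect)")
    }

    [pscustomobject]@{
        Setting   = $Check.Name
        Expected  = (@($Check.Expect) -join '; ')
        Actual    = (@($actual) -join '; ')
        Compliant = $ok }
}

$results = $checks | ForEach-Object { Test-NetworkAccessSetting -Check $_ }
$results | Format-Table -AutoSize -Wrap

if ($results.Compliant -contains $false) {
    Write-Warning 'One or more Network Access settings deviate from the expected baseline.'
}
```

Run it in an elevated session on the machine being assessed. Two caveats: 'Network access: Allow anonymous SID/Name translation' lives in the local security policy database rather than the registry (export it with `secedit /export` and look for LSAAnonymousNameLookup), so it is not covered here; and a '<not set>' result is a finding to investigate, not necessarily a failure, because Windows applies a per-version default when the value is absent. The definitive result is still the Guest Configuration assignment's complianceStatus that this policy's THEN condition reads.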
Rule aliases IF (7)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Compute/imageOffer Microsoft.Compute virtualMachines properties.storageProfile.imageReference.offer True False
Microsoft.Compute/imageOffer Microsoft.Compute virtualMachineScaleSets properties.virtualMachineProfile.storageProfile.imageReference.offer True False
Microsoft.Compute/imageOffer Microsoft.Compute disks properties.creationData.imageReference.id True False
Microsoft.Compute/imagePublisher Microsoft.Compute virtualMachines properties.storageProfile.imageReference.publisher True False
Microsoft.Compute/imagePublisher Microsoft.Compute virtualMachineScaleSets properties.virtualMachineProfile.storageProfile.imageReference.publisher True False
Microsoft.Compute/imagePublisher Microsoft.Compute disks properties.creationData.imageReference.id True False
Microsoft.Compute/imageSKU Microsoft.Compute virtualMachines properties.storageProfile.imageReference.sku True False
Microsoft.Compute/imageSKU Microsoft.Compute virtualMachineScaleSets properties.virtualMachineProfile.storageProfile.imageReference.sku True False
Microsoft.Compute/imageSKU Microsoft.Compute disks properties.creationData.imageReference.id True False
Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration Microsoft.Compute virtualMachines properties.osProfile.windowsConfiguration True True
Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType Microsoft.Compute virtualMachines properties.storageProfile.osDisk.osType True True
Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType Microsoft.ConnectedVMwarevSphere virtualmachines properties.osProfile.osType True False
Microsoft.HybridCompute/imageOffer Microsoft.HybridCompute machines properties.osName True False
THEN-ExistenceCondition (2)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus Microsoft.GuestConfiguration guestConfigurationAssignments properties.complianceStatus True False
Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash Microsoft.GuestConfiguration guestConfigurationAssignments properties.parameterHash True False
Rule resource types IF (3)
Microsoft.Compute/virtualMachines
Microsoft.ConnectedVMwarevSphere/virtualMachines
Microsoft.HybridCompute/machines
Compliance
The following 69 compliance controls are associated with this Policy definition 'Windows machines should meet requirements for 'Security Options - Network Access'' (3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v1.0 1.11 Azure_Security_Benchmark_v1.0_1.11 Azure Security Benchmark 1.11 Network Security Use automated tools to monitor network resource configurations and detect changes Customer Use Azure Policy to validate (and/or remediate) configuration for network resources. How to configure and manage Azure Policy: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage Azure Policy samples for networking: https://docs.microsoft.com/azure/governance/policy/samples/#network n/a link 7
CIS_Controls_v8.1 5.1 CIS_Controls_v8.1_5.1 CIS Controls v8.1 5.1 Account Management Establish and maintain an inventory of accounts Shared 1. Establish and maintain an inventory of all accounts managed in the enterprise. 2. The inventory must include both user and administrator accounts. 3. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. 4. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. To ensure accurate tracking and management of accounts. 35
CIS_Controls_v8.1 6.8 CIS_Controls_v8.1_6.8 CIS Controls v8.1 6.8 Access Control Management Define and maintain role-based access control. Shared 1. Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. 2. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. To implement a system of role-based access control. 30
CMMC_L2_v1.9.0 PE.L2_3.10.6 CMMC_L2_v1.9.0_PE.L2_3.10.6 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 PE.L2 3.10.6 Physical Protection Alternative Work Sites Shared Enforce safeguarding measures for CUI at alternate work sites. To ensure that sensitive information is protected even when employees are working remotely or at off site locations. 11
CMMC_L3 AC.1.001 CMMC_L3_AC.1.001 CMMC L3 AC.1.001 Access Control Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Shared Microsoft and the customer share responsibilities for implementing this requirement. Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged versus non-privileged) are addressed in requirement AC.1.002. link 31
CMMC_L3 AC.1.002 CMMC_L3_AC.1.002 CMMC L3 AC.1.002 Access Control Limit information system access to the types of transactions and functions that authorized users are permitted to execute. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades, scheduled maintenance) and mission or business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). link 27
CMMC_L3 AC.2.016 CMMC_L3_AC.2.016 CMMC L3 AC.2.016 Access Control Control the flow of CUI in accordance with approved authorizations. Shared Microsoft and the customer share responsibilities for implementing this requirement. Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. link 16
CMMC_L3 SC.1.175 CMMC_L3_SC.1.175 CMMC L3 SC.1.175 System and Communications Protection Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. link 30
CMMC_L3 SC.3.183 CMMC_L3_SC.3.183 CMMC L3 SC.3.183 System and Communications Protection Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. link 30
CSA_v4.0.12 IAM_02 CSA_v4.0.12_IAM_02 CSA Cloud Controls Matrix v4.0.12 IAM 02 Identity & Access Management Strong Password Policy and Procedures Shared n/a Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually. 52
CSA_v4.0.12 IAM_04 CSA_v4.0.12_IAM_04 CSA Cloud Controls Matrix v4.0.12 IAM 04 Identity & Access Management Separation of Duties Shared n/a Employ the separation of duties principle when implementing information system access. 43
CSA_v4.0.12 IAM_06 CSA_v4.0.12_IAM_06 CSA Cloud Controls Matrix v4.0.12 IAM 06 Identity & Access Management User Access Provisioning Shared n/a Define and implement a user access provisioning process which authorizes, records, and communicates access changes to data and assets. 24
CSA_v4.0.12 IAM_07 CSA_v4.0.12_IAM_07 CSA Cloud Controls Matrix v4.0.12 IAM 07 Identity & Access Management User Access Changes and Revocation Shared n/a De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies. 56
CSA_v4.0.12 IAM_10 CSA_v4.0.12_IAM_10 CSA Cloud Controls Matrix v4.0.12 IAM 10 Identity & Access Management Management of Privileged Access Roles Shared n/a Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access. 56
CSA_v4.0.12 IAM_13 CSA_v4.0.12_IAM_13 CSA Cloud Controls Matrix v4.0.12 IAM 13 Identity & Access Management Uniquely Identifiable Users Shared n/a Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs. 49
CSA_v4.0.12 IAM_16 CSA_v4.0.12_IAM_16 CSA Cloud Controls Matrix v4.0.12 IAM 16 Identity & Access Management Authorization Mechanisms Shared n/a Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized. 46
Cyber_Essentials_v3.1 1 Cyber_Essentials_v3.1_1 Cyber Essentials v3.1 1 Cyber Essentials Firewalls Shared n/a Aim: to make sure that only secure and necessary network services can be accessed from the internet. 37
Cyber_Essentials_v3.1 2 Cyber_Essentials_v3.1_2 Cyber Essentials v3.1 2 Cyber Essentials Secure Configuration Shared n/a Aim: ensure that computers and network devices are properly configured to reduce vulnerabilities and provide only the services required to fulfill their role. 61
Cyber_Essentials_v3.1 4 Cyber_Essentials_v3.1_4 Cyber Essentials v3.1 4 Cyber Essentials User Access Control Shared n/a Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role. 74
Cyber_Essentials_v3.1 5 Cyber_Essentials_v3.1_5 Cyber Essentials v3.1 5 Cyber Essentials Malware protection Shared n/a Aim: to restrict execution of known malware and untrusted software, from causing damage or accessing data. 60
FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 Policy and Implementation - Access Control Access Control Shared Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. 97
FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 404 not found n/a n/a 96
hipaa 0861.09m2Organizational.67-09.m hipaa-0861.09m2Organizational.67-09.m 0861.09m2Organizational.67-09.m 08 Network Protection 0861.09m2Organizational.67-09.m 09.06 Network Security Management Shared n/a To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either a (i) shared known information solution, or (ii) an organizational authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system. 7
HITRUST_CSF_v11.3 01.c HITRUST_CSF_v11.3_01.c HITRUST CSF v11.3 01.c Authorized Access to Information Systems To control privileged access to information systems and services. Shared 1. Privileged role assignments to be automatically tracked and monitored. 2. Role-based access controls to be implemented and should be capable of mapping each user to one or more roles, and each role to one or more system functions. 3. Critical security functions to be executable only after granting of explicit authorization. The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls. 44
HITRUST_CSF_v11.3 01.i HITRUST_CSF_v11.3_01.i HITRUST CSF v11.3 01.i Network Access Control To implement role based access to internal and external network services. Shared 1. It is to be determined who is allowed access to which network and what networked services. 2. The networks and network services to which users have authorized access is to be specified. Users shall only be provided with access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied for users and equipment. 11
HITRUST_CSF_v11.3 01.j HITRUST_CSF_v11.3_01.j HITRUST CSF v11.3 01.j Network Access Control To prevent unauthorized access to networked services. Shared 1. External access to systems to be strictly regulated and tightly controlled. 2. External access to sensitive systems to be automatically deactivated immediately after use. 3. Authentication of remote users to be done by using cryptography, biometrics, hardware tokens, software tokens, a challenge/response protocol, or certificate agents. 4. Dial-up connections to be encrypted. Appropriate authentication methods shall be used to control access by remote users. 16
ISO_IEC_27002_2022 6.7 ISO_IEC_27002_2022_6.7 ISO IEC 27002 2022 6.7 Protection, Preventive, Control Remote working Shared Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises. To ensure the security of information when personnel are working remotely. 11
ISO_IEC_27002_2022 8.9 ISO_IEC_27002_2022_8.9 ISO IEC 27002 2022 8.9 Protection, Preventive Control Configuration management Shared Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes. 21
NIST_SP_800-171_R3_3.1.12 NIST_SP_800-171_R3_3.1.12 NIST 800-171 R3 3.1.12 Access Control Remote Access Shared Remote access to the system represents a significant potential vulnerability that can be exploited by adversaries. Monitoring and controlling remote access methods allows organizations to detect attacks and ensure compliance with remote access policies. This occurs by auditing the connection activities of remote users on the systems. Routing remote access through managed access control points enhances explicit control over such connections and reduces susceptibility to unauthorized access to the system, which could result in the unauthorized disclosure of CUI. Restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and its susceptibility to threats by adversaries. A privileged command is a human-initiated command executed on a system that involves the control, monitoring, or administration of the system, including security functions and security-relevant information. Security-relevant information is information that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling access from remote locations helps to ensure that unauthorized individuals are unable to execute such commands with the potential to do serious or catastrophic damage to the system. a. Establish usage restrictions, configuration requirements, and connection requirements for each type of allowable remote system access. b. Authorize each type of remote system access prior to establishing such connections. c. Route remote access to the system through authorized and managed access control points. d. Authorize remote execution of privileged commands and remote access to security-relevant information. 15
NIST_SP_800-171_R3_3.1.2 NIST_SP_800-171_R3_3.1.2 NIST 800-171 R3 3.1.2 Access Control Access Enforcement Shared Access control policies control access between active entities or subjects (i.e., users or system processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. Types of system access include remote access and access to systems that communicate through external networks, such as the internet. Access enforcement mechanisms can also be employed at the application and service levels to provide increased protection for CUI. This recognizes that the system can host many applications and services in support of mission and business functions. Enforce approved authorizations for logical access to CUI and system resources. 38
NIST_SP_800-171_R3_3.5.5 NIST_SP_800-171_R3_3.5.5 404 not found n/a n/a 43
NIST_SP_800-53_R5.1.1 AC.17 NIST_SP_800-53_R5.1.1_AC.17 NIST SP 800-53 R5.1.1 AC.17 Access Control Remote Access Shared a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections. Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3. Enforcing access restrictions for remote access is addressed via AC-3. 11
NIST_SP_800-53_R5.1.1 AC.3 NIST_SP_800-53_R5.1.1_AC.3 NIST SP 800-53 R5.1.1 AC.3 Access Control Access Enforcement Shared Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family. 22
NZISM_v3.7 14.1.10.C.01. NZISM_v3.7_14.1.10.C.01. NZISM v3.7 14.1.10.C.01. Standard Operating Environments 14.1.10.C.01. - To reduce potential vulnerabilities. Shared n/a Agencies MUST reduce potential vulnerabilities in their SOEs by: 1. removing unused accounts; 2. renaming or deleting default accounts; and 3. replacing default passwords before or during the installation process. 39
NZISM_v3.7 14.1.10.C.02. NZISM_v3.7_14.1.10.C.02. NZISM v3.7 14.1.10.C.02. Standard Operating Environments 14.1.10.C.02. - To reduce potential vulnerabilities. Shared n/a Agencies SHOULD reduce potential vulnerabilities in their SOEs by: 1. removing unused accounts; 2. renaming or deleting default accounts; and 3. replacing default passwords, before or during the installation process. 39
NZISM_v3.7 16.1.47.C.01. NZISM_v3.7_16.1.47.C.01. NZISM v3.7 16.1.47.C.01. Identification, Authentication and Passwords 16.1.47.C.01. - To enhance overall security posture. Shared n/a Agencies SHOULD ensure that repeated account lockouts are investigated before reauthorising access. 39
NZISM_v3.7 16.5.10.C.01. NZISM_v3.7_16.5.10.C.01. NZISM v3.7 16.5.10.C.01. Remote Access 16.5.10.C.01. - To enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies MUST authenticate each remote connection and user prior to permitting access to an agency system. 11
NZISM_v3.7 16.5.10.C.02. NZISM_v3.7_16.5.10.C.02. NZISM v3.7 16.5.10.C.02. Remote Access 16.5.10.C.02. - To enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies SHOULD authenticate both the remote system user and device during the authentication process. 21
NZISM_v3.7 16.5.11.C.01. NZISM_v3.7_16.5.11.C.01. NZISM v3.7 16.5.11.C.01. Remote Access 16.5.11.C.01. - To enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies MUST NOT allow the use of remote privileged access from an untrusted domain, including logging in as an unprivileged system user and then escalating privileges. 11
NZISM_v3.7 16.5.11.C.02. NZISM_v3.7_16.5.11.C.02. NZISM v3.7 16.5.11.C.02. Remote Access 16.5.11.C.02. - To enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies SHOULD NOT allow the use of remote privileged access from an untrusted domain, including logging in as an unprivileged system user and then escalating privileges. 11
NZISM_v3.7 16.5.12.C.01. NZISM_v3.7_16.5.12.C.01. NZISM v3.7 16.5.12.C.01. Remote Access 16.5.12.C.01. - To enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies SHOULD establish VPN connections for all remote access connections. 11
NZISM_v3.7 17.5.7.C.01. NZISM_v3.7_17.5.7.C.01. NZISM v3.7 17.5.7.C.01. Secure Shell 17.5.7.C.01. - To enhance overall cybersecurity posture. Shared n/a Agencies SHOULD use public key-based authentication before using password-based authentication. 37
NZISM_v3.7 17.5.7.C.02. NZISM_v3.7_17.5.7.C.02. NZISM v3.7 17.5.7.C.02. Secure Shell 17.5.7.C.02. - To enhance overall cybersecurity posture. Shared n/a Agencies that allow password authentication SHOULD use techniques to block brute force attacks against the password. 42
NZISM_v3.7 20.4.4.C.01. NZISM_v3.7_20.4.4.C.01. NZISM v3.7 20.4.4.C.01. Databases 20.4.4.C.01. - To enhance data security and integrity. Shared n/a Agencies MUST protect database files from access that bypasses the database's normal access controls. 23
NZISM_v3.7 20.4.4.C.02. NZISM_v3.7_20.4.4.C.02. NZISM v3.7 20.4.4.C.02. Databases 20.4.4.C.02. - To enhance data security and integrity. Shared n/a Agencies SHOULD protect database files from access that bypass normal access controls. 23
NZISM_v3.7 20.4.5.C.01. NZISM_v3.7_20.4.5.C.01. NZISM v3.7 20.4.5.C.01. Databases 20.4.5.C.01. - To enhance data security and integrity. Shared n/a Agencies MUST enable logging and auditing of system users' actions. 22
NZISM_v3.7 20.4.5.C.02. NZISM_v3.7_20.4.5.C.02. NZISM v3.7 20.4.5.C.02. Databases 20.4.5.C.02. - To bolster data security and compliance measures. Shared n/a Agencies SHOULD ensure that databases provide functionality to allow for auditing of system users' actions. 22
NZISM_v3.7 20.4.6.C.01. NZISM_v3.7_20.4.6.C.01. NZISM v3.7 20.4.6.C.01. Databases 20.4.6.C.01. - To mitigate the risk of unauthorized access to sensitive information and ensure compliance with security clearance requirements. Shared n/a If results from database queries cannot be appropriately filtered, agencies MUST ensure that all query results are appropriately sanitised to meet the minimum security clearances of system users. 22
NZISM_v3.7 20.4.6.C.02. NZISM_v3.7_20.4.6.C.02. NZISM v3.7 20.4.6.C.02. Databases 20.4.6.C.02. - To enhance data security. Shared n/a Agencies SHOULD ensure that system users who do not have sufficient security clearances to view database contents cannot see or interrogate associated metadata in a list of results from a search engine query. 22
PCI_DSS_v4.0.1 1.2.1 PCI_DSS_v4.0.1_1.2.1 PCI DSS v4.0.1 1.2.1 Install and Maintain Network Security Controls Configuration standards for NSC rulesets are defined, implemented, and maintained Shared n/a Examine the configuration standards for NSC rulesets to verify the standards are in accordance with all elements specified in this requirement. Examine configuration settings for NSC rulesets to verify that rulesets are implemented according to the configuration standards 11
PCI_DSS_v4.0.1 1.2.7 PCI_DSS_v4.0.1_1.2.7 PCI DSS v4.0.1 1.2.7 Install and Maintain Network Security Controls Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective Shared n/a Examine documentation to verify procedures are defined for reviewing configurations of NSCs at least once every six months. Examine documentation of reviews of configurations for NSCs and interview responsible personnel to verify that reviews occur at least once every six months. Examine configurations for NSCs to verify that configurations identified as no longer being supported by a business justification are removed or updated 11
PCI_DSS_v4.0.1 7.2.3 PCI_DSS_v4.0.1_7.2.3 PCI DSS v4.0.1 7.2.3 Restrict Access to System Components and Cardholder Data by Business Need to Know Required privileges are approved by authorized personnel Shared n/a Examine policies and procedures to verify they define processes for approval of all privileges by authorized personnel. Examine user IDs and assigned privileges, and compare with documented approvals to verify that: Documented approval exists for the assigned privileges. The approval was by authorized personnel. Specified privileges match the roles assigned to the individual 38
PCI_DSS_v4.0.1 7.2.4 PCI_DSS_v4.0.1_7.2.4 PCI DSS v4.0.1 7.2.4 Restrict Access to System Components and Cardholder Data by Business Need to Know All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: At least once every six months. To ensure user accounts and access remain appropriate based on job function. Any inappropriate access is addressed. Management acknowledges that access remains appropriate Shared n/a Examine policies and procedures to verify they define processes to review all user accounts and related access privileges, including third-party/vendor accounts, in accordance with all elements specified in this requirement. Interview responsible personnel and examine documented results of periodic reviews of user accounts to verify that all the results are in accordance with all elements specified in this requirement 40
PCI_DSS_v4.0.1 7.2.5.1 PCI_DSS_v4.0.1_7.2.5.1 PCI DSS v4.0.1 7.2.5.1 Restrict Access to System Components and Cardholder Data by Business Need to Know All access by application and system accounts and related access privileges are reviewed as follows: Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1). The application/system access remains appropriate for the function being performed. Any inappropriate access is addressed. Management acknowledges that access remains appropriate Shared n/a Examine policies and procedures to verify they define processes to review all application and system accounts and related access privileges in accordance with all elements specified in this requirement. Examine the entity’s targeted risk analysis for the frequency of periodic reviews of application and system accounts and related access privileges to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1. Interview responsible personnel and examine documented results of periodic reviews of system and application accounts and related privileges to verify that the reviews occur in accordance with all elements specified in this requirement 39
Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes Oxley Act 2022 1 PUBLIC LAW Sarbanes Oxley Act 2022 (SOX) Shared n/a n/a 92
SOC_2023 C1.1 SOC_2023_C1.1 SOC 2023 C1.1 Additional Criteria for Confidentiality To preserve trust, compliance, and competitive advantage. Shared n/a The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality. 11
SOC_2023 CC1.3 SOC_2023_CC1.3 SOC 2023 CC1.3 Control Environment To enable effective execution of authorities, information flow, and setup of appropriate responsibilities to achieve organizational objectives. Shared n/a 1. Ensure the management establishes, with board oversight, structures including operating units, legal entities, geographic distribution and outsourced service providers. 2. Design and evaluate reporting lines for each entity to enable execution of authorities, execution and flow of information and setup appropriate authorities and responsibilities in the pursuit of objectives. 13
SOC_2023 CC2.2 SOC_2023_CC2.2 SOC 2023 CC2.2 Information and Communication To facilitate effective internal communication, including objectives and responsibilities for internal control. Shared n/a Entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control by setting up a process to communicate required information to enable personnel to understand and carry out responsibilities, ensuring communication exists between management and the board of directors, providing separate communication channels which serve as a fail-safe mechanism to enable anonymous or confidential communication, and setting up relevant methods of communication by considering the timing, audience and nature of the information 28
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 218
SOC_2023 CC5.2 SOC_2023_CC5.2 SOC 2023 CC5.2 Control Activities To mitigate technology-related risks and ensure that technology effectively supports the organization in achieving its objectives, enhancing efficiency, reliability, and security in its operations. Shared n/a Entity also selects and develops general control activities over technology to support the achievement of objectives by determining Dependency Between the Use of Technology in Business Processes and Technology General Controls, establishing Relevant Technology Infrastructure Control Activities, establishing Relevant Security Management Process Controls Activities, establishing Relevant Technology Acquisition and Development, and Maintenance of Process Control Activities. 15
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 229
SOC_2023 CC6.1 SOC_2023_CC6.1 SOC 2023 CC6.1 Logical and Physical Access Controls To mitigate security events and ensure the confidentiality, integrity, and availability of critical information assets. Shared n/a Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identifying and authenticating users, considering network segmentation, managing points of access, restricting access to information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data, and protecting encryption keys. 128
SOC_2023 CC6.3 SOC_2023_CC6.3 404 not found n/a n/a 56
SOC_2023 CC7.1 SOC_2023_CC7.1 SOC 2023 CC7.1 Systems Operations To maintain a proactive approach to cybersecurity and mitigate risks effectively. Shared n/a To meet its objectives, the entity uses detection and monitoring procedures to identify changes to configurations that result in the introduction of new vulnerabilities, and susceptibilities to newly discovered vulnerabilities. 11
SOC_2023 CC7.2 SOC_2023_CC7.2 SOC 2023 CC7.2 Systems Operations To maintain robust security measures and ensure operational resilience. Shared n/a The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. 167
SOC_2023 CC7.5 SOC_2023_CC7.5 SOC 2023 CC7.5 Systems Operations To ensure prompt restoration of normal operations, mitigation of residual risks, and enhancement of incident response capabilities to minimize the impact of future incidents. Shared n/a The entity identifies, develops, and implements activities to recover from identified security incidents. 12
SOC_2023 CC8.1 SOC_2023_CC8.1 SOC 2023 CC8.1 Change Management To minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. Shared n/a The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by managing changes throughout the system life cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies, and providing for necessary changes in emergency situations. 147
SOC_2023 CC9.2 SOC_2023_CC9.2 SOC 2023 CC9.2 Risk Mitigation To ensure effective risk management throughout the supply chain and business ecosystem. Shared n/a Entity assesses and manages risks associated with vendors and business partners. 43
SOC_2023 PI1.3 SOC_2023_PI1.3 SOC 2023 PI1.3 Additional Criteria for Processing Integrity (Over the provision of services or the production, manufacturing, or distribution of goods) To enhance efficiency, accuracy, and compliance with organizational standards and regulatory requirements with regards to system processing to result in products, services, and reporting to meet the entity’s objectives. Shared n/a The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives. 50
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn true
[Preview]: Motion Picture Association of America (MPAA) 92646f03-e39d-47a9-9e24-58d60ef49af8 Regulatory Compliance Preview BuiltIn unknown
[Preview]: Windows machines should meet requirements for the Azure compute security baseline be7a78aa-3e10-4153-a5fd-8c6506dbc821 Guest Configuration Preview BuiltIn true
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn true
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cyber Essentials v3.1 b2f588d7-1ed5-47c7-977d-b93dff520c4c Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
Sarbanes Oxley Act 2022 5757cf73-35d1-46d4-8c78-17b7ddd6076a Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-01-28 17:51:01 change Major (2.0.0 > 3.0.0)
2020-09-15 14:06:41 change Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Network Access'
2020-08-20 14:05:01 add 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd