compliance controls are associated with this Policy definition 'Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled' (40e85574-ef33-47e8-a854-7a65c7500560)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v3.0 |
DP-4 |
Azure_Security_Benchmark_v3.0_DP-4 |
Microsoft cloud security benchmark DP-4 |
Data Protection |
Enable data at rest encryption by default |
Shared |
**Security Principle:**
To complement access controls, data at rest should be protected against 'out of band' attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data.
**Azure Guidance:**
Many Azure services have data at rest encryption enabled by default at the infrastructure layer using a service-managed key.
Where technically feasible and not enabled by default, you can enable data at rest encryption in the Azure services, or in your VMs for storage level, file level, or database level encryption.
**Implementation and additional context:**
Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services
Data at rest double encryption in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-models
Encryption model and key management table:
https://docs.microsoft.com/azure/security/fundamentals/encryption-models |
n/a |
link |
8 |
| Canada_Federal_PBMM_3-1-2020 |
AC_5 |
Canada_Federal_PBMM_3-1-2020_AC_5 |
Canada Federal PBMM 3-1-2020 AC 5 |
Separation of Duties |
Separation of Duties |
Shared |
The organization:
1. Separate organization-defined duties of individuals including at least separation of operational, development, security monitoring, and management functions;
2. Documents separation of duties of individuals; and
3. Defines information system access authorizations to support separation of duties.
|
To facilitate proper separation of duties within the organization.
|
|
18 |
| CIS_Controls_v8.1 |
3.3 |
CIS_Controls_v8.1_3.3 |
CIS Controls v8.1 3.3 |
Data Protection |
Configure data access control lists |
Shared |
1. Configure data access control lists based on a user’s need to know.
2. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
|
To ensure that users have access only to the data necessary for their roles. |
|
25 |
| CIS_Controls_v8.1 |
6.8 |
CIS_Controls_v8.1_6.8 |
CIS Controls v8.1 6.8 |
Access Control Management |
Define and maintain role-based access control. |
Shared |
1. Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties.
2. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. |
To implement a system of role-based access control. |
|
30 |
| Cyber_Essentials_v3.1 |
2 |
Cyber_Essentials_v3.1_2 |
Cyber Essentials v3.1 2 |
Cyber Essentials |
Secure Configuration |
Shared |
n/a |
Aim: ensure that computers and network devices are properly configured to reduce vulnerabilities and provide only the services required to fulfill their role. |
|
61 |
| Cyber_Essentials_v3.1 |
4 |
Cyber_Essentials_v3.1_4 |
Cyber Essentials v3.1 4 |
Cyber Essentials |
User Access Control |
Shared |
n/a |
Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role. |
|
74 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
310 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.5 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 |
Policy and Implementation - Access Control |
Access Control |
Shared |
Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. |
Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. |
|
97 |
| HITRUST_CSF_v11.3 |
01.c |
HITRUST_CSF_v11.3_01.c |
HITRUST CSF v11.3 01.c |
Authorized Access to Information Systems |
Control privileged access to information systems and services. |
Shared |
1. Privileged role assignments to be automatically tracked and monitored.
2. Role-based access controls to be implemented and should be capable of mapping each user to one or more roles, and each role to one or more system functions.
3. Critical security functions to be executable only after granting of explicit authorization. |
The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls. |
|
44 |
| New_Zealand_ISM |
16.1.32.C.01 |
New_Zealand_ISM_16.1.32.C.01 |
New_Zealand_ISM_16.1.32.C.01 |
16. Access Control and Passwords |
16.1.32.C.01 System user identification |
|
n/a |
Agencies MUST ensure that all system users are: uniquely identifiable; and authenticated on each occasion that access is granted to a system. |
|
18 |
| NIST_CSF_v2.0 |
PR.AA |
NIST_CSF_v2.0_PR.AA |
404 not found |
|
|
|
n/a |
n/a |
|
3 |
| NIST_CSF_v2.0 |
PR.AA_05 |
NIST_CSF_v2.0_PR.AA_05 |
NIST CSF v2.0 PR.AA 05 |
PROTECT- Identity Management, Authentication, and Access |
Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties. |
Shared |
n/a |
To implement safeguards for managing organization’s cybersecurity risks. |
|
29 |
| NIST_SP_800-53_R5.1.1 |
AC.3.3 |
NIST_SP_800-53_R5.1.1_AC.3.3 |
NIST SP 800-53 R5.1.1 AC.3.3 |
Access Control |
Access Enforcement | Mandatory Access Control |
Shared |
Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy:
(a) Is uniformly enforced across the covered subjects and objects within the system;
(b) Specifies that a subject that has been granted access to information is constrained from doing any of the following;
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
(3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;
(4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and
(5) Changing the rules governing access control; and
(c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints. |
Mandatory access control is a type of nondiscretionary access control. Mandatory access control policies constrain what actions subjects can take with information obtained from objects for which they have already been granted access. This prevents the subjects from passing the information to unauthorized subjects and objects. Mandatory access control policies constrain actions that subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the system has control. Otherwise, the access control policy can be circumvented. This enforcement is provided by an implementation that meets the reference monitor concept as described in AC-25. The policy is bounded by the system (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect).
The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges necessary for satisfying organizational mission/business needs relative to the above policy. The control is most applicable when there is a mandate that establishes a policy regarding access to controlled unclassified information or classified information and some users of the system are not authorized access to all such information resident in the system. Mandatory access control can operate in conjunction with discretionary access control as described in AC-3(4). A subject constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of AC-3(4), but mandatory access control policies take precedence over the less rigorous constraints of AC-3(4). For example, while a mandatory access control policy imposes a constraint that prevents a subject from passing information to another subject operating at a different impact or classification level, AC-3(4) permits the subject to pass the information to any other subject with the same impact or classification level as the subject. Examples of mandatory access control policies include the Bell-LaPadula policy to protect confidentiality of information and the Biba policy to protect the integrity of information. |
|
1 |
| NIST_SP_800-53_R5.1.1 |
AC.3.4 |
NIST_SP_800-53_R5.1.1_AC.3.4 |
NIST SP 800-53 R5.1.1 AC.3.4 |
Access Control |
Access Enforcement | Discretionary Access Control |
Shared |
Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following:
(a) Pass the information to any other subjects or objects;
(b) Grant its privileges to other subjects;
(c) Change security attributes on subjects, objects, the system, or the system’s components;
(d) Choose the security attributes to be associated with newly created or revised objects; or
(e) Change the rules governing access control. |
When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing the information to other subjects or objects (i.e., subjects have the discretion to pass). Discretionary access control can operate in conjunction with mandatory access control as described in AC-3(3) and AC-3(15). A subject that is constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of discretionary access control. Therefore, while AC-3(3) imposes constraints that prevent a subject from passing information to another subject operating at a different impact or classification level, AC-3(4) permits the subject to pass the information to any subject at the same impact or classification level. The policy is bounded by the system. Once the information is passed outside of system control, additional means may be required to ensure that the constraints remain in effect. While traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this particular use of discretionary access control. |
|
1 |
| NZISM_v3.7 |
16.1.33.C.01. |
NZISM_v3.7_16.1.33.C.01. |
NZISM v3.7 16.1.33.C.01. |
Identification, Authentication and Passwords |
16.1.33.C.01. - promote security and accountability within the agency's systems. |
Shared |
n/a |
Agencies MUST NOT use shared credentials to access accounts. |
|
25 |
| NZISM_v3.7 |
16.1.33.C.02. |
NZISM_v3.7_16.1.33.C.02. |
NZISM v3.7 16.1.33.C.02. |
Identification, Authentication and Passwords |
16.1.33.C.02. - promote security and accountability within the agency's systems. |
Shared |
n/a |
Agencies SHOULD NOT use shared credentials to access accounts. |
|
25 |
| NZISM_v3.7 |
16.1.34.C.01. |
NZISM_v3.7_16.1.34.C.01. |
NZISM v3.7 16.1.34.C.01. |
Identification, Authentication and Passwords |
16.1.34.C.01. - promote security and accountability within the agency's systems. |
Shared |
n/a |
If agencies choose to allow shared, non user-specific accounts they MUST ensure that an independent means of determining the identification of the system user is implemented. |
|
25 |
| NZISM_v3.7 |
16.1.35.C.02. |
NZISM_v3.7_16.1.35.C.02. |
NZISM v3.7 16.1.35.C.02. |
Identification, Authentication and Passwords |
16.1.35.C.02. - implement additional authentication factors to enhance security.
|
Shared |
n/a |
Agencies SHOULD ensure that they combine the use of multiple methods when identifying and authenticating system users. |
|
25 |
| NZISM_v3.7 |
16.1.36.C.01. |
NZISM_v3.7_16.1.36.C.01. |
NZISM v3.7 16.1.36.C.01. |
Identification, Authentication and Passwords |
16.1.36.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies MUST NOT allow storage of unprotected authentication information that grants system access, or decrypts an encrypted device, to be located on, or with the system or device, to which the authentication information grants access. |
|
17 |
| NZISM_v3.7 |
16.1.37.C.01. |
NZISM_v3.7_16.1.37.C.01. |
NZISM v3.7 16.1.37.C.01. |
Identification, Authentication and Passwords |
16.1.37.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies MUST ensure that system authentication data is protected when in transit on agency networks or All-of-Government systems. |
|
17 |
| NZISM_v3.7 |
16.1.39.C.01. |
NZISM_v3.7_16.1.39.C.01. |
NZISM v3.7 16.1.39.C.01. |
Identification, Authentication and Passwords |
16.1.39.C.01. - enhance overall security posture. |
Shared |
n/a |
Where systems contain NZEO or other nationalities releasability marked or protectively marked information, agencies MUST provide a mechanism that allows system users and processes to identify users who are foreign nationals, including seconded foreign nationals. |
|
17 |
| NZISM_v3.7 |
16.1.39.C.02. |
NZISM_v3.7_16.1.39.C.02. |
NZISM v3.7 16.1.39.C.02. |
Identification, Authentication and Passwords |
16.1.39.C.02. - enhance overall security posture. |
Shared |
n/a |
Agencies using NZEO systems SHOULD ensure that identification includes specific nationality for all foreign nationals, including seconded foreign nationals. |
|
17 |
| NZISM_v3.7 |
16.1.41.C.02. |
NZISM_v3.7_16.1.41.C.02. |
NZISM v3.7 16.1.41.C.02. |
Identification, Authentication and Passwords |
16.1.41.C.02. - enhance overall security posture. |
Shared |
n/a |
Agencies MUST NOT:
1. allow predictable reset passwords;
2. reuse passwords when resetting multiple accounts;
3. store passwords in the clear on the system;
4. allow passwords to be reused within eight password changes; and
5. allow system users to use sequential passwords. |
|
17 |
| NZISM_v3.7 |
16.1.43.C.01. |
NZISM_v3.7_16.1.43.C.01. |
NZISM v3.7 16.1.43.C.01. |
Identification, Authentication and Passwords |
16.1.43.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies SHOULD disable LAN Manager for password authentication on workstations and servers. |
|
17 |
| NZISM_v3.7 |
16.1.46.C.01. |
NZISM_v3.7_16.1.46.C.01. |
NZISM v3.7 16.1.46.C.01. |
Identification, Authentication and Passwords |
16.1.46.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies MUST:
1. Record all successful and failed logon attempts;
2. lock system user accounts after three failed logon attempts;
3. have a system administrator reset locked accounts;
4. remove or suspend system user accounts as soon as possible when personnel no longer need access due to changing roles or leaving the agency; and
5. remove or suspend inactive accounts after a specified number of days. |
|
2 |
| NZISM_v3.7 |
16.1.46.C.02. |
NZISM_v3.7_16.1.46.C.02. |
NZISM v3.7 16.1.46.C.02. |
Identification, Authentication and Passwords |
16.1.46.C.02. - enhance overall security posture. |
Shared |
n/a |
Agencies SHOULD:
1. lock system user accounts after three failed logon attempts;
2. have a system administrator reset locked accounts;
3. remove or suspend system user accounts as soon as possible when personnel no longer need access due to changing roles or leaving the agency; and
4. remove or suspend inactive accounts after a specified number of days. |
|
2 |
| NZISM_v3.7 |
16.1.48.C.02. |
NZISM_v3.7_16.1.48.C.02. |
NZISM v3.7 16.1.48.C.02. |
Identification, Authentication and Passwords |
16.1.48.C.02. - enhance overall security posture. |
Shared |
n/a |
Agencies SHOULD seek legal advice on the exact wording of logon banners. |
|
16 |
| NZISM_v3.7 |
16.1.49.C.01. |
NZISM_v3.7_16.1.49.C.01. |
NZISM v3.7 16.1.49.C.01. |
Identification, Authentication and Passwords |
16.1.49.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies SHOULD configure systems to display the date and time of the system user's previous login during the login process. |
|
15 |
| NZISM_v3.7 |
16.1.50.C.01. |
NZISM_v3.7_16.1.50.C.01. |
NZISM v3.7 16.1.50.C.01. |
Identification, Authentication and Passwords |
16.1.50.C.01. - enhance overall security posture. |
Shared |
n/a |
Agencies SHOULD NOT permit the display of last logged on username, credentials or other identifying details. |
|
15 |
| NZISM_v3.7 |
16.1.50.C.02. |
NZISM_v3.7_16.1.50.C.02. |
NZISM v3.7 16.1.50.C.02. |
Identification, Authentication and Passwords |
16.1.50.C.02. - enhance overall security posture. |
Shared |
n/a |
Agencies SHOULD NOT permit the caching of credentials unless specifically required. |
|
15 |
| PCI_DSS_v4.0.1 |
7.3.1 |
PCI_DSS_v4.0.1_7.3.1 |
PCI DSS v4.0.1 7.3.1 |
Restrict Access to System Components and Cardholder Data by Business Need to Know |
An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components |
Shared |
n/a |
Examine vendor documentation and system settings to verify that access is managed for each system component via an access control system(s) that restricts access based on a user’s need to know and covers all system components |
|
27 |
| SOC_2023 |
CC1.3 |
SOC_2023_CC1.3 |
SOC 2023 CC1.3 |
Control Environment |
Enable effective execution of authorities, information flow, and setup of appropriate responsibilities to achieve organizational objectives. |
Shared |
n/a |
1. Ensure the management establishes, with board oversight, structures including operating units, legal entities, geographic distribution and outsourced service providers.
2. Design and evaluate reporting lines for each entity to enable execution of authorities, execution and flow of information and setup appropriate authorities and responsibilities in the pursuit of objectives. |
|
13 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
229 |
| SOC_2023 |
CC6.1 |
SOC_2023_CC6.1 |
SOC 2023 CC6.1 |
Logical and Physical Access Controls |
Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. |
Shared |
n/a |
Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. |
|
128 |
| SOC_2023 |
CC6.2 |
SOC_2023_CC6.2 |
SOC 2023 CC6.2 |
Logical and Physical Access Controls |
Ensure effective access control and ensuring the security of the organization's systems and data. |
Shared |
n/a |
1. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity.
2. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
|
50 |
| SOC_2023 |
CC6.3 |
SOC_2023_CC6.3 |
404 not found |
|
|
|
n/a |
n/a |
|
56 |
| SOC_2023 |
CC6.7 |
SOC_2023_CC6.7 |
404 not found |
|
|
|
n/a |
n/a |
|
52 |
| SOC_2023 |
CC7.2 |
SOC_2023_CC7.2 |
SOC 2023 CC7.2 |
Systems Operations |
Maintain robust security measures and ensure operational resilience. |
Shared |
n/a |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. |
|
167 |
| SOC_2023 |
CC8.1 |
SOC_2023_CC8.1 |
SOC 2023 CC8.1 |
Change Management |
Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. |
Shared |
n/a |
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. |
|
147 |
|
U.10.2 - Users |
U.10.2 - Users |
404 not found |
|
|
|
n/a |
n/a |
|
25 |
|
U.10.3 - Users |
U.10.3 - Users |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
|
U.10.5 - Competent |
U.10.5 - Competent |
404 not found |
|
|
|
n/a |
n/a |
|
33 |