last sync: 2025-Mar-23 22:31:17 UTC

Cognitive Services accounts should use customer owned storage

Azure BuiltIn Policy definition

Source Azure Portal
Display name Cognitive Services accounts should use customer owned storage
Id 46aa9b05-0e60-4eae-a88b-1e9d374fa515
Version 2.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
2.0.0
Built-in Versioning [Preview]
Category Cognitive Services
Microsoft Learn
Description Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk.
Cloud environments AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown
Available in AzUSGov Unknown, no evidence if Policy definition is/not available in AzureUSGovernment
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (3)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.CognitiveServices/accounts/capabilities[*] Microsoft.CognitiveServices accounts properties.capabilities[*] True False
Microsoft.CognitiveServices/accounts/capabilities[*].name Microsoft.CognitiveServices accounts properties.capabilities[*].name True False
Microsoft.CognitiveServices/accounts/userOwnedStorage[*] Microsoft.CognitiveServices accounts properties.userOwnedStorage[*] True False
Rule resource types IF (1)
Microsoft.CognitiveServices/accounts
Compliance
The following 33 compliance controls are associated with this Policy definition 'Cognitive Services accounts should use customer owned storage' (46aa9b05-0e60-4eae-a88b-1e9d374fa515)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CMMC_L2_v1.9.0 MP.L2_3.8.6 CMMC_L2_v1.9.0_MP.L2_3.8.6 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 MP.L2 3.8.6 Media Protection Portable Storage Encryption Shared Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. To ensure that sensitive information remains secure and confidential even if the media is lost, stolen, or intercepted during transit. 9
CSA_v4.0.12 CEK_03 CSA_v4.0.12_CEK_03 CSA Cloud Controls Matrix v4.0.12 CEK 03 Cryptography, Encryption & Key Management Data Encryption Shared n/a Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards. 58
CSA_v4.0.12 UEM_08 CSA_v4.0.12_UEM_08 CSA Cloud Controls Matrix v4.0.12 UEM 08 Universal Endpoint Management Storage Encryption Shared n/a Protect information from unauthorized disclosure on managed endpoint devices with storage encryption. 14
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 194
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 311
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 311
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 311
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 311
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .1 FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 Policy and Implementation - Systems And Communications Protection Systems And Communications Protection Shared In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. 111
HITRUST_CSF_v11.3 06.c HITRUST_CSF_v11.3_06.c HITRUST CSF v11.3 06.c Compliance with Legal Requirements To prevent loss, destruction and falsification of important records in accordance with statutory, regulatory, contractual, and business requirements. Shared 1. Guidelines are to be issued and implemented by the organization on the ownership, classification, retention, storage, handling, and disposal of all records and information. 2. Accountings of disclosure as organizational records are to be documented and maintained for a pre-defined period. Important records shall be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements. 26
NIST_SP_800-171_R3_3 .13.8 NIST_SP_800-171_R3_3.13.8 NIST 800-171 R3 3.13.8 System and Communications Protection Control Transmission and Storage Confidentiality Shared This requirement applies to internal and external networks and any system components that can transmit CUI, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are susceptible to interception and modification. Encryption protects CUI from unauthorized disclosure during transmission and while in storage. Cryptographic mechanisms that protect the confidentiality of CUI during transmission include TLS and IPsec. Information in storage (i.e. information at rest) refers to the state of CUI when it is not in process or in transit and resides on internal or external storage devices, storage area network devices, and databases. Protecting CUI in storage does not focus on the type of storage device or the frequency of access to that device but rather on the state of the information. This requirement relates to 03.13.11. Implement cryptographic mechanisms to prevent the unauthorized disclosure of CUI during transmission and while in storage. 12
NIST_SP_800-53_R5.1.1 SC.28.1 NIST_SP_800-53_R5.1.1_SC.28.1 NIST SP 800-53 R5.1.1 SC.28.1 System and Communications Protection Protection of Information at Rest | Cryptographic Protection Shared Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]. The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields. 9
NZISM_v3.7 14.3.10.C.01. NZISM_v3.7_14.3.10.C.01. NZISM v3.7 14.3.10.C.01. Web Applications 14.3.10.C.01. - To maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities. Shared n/a Agencies SHOULD implement allow listing for all HTTP traffic being communicated through their gateways. 24
NZISM_v3.7 14.3.10.C.02. NZISM_v3.7_14.3.10.C.02. NZISM v3.7 14.3.10.C.02. Web Applications 14.3.10.C.02. - To maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities. Shared n/a Agencies using an allow list on their gateways to specify the external addresses, to which encrypted connections are permitted, SHOULD specify allow list addresses by domain name or IP address. 23
NZISM_v3.7 14.3.10.C.03. NZISM_v3.7_14.3.10.C.03. NZISM v3.7 14.3.10.C.03. Web Applications 14.3.10.C.03. - To maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities. Shared n/a If agencies do not allow list websites they SHOULD deny list websites to prevent access to known malicious websites. 22
NZISM_v3.7 14.3.10.C.04. NZISM_v3.7_14.3.10.C.04. NZISM v3.7 14.3.10.C.04. Web Applications 14.3.10.C.04. - To maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities. Shared n/a Agencies deny listing websites SHOULD update the deny list on a frequent basis to ensure that it remains effective. 22
NZISM_v3.7 19.1.10.C.01. NZISM_v3.7_19.1.10.C.01. NZISM v3.7 19.1.10.C.01. Gateways 19.1.10.C.01. - To ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks. Shared n/a When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection. 50
NZISM_v3.7 19.1.11.C.01. NZISM_v3.7_19.1.11.C.01. NZISM v3.7 19.1.11.C.01. Gateways 19.1.11.C.01. - To ensure network protection through gateway mechanisms. Shared n/a Agencies MUST ensure that: 1. all agency networks are protected from networks in other security domains by one or more gateways; 2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and 3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room. 49
NZISM_v3.7 19.1.11.C.02. NZISM_v3.7_19.1.11.C.02. NZISM v3.7 19.1.11.C.02. Gateways 19.1.11.C.02. - To maintain security and integrity across domains. Shared n/a For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party. 48
NZISM_v3.7 19.1.12.C.01. NZISM_v3.7_19.1.12.C.01. NZISM v3.7 19.1.12.C.01. Gateways 19.1.12.C.01. - To minimize security risks and ensure effective control over network communications Shared n/a Agencies MUST ensure that gateways: 1. are the only communications paths into and out of internal networks; 2. by default, deny all connections into and out of the network; 3. allow only explicitly authorised connections; 4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network); 5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and 6. provide real-time alerts. 47
NZISM_v3.7 19.1.14.C.01. NZISM_v3.7_19.1.14.C.01. NZISM v3.7 19.1.14.C.01. Gateways 19.1.14.C.01. - To enhance security by segregating resources from the internal network. Shared n/a Agencies MUST use demilitarised zones to house systems and information directly accessed externally. 40
NZISM_v3.7 19.1.14.C.02. NZISM_v3.7_19.1.14.C.02. NZISM v3.7 19.1.14.C.02. Gateways 19.1.14.C.02. - To enhance security by segregating resources from the internal network. Shared n/a Agencies SHOULD use demilitarised zones to house systems and information directly accessed externally. 39
NZISM_v3.7 19.1.19.C.01. NZISM_v3.7_19.1.19.C.01. NZISM v3.7 19.1.19.C.01. Gateways 19.1.19.C.01. - To enhance security posture. Shared n/a Agencies MUST limit access to gateway administration functions. 34
NZISM_v3.7 19.2.16.C.02. NZISM_v3.7_19.2.16.C.02. NZISM v3.7 19.2.16.C.02. Cross Domain Solutions (CDS) 19.2.16.C.02. - To maintain security and prevent unauthorized access or disclosure of sensitive information. Shared n/a Agencies MUST NOT implement a gateway permitting data to flow directly from: 1. a TOP SECRET network to any network below SECRET; 2. a SECRET network to an UNCLASSIFIED network; or 3. a CONFIDENTIAL network to an UNCLASSIFIED network. 34
NZISM_v3.7 19.2.18.C.01. NZISM_v3.7_19.2.18.C.01. NZISM v3.7 19.2.18.C.01. Cross Domain Solutions (CDS) 19.2.18.C.01. - To enhance data security and prevent unauthorized access or leakage between classified networks and less classified networks. Shared n/a Agencies MUST ensure that all bi-directional gateways between TOP SECRET and SECRET networks, SECRET and less classified networks, and CONFIDENTIAL and less classified networks, have separate upward and downward paths which use a diode and physically separate infrastructure for each path. 34
NZISM_v3.7 19.2.19.C.01. NZISM_v3.7_19.2.19.C.01. NZISM v3.7 19.2.19.C.01. Cross Domain Solutions (CDS) 19.2.19.C.01. - To ensure the integrity and reliability of information accessed or received. Shared n/a Trusted sources MUST be: 1. a strictly limited list derived from business requirements and the result of a security risk assessment; 2. where necessary an appropriate security clearance is held; and 3. approved by the Accreditation Authority. 34
NZISM_v3.7 19.2.19.C.02. NZISM_v3.7_19.2.19.C.02. NZISM v3.7 19.2.19.C.02. Cross Domain Solutions (CDS) 19.2.19.C.02. - To reduce the risk of unauthorized data transfers and potential breaches. Shared n/a Trusted sources MUST authorise all data to be exported from a security domain. 29
NZISM_v3.7 19.3.8.C.01. NZISM_v3.7_19.3.8.C.01. NZISM v3.7 19.3.8.C.01. Firewalls 19.3.8.C.01. - To enhance network security. Shared n/a All gateways MUST contain a firewall in both physical and virtual environments. 12
PCI_DSS_v4.0.1 3.5.1.2 PCI_DSS_v4.0.1_3.5.1.2 PCI DSS v4.0.1 3.5.1.2 Protect Stored Account Data If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows: on removable electronic media OR if used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets Requirement 3.5.1 Shared n/a Examine encryption processes to verify that, if disk-level or partition-level encryption is used to render PAN unreadable, it is implemented only as follows: on removable electronic media, OR if used for non-removable electronic media, examine encryption processes used to verify that PAN is also rendered unreadable via another method that meets Requirement 3.5.1. Examine configurations and/or vendor documentation and observe encryption processes to verify the system is configured according to vendor documentation the result is that the disk or the partition is rendered unreadable 9
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 218
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 229
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 213
UK_NCSC_CAF_v3.2 C1.b UK_NCSC_CAF_v3.2_C1.b NCSC Cyber Assurance Framework (CAF) v3.2 C1.b Security Monitoring Securing Logs Shared 1. The integrity of logging data is protected, or any modification is detected and attributed. 2. The logging architecture has mechanisms, processes and procedures to ensure that it can protect itself from threats comparable to those it is trying to identify. This includes protecting the function itself, and the data within it. 3. Log data analysis and normalisation is only performed on copies of the data keeping the master copy unaltered. 4. Logging datasets are synchronised, using an accurate common time source, so that separate datasets can be correlated in different ways. 5. Access to logging data is limited to those with business need and no others. 6. All actions involving all logging data (e.g. copying, deleting or modification, or even viewing) can be traced back to a unique user. 7. Legitimate reasons for accessing logging data are given in use policies. Hold logging data securely and grant read access only to accounts with business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted. 11
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
Enforce recommended guardrails for Cognitive Services Enforce-Guardrails-CognitiveServices Cognitive Services GA ALZ
Enforce recommended guardrails for Open AI (Cognitive Service) Enforce-Guardrails-OpenAI Cognitive Services GA ALZ
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
NCSC Cyber Assurance Framework (CAF) v3.2 6d220abf-cf6f-4b17-8f7e-0644c4cc84b4 Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-03-24 14:32:48 change Major (1.0.0 > 2.0.0)
2020-06-09 16:25:53 add 46aa9b05-0e60-4eae-a88b-1e9d374fa515
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC