last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Adaptive application controls for defining safe applications should be enabled on your machines

Name: Adaptive application controls for defining safe applications should be enabled on your machines
Id: 47a6b606-51aa-4496-8bb7-64b11cf66adc
Version: 3.0.0
Category: Security Center
Description: Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.
Mode: All
Type: BuiltIn
Preview: FALSE
Deprecated: FALSE
Effect: Default AuditIfNotExists; Allowed AuditIfNotExists, Disabled
RBAC Role(s): none

Rule Aliases (THEN-ExistenceCondition, 1):
Alias | Namespace | ResourceType | DefaultPath | Modifiable
Microsoft.Security/assessments/status.code | Microsoft.Security | assessments | properties.status.code | false

Rule ResourceTypes (IF, 1):
Microsoft.ClassicCompute/virtualMachines
Compliance: The following 67 compliance controls are associated with this Policy definition 'Adaptive application controls for defining safe applications should be enabled on your machines' (47a6b606-51aa-4496-8bb7-64b11cf66adc).
Columns: Control Domain, Control Name, MetadataId, Category, Title, Owner, Requirements, Description, Info, Policy#
AU_ISM 1490 AU_ISM_1490 AU ISM 1490 Guidelines for System Hardening - Operating system hardening Application control - 1490 n/a Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set. link 1
Azure_Security_Benchmark_v1.0 6.10 Azure_Security_Benchmark_v1.0_6.10 Azure Security Benchmark 6.10 Inventory and Asset Management Implement approved application list Customer Use Azure Security Center Adaptive Application Controls to specify which file types a rule may or may not apply to. Implement third party solution if this does not meet the requirement. How to use Azure Security Center Adaptive Application Controls: https://docs.microsoft.com/azure/security-center/security-center-adaptive-application n/a link 1
Azure_Security_Benchmark_v1.0 6.8 Azure_Security_Benchmark_v1.0_6.8 Azure Security Benchmark 6.8 Inventory and Asset Management Use only approved applications Customer Use Azure Security Center Adaptive Application Controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines. How to use Azure Security Center Adaptive Application Controls: https://docs.microsoft.com/azure/security-center/security-center-adaptive-application n/a link 1
Azure_Security_Benchmark_v2.0 AM-6 Azure_Security_Benchmark_v2.0_AM-6 Azure Security Benchmark AM-6 Asset Management Use only approved applications in compute resources Customer Ensure that only authorized software executes, and all unauthorized software is blocked from executing on Azure Virtual Machines. Use Azure Security Center (ASC) adaptive application controls to discover and generate an application allow list. You can also use ASC adaptive application controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines. Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. Software name, version, publisher, and refresh time are available from the Azure Portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to Log Analytics workspace. Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources. You can also use a third-party solution to discover and identify unapproved software. How to use Azure Security Center adaptive application controls: https://docs.microsoft.com/azure/security-center/security-center-adaptive-application Understand Azure Automation Change Tracking and Inventory: https://docs.microsoft.com/azure/automation/change-tracking How to control PowerShell script execution in Windows environments: https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6 n/a link 1
Azure_Security_Benchmark_v3.0 AM-5 Azure_Security_Benchmark_v3.0_AM-5 Azure Security Benchmark AM-5 Asset Management Use only approved applications in virtual machine Shared **Security Principle:** Ensure that only authorized software executes by creating an allow list and block the unauthorized software from executing in your environment. **Azure Guidance:** Use Microsoft Defender for Cloud adaptive application controls to discover and generate an application allow list. You can also use ASC adaptive application controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines. Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. Software name, version, publisher, and refresh time are available from the Azure portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to Log Analytics workspace. Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources. You can also use a third-party solution to discover and identify unapproved software. **Implementation and additional context:** How to use Microsoft Defender for Cloud adaptive application controls: https://docs.microsoft.com/azure/security-center/security-center-adaptive-application Understand Azure Automation Change Tracking and Inventory: https://docs.microsoft.com/azure/automation/change-tracking How to control PowerShell script execution in Windows environments: https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6 n/a link 2
CCCS CM-11 CCCS_CM-11 CCCS CM-11 Configuration Management User-Installed Software n/a (A) The organization establishes organization-defined policies governing the installation of software by users. (B) The organization enforces software installation policies through organization-defined methods. (C) The organization monitors policy compliance continuously via 7(5). link 1
CCCS CM-7(5) CCCS_CM-7(5) CCCS CM-7(5) Configuration Management Least Functionality | Authorized Software / Whitelisting n/a (a) The organization identifies authorized software programs in baseline configuration and information system component inventory; (b) The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (c) The organization reviews and updates the list of authorized software programs at least annually or when there is a change. link 1
CIS_Azure_1.1.0 2.13 CIS_Azure_1.1.0_2.13 CIS Microsoft Azure Foundations Benchmark recommendation 2.13 2 Security Center Ensure ASC Default policy setting "Monitor Adaptive Application Whitelisting" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable adaptive application controls. link 1
CMMC_2.0_L2 CM.L2-3.4.6 CMMC_2.0_L2_CM.L2-3.4.6 404 not found n/a n/a 3
CMMC_2.0_L2 CM.L2-3.4.7 CMMC_2.0_L2_CM.L2-3.4.7 404 not found n/a n/a 2
CMMC_2.0_L2 CM.L2-3.4.8 CMMC_2.0_L2_CM.L2-3.4.8 404 not found n/a n/a 2
CMMC_2.0_L2 CM.L2-3.4.9 CMMC_2.0_L2_CM.L2-3.4.9 404 not found n/a n/a 2
CMMC_L3 CA.2.158 CMMC_L3_CA.2.158 CMMC L3 CA.2.158 Security Assessment Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating as intended. Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Organizations can choose to use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of systems during the system life cycle. link 10
CMMC_L3 CA.3.161 CMMC_L3_CA.3.161 CMMC L3 CA.3.161 Security Assessment Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. Shared Microsoft and the customer share responsibilities for implementing this requirement. Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions. Automation supports more frequent updates to hardware, software, firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Monitoring requirements, including the need for specific monitoring, may also be referenced in other requirements. link 10
CMMC_L3 CM.2.061 CMMC_L3_CM.2.061 CMMC L3 CM.2.061 Configuration Management Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Shared Microsoft and the customer share responsibilities for implementing this requirement. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration. Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. link 3
CMMC_L3 CM.2.063 CMMC_L3_CM.2.063 CMMC L3 CM.2.063 Configuration Management Control and monitor user-installed software. Shared Microsoft and the customer share responsibilities for implementing this requirement. Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both. link 4
CMMC_L3 CM.3.068 CMMC_L3_CM.3.068 CMMC L3 CM.3.068 Configuration Management Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Shared Microsoft and the customer share responsibilities for implementing this requirement. Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling. link 25
CMMC_L3 CM.3.069 CMMC_L3_CM.3.069 CMMC L3 CM.3.069 Configuration Management Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. Shared Microsoft and the customer share responsibilities for implementing this requirement. The process used to identify software programs that are not authorized to execute on systems is commonly referred to as blacklisting. The process used to identify software programs that are authorized to execute on systems is commonly referred to as whitelisting. Whitelisting is the stronger of the two policies for restricting software program execution. In addition to whitelisting, organizations consider verifying the integrity of whitelisted software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of whitelisted software can occur either prior to execution or at system startup. link 1
FedRAMP_High_R4 CM-10 FedRAMP_High_R4_CM-10 FedRAMP High CM-10 Configuration Management Software Usage Restrictions Shared n/a The organization: a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. Supplemental Guidance: Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. References: None. link 4
FedRAMP_High_R4 CM-11 FedRAMP_High_R4_CM-11 FedRAMP High CM-11 Configuration Management User-Installed Software Shared n/a The organization: a. Establishes [Assignment: organization-defined policies] governing the installation of software by users; b. Enforces software installation policies through [Assignment: organization-defined methods]; and c. Monitors policy compliance at [Assignment: organization-defined frequency]. Supplemental Guidance: If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. References: None. link 2
FedRAMP_High_R4 CM-7 FedRAMP_High_R4_CM-7 FedRAMP High CM-7 Configuration Management Least Functionality Shared n/a The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. Supplemental Guidance: Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7. References: DoD Instruction 8551.01. link 3
FedRAMP_High_R4 CM-7(2) FedRAMP_High_R4_CM-7(2) FedRAMP High CM-7 (2) Configuration Management Prevent Program Execution Shared n/a The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. Supplemental Guidance: Related controls: CM-8, PM-5. link 2
FedRAMP_High_R4 CM-7(5) FedRAMP_High_R4_CM-7(5) FedRAMP High CM-7 (5) Configuration Management Authorized Software / Whitelisting Shared n/a The organization: (a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency]. Supplemental Guidance: The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. link 2
FedRAMP_Moderate_R4 CM-10 FedRAMP_Moderate_R4_CM-10 FedRAMP Moderate CM-10 Configuration Management Software Usage Restrictions Shared n/a The organization: a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. Supplemental Guidance: Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. References: None. link 4
FedRAMP_Moderate_R4 CM-11 FedRAMP_Moderate_R4_CM-11 FedRAMP Moderate CM-11 Configuration Management User-Installed Software Shared n/a The organization: a. Establishes [Assignment: organization-defined policies] governing the installation of software by users; b. Enforces software installation policies through [Assignment: organization-defined methods]; and c. Monitors policy compliance at [Assignment: organization-defined frequency]. Supplemental Guidance: If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. References: None. link 2
FedRAMP_Moderate_R4 CM-7 FedRAMP_Moderate_R4_CM-7 FedRAMP Moderate CM-7 Configuration Management Least Functionality Shared n/a The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. Supplemental Guidance: Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7. References: DoD Instruction 8551.01. link 3
FedRAMP_Moderate_R4 CM-7(2) FedRAMP_Moderate_R4_CM-7(2) FedRAMP Moderate CM-7 (2) Configuration Management Prevent Program Execution Shared n/a The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. Supplemental Guidance: Related controls: CM-8, PM-5. link 2
FedRAMP_Moderate_R4 CM-7(5) FedRAMP_Moderate_R4_CM-7(5) FedRAMP Moderate CM-7 (5) Configuration Management Authorized Software / Whitelisting Shared n/a The organization: (a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency]. Supplemental Guidance: The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. link 2
hipaa 0201.09j1Organizational.124-09.j hipaa-0201.09j1Organizational.124-09.j 0201.09j1Organizational.124-09.j 02 Endpoint Protection 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code Shared n/a Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software are addressed via a network-based malware detection (NBMD) solution. 18
hipaa 0607.10h2System.23-10.h hipaa-0607.10h2System.23-10.h 0607.10h2System.23 - 10.h Control of Operational Software The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation. Customer n/a Evidence that SDL changes can be rolled back (e.g., to resolve post-deployment issues). 2
hipaa 1197.01l3Organizational.3-01.l hipaa-1197.01l3Organizational.3-01.l 1197.01l3Organizational.3-01.l 11 Access Control 1197.01l3Organizational.3-01.l 01.04 Network Access Control Shared n/a The organization disables Bluetooth and peer-to-peer networking protocols within the information system determined to be unnecessary or non-secure. 1
IRS_1075_9.3 .16.5 IRS_1075_9.3.16.5 IRS 1075 9.3.16.5 System and Communications Protection Boundary Protection (SC-7) n/a The information system must: a. Monitor and control communications at the external boundary of the system and at key internal boundaries within the system b. Implement subnetworks for publicly accessible system components that are physically and logically separated from internal agency networks c. Connect to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with agency security architecture requirements Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within the security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). The agency must limit the number of external network connections to the information system. (CE3) The agency must: (CE4) a. Implement a secure managed interface for each external telecommunication service b. Establish a traffic flow policy for each managed interface d. Protect the confidentiality and integrity of the information being transmitted across each interface e. Document each exception to the traffic flow policy with a supporting mission/business need and duration of that need, and accept the associated risk f. Review exceptions to the traffic flow policy at a minimum annually, and remove exceptions that are no longer supported by an explicit mission/business need The information system at managed interfaces must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). (CE5) The information system must, in conjunction with a remote device, prevent the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (CE7) Additional requirements for protecting FTI on networks are provided in Section 9.4.10, Network Protections. link 4
IRS_1075_9.3 .5.11 IRS_1075_9.3.5.11 IRS 1075 9.3.5.11 Configuration Management User-Installed Software (CM-11) n/a The agency must: a. Establish policies governing the installation of software by users b. Enforce software installation policies through automated methods c. Monitor policy compliance on a continual basis All FTI that is transmitted to agencies is backed up and protected within IRS facilities. As such, the focus of contingency planning controls is on the protection of FTI stored in backup media or used at alternative facilities and not focused on the availability of data. Agencies must develop applicable contingencies for ensuring that FTI is available, based upon their individual risk-based approaches. link 1
IRS_1075_9.3 .5.7 IRS_1075_9.3.5.7 IRS 1075 9.3.5.7 Configuration Management Least Functionality (CM-7) n/a The agency must: a. Configure the information system to provide only essential capabilities b. Prohibit or restrict the use of the functions, ports, protocols, or services as defined in Office of Safeguards-approved compliance requirements (e.g., SCSEMs, assessment tools) c. Review the information system as part of vulnerability assessments to identify unnecessary or non-secure functions, ports, protocols, and services (see Section 9.3.14.3, Vulnerability Scanning (RA-5)) d. Disable defined functions, ports, protocols, and services within the information system deemed to be unnecessary or non-secure link 1
ISO27001-2013 A.12.5.1 ISO27001-2013_A.12.5.1 ISO 27001:2013 A.12.5.1 Operations Security Installation of software on operational systems Shared n/a Procedures shall be implemented to control the installation of software on operational systems. link 19
ISO27001-2013 A.12.6.2 ISO27001-2013_A.12.6.2 ISO 27001:2013 A.12.6.2 Operations Security Restrictions on software installation Shared n/a Rules governing the installation of software by users shall be established and implemented. link 19
NIST_SP_800-171_R2 3.4.6 NIST_SP_800-171_R2_3.4.6 NIST SP 800-171 R2 3.4.6 Configuration Management Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. Shared Microsoft and the customer share responsibilities for implementing this requirement. Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. link 3
NIST_SP_800-171_R2 3.4.7 NIST_SP_800-171_R2_3.4.7 NIST SP 800-171 R2 3.4.7 Configuration Management Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Shared Microsoft and the customer share responsibilities for implementing this requirement. Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling. link 2
NIST_SP_800-171_R2 3.4.8 NIST_SP_800-171_R2_3.4.8 NIST SP 800-171 R2 3.4.8 Configuration Management Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. Shared Microsoft and the customer share responsibilities for implementing this requirement. The process used to identify software programs that are not authorized to execute on systems is commonly referred to as blacklisting. The process used to identify software programs that are authorized to execute on systems is commonly referred to as whitelisting. Whitelisting is the stronger of the two policies for restricting software program execution. In addition to whitelisting, organizations consider verifying the integrity of whitelisted software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of whitelisted software can occur either prior to execution or at system startup. [SP 800-167] provides guidance on application whitelisting. link 2
NIST_SP_800-171_R2 3.4.9 NIST_SP_800-171_R2_3.4.9 NIST SP 800-171 R2 3.4.9 Configuration Management Control and monitor user-installed software. Shared Microsoft and the customer share responsibilities for implementing this requirement. Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both. link 2
NIST_SP_800-53_R4 CM-10 NIST_SP_800-53_R4_CM-10 NIST SP 800-53 Rev. 4 CM-10 Configuration Management Software Usage Restrictions Shared n/a The organization: a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. Supplemental Guidance: Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. References: None. link 4
NIST_SP_800-53_R4 CM-11 NIST_SP_800-53_R4_CM-11 NIST SP 800-53 Rev. 4 CM-11 Configuration Management User-Installed Software Shared n/a The organization: a. Establishes [Assignment: organization-defined policies] governing the installation of software by users; b. Enforces software installation policies through [Assignment: organization-defined methods]; and c. Monitors policy compliance at [Assignment: organization-defined frequency]. Supplemental Guidance: If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. References: None. link 2
NIST_SP_800-53_R4 CM-7 NIST_SP_800-53_R4_CM-7 NIST SP 800-53 Rev. 4 CM-7 Configuration Management Least Functionality Shared n/a The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. Supplemental Guidance: Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7. References: DoD Instruction 8551.01. link 3
NIST_SP_800-53_R4 CM-7(2) NIST_SP_800-53_R4_CM-7(2) NIST SP 800-53 Rev. 4 CM-7 (2) Configuration Management Prevent Program Execution Shared n/a The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. Supplemental Guidance: Related controls: CM-8, PM-5. link 2
NIST_SP_800-53_R4 CM-7(5) NIST_SP_800-53_R4_CM-7(5) NIST SP 800-53 Rev. 4 CM-7 (5) Configuration Management Authorized Software / Whitelisting Shared n/a The organization: (a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (c) Reviews and updates the list of authorized software programs [Assignment: organization- defined frequency]. Supplemental Guidance: The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. link 2
NIST_SP_800-53_R5 CM-10 NIST_SP_800-53_R5_CM-10 NIST SP 800-53 Rev. 5 CM-10 Configuration Management Software Usage Restrictions Shared n/a a. Use software and associated documentation in accordance with contract agreements and copyright laws; b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. link 4
NIST_SP_800-53_R5 CM-11 NIST_SP_800-53_R5_CM-11 NIST SP 800-53 Rev. 5 CM-11 Configuration Management User-installed Software Shared n/a a. Establish [Assignment: organization-defined policies] governing the installation of software by users; b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and c. Monitor policy compliance [Assignment: organization-defined frequency]. link 2
NIST_SP_800-53_R5 CM-7 NIST_SP_800-53_R5_CM-7 NIST SP 800-53 Rev. 5 CM-7 Configuration Management Least Functionality Shared n/a a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]. link 3
NIST_SP_800-53_R5 CM-7(2) NIST_SP_800-53_R5_CM-7(2) NIST SP 800-53 Rev. 5 CM-7 (2) Configuration Management Prevent Program Execution Shared n/a Prevent program execution in accordance with [Selection (OneOrMore): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions] ;rules authorizing the terms and conditions of software program usage] . link 2
NIST_SP_800-53_R5 CM-7(5) NIST_SP_800-53_R5_CM-7(5) NIST SP 800-53 Rev. 5 CM-7 (5) Configuration Management Authorized Software - Allow-by-exception Shared n/a (a) Identify [Assignment: organization-defined software programs authorized to execute on the system]; (b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (c) Review and update the list of authorized software programs [Assignment: organization-defined frequency]. link 2
NZ_ISM_v3.5 SS-5 NZ_ISM_v3.5_SS-5 NZISM Security Benchmark SS-5 Software security 14.2.4 Application Whitelisting Customer n/a Application whitelisting can be an effective mechanism to prevent the successful compromise of an agency system resulting from the exploitation of a vulnerability in an application or the execution of malicious code. Defining a list of trusted executables, a whitelist, is a practical and secure method of securing a system rather than relying on a list of bad executables (black list) to be prevented from running. Application whitelisting is considered only one part of a defence-in-depth strategy in order to prevent a successful attack, or to help mitigate consequences arising from an attack. link 2
NZISM_Security_Benchmark_v1.1 SS-5 NZISM_Security_Benchmark_v1.1_SS-5 NZISM Security Benchmark SS-5 Software security 14.2.4 Application Whitelisting Customer Agencies SHOULD implement application whitelisting as part of the SOE for workstations, servers and any other network device. Application whitelisting can be an effective mechanism to prevent the successful compromise of an agency system resulting from the exploitation of a vulnerability in an application or the execution of malicious code. Defining a list of trusted executables, a whitelist, is a practical and secure method of securing a system rather than relying on a list of bad executables (black list) to be prevented from running. Application whitelisting is considered only one part of a defence-in-depth strategy in order to prevent a successful attack, or to help mitigate consequences arising from an attack. link 2
RBI_CSF_Banks_v2016 13.1 RBI_CSF_Banks_v2016_13.1 Advanced Real-Time Threat Defence and Management Advanced Real-Time Threat Defence and Management-13.1 n/a Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise. 27
RBI_CSF_Banks_v2016 13.3 RBI_CSF_Banks_v2016_13.3 Advanced Real-Time Threat Defence and Management Advanced Real-Time Threat Defence and Management-13.3 n/a Consider implementing whitelisting of internet websites/systems. 15
RBI_CSF_Banks_v2016 14.1 RBI_CSF_Banks_v2016_14.1 Anti-Phishing Anti-Phishing-14.1 n/a Subscribe to anti-phishing/anti-rogue app services from external service providers for identifying and taking down phishing websites/rogue applications. 32
RBI_CSF_Banks_v2016 2.1 RBI_CSF_Banks_v2016_2.1 Preventing Execution Of Unauthorised Software Software Inventory-2.1 n/a Maintain an up-to-date and preferably centralised inventory of authorised/unauthorised software(s). Consider implementing whitelisting of authorised applications / software/libraries, etc. 2
RBI_CSF_Banks_v2016 2.2 RBI_CSF_Banks_v2016_2.2 Preventing Execution Of Unauthorised Software Authorised Software Installation-2.2 n/a Have mechanism to centrally/otherwise control installation of software/applications on end-user PCs, laptops, workstations, servers, mobile devices, etc. and mechanism to block /prevent and identify installation and running of unauthorised software/applications on such devices/systems. 2
RBI_CSF_Banks_v2016 4.2 RBI_CSF_Banks_v2016_4.2 Network Management And Security Network Inventory-4.2 n/a Maintain an up-to-date/centralised inventory of authorised devices connected to the bank's network (within/outside the bank's premises) and authorised devices enabling the bank's network. The bank may consider implementing solutions to automate network discovery and management. 6
RBI_ITF_NBFC_v2017 2 RBI_ITF_NBFC_v2017_2 RBI IT Framework 2 IT Policy IT Policy-2 n/a NBFCs may formulate a Board approved IT Policy, in line with the objectives of their organisation comprising the following: a. An IT organizational structure commensurate with the size, scale and nature of business activities carried out by the NBFC; b. NBFCs may designate a senior executive as the Chief Information Officer (CIO) or in-Charge of IT Operations whose responsibility is to ensure implementation of IT Policy to the operational level involving IT strategy, value delivery, risk management and IT resource management. c. To ensure technical competence at senior/middle level management of NBFC, periodic assessment of the IT training requirements should be formulated to ensure that sufficient, competent and capable human resources are available. d. The NBFCs which are currently not using IPv6 platform should migrate to the same as per National Telecom Policy issued by the Government of India in 2012. (As per Circular DNBS(Inf.).CC.No 309/24.01.022/2012-13 November 08, 2012) link 2
RMiT_v1.0 Appendix_5.2 RMiT_v1.0_Appendix_5.2 RMiT Appendix 5.2 Control Measures on Cybersecurity Control Measures on Cybersecurity - Appendix 5.2 Customer n/a Update checklists on the latest security hardening of operating systems. link 2
SOC_2 CC6.8 SOC_2_CC6.8 SOC 2 Type 2 CC6.8 Logical and Physical Access Controls Prevent or detect against unauthorized or malicious software Shared The customer is responsible for implementing this recommendation. Restricts Application and Software Installation — The ability to install applications and software is restricted to authorized individuals. • Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. • Uses a Defined Change Control Process — A management-defined change control process is used for the implementation of software. • Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. • Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network. 54
SOC_2 CC7.1 SOC_2_CC7.1 SOC 2 Type 2 CC7.1 System Operations Detection and monitoring of new vulnerabilities Shared The customer is responsible for implementing this recommendation. • Uses Defined Configuration Standards — Management has defined configuration standards. • Monitors Infrastructure and Software — The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives. • Implements Change-Detection Mechanisms — The IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files. • Detects Unknown or Unauthorized Components — Procedures are in place to detect the introduction of unknown or unauthorized components. • Conducts Vulnerability Scans — The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis. 17
SWIFT_CSCF_v2021 1.1 SWIFT_CSCF_v2021_1.1 SWIFT CSCF v2021 1.1 SWIFT Environment Protection SWIFT Environment Protection n/a Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. link 30
SWIFT_CSCF_v2022 1.1 SWIFT_CSCF_v2022_1.1 SWIFT CSCF v2022 1.1 1. Restrict Internet Access & Protect Critical Systems from General IT Environment Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. Shared n/a A separated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments. link 22
SWIFT_CSCF_v2022 1.5A SWIFT_CSCF_v2022_1.5A SWIFT CSCF v2022 1.5A 1. Restrict Internet Access & Protect Critical Systems from General IT Environment Ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. Shared n/a A separated secure zone safeguards the customer's infrastructure used for external connectivity from external environments and compromises or attacks on the broader enterprise environment. link 26
UK_NCSC_CSP 11 UK_NCSC_CSP_11 UK NCSC CSP 11 External interface protection External interface protection Shared n/a All external or less trusted interfaces of the service should be identified and appropriately defended. link 8
UK_NCSC_CSP 5.3 UK_NCSC_CSP_5.3 UK NCSC CSP 5.3 Operational security Protective Monitoring Shared n/a A service which does not effectively monitor for attack, misuse and malfunction will be unlikely to detect attacks (both successful and unsuccessful). As a result, it will be unable to quickly respond to potential compromises of your environments and data. link 4
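Several of the controls in the table above (NIST SP 800-171 R2 3.4.8, NIST SP 800-53 CM-7(5) in both revisions, NZISM SS-5) describe the same model: a deny-all, permit-by-exception application allowlist, with the approved programs identified by cryptographic checksum or signature rather than by name alone, and the policy's own description asks for the audit-style variant of it (alert when something outside the known-safe list runs). The Python script below is an added illustration of that model written for this page; it is not code from Microsoft Defender for Cloud or from any of the cited standards. The "executables" are constructed byte strings, and every path and name in it is an assumption made for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample programs (path -> content). Synthetic stand-ins for real
# binaries; the paths and contents are assumptions for this example only.
KNOWN_GOOD = {
    "/usr/sbin/sshd": b"\x7fELF sshd build 9.3",
    "/opt/app/server": b"\x7fELF app server 1.4.2",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(known_good: dict) -> set:
    """Deny-all, permit-by-exception: the allowlist is the set of SHA-256
    digests of the approved program contents (CM-7(5): verify integrity with
    cryptographic checksums), not merely the set of approved paths."""
    return {sha256_hex(content) for content in known_good.values()}


@dataclass(frozen=True)
class Decision:
    path: str
    allowed: bool
    action: str  # "run" (approved), "alert" (audit mode), or "block" (enforce mode)


def evaluate(path: str, content: bytes, allowlist: set, enforce: bool) -> Decision:
    """Decide whether a program may run. Anything not on the allowlist is an
    exception: audit mode lets it run but raises an alert (the behaviour the
    policy description asks for); enforce mode blocks it."""
    if sha256_hex(content) in allowlist:
        return Decision(path, True, "run")
    return Decision(path, False, "block" if enforce else "alert")


def evaluate_path_only(path: str, approved_paths: set, enforce: bool) -> Decision:
    """Weaker rule shown for contrast: trust by path alone. A modified file
    written over an approved path is accepted, which is why the controls call
    for hash or signature verification in addition to the list itself."""
    if path in approved_paths:
        return Decision(path, True, "run")
    return Decision(path, False, "block" if enforce else "alert")


# Constructed execution attempts: an approved binary, an unknown tool, and a
# modified file sitting at an approved path.
ATTEMPTS = [
    ("/usr/sbin/sshd", KNOWN_GOOD["/usr/sbin/sshd"]),
    ("/tmp/.x/miner", b"\x7fELF unknown tool"),
    ("/usr/sbin/sshd", b"\x7fELF sshd build 9.3 + implant"),
]


def run_demo(enforce: bool) -> list:
    """Evaluate every attempt against the hash-based allowlist; return the decisions."""
    allowlist = build_allowlist(KNOWN_GOOD)
    return [evaluate(path, content, allowlist, enforce) for path, content in ATTEMPTS]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"enforce={mode}")
        for d in run_demo(mode):
            print(f"  {d.action:5s} {d.path}")
```

In audit mode the three attempts yield run, alert, alert; in enforce mode they yield run, block, block. The third attempt is the one worth noticing: the path-only rule passes it, the hash-based rule does not, and that gap is the reason the NIST text pairs the allowlist with integrity verification. A real deployment also needs the review step in CM-7(5)(c), because every legitimate update changes the hashes and the list must be regenerated or the new build signed before it is rolled out.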
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-01-05 16:06:49 change Major (2.0.0 > 3.0.0)
2020-07-14 15:28:17 change Previous DisplayName: Adaptive application controls for whitelisting safe applications should be enabled on your machines
2020-06-08 18:42:36 change Previous DisplayName: Adaptive Application Controls should be enabled on virtual machines
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077 Regulatory Compliance Preview BuiltIn
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2020 3e0c67fc-8c7c-406c-89bd-6b6bdc986a22 Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn
Azure Security Benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
Canada Federal PBMM 4c4a5f27-de81-430b-b4e5-9cbd50595a87 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
IRS1075 September 2016 105e0327-6175-4eb2-9af4-1fba43bdb39d Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance GA BuiltIn
New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
UK OFFICIAL and UK NHS 3937f550-eedd-4639-9c5e-294358be442e Regulatory Compliance GA BuiltIn