last sync: 2024-Apr-24 17:46:58 UTC

Microsoft Managed Control 1433 - Media Transport | Regulatory Compliance - Media Protection

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Microsoft Managed Control 1433 - Media Transport
Id: 5b879b41-2728-41c5-ad24-9ee2c37cbe65
Version: 1.0.0
Category: Regulatory Compliance
Description: Microsoft implements this Media Protection control
Additional metadata:
Name/Id: ACF1433 / Microsoft Managed Control 1433
Category: Media Protection
Title: Media Transport - Protection During Transport
Ownership: Microsoft
Description: The organization: Protects and controls digital media assets (see inventory) during transport outside of controlled areas, using SafeNet KeySecure to manage cryptographic keys with a FIPS 140-2 Level 3 validated encryption module (cert# 1694) and HSM (cert# 1178) to secure AES 256-bit encrypted data on the magnetic tapes;
Requirements: Digital media at Azure datacenters consist of servers, network devices, and magnetic tapes. Azure datacenters do not use non-digital media. Azure uses secure transport and data deletion to protect media that is being transported outside the datacenter. All media transported from Azure datacenters require accurate tracking, and tickets are created to arrange and track the transportation of media. Azure has contracted with several approved vendors to provide secure shipping services.

Secure transport begins with an accurate inventory and chain of custody. Authorized asset managers are required to manage the exchange of assets. Assets are inventoried at the time of delivery to the transporter. Requirements for transporting an asset are defined according to its asset classification and data classification. If data is required to remain intact, an approved policy exception request is required. The asset manager must witness the container being locked and a tamper-proof seal applied. Secure transport could have additional requirements such as a dedicated transport for only Microsoft assets, GPS tracking, and stopping only at Microsoft locations. In cases of longer transport routes, the requirement could be that there are multiple drivers and trucks with sleeping quarters to provide for non-stop delivery. At the delivery location, the transport company’s approved personnel must be present to witness the removal of the tamper-proof seal and the unlocking of the container. The receiving personnel inventory the shipment and send a message confirming receipt of the assets. This inventory is validated by the Microsoft asset manager.

Azure contracts with a vendor to provide equipment destruction. All assets are required to be destroyed onsite. Azure assets are cleansed/purged with methods consistent with NIST SP 800-88 prior to reuse. Prior to cleansing or destruction, an inventory is created by Datacenter Logistics. If a vendor is used for destruction, the vendor provides a certificate of destruction for each asset destroyed, which is validated by the asset manager.
Mode: Indexed
Type: Static
Preview: False
Deprecated: False
Effect: Fixed (audit)
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance: Not a Compliance control
Initiatives usage: none
History: none