AzPolicyAdvertizer

last sync: 2023-Dec-06 18:52:29 UTC

Azure Policy definition

Container registry images should have vulnerability findings resolved

Source Azure Portal
Display name Container registry images should have vulnerability findings resolved
Id 5f0f936f-2f01-4bf5-b6be-d423792fa562
Version 2.0.1
Details on versioning
Category Security Center
Microsoft Learn
Description Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.Security/assessments/status.code Microsoft.Security assessments properties.status.code false
Rule resource types IF (1)
Microsoft.ContainerRegistry/registries
Compliance
The following 28 compliance controls are associated with this Policy definition 'Container registry images should have vulnerability findings resolved' (5f0f936f-2f01-4bf5-b6be-d423792fa562)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v2.0 PV-6 Azure_Security_Benchmark_v2.0_PV-6 Azure Security Benchmark PV-6 Posture and Vulnerability Management Perform software vulnerability assessments Customer Follow recommendations from Azure Security Center for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Azure Security Center has a built-in vulnerability scanner for virtual machine scan. Use a third-party solution for performing vulnerability assessments on network devices and web applications. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT (Just In Time) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning. Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Azure Security Center, you can pivot into the selected scan solution's portal to view historical scan data. How to implement Azure Security Center vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations Integrated vulnerability scanner for virtual machines: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment SQL vulnerability assessment: https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment Exporting Azure Security Center vulnerability scan results: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment#exporting-results n/a link 5
Azure_Security_Benchmark_v3.0 DS-6 Azure_Security_Benchmark_v3.0_DS-6 Microsoft cloud security benchmark DS-6 DevOps Security Enforce security of workload throughout DevOps lifecycle Shared **Security Principle:** Ensure the workload is secured throughout the entire lifecycle in development, testing, and deployment stage. Use Azure Security Benchmark to evaluate the controls (such as network security, identity management, privileged access and so on) that can be set as guardrails by default or shift left prior to the deployment stage. In particular, ensure the following controls are in place in your DevOps process: - Automate the deployment by using Azure or third-party tooling in the CI/CD workflow, infrastructure management (infrastructure as code), and testing to reduce human error and attack surface. - Ensure VMs, container images and other artifacts are secure from malicious manipulation. - Scan the workload artifacts (in other words, container images, dependencies, SAST and DAST scans) prior to the deployment in the CI/CD workflow - Deploy vulnerability assessment and threat detection capability into the production environment and continuously use these capabilities in the run-time. **Azure Guidance:** Guidance for Azure VMs: - Use Azure Shared Image Gallery to share and control access to your images by different users, service principals, or AD groups within your organization. Use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access your custom images. - Define the secure configuration baselines for the VMs to eliminate unnecessary credentials, permissions, and packages. Through custom images, Azure Resource Manager template, and/or Azure Policy guest configuration to deploy and enforce these the configuration baseline. Guidance for Azure container services: - Use Azure Container Registry (ACR) to create your private container registry where a granular access can be restricted through Azure RBAC, so only authorized services and accounts can access the containers in the private registry. - Use Defender for Azure Container Registry for vulnerability assessment of the images in your private Azure Container Registry. In addition, you can use Microsoft Defender for Cloud to ingrate container images scan as part of your CI/CD workflows. For Azure serverless services, adopt the similar controls to ensure security controls are shift left to the stage prior to the deployment. **Implementation and additional context:** Shared Image Gallery overview: https://docs.microsoft.com/azure/virtual-machines/windows/shared-image-galleries How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations Security considerations for Azure Container: https://docs.microsoft.com/azure/container-instances/container-instances-image-security Azure Defender for container registries: https://docs.microsoft.com/azure/security-center/defender-for-container-registries-introduction n/a link 5
Azure_Security_Benchmark_v3.0 PV-6 Azure_Security_Benchmark_v3.0_PV-6 Microsoft cloud security benchmark PV-6 Posture and Vulnerability Management Rapidly and automatically remediate vulnerabilities Shared **Security Principle:** Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources. Use the appropriate risk-based approach to prioritize the remediation of the vulnerabilities. For example, more severe vulnerabilities in a higher value asset should be addressed as a higher priority. **Azure Guidance:** Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically. For third-party software, use a third-party patch management solution or System Center Updates Publisher for Configuration Manager. Prioritize which updates to deploy first using a common risk scoring program (such as Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool and tailor to your environment. You should also consider which applications present a high security risk and which ones require high uptime. **Implementation and additional context:** How to configure Update Management for virtual machines in Azure: https://docs.microsoft.com/azure/automation/update-management/overview Manage updates and patches for your Azure VMs: https://docs.microsoft.com/azure/automation/update-management/manage-updates-for-vm n/a link 13
CMMC_2.0_L2 RA.L2-3.11.2 CMMC_2.0_L2_RA.L2-3.11.2 404 not found n/a n/a 21
CMMC_2.0_L2 RA.L2-3.11.3 CMMC_2.0_L2_RA.L2-3.11.3 404 not found n/a n/a 21
CMMC_L3 RM.2.143 CMMC_L3_RM.2.143 CMMC L3 RM.2.143 Risk Assessment Remediate vulnerabilities in accordance with risk assessments. Shared Microsoft and the customer share responsibilities for implementing this requirement. Vulnerabilities discovered, for example, via the scanning conducted in response to RM.2.142, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities. link 19
FedRAMP_High_R4 RA-5 FedRAMP_High_R4_RA-5 FedRAMP High RA-5 Risk Assessment Vulnerability Scanning Shared n/a The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times], in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). Supplemental Guidance: Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. References: NIST Special Publications 800-40, 800-70, 800-115; Web: http://cwe.mitre.org, http://nvd.nist.gov. link 23
FedRAMP_Moderate_R4 RA-5 FedRAMP_Moderate_R4_RA-5 FedRAMP Moderate RA-5 Risk Assessment Vulnerability Scanning Shared n/a The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times], in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). Supplemental Guidance: Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. References: NIST Special Publications 800-40, 800-70, 800-115; Web: http://cwe.mitre.org, http://nvd.nist.gov. link 23
NIST_SP_800-171_R2_3 .11.2 NIST_SP_800-171_R2_3.11.2 NIST SP 800-171 R2 3.11.2 Risk Assessment Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning. [SP 800-40] provides guidance on vulnerability management. link 24
NIST_SP_800-171_R2_3 .11.3 NIST_SP_800-171_R2_3.11.3 NIST SP 800-171 R2 3.11.3 Risk Assessment Remediate vulnerabilities in accordance with risk assessments. Shared Microsoft and the customer share responsibilities for implementing this requirement. Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities. link 23
NIST_SP_800-53_R4 RA-5 NIST_SP_800-53_R4_RA-5 NIST SP 800-53 Rev. 4 RA-5 Risk Assessment Vulnerability Scanning Shared n/a The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times], in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). Supplemental Guidance: Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. References: NIST Special Publications 800-40, 800-70, 800-115; Web: http://cwe.mitre.org, http://nvd.nist.gov. link 23
NIST_SP_800-53_R5 RA-5 NIST_SP_800-53_R5_RA-5 NIST SP 800-53 Rev. 5 RA-5 Risk Assessment Vulnerability Monitoring and Scanning Shared n/a a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. link 23
NZ_ISM_v3.5 ISM-4 NZ_ISM_v3.5_ISM-4 NZISM Security Benchmark ISM-4 Information security monitoring 6.2.6 Resolving vulnerabilities Customer n/a Vulnerabilities may occur as a result of poorly designed or implemented information security practices, accidental activities or malicious activities, and not just as the result of a technical issue. link 11
NZISM_Security_Benchmark_v1.1 ISM-4 NZISM_Security_Benchmark_v1.1_ISM-4 NZISM Security Benchmark ISM-4 Information security monitoring 6.2.6 Resolving vulnerabilities Customer Agencies SHOULD analyse and treat all vulnerabilities and subsequent security risks to their systems identified during a vulnerability assessment. Vulnerabilities may occur as a result of poorly designed or implemented information security practices, accidental activities or malicious activities, and not just as the result of a technical issue. link 6
RBI_CSF_Banks_v2016 18.4 RBI_CSF_Banks_v2016_18.4 Vulnerability Assessment And Penetration Test And Red Team Exercises Vulnerability Assessment And Penetration Test And Red Team Exercises-18.4 n/a Findings of VA/PT and the follow up actions necessitated are to be monitored closely by the Information Security/Information Technology Audit team as well as Senior/Top Management. 6
RBI_CSF_Banks_v2016 2.3 RBI_CSF_Banks_v2016_2.3 Preventing Execution Of Unauthorised Software Security Update Management-2.3 n/a Continuously monitor the release of patches by various vendors / OEMs, advisories issued by CERT-in and other similar agencies and expeditiously apply the security patches as per the patch management policy of the bank. If a patch/series of patches is/are released by the OEM/manufacturer/vendor for protection against wellknown/well publicised/reported attacks exploiting the vulnerability patched, the banks must have a mechanism to apply them expeditiously following an emergency patch management process. 9
RBI_CSF_Banks_v2016 20.1 RBI_CSF_Banks_v2016_20.1 Risk Based Transaction Monitoring Risk Based Transaction Monitoring-20.1 n/a Risk based transaction monitoring or surveillance process shall be implemented as part of fraud risk management system across all -delivery channels. 7
RBI_CSF_Banks_v2016 6.1 RBI_CSF_Banks_v2016_6.1 Application Security Life Cycle (Aslc) Application Security Life Cycle (Aslc)-6.1 n/a Incorporate/Ensure information security across all stages of application life cycle. 3
RBI_CSF_Banks_v2016 6.3 RBI_CSF_Banks_v2016_6.3 Application Security Life Cycle (Aslc) Application Security Life Cycle (Aslc)-6.3 n/a Secure coding practices may also be implemented for internally /collaboratively developed applications. 3
RBI_CSF_Banks_v2016 6.6 RBI_CSF_Banks_v2016_6.6 Application Security Life Cycle (Aslc) Application Security Life Cycle (Aslc)-6.6 n/a Software/Application development approach should be based on threat modelling, incorporate secure coding principles and security testing based on global standards and secure rollout 3
RBI_CSF_Banks_v2016 6.7 RBI_CSF_Banks_v2016_6.7 Application Security Life Cycle (Aslc) Application Security Life Cycle (Aslc)-6.7 n/a Ensure that software/application development practices addresses the vulnerabilities based on best practices baselines such as Open Web Application Security Project (OWASP) proactively and adopt principle of defence-in-depth to provide layered security mechanism. 6
RBI_CSF_Banks_v2016 7.1 RBI_CSF_Banks_v2016_7.1 Patch/Vulnerability & Change Management Patch/Vulnerability & Change Management-7.1 n/a Follow a documented risk-based strategy for inventorying IT components that need to be patched, identification of patches and applying patches so as to minimize the number of vulnerable systems and the time window of vulnerability/exposure. 12
RBI_CSF_Banks_v2016 7.2 RBI_CSF_Banks_v2016_7.2 Patch/Vulnerability & Change Management Patch/Vulnerability & Change Management-7.2 n/a Put in place systems and processes to identify, track, manage and monitor the status of patches to operating system and application software running at end-user devices directly connected to the internet and in respect of Server operating Systems/Databases/Applications/ Middleware, etc. 12
RBI_CSF_Banks_v2016 7.6 RBI_CSF_Banks_v2016_7.6 Patch/Vulnerability & Change Management Patch/Vulnerability & Change Management-7.6 n/a As a threat mitigation strategy, identify the root cause of incident and apply necessary patches to plug the vulnerabilities. 21
RBI_ITF_NBFC_v2017 1 RBI_ITF_NBFC_v2017_1 RBI IT Framework 1 IT Governance IT Governance-1 n/a IT Governance is an integral part of corporate governance. It involves leadership support, organizational structure and processes to ensure that the NBFC???s IT sustains and extends business strategies and objectives. Effective IT Governance is the responsibility of the Board of Directors and Executive Management. Well-defined roles and responsibilities of Board and Senior Management are critical, while implementing IT Governance. Clearly-defined roles enable effective project control. People, when they are aware of others' expectations from them, are able to complete work on time, within budget and to the expected level of quality. IT Governance Stakeholders include: Board of Directors, IT Strategy Committees, CEOs, Business Executives, Chief Information Officers (CIOs), Chief Technology Officers (CTOs), IT Steering Committees (operating at an executive level and focusing on priority setting, resource allocation and project tracking), Chief Risk Officer and Risk Committees. The basic principles of value delivery, IT Risk Management, IT resource management and performance management must form the basis of governance framework. IT Governance has a continuous life-cycle. It's a process in which IT strategy drives the processes, using resources necessary to execute responsibilities. Given the criticality of the IT, NBFCs may follow relevant aspects of such prudential governance standards that have found acceptability in the finance industry. link 15
RBI_ITF_NBFC_v2017 3.3 RBI_ITF_NBFC_v2017_3.3 RBI IT Framework 3.3 Information and Cyber Security Vulnerability Management-3.3 n/a A vulnerability can be defined as an inherent configuration flaw in an organization???s information technology base, whether hardware or software, which can be exploited by a third party to gather sensitive information regarding the organization. Vulnerability management is an ongoing process to determine the process of eliminating or mitigating vulnerabilities based upon the risk and cost associated with the vulnerabilities. NBFCs may devise a strategy for managing and eliminating vulnerabilities and such strategy may clearly be communicated in the Cyber Security policy link 14
RMiT_v1.0 11.8 RMiT_v1.0_11.8 RMiT 11.8 Cybersecurity Operations Cybersecurity Operations - 11.8 Shared n/a A financial institution must ensure that its cybersecurity operations continuously prevent and detect any potential compromise of its security controls or weakening of its security posture. For large financial institutions, this must include performing a quarterly vulnerability assessment of external and internal network components that support all critical systems. link 4
U.09.3 - Detection, prevention and recovery U.09.3 - Detection, prevention and recovery 404 not found n/a n/a 32
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance GA BuiltIn
New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-01-07 18:14:35 change Patch (2.0.0 > 2.0.1)
2021-01-05 16:06:49 change Major (1.0.0 > 2.0.0)
2020-08-19 13:49:29 add 5f0f936f-2f01-4bf5-b6be-d423792fa562
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC