last sync: 2024-Jun-13 18:14:14 UTC

Employ independent team for penetration testing | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source:               Azure Portal
Display name:         Employ independent team for penetration testing
Id:                   611ebc63-8600-50b6-a0e3-fef272457132
Version:              1.1.0
Category:             Regulatory Compliance
Description:          CMA_C1171 - Employ independent team for penetration testing

Additional metadata
  Name/Id:            CMA_C1171 / CMA_C1171
  Category:           Documentation
  Title:              Employ independent team for penetration testing
  Ownership:          Customer
  Description:        The customer is responsible for employing an independent agent or team to perform penetration testing on customer-deployed resources (note that this may be the 3PAO used for recurring assessments, or it may be a different independent assessor).
  Requirements:       The customer is responsible for implementing this recommendation.

Mode:                 All
Type:                 BuiltIn
Preview:              False
Deprecated:           False
Effect:               Default: Manual; Allowed: Manual, Disabled
RBAC role(s):         none
Rule aliases:         none
Rule resource types:  IF (1): Microsoft.Resources/subscriptions

Because the effect is Manual, Azure Policy does not evaluate any resource property for this definition: the subscription is reported as non-compliant until an attestation is recorded against the assignment, and the attestation (with the independent team's engagement evidence) is what sets the compliance state.
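The definition as an Azure Policy JSON document, reconstructed here from the metadata above. This is an added illustration and not the JSON exported from the portal: the property layout follows the standard policy-definition schema, and the parameter name `effect` and its display text are assumptions, since the page lists the allowed and default effect values but not the parameter itself.

```json
{
  "name": "611ebc63-8600-50b6-a0e3-fef272457132",
  "type": "Microsoft.Authorization/policyDefinitions",
  "properties": {
    "displayName": "Employ independent team for penetration testing",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "CMA_C1171 - Employ independent team for penetration testing",
    "metadata": {
      "version": "1.1.0",
      "category": "Regulatory Compliance"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [ "Manual", "Disabled" ],
        "defaultValue": "Manual"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

The `if` block only selects the subscription as the resource the compliance state is attached to; nothing in the rule inspects the subscription's configuration. Compliance for a Manual policy is asserted through a Microsoft.PolicyInsights/attestations resource scoped to the assignment (and, inside an initiative such as FedRAMP High, to the policy's definition reference id), so the penetration test report or engagement letter is the evidence to attach there.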
Compliance

The following 13 compliance controls are associated with this Policy definition 'Employ independent team for penetration testing' (611ebc63-8600-50b6-a0e3-fef272457132). For each control: domain, control name, metadata id, category, title, owner, requirements, description and the number of policies mapped to the control (Policy#).

FedRAMP_High_R4 / CA-8(1) / FedRAMP_High_R4_CA-8(1)
  Category: FedRAMP High CA-8 (1) Security Assessment And Authorization
  Title: Independent Penetration Agent Or Team
  Owner: Shared   Requirements: n/a   Policy#: 1
  Description: The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components. Supplemental Guidance: Independent penetration agents or teams are individuals or groups who conduct impartial penetration testing of organizational information systems. Impartiality implies that penetration agents or teams are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the information systems that are the targets of the penetration testing. Supplemental guidance for CA-2 (1) provides additional information regarding independent assessments that can be applied to penetration testing. Related control: CA-2.

FedRAMP_Moderate_R4 / CA-8(1) / FedRAMP_Moderate_R4_CA-8(1)
  Category: FedRAMP Moderate CA-8 (1) Security Assessment And Authorization
  Title: Independent Penetration Agent Or Team
  Owner: Shared   Requirements: n/a   Policy#: 1
  Description: Same control text as FedRAMP_High_R4 CA-8(1) above: the organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components, with the same supplemental guidance on impartiality and the reference to CA-2 (1). Related control: CA-2.

hipaa / 0712.10m2Organizational.4-10.m / hipaa-0712.10m2Organizational.4-10.m
  Category: 07 Vulnerability Management
  Title: 0712.10m2Organizational.4-10.m 10.06 Technical Vulnerability Management
  Owner: Shared   Requirements: n/a   Policy#: 2
  Description: Internal and external vulnerability assessments of covered information systems, virtualized environments, and networked environments, including both network- and application-layer tests, are performed by a qualified individual on a quarterly basis or after significant changes.

hipaa / 0788.10m3Organizational.20-10.m / hipaa-0788.10m3Organizational.20-10.m
  Category: 07 Vulnerability Management
  Title: 0788.10m3Organizational.20-10.m 10.06 Technical Vulnerability Management
  Owner: Shared   Requirements: n/a   Policy#: 1
  Description: The organization undergoes regular penetration testing by an independent agent or team, at least every 365 days, on defined information systems or system components; conducts such testing from outside as well as inside the network perimeter; and such testing includes tests for the protection of unprotected system information that would be useful to attackers.

ISO27001-2013 / A.12.7.1 / ISO27001-2013_A.12.7.1
  Category: ISO 27001:2013 A.12.7.1 Operations Security
  Title: Information systems audit controls
  Owner: Shared   Requirements: n/a   Policy#: 1
  Description: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

ISO27001-2013 / A.18.2.1 / ISO27001-2013_A.18.2.1
  Category: ISO 27001:2013 A.18.2.1 Compliance
  Title: Independent review of information security
  Owner: Shared   Requirements: n/a   Policy#: 2
  Description: The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes occur.

ISO27001-2013 / A.18.2.3 / ISO27001-2013_A.18.2.3
  Category: ISO 27001:2013 A.18.2.3 Compliance
  Title: Technical compliance review
  Owner: Shared   Requirements: n/a   Policy#: 5
  Description: Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.

NIST_SP_800-53_R4 / CA-8(1) / NIST_SP_800-53_R4_CA-8(1)
  Category: NIST SP 800-53 Rev. 4 CA-8 (1) Security Assessment And Authorization
  Title: Independent Penetration Agent Or Team
  Owner: Shared   Requirements: n/a   Policy#: 1
  Description: Same control text as FedRAMP_High_R4 CA-8(1) above (the FedRAMP baselines inherit this enhancement from NIST SP 800-53 Rev. 4), including the supplemental guidance on impartiality and the reference to CA-2 (1). Related control: CA-2.

NIST_SP_800-53_R5 / CA-8(1) / NIST_SP_800-53_R5_CA-8(1)
  Category: NIST SP 800-53 Rev. 5 CA-8 (1) Assessment, Authorization, and Monitoring
  Title: Independent Penetration Testing Agent or Team
  Owner: Shared   Requirements: n/a   Policy#: 1
  Description: Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.

org.3 / Security procedures / org.3
  Category: Security procedures
  Title: n/a
  Owner: n/a   Requirements: n/a   Policy#: 83
  Description: n/a (control text not available at the time of sync)

PCI_DSS_v4.0 / 11.4.1 / PCI_DSS_v4.0_11.4.1
  Category: PCI DSS v4.0 11.4.1 Requirement 11: Test Security of Systems and Networks Regularly
  Title: External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected
  Owner: Shared   Requirements: n/a   Policy#: 1
  Description: A penetration testing methodology is defined, documented, and implemented by the entity, and includes:
    - Industry-accepted penetration testing approaches.
    - Coverage for the entire CDE perimeter and critical systems.
    - Testing from both inside and outside the network.
    - Testing to validate any segmentation and scope-reduction controls.
    - Application-layer penetration testing to identify, at a minimum, the vulnerabilities listed in Requirement 6.2.4.
    - Network-layer penetration tests that encompass all components that support network functions as well as operating systems.
    - Review and consideration of threats and vulnerabilities experienced in the last 12 months.
    - Documented approach to assessing and addressing the risk posed by exploitable vulnerabilities and security weaknesses found during penetration testing.
    - Retention of penetration testing results and remediation activities results for at least 12 months.

PCI_DSS_v4.0 / 11.4.3 / PCI_DSS_v4.0_11.4.3
  Category: PCI DSS v4.0 11.4.3 Requirement 11: Test Security of Systems and Networks Regularly
  Title: External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected
  Owner: Shared   Requirements: n/a   Policy#: 1
  Description: External penetration testing is performed:
    - Per the entity's defined methodology
    - At least once every 12 months
    - After any significant infrastructure or application upgrade or change
    - By a qualified internal resource or qualified external third party
    - Organizational independence of the tester exists (not required to be a QSA or ASV).

SWIFT_CSCF_v2022 / 7.3A / SWIFT_CSCF_v2022_7.3A
  Category: SWIFT CSCF v2022 7.3A 7. Plan for Incident Response and Information Sharing
  Title: Validate the operational security configuration and identify security gaps by performing penetration testing.
  Owner: Shared   Requirements: n/a   Policy#: 2
  Description: Application, host, and network penetration testing is conducted towards the secure zone and the operator PCs or, when used, the jump server.
Initiatives usage

Initiative DisplayName   Initiative Id                          Initiative Category     State  Type
FedRAMP High             d5264498-16f4-418a-b659-fa7ef418175f   Regulatory Compliance   GA     BuiltIn
FedRAMP Moderate         e95f5a9f-57ad-4d03-bb0b-b1d16db93693   Regulatory Compliance   GA     BuiltIn
HITRUST/HIPAA            a169a624-5599-4385-a696-c8d643089fab   Regulatory Compliance   GA     BuiltIn
ISO 27001:2013           89c6cddc-1c73-4ac1-b19c-54d1a15a42f2   Regulatory Compliance   GA     BuiltIn
NIST SP 800-53 Rev. 4    cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f   Regulatory Compliance   GA     BuiltIn
NIST SP 800-53 Rev. 5    179d1daa-458f-4e47-8086-2a68d0d6c38f   Regulatory Compliance   GA     BuiltIn
PCI DSS v4               c676748e-3af9-4e22-bc28-50feed564afb   Regulatory Compliance   GA     BuiltIn
Spain ENS                175daf90-21e1-4fec-b745-7b4c909aa94c   Regulatory Compliance   GA     BuiltIn
SWIFT CSP-CSCF v2022     7bc7cd6c-4114-ff31-3cac-59be3157596d   Regulatory Compliance   GA     BuiltIn
History

Date/Time (UTC ymd)   Change type   Change detail
2022-09-27 16:35:32   change        Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40   add           611ebc63-8600-50b6-a0e3-fef272457132