| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| AU_ISM |
1503 |
AU_ISM_1503 |
AU ISM 1503 |
Guidelines for Personnel Security - Access to systems and their resources |
Standard access to systems - 1503 |
|
n/a |
Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties. |
link |
6 |
| AU_ISM |
1507 |
AU_ISM_1507 |
AU ISM 1507 |
Guidelines for Personnel Security - Access to systems and their resources |
Privileged access to systems - 1507 |
|
n/a |
Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis. |
link |
4 |
| AU_ISM |
1508 |
AU_ISM_1508 |
AU ISM 1508 |
Guidelines for Personnel Security - Access to systems and their resources |
Privileged access to systems - 1508 |
|
n/a |
Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties. |
link |
7 |
| AU_ISM |
415 |
AU_ISM_415 |
AU ISM 415 |
Guidelines for Personnel Security - Access to systems and their resources |
User identification - 415 |
|
n/a |
The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable. |
link |
4 |
| AU_ISM |
445 |
AU_ISM_445 |
AU ISM 445 |
Guidelines for Personnel Security - Access to systems and their resources |
Privileged access to systems - 445 |
|
n/a |
Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access. |
link |
4 |
| Azure_Security_Benchmark_v1.0 |
3.3 |
Azure_Security_Benchmark_v1.0_3.3 |
Azure Security Benchmark 3.3 |
Identity and Access Control |
Use dedicated administrative accounts |
Customer |
Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.
You can also enable a Just-In-Time / Just-Enough-Access by using Azure AD Privileged Identity Management Privileged Roles for Microsoft Services, and Azure Resource Manager.
Learn more: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/ |
n/a |
link |
5 |
| CCCS |
AC-5 |
CCCS_AC-5 |
CCCS AC-5 |
Access Control |
Separation of Duties |
|
n/a |
(A) The organization:
(a) Separate organization-defined duties of individuals including at least separation of operational, development, security monitoring, and management functions;
(b) Documents separation of duties of individuals; and
(c) Defines information system access authorizations to support separation of duties. |
link |
7 |
| CCCS |
AC-6 |
CCCS_AC-6 |
CCCS AC-6 |
Access Control |
Least Privilege |
|
n/a |
(A) The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
link |
7 |
| CMMC_L3 |
AC.3.017 |
CMMC_L3_AC.3.017 |
CMMC L3 AC.3.017 |
Access Control |
Separate the duties of individuals to reduce the risk of malevolent activity without collusion. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties. |
link |
4 |
| CMMC_L3 |
SC.3.181 |
CMMC_L3_SC.3.181 |
CMMC L3 SC.3.181 |
System and Communications Protection |
Separate user functionality from system management functionality. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. |
link |
6 |
| hipaa |
11210.01q2Organizational.10-01.q |
hipaa-11210.01q2Organizational.10-01.q |
11210.01q2Organizational.10 - 01.q |
User Identification and Authentication |
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records. |
Customer |
n/a |
Azure does not implement identification codes and electronic signatures, per FDA CFR 21 Part 11. |
|
1 |
| hipaa |
1125.01q2System.1-01.q |
hipaa-1125.01q2System.1-01.q |
1125.01q2System.1-01.q |
11 Access Control |
1125.01q2System.1-01.q 01.05 Operating System Access Control |
Shared |
n/a |
Multi-factor authentication methods are used in accordance with organizational policy (e.g., for remote network access). |
|
4 |
| IRS_1075_9.3 |
.1.5 |
IRS_1075_9.3.1.5 |
IRS 1075 9.3.1.5 |
Access Control |
Separation of Duties (AC-5) |
|
n/a |
The agency must:
a. Separate duties of individuals to prevent harmful activity without collusion
b. Document separation of duties of individuals
c. Define information system access authorizations to support separation of duties |
link |
7 |
| IRS_1075_9.3 |
.1.6 |
IRS_1075_9.3.1.6 |
IRS 1075 9.3.1.6 |
Access Control |
Least Privilege (AC-6) |
|
n/a |
The agency must:
a. Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with agency missions and business functions
b. Explicitly authorize access to FTI (CE1)
c. Require that users of information system accounts, or roles, with access to FTI, use non-privileged accounts or roles when accessing non-security functions (CE2)
d. Restrict privileged accounts on the information system to a limited number of individuals with a need to perform administrative duties (CE5)
The information system must:
a. Audit the execution of privileged functions (CE9)
b. Prevent non-privileged users from executing privileged functions; including disabling, circumventing, or altering implemented security safeguards/countermeasures (CE10) |
link |
7 |
| NIST_SP_800-171_R2_3 |
.1.4 |
NIST_SP_800-171_R2_3.1.4 |
NIST SP 800-171 R2 3.1.4 |
Access Control |
Separate the duties of individuals to reduce the risk of malevolent activity without collusion. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties. |
link |
6 |
| NZISM_Security_Benchmark_v1.1 |
AC-11 |
NZISM_Security_Benchmark_v1.1_AC-11 |
NZISM Security Benchmark AC-11 |
Access Control and Passwords |
16.4.30 Privileged Access Management |
Customer |
Agencies MUST establish a Privileged Access Management (PAM) policy.
Within the context of agency operations, the agency’s PAM policy MUST define:
a privileged account; and
privileged access.
Agencies MUST manage Privileged Accounts in accordance with the Agency’s PAM Policy. |
A fundamental part of any security policy is the inclusion of requirements for the treatment of Privileged Accounts. This is most conveniently contained in a Privileged Access Management (PAM) section within the agency’s security policy. A PAM policy is a fundamental component of an agency’s IT Governance. |
link |
9 |