compliance controls are associated with this Policy definition 'Audit Windows machines that have the specified members in the Administrators group' (69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| AU_ISM |
1503 |
AU_ISM_1503 |
AU ISM 1503 |
Guidelines for Personnel Security - Access to systems and their resources |
Standard access to systems - 1503 |
|
n/a |
Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties. |
link |
6 |
| AU_ISM |
1507 |
AU_ISM_1507 |
AU ISM 1507 |
Guidelines for Personnel Security - Access to systems and their resources |
Privileged access to systems - 1507 |
|
n/a |
Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis. |
link |
4 |
| AU_ISM |
1508 |
AU_ISM_1508 |
AU ISM 1508 |
Guidelines for Personnel Security - Access to systems and their resources |
Privileged access to systems - 1508 |
|
n/a |
Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties. |
link |
7 |
| AU_ISM |
415 |
AU_ISM_415 |
AU ISM 415 |
Guidelines for Personnel Security - Access to systems and their resources |
User identification - 415 |
|
n/a |
The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable. |
link |
4 |
| AU_ISM |
445 |
AU_ISM_445 |
AU ISM 445 |
Guidelines for Personnel Security - Access to systems and their resources |
Privileged access to systems - 445 |
|
n/a |
Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access. |
link |
4 |
| Azure_Security_Benchmark_v1.0 |
3.3 |
Azure_Security_Benchmark_v1.0_3.3 |
Azure Security Benchmark 3.3 |
Identity and Access Control |
Use dedicated administrative accounts |
Customer |
Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.
You can also enable a Just-In-Time / Just-Enough-Access by using Microsoft Entra Privileged Identity Management Privileged Roles for Microsoft Services, and Azure Resource Manager.
Learn more: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/ |
n/a |
link |
5 |
| CCCS |
AC-5 |
CCCS_AC-5 |
CCCS AC-5 |
Access Control |
Separation of Duties |
|
n/a |
(A) The organization:
(a) Separate organization-defined duties of individuals including at least separation of operational, development, security monitoring, and management functions;
(b) Documents separation of duties of individuals; and
(c) Defines information system access authorizations to support separation of duties. |
link |
7 |
| CCCS |
AC-6 |
CCCS_AC-6 |
CCCS AC-6 |
Access Control |
Least Privilege |
|
n/a |
(A) The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
link |
7 |
| CMMC_L2_v1.9.0 |
AU.L2_3.3.1 |
CMMC_L2_v1.9.0_AU.L2_3.3.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.1 |
Audit and Accountability |
System Auditing |
Shared |
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. |
To enhance security and accountability measures. |
|
40 |
| CMMC_L2_v1.9.0 |
AU.L2_3.3.3 |
CMMC_L2_v1.9.0_AU.L2_3.3.3 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.3 |
Audit and Accountability |
Event Review |
Shared |
Review and update logged events. |
To enhance the effectiveness of security measures. |
|
33 |
| CMMC_L2_v1.9.0 |
IA.L1_3.5.1 |
CMMC_L2_v1.9.0_IA.L1_3.5.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 IA.L1 3.5.1 |
Identification and Authentication |
Identification |
Shared |
Identify information system users, processes acting on behalf of users, or devices. |
To enable effective monitoring, authentication, and access control measures to be implemented within the system. |
|
23 |
| CMMC_L2_v1.9.0 |
PS.L2_3.9.2 |
CMMC_L2_v1.9.0_PS.L2_3.9.2 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 PS.L2 3.9.2 |
Personnel Security |
Personnel Actions |
Shared |
Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. |
To ensure that organizational systems containing CUI are protected during and after personnel actions, such as terminations and transfers. |
|
17 |
| CMMC_L3 |
AC.3.017 |
CMMC_L3_AC.3.017 |
CMMC L3 AC.3.017 |
Access Control |
Separate the duties of individuals to reduce the risk of malevolent activity without collusion. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties. |
link |
4 |
| CMMC_L3 |
SC.3.181 |
CMMC_L3_SC.3.181 |
CMMC L3 SC.3.181 |
System and Communications Protection |
Separate user functionality from system management functionality. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. |
link |
6 |
| hipaa |
11210.01q2Organizational.10-01.q |
hipaa-11210.01q2Organizational.10-01.q |
11210.01q2Organizational.10 - 01.q |
User Identification and Authentication |
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records. |
Customer |
n/a |
Azure does not implement identification codes and electronic signatures, per FDA CFR 21 Part 11. |
|
1 |
| hipaa |
1125.01q2System.1-01.q |
hipaa-1125.01q2System.1-01.q |
1125.01q2System.1-01.q |
11 Access Control |
1125.01q2System.1-01.q 01.05 Operating System Access Control |
Shared |
n/a |
Multi-factor authentication methods are used in accordance with organizational policy (e.g., for remote network access). |
|
4 |
| IRS_1075_9.3 |
.1.5 |
IRS_1075_9.3.1.5 |
IRS 1075 9.3.1.5 |
Access Control |
Separation of Duties (AC-5) |
|
n/a |
The agency must:
a. Separate duties of individuals to prevent harmful activity without collusion
b. Document separation of duties of individuals
c. Define information system access authorizations to support separation of duties |
link |
7 |
| IRS_1075_9.3 |
.1.6 |
IRS_1075_9.3.1.6 |
IRS 1075 9.3.1.6 |
Access Control |
Least Privilege (AC-6) |
|
n/a |
The agency must:
a. Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with agency missions and business functions
b. Explicitly authorize access to FTI (CE1)
c. Require that users of information system accounts, or roles, with access to FTI, use non-privileged accounts or roles when accessing non-security functions (CE2)
d. Restrict privileged accounts on the information system to a limited number of individuals with a need to perform administrative duties (CE5)
The information system must:
a. Audit the execution of privileged functions (CE9)
b. Prevent non-privileged users from executing privileged functions; including disabling, circumventing, or altering implemented security safeguards/countermeasures (CE10) |
link |
7 |
| NIST_SP_800-171_R2_3 |
.1.4 |
NIST_SP_800-171_R2_3.1.4 |
NIST SP 800-171 R2 3.1.4 |
Access Control |
Separate the duties of individuals to reduce the risk of malevolent activity without collusion. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties. |
link |
6 |
| NZISM_Security_Benchmark_v1.1 |
AC-11 |
NZISM_Security_Benchmark_v1.1_AC-11 |
NZISM Security Benchmark AC-11 |
Access Control and Passwords |
16.4.30 Privileged Access Management |
Customer |
Agencies MUST establish a Privileged Access Management (PAM) policy.
Within the context of agency operations, the agency’s PAM policy MUST define:
a privileged account; and
privileged access.
Agencies MUST manage Privileged Accounts in accordance with the Agency’s PAM Policy. |
A fundamental part of any security policy is the inclusion of requirements for the treatment of Privileged Accounts. This is most conveniently contained in a Privileged Access Management (PAM) section within the agency’s security policy. A PAM policy is a fundamental component of an agency’s IT Governance. |
link |
9 |
| PCI_DSS_v4.0.1 |
10.4.2.1 |
PCI_DSS_v4.0.1_10.4.2.1 |
PCI DSS v4.0.1 10.4.2.1 |
Log and Monitor All Access to System Components and Cardholder Data |
Frequency of Log Reviews |
Shared |
n/a |
The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1 |
|
25 |
| PCI_DSS_v4.0.1 |
7.2.1 |
PCI_DSS_v4.0.1_7.2.1 |
PCI DSS v4.0.1 7.2.1 |
Restrict Access to System Components and Cardholder Data by Business Need to Know |
An access control model is defined and includes granting access as follows: Appropriate access depending on the entity’s business and access needs. Access to system components and data resources that is based on users’ job classification and functions. The least privileges required (for example, user, administrator) to perform a job function |
Shared |
n/a |
Examine documented policies and procedures and interview personnel to verify the access control model is defined in accordance with all elements specified in this requirement. Examine access control model settings and verify that access needs are appropriately defined in accordance with all elements specified in this requirement |
|
43 |
| PCI_DSS_v4.0.1 |
7.2.2 |
PCI_DSS_v4.0.1_7.2.2 |
PCI DSS v4.0.1 7.2.2 |
Restrict Access to System Components and Cardholder Data by Business Need to Know |
Access is assigned to users, including privileged users, based on: Job classification and function. Least privileges necessary to perform job responsibilities |
Shared |
n/a |
Examine policies and procedures to verify they cover assigning access to users in accordance with all elements specified in this requirement. Examine user access settings, including for privileged users, and interview responsible management personnel to verify that privileges assigned are in accordance with all elements specified in this requirement. Interview personnel responsible for assigning access to verify that privileged user access is assigned in accordance with all elements specified in this requirement |
|
43 |
| PCI_DSS_v4.0.1 |
7.2.3 |
PCI_DSS_v4.0.1_7.2.3 |
PCI DSS v4.0.1 7.2.3 |
Restrict Access to System Components and Cardholder Data by Business Need to Know |
Required privileges are approved by authorized personnel |
Shared |
n/a |
Examine policies and procedures to verify they define processes for approval of all privileges by authorized personnel. Examine user IDs and assigned privileges, and compare with documented approvals to verify that: Documented approval exists for the assigned privileges. The approval was by authorized personnel. Specified privileges match the roles assigned to the individual |
|
38 |
| PCI_DSS_v4.0.1 |
7.2.4 |
PCI_DSS_v4.0.1_7.2.4 |
PCI DSS v4.0.1 7.2.4 |
Restrict Access to System Components and Cardholder Data by Business Need to Know |
All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: At least once every six months. To ensure user accounts and access remain appropriate based on job function. Any inappropriate access is addressed. Management acknowledges that access remains appropriate |
Shared |
n/a |
Examine policies and procedures to verify they define processes to review all user accounts and related access privileges, including third-party/vendor accounts, in accordance with all elements specified in this requirement. Interview responsible personnel and examine documented results of periodic reviews of user accounts to verify that all the results are in accordance with all elements specified in this requirement |
|
40 |
| PCI_DSS_v4.0.1 |
7.2.5 |
PCI_DSS_v4.0.1_7.2.5 |
PCI DSS v4.0.1 7.2.5 |
Restrict Access to System Components and Cardholder Data by Business Need to Know |
All application and system accounts and related access privileges are assigned and managed as follows: Based on the least privileges necessary for the operability of the system or application. Access is limited to the systems, applications, or processes that specifically require their use |
Shared |
n/a |
Examine policies and procedures to verify they define processes to manage and assign application and system accounts and related access privileges in accordance with all elements specified in this requirement. Examine privileges associated with system and application accounts and interview responsible personnel to verify that application and system accounts and related access privileges are assigned and managed in accordance with all elements specified in this requirement |
|
44 |
| PCI_DSS_v4.0.1 |
7.2.5.1 |
PCI_DSS_v4.0.1_7.2.5.1 |
PCI DSS v4.0.1 7.2.5.1 |
Restrict Access to System Components and Cardholder Data by Business Need to Know |
All access by application and system accounts and related access privileges are reviewed as follows: Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1). The application/system access remains appropriate for the function being performed. Any inappropriate access is addressed. Management acknowledges that access remains appropriate |
Shared |
n/a |
Examine policies and procedures to verify they define processes to review all application and system accounts and related access privileges in accordance with all elements specified in this requirement. Examine the entity’s targeted risk analysis for the frequency of periodic reviews of application and system accounts and related access privileges to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1. Interview responsible personnel and examine documented results of periodic reviews of system and application accounts and related privileges to verify that the reviews occur in accordance with all elements specified in this requirement |
|
39 |
| PCI_DSS_v4.0.1 |
7.2.6 |
PCI_DSS_v4.0.1_7.2.6 |
PCI DSS v4.0.1 7.2.6 |
Restrict Access to System Components and Cardholder Data by Business Need to Know |
All user access to query repositories of stored cardholder data is restricted as follows: Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges. Only the responsible administrator(s) can directly access or query repositories of stored CHD |
Shared |
n/a |
Examine policies and procedures and interview personnel to verify processes are defined for granting user access to query repositories of stored cardholder data, in accordance with all elements specified in this requirement. Examine configuration settings for querying repositories of stored cardholder data to verify they are in accordance with all elements specified in this requirement |
|
41 |