last sync: 2024-Oct-03 17:51:34 UTC

Establish a configuration control board | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Establish a configuration control board
Id 7380631c-5bf5-0e3a-4509-0873becd8a63
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0254 - Establish a configuration control board
Additional metadata Name/Id: CMA_0254 / CMA_0254
Category: Operational
Title: Establish a configuration control board
Ownership: Customer
Description: Microsoft recommends to define security guardrails for infrastructure and DevOps teams by making it easy to securely configure the Azure services they use. Start your security configuration of Azure services with the service baselines in the Azure Security Benchmark and customize as needed for your organization. Use Azure Security Center to configure Azure Policy to audit and enforce configurations of your Azure resources. You can use Azure Blueprints to automate deployment and configuration of services and application environments, including Azure Resource Manager templates, Azure RBAC controls, and policies, in a single blueprint definition. Use Azure Security Center and Azure Policy to regularly assess and remediate configuration risks on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system required by your organization. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements. Also, note that Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft. Azure Security Center can also scan vulnerabilities in container images and perform continuous monitoring of your Docker configuration in containers, based on the CIS Docker Benchmark. You can use the Azure Security Center recommendations page to view recommendations and remediate issues.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 28 compliance controls are associated with this Policy definition 'Establish a configuration control board' (7380631c-5bf5-0e3a-4509-0873becd8a63)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.3.0 2.12 CIS_Azure_1.3.0_2.12 CIS Microsoft Azure Foundations Benchmark recommendation 2.12 2 Security Center Ensure any of the ASC Default policy setting is not set to "Disabled" Shared The customer is responsible for implementing this recommendation. None of the settings offered by ASC Default policy should be set to effect "Disabled". link 6
CIS_Azure_1.4.0 2.12 CIS_Azure_1.4.0_2.12 CIS Microsoft Azure Foundations Benchmark recommendation 2.12 2 Microsoft Defender for Cloud Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled' Shared The customer is responsible for implementing this recommendation. None of the settings offered by ASC Default policy should be set to effect "Disabled". link 6
CIS_Azure_2.0.0 2.1.14 CIS_Azure_2.0.0_2.1.14 CIS Microsoft Azure Foundations Benchmark recommendation 2.1.14 2.1 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' Shared n/a None of the settings offered by ASC Default policy should be set to effect `Disabled`. A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. ASC Default policy is associated with every subscription by default. ASC default policy assignment is a set of security recommendations based on best practices. Enabling recommendations in ASC default policy ensures that Azure security center provides the ability to monitor all of the supported recommendations and optionally allow automated action for a few of the supported recommendations. link 6
FedRAMP_High_R4 CM-2 FedRAMP_High_R4_CM-2 FedRAMP High CM-2 Configuration Management Baseline Configuration Shared n/a The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. Supplemental Guidance: This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7. References: NIST Special Publication 800-128. link 6
FedRAMP_High_R4 CM-2(2) FedRAMP_High_R4_CM-2(2) FedRAMP High CM-2 (2) Configuration Management Automation Support For Accuracy / Currency Shared n/a The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. Supplemental Guidance: Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. link 6
FedRAMP_Moderate_R4 CM-2 FedRAMP_Moderate_R4_CM-2 FedRAMP Moderate CM-2 Configuration Management Baseline Configuration Shared n/a The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. Supplemental Guidance: This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7. References: NIST Special Publication 800-128. link 6
FedRAMP_Moderate_R4 CM-2(2) FedRAMP_Moderate_R4_CM-2(2) FedRAMP Moderate CM-2 (2) Configuration Management Automation Support For Accuracy / Currency Shared n/a The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. Supplemental Guidance: Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. link 6
hipaa 0627.10h1System.45-10.h hipaa-0627.10h1System.45-10.h 0627.10h1System.45-10.h 06 Configuration Management 0627.10h1System.45-10.h 10.04 Security of System Files Shared n/a The organization maintains information systems according to a current baseline configuration and configures system security parameters to prevent misuse. Vendor supplied software used in operational systems is maintained at a level supported by the supplier and uses the latest version of web browsers on operational systems to take advantage of the latest security functions in the application. 11
hipaa 0639.10k2Organizational.78-10.k hipaa-0639.10k2Organizational.78-10.k 0639.10k2Organizational.78-10.k 06 Configuration Management 0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes Shared n/a Installation checklists and vulnerability scans are used to validate the configuration of servers, workstations, devices, and appliances, and ensure the configuration meets minimum standards. 8
hipaa 0642.10k3Organizational.12-10.k hipaa-0642.10k3Organizational.12-10.k 0642.10k3Organizational.12-10.k 06 Configuration Management 0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes Shared n/a The organization develops, documents, and maintains, under configuration control, a current baseline configuration of the information system, and reviews and updates the baseline as required. 7
hipaa 0643.10k3Organizational.3-10.k hipaa-0643.10k3Organizational.3-10.k 0643.10k3Organizational.3-10.k 06 Configuration Management 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes Shared n/a The organization (i) establishes and documents mandatory configuration settings for information technology products employed within the information system using the latest security configuration baselines; (ii) identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements; and, (iii) monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. 17
hipaa 0669.10hCSPSystem.1-10.h hipaa-0669.10hCSPSystem.1-10.h 0669.10hCSPSystem.1-10.h 06 Configuration Management 0669.10hCSPSystem.1-10.h 10.04 Security of System Files Shared n/a Open and published APIs are used by cloud service providers to ensure support for interoperability between components and to facilitate migrating applications. 16
hipaa 0710.10m2Organizational.1-10.m hipaa-0710.10m2Organizational.1-10.m 0710.10m2Organizational.1-10.m 07 Vulnerability Management 0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management Shared n/a A hardened configuration standard exists for all system and network components. 9
hipaa 0821.09m2Organizational.2-09.m hipaa-0821.09m2Organizational.2-09.m 0821.09m2Organizational.2-09.m 08 Network Protection 0821.09m2Organizational.2-09.m 09.06 Network Security Management Shared n/a The organization tests and approves all network connections and firewall, router, and switch configuration changes prior to implementation. Any deviations from the standard configuration or updates to the standard configuration are documented and approved in a change control system. All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, are also documented and recorded, with a specific business reason for each change, a specific individual’s name responsible for that business need, and an expected duration of the need. 18
hipaa 0863.09m2Organizational.910-09.m hipaa-0863.09m2Organizational.910-09.m 0863.09m2Organizational.910-09.m 08 Network Protection 0863.09m2Organizational.910-09.m 09.06 Network Security Management Shared n/a The organization builds a firewall configuration that restricts connections between untrusted networks and any system components in the covered information environment; and any changes to the firewall configuration are updated in the network diagram. 25
hipaa 0869.09m3Organizational.19-09.m hipaa-0869.09m3Organizational.19-09.m 0869.09m3Organizational.19-09.m 08 Network Protection 0869.09m3Organizational.19-09.m 09.06 Network Security Management Shared n/a The router configuration files are secured and synchronized. 11
hipaa 0901.09s1Organizational.1-09.s hipaa-0901.09s1Organizational.1-09.s 0901.09s1Organizational.1-09.s 09 Transmission Protection 0901.09s1Organizational.1-09.s 09.08 Exchange of Information Shared n/a The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. 31
NIST_SP_800-171_R2_3 .4.1 NIST_SP_800-171_R2_3.4.1 NIST SP 800-171 R2 3.4.1 Configuration Management Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Shared Microsoft and the customer share responsibilities for implementing this requirement. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration. Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. [SP 800-128] provides guidance on security-focused configuration management. link 31
NIST_SP_800-53_R4 CM-2 NIST_SP_800-53_R4_CM-2 NIST SP 800-53 Rev. 4 CM-2 Configuration Management Baseline Configuration Shared n/a The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. Supplemental Guidance: This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7. References: NIST Special Publication 800-128. link 6
NIST_SP_800-53_R4 CM-2(2) NIST_SP_800-53_R4_CM-2(2) NIST SP 800-53 Rev. 4 CM-2 (2) Configuration Management Automation Support For Accuracy / Currency Shared n/a The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. Supplemental Guidance: Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. link 6
NIST_SP_800-53_R5 CM-2 NIST_SP_800-53_R5_CM-2 NIST SP 800-53 Rev. 5 CM-2 Configuration Management Baseline Configuration Shared n/a a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded. link 6
NIST_SP_800-53_R5 CM-2(2) NIST_SP_800-53_R5_CM-2(2) NIST SP 800-53 Rev. 5 CM-2 (2) Configuration Management Automation Support for Accuracy and Currency Shared n/a Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]. link 6
PCI_DSS_v4.0 1.2.1 PCI_DSS_v4.0_1.2.1 PCI DSS v4.0 1.2.1 Requirement 01: Install and Maintain Network Security Controls Network security controls (NSCs) are configured and maintained Shared n/a Configuration standards for NSC rulesets are: • Defined. • Implemented. • Maintained. link 6
PCI_DSS_v4.0 2.2.1 PCI_DSS_v4.0_2.2.1 PCI DSS v4.0 2.2.1 Requirement 02: Apply Secure Configurations to All System Components System components are configured and managed securely Shared n/a Configuration standards are developed, implemented, and maintained to: • Cover all system components. • Address all known security vulnerabilities. • Be consistent with industry-accepted system hardening standards or vendor hardening recommendations. • Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. • Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment. link 6
SOC_2 CC7.1 SOC_2_CC7.1 SOC 2 Type 2 CC7.1 System Operations Detection and monitoring of new vulnerabilities Shared The customer is responsible for implementing this recommendation. • Uses Defined Configuration Standards — Management has defined configuration standards. • Monitors Infrastructure and Software — The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives. • Implements Change-Detection Mechanisms — The IT system includes a changedetection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files. • Detects Unknown or Unauthorized Components — Procedures are in place to detect the introduction of unknown or unauthorized components. • Conducts Vulnerability Scans — The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis 15
SOC_2 CC8.1 SOC_2_CC8.1 SOC 2 Type 2 CC8.1 Change Management Changes to infrastructure, data, and software Shared The customer is responsible for implementing this recommendation. Manages Changes Throughout the System Life Cycle — A process for managing system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and processing integrity. • Authorizes Changes — A process is in place to authorize system changes prior to development. • Designs and Develops Changes — A process is in place to design and develop system changes. • Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. • Tracks System Changes — A process is in place to track system changes prior to implementation. • Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software. • Tests System Changes — A process is in place to test system changes prior to implementation. • Approves System Changes — A process is in place to approve system changes prior to implementation. • Deploys System Changes — A process is in place to implement system changes. • Identifies and Evaluates System Changes — Objectives affected by system changes are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle. • Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents — Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified and the change process is initiated upon identification. • Creates Baseline Configuration of IT Technology — A baseline configuration of IT and control systems is created and maintained. • Provides for Changes Necessary in Emergency Situations — A process is in place for authorizing, designing, testing, approving, and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent time frame). Additional points of focus that apply only in an engagement using the trust services criteria for confidentiality: • Protects Confidential Information — The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality. Additional points of focus that apply only in an engagement using the trust services criteria for privacy: • Protects Personal Information — The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy. 52
SWIFT_CSCF_v2022 2.1 SWIFT_CSCF_v2022_2.1 SWIFT CSCF v2022 2.1 2. Reduce Attack Surface and Vulnerabilities Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. Shared n/a Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. link 36
SWIFT_CSCF_v2022 2.3 SWIFT_CSCF_v2022_2.3 SWIFT CSCF v2022 2.3 2. Reduce Attack Surface and Vulnerabilities Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. Shared n/a Security hardening is conducted and maintained on all in-scope components. link 25
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add 7380631c-5bf5-0e3a-4509-0873becd8a63
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC