last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Determine assertion requirements

Name Determine assertion requirements
Azure Portal
Id 7a0ecd94-3699-5273-76a5-edb8499f655a
Version 1.1.0
details on versioning
Category Regulatory Compliance
Microsoft docs
Description CMA_0136 - Determine assertion requirements
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
Manual
Allowed
Manual, Disabled
RBAC
Role(s)
none
Rule
Aliases
Rule
ResourceTypes
IF (1)
Microsoft.Resources/subscriptions
Compliance The following 39 compliance controls are associated with this Policy definition 'Determine assertion requirements' (7a0ecd94-3699-5273-76a5-edb8499f655a)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 3.2 CIS_Azure_1.1.0_3.2 CIS Microsoft Azure Foundations Benchmark recommendation 3.2 3 Storage Accounts Ensure that storage account access keys are periodically regenerated Shared The customer is responsible for implementing this recommendation. Regenerate storage account access keys periodically. link 7
CIS_Azure_1.1.0 8.1 CIS_Azure_1.1.0_8.1 CIS Microsoft Azure Foundations Benchmark recommendation 8.1 8 Other Security Considerations Ensure that the expiration date is set on all keys Shared The customer is responsible for implementing this recommendation. Ensure that all keys in Azure Key Vault have an expiration time set. link 8
CIS_Azure_1.1.0 8.2 CIS_Azure_1.1.0_8.2 CIS Microsoft Azure Foundations Benchmark recommendation 8.2 8 Other Security Considerations Ensure that the expiration date is set on all Secrets Shared The customer is responsible for implementing this recommendation. Ensure that all Secrets in the Azure Key Vault have an expiration time set. link 8
CIS_Azure_1.3.0 3.2 CIS_Azure_1.3.0_3.2 CIS Microsoft Azure Foundations Benchmark recommendation 3.2 3 Storage Accounts Ensure that storage account access keys are periodically regenerated Shared The customer is responsible for implementing this recommendation. Regenerate storage account access keys periodically. link 7
CIS_Azure_1.3.0 8.1 CIS_Azure_1.3.0_8.1 CIS Microsoft Azure Foundations Benchmark recommendation 8.1 8 Other Security Considerations Ensure that the expiration date is set on all keys Shared The customer is responsible for implementing this recommendation. Ensure that all keys in Azure Key Vault have an expiration time set. link 8
CIS_Azure_1.3.0 8.2 CIS_Azure_1.3.0_8.2 CIS Microsoft Azure Foundations Benchmark recommendation 8.2 8 Other Security Considerations Ensure that the expiration date is set on all Secrets Shared The customer is responsible for implementing this recommendation. Ensure that all Secrets in the Azure Key Vault have an expiration time set. link 8
CIS_Azure_1.3.0 9.11 CIS_Azure_1.3.0_9.11 CIS Microsoft Azure Foundations Benchmark recommendation 9.11 9 AppService Ensure Azure Keyvaults are used to store secrets Shared The customer is responsible for implementing this recommendation. Encryption keys ,Certificate thumbprints and Managed Identity Credentials can be coded into the APP service, this renders them visible as part of the configuration, to maintain security of these keys it is better to store in an Azure Keyvault and reference them from the Keyvault. link 9
CIS_Azure_1.4.0 3.2 CIS_Azure_1.4.0_3.2 CIS Microsoft Azure Foundations Benchmark recommendation 3.2 3 Storage Accounts Ensure That Storage Account Access Keys are Periodically Regenerated Shared The customer is responsible for implementing this recommendation. Regenerate storage account access keys periodically. link 7
CIS_Azure_1.4.0 8.1 CIS_Azure_1.4.0_8.1 CIS Microsoft Azure Foundations Benchmark recommendation 8.1 8 Other Security Considerations Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults Shared The customer is responsible for implementing this recommendation. Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. link 8
CIS_Azure_1.4.0 8.2 CIS_Azure_1.4.0_8.2 CIS Microsoft Azure Foundations Benchmark recommendation 8.2 8 Other Security Considerations Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. Shared The customer is responsible for implementing this recommendation. Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. link 8
CIS_Azure_1.4.0 8.3 CIS_Azure_1.4.0_8.3 CIS Microsoft Azure Foundations Benchmark recommendation 8.3 8 Other Security Considerations Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults Shared The customer is responsible for implementing this recommendation. Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. link 8
CIS_Azure_1.4.0 8.4 CIS_Azure_1.4.0_8.4 CIS Microsoft Azure Foundations Benchmark recommendation 8.4 8 Other Security Considerations Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults Shared The customer is responsible for implementing this recommendation. Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. link 8
CIS_Azure_1.4.0 9.11 CIS_Azure_1.4.0_9.11 CIS Microsoft Azure Foundations Benchmark recommendation 9.11 9 AppService Ensure Azure Keyvaults are Used to Store Secrets Shared The customer is responsible for implementing this recommendation. Encryption keys ,Certificate thumbprints and Managed Identity Credentials can be coded into the APP service, this renders them visible as part of the configuration, to maintain security of these keys it is better to store in an Azure Keyvault and reference them from the Keyvault. link 9
FedRAMP_High_R4 SC-12 FedRAMP_High_R4_SC-12 FedRAMP High SC-12 System And Communications Protection Cryptographic Key Establishment And Management Shared n/a The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. References: NIST Special Publications 800-56, 800-57. link 40
FedRAMP_Moderate_R4 SC-12 FedRAMP_Moderate_R4_SC-12 FedRAMP Moderate SC-12 System And Communications Protection Cryptographic Key Establishment And Management Shared n/a The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. References: NIST Special Publications 800-56, 800-57. link 40
hipaa 0314.09q3Organizational.2-09.q hipaa-0314.09q3Organizational.2-09.q 0314.09q3Organizational.2-09.q 03 Portable Media Security 0314.09q3Organizational.2-09.q 09.07 Media Handling Shared n/a The organization implements cryptographic mechanisms to protect the confidentiality and integrity of sensitive (non-public) information stored on digital media during transport outside of controlled areas. 9
hipaa 0904.10f2Organizational.1-10.f hipaa-0904.10f2Organizational.1-10.f 0904.10f2Organizational.1-10.f 09 Transmission Protection 0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls Shared n/a Key management is implemented based on specific roles and responsibilities, and in consideration of national and international regulations, restrictions, and issues. 10
ISO27001-2013 A.10.1.2 ISO27001-2013_A.10.1.2 ISO 27001:2013 A.10.1.2 Cryptography Key Management Shared n/a A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. link 15
NIST_SP_800-171_R2_3 .13.10 NIST_SP_800-171_R2_3.13.10 NIST SP 800-171 R2 3.13.10 System and Communications Protection Establish and manage cryptographic keys for cryptography employed in organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. [SP 800-56A] and [SP 800-57-1] provide guidance on cryptographic key management and key establishment. link 40
NIST_SP_800-53_R4 SC-12 NIST_SP_800-53_R4_SC-12 NIST SP 800-53 Rev. 4 SC-12 System And Communications Protection Cryptographic Key Establishment And Management Shared n/a The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. References: NIST Special Publications 800-56, 800-57. link 40
NIST_SP_800-53_R5 SC-12 NIST_SP_800-53_R5_SC-12 NIST SP 800-53 Rev. 5 SC-12 System and Communications Protection Cryptographic Key Establishment and Management Shared n/a Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. link 40
PCI_DSS_v4.0 3.6.1 PCI_DSS_v4.0_3.6.1 PCI DSS v4.0 3.6.1 Requirement 03: Protect Stored Account Data Cryptographic keys used to protect stored account data are secured Shared n/a Procedures are defined and implemented to protect cryptographic keys used to Protect Stored Account Data against disclosure and misuse that include: • Access to keys is restricted to the fewest number of custodians necessary. • Key-encrypting keys are at least as strong as the data-encrypting keys they protect. • Key-encrypting keys are stored separately from data-encrypting keys. • Keys are stored securely in the fewest possible locations and forms. link 7
PCI_DSS_v4.0 3.6.1.1 PCI_DSS_v4.0_3.6.1.1 PCI DSS v4.0 3.6.1.1 Requirement 03: Protect Stored Account Data Cryptographic keys used to protect stored account data are secured Shared n/a A documented description of the cryptographic architecture is maintained that includes: • Details of all algorithms, protocols, and keys used for the protection of stored account data, including key strength and expiry date. • Preventing the use of the same cryptographic keys in production and test environments. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. • Description of the key usage for each key. • Inventory of any hardware security modules (HSMs), key management systems (KMS), and other secure cryptographic devices (SCDs) used for key management, including type and location of devices, as outlined in Requirement 12.3.4. link 7
PCI_DSS_v4.0 3.6.1.2 PCI_DSS_v4.0_3.6.1.2 PCI DSS v4.0 3.6.1.2 Requirement 03: Protect Stored Account Data Cryptographic keys used to protect stored account data are secured Shared n/a Secret and private keys used to encrypt/decrypt stored account data are stored in one (or more) of the following forms at all times: • Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the dataencrypting key. • Within a secure cryptographic device (SCD), such as a hardware security module (HSM) or PTS-approved point-of-interaction device. • As at least two full-length key components or key shares, in accordance with an industry-accepted method. link 8
PCI_DSS_v4.0 3.6.1.3 PCI_DSS_v4.0_3.6.1.3 PCI DSS v4.0 3.6.1.3 Requirement 03: Protect Stored Account Data Cryptographic keys used to protect stored account data are secured Shared n/a Access to cleartext cryptographic key components is restricted to the fewest number of custodians necessary. link 7
PCI_DSS_v4.0 3.6.1.4 PCI_DSS_v4.0_3.6.1.4 PCI DSS v4.0 3.6.1.4 Requirement 03: Protect Stored Account Data Cryptographic keys used to protect stored account data are secured Shared n/a Cryptographic keys are stored in the fewest possible locations. link 7
PCI_DSS_v4.0 3.7.1 PCI_DSS_v4.0_3.7.1 PCI DSS v4.0 3.7.1 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to Protect Stored Account Data. link 7
PCI_DSS_v4.0 3.7.2 PCI_DSS_v4.0_3.7.2 PCI DSS v4.0 3.7.2 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to Protect Stored Account Data. link 8
PCI_DSS_v4.0 3.7.3 PCI_DSS_v4.0_3.7.3 PCI DSS v4.0 3.7.3 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to Protect Stored Account Data. link 9
PCI_DSS_v4.0 3.7.4 PCI_DSS_v4.0_3.7.4 PCI DSS v4.0 3.7.4 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Key management policies and procedures are implemented for cryptographic key changes for keys that have reached the end of their cryptoperiod, as defined by the associated application vendor or key owner, and based on industry best practices and guidelines, including the following: • A defined cryptoperiod for each key type in use. • A process for key changes at the end of the defined cryptoperiod. link 7
PCI_DSS_v4.0 3.7.5 PCI_DSS_v4.0_3.7.5 PCI DSS v4.0 3.7.5 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Key management policies procedures are implemented to include the retirement, replacement, or destruction of keys used to Protect Stored Account Data, as deemed necessary when: • The key has reached the end of its defined cryptoperiod. • The integrity of the key has been weakened, including when personnel with knowledge of a cleartext key component leaves the company, or the role for which the key component was known. • When keys are suspected of or known to be compromised. • Retired or replaced keys are not used for encryption operations. link 7
PCI_DSS_v4.0 3.7.6 PCI_DSS_v4.0_3.7.6 PCI DSS v4.0 3.7.6 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Where manual cleartext cryptographic keymanagement operations are performed by personnel, key-management policies and procedures are implemented include managing these operations using split knowledge and dual control. link 7
PCI_DSS_v4.0 3.7.7 PCI_DSS_v4.0_3.7.7 PCI DSS v4.0 3.7.7 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Key management policies and procedures are implemented to include the prevention of unauthorized substitution of cryptographic keys. link 7
PCI_DSS_v4.0 3.7.8 PCI_DSS_v4.0_3.7.8 PCI DSS v4.0 3.7.8 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Key management policies and procedures are implemented to include that cryptographic key custodians formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities. link 7
PCI_DSS_v4.0 3.7.9 PCI_DSS_v4.0_3.7.9 PCI DSS v4.0 3.7.9 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Where a service provider shares cryptographic keys with its customers for transmission or storage of account data, guidance on secure transmission, storage and updating of such keys is documented and distributed to the service providers' customers. link 7
PCI_DSS_v4.0 4.2.1 PCI_DSS_v4.0_4.2.1 PCI DSS v4.0 4.2.1 Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks PAN is protected with strong cryptography during transmission Shared n/a Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: • Only trusted keys and certificates are accepted. • Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details. • The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations. • The encryption strength is appropriate for the encryption methodology in use. link 12
PCI_DSS_v4.0 4.2.1.1 PCI_DSS_v4.0_4.2.1.1 PCI DSS v4.0 4.2.1.1 Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks PAN is protected with strong cryptography during transmission Shared n/a An inventory of the entity’s trusted keys and certificates used to protect PAN during transmission is maintained. link 8
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 80
SWIFT_CSCF_v2022 2.1 SWIFT_CSCF_v2022_2.1 SWIFT CSCF v2022 2.1 2. Reduce Attack Surface and Vulnerabilities Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. Shared n/a Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. link 36
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add 7a0ecd94-3699-5273-76a5-edb8499f655a
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
JSON
changes

JSON