last sync: 2024-Dec-06 18:53:17 UTC

Adopt biometric authentication mechanisms | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Adopt biometric authentication mechanisms
Id 7d7a8356-5c34-9a95-3118-1424cfaf192a
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0005 - Adopt biometric authentication mechanisms
Additional metadata Name/Id: CMA_0005 / CMA_0005
Category: Operational
Title: Adopt biometric authentication mechanisms
Ownership: Customer
Description: Microsoft recommends that your organization adopt the use of biometrics as multi-factor authentication and understand the implications of collecting, processing, disclosing, and storing this type of data. Biometric authentication is a form of security that measures and matches biometric features of a user (fingerprint, iris, facial characteristics, 'something you are') to verify that a person trying to access a device is authorized to do so. Your organization may make biometric authentication more secure by implementing criteria such as: - Verify the biometric system operates with an FMR (False Match Rate) of 1 in 1000 or better - Define the permitted number of failed access attempts (e.g., 5 consecutive failed attempts) - Impose a certain delay before next attempt or rate-limiting (e.g., 30 secs and increasing exponentially with each successive attempt) - Ensure sensor and endpoint performance, integrity, and authenticity - Use a tamper-resistant biometric device - Implement use of an authenticated secure channel - Employ presentation attack detection mechanisms for biometric-based authentication - Disable the biometric user authentication and offer another factor if available It is recommended that biometric comparison is performed locally on the claimant's device as using a central verifier can lead to an increased risk of attacks on a larger scale. If central verifiers are used, we recommend that: - Authentication by use of a biometric is limited to one or more specific devices that are identified using cryptography, and a separate key is used for identifying the device since the biometric has not yet unlocked the main authentication key - Biometric revocation (biometric template protection) is implemented It is recommended that your organization protect all biometric data from unauthorized access and unlawful use. It is recommended that your organization determine the permitted time period for storing biometric data. Many regulations require the immediate deletion of biometric data the purpose is achieved. We recommend developing a written policy that can be made available to the public regarding your organization's retention schedule and processes for permanently destroying the biometric data. It is recommended that your organization only collect biometric related details with user consent. We recommend not selling, leasing, trading or otherwise profiting from a person's biometric data, and this may be prohibited under applicable regulations.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 85 compliance controls are associated with this Policy definition 'Adopt biometric authentication mechanisms' (7d7a8356-5c34-9a95-3118-1424cfaf192a)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 1.1 CIS_Azure_1.1.0_1.1 CIS Microsoft Azure Foundations Benchmark recommendation 1.1 1 Identity and Access Management Ensure that multi-factor authentication is enabled for all privileged users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all user credentials who have write access to Azure resources. These include roles like - Service Co-Administrators - Subscription Owners - Contributors link 3
CIS_Azure_1.1.0 1.2 CIS_Azure_1.1.0_1.2 CIS Microsoft Azure Foundations Benchmark recommendation 1.2 1 Identity and Access Management Ensure that multi-factor authentication is enabled for all non-privileged users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all non-privileged users. link 2
CIS_Azure_1.1.0 1.22 CIS_Azure_1.1.0_1.22 CIS Microsoft Azure Foundations Benchmark recommendation 1.22 1 Identity and Access Management Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining devices to the active directory should require Multi-factor authentication. link 8
CIS_Azure_1.1.0 1.4 CIS_Azure_1.1.0_1.4 CIS Microsoft Azure Foundations Benchmark recommendation 1.4 1 Identity and Access Management Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' Shared The customer is responsible for implementing this recommendation. Do not allow users to remember multi-factor authentication on devices. link 3
CIS_Azure_1.3.0 1.1 CIS_Azure_1.3.0_1.1 CIS Microsoft Azure Foundations Benchmark recommendation 1.1 1 Identity and Access Management Ensure that multi-factor authentication is enabled for all privileged users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all user credentials who have write access to Azure resources. These include roles like - Service Co-Administrators - Subscription Owners - Contributors link 3
CIS_Azure_1.3.0 1.2 CIS_Azure_1.3.0_1.2 CIS Microsoft Azure Foundations Benchmark recommendation 1.2 1 Identity and Access Management Ensure that multi-factor authentication is enabled for all non-privileged users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all non-privileged users. link 2
CIS_Azure_1.3.0 1.20 CIS_Azure_1.3.0_1.20 CIS Microsoft Azure Foundations Benchmark recommendation 1.20 1 Identity and Access Management Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining devices to the active directory should require Multi-factor authentication. link 8
CIS_Azure_1.3.0 1.22 CIS_Azure_1.3.0_1.22 CIS Microsoft Azure Foundations Benchmark recommendation 1.22 1 Identity and Access Management Ensure Security Defaults is enabled on Azure Active Directory Shared The customer is responsible for implementing this recommendation. Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal. link 9
CIS_Azure_1.3.0 1.4 CIS_Azure_1.3.0_1.4 CIS Microsoft Azure Foundations Benchmark recommendation 1.4 1 Identity and Access Management Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' Shared The customer is responsible for implementing this recommendation. Do not allow users to remember multi-factor authentication on devices. link 3
CIS_Azure_1.4.0 1.1 CIS_Azure_1.4.0_1.1 CIS Microsoft Azure Foundations Benchmark recommendation 1.1 1 Identity and Access Management Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. These include custom created objects or built-in roles such as; - Service Co-Administrators - Subscription Owners - Contributors link 3
CIS_Azure_1.4.0 1.19 CIS_Azure_1.4.0_1.19 CIS Microsoft Azure Foundations Benchmark recommendation 1.19 1 Identity and Access Management Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining or registering devices to the active directory should require Multi-factor authentication. link 8
CIS_Azure_1.4.0 1.2 CIS_Azure_1.4.0_1.2 CIS Microsoft Azure Foundations Benchmark recommendation 1.2 1 Identity and Access Management Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all non-privileged users. link 2
CIS_Azure_1.4.0 1.21 CIS_Azure_1.4.0_1.21 CIS Microsoft Azure Foundations Benchmark recommendation 1.21 1 Identity and Access Management Ensure Security Defaults is enabled on Azure Active Directory Shared The customer is responsible for implementing this recommendation. Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal. link 9
CIS_Azure_1.4.0 1.4 CIS_Azure_1.4.0_1.4 CIS Microsoft Azure Foundations Benchmark recommendation 1.4 1 Identity and Access Management Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabled Shared The customer is responsible for implementing this recommendation. Do not allow users to remember multi-factor authentication on devices. link 3
CIS_Azure_2.0.0 1.1.1 CIS_Azure_2.0.0_1.1.1 CIS Microsoft Azure Foundations Benchmark recommendation 1.1.1 1.1 Ensure Security Defaults is enabled on Azure Active Directory Shared This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks. Administrators should also be aware that certain configurations in Azure Active Directory may impact other Microsoft services such as Microsoft 365. Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal. Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example, doing the following: - Requiring all users and admins to register for MFA. - Challenging users with MFA - when necessary, based on factors such as location, device, role, and task. - Disabling authentication from legacy authentication clients, which can’t do MFA. link 9
CIS_Azure_2.0.0 1.1.2 CIS_Azure_2.0.0_1.1.2 CIS Microsoft Azure Foundations Benchmark recommendation 1.1.2 1.1 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users Shared Users would require two forms of authentication before any access is granted. Additional administrative time will be required for managing dual forms of authentication when enabling multi-factor authentication. Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. These include custom created objects or built-in roles such as; - Service Co-Administrators - Subscription Owners - Contributors Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk. link 3
CIS_Azure_2.0.0 1.1.3 CIS_Azure_2.0.0_1.1.3 CIS Microsoft Azure Foundations Benchmark recommendation 1.1.3 1.1 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users Shared Users would require two forms of authentication before any access is granted. Also, this requires an overhead for managing dual forms of authentication. Enable multi-factor authentication for all non-privileged users. Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk. link 2
CIS_Azure_2.0.0 1.1.4 CIS_Azure_2.0.0_1.1.4 CIS Microsoft Azure Foundations Benchmark recommendation 1.1.4 1.1 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled Shared For every login attempt, the user will be required to perform multi-factor authentication. Do not allow users to remember multi-factor authentication on devices. Remembering Multi-Factor Authentication (MFA) for devices and browsers allows users to have the option to bypass MFA for a set number of days after performing a successful sign-in using MFA. This can enhance usability by minimizing the number of times a user may need to perform two-step verification on the same device. However, if an account or device is compromised, remembering MFA for trusted devices may affect security. Hence, it is recommended that users not be allowed to bypass MFA. link 3
CIS_Azure_2.0.0 1.22 CIS_Azure_2.0.0_1.22 CIS Microsoft Azure Foundations Benchmark recommendation 1.22 1 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' Shared A slight impact of additional overhead, as Administrators will now have to approve every access to the domain. Joining or registering devices to the active directory should require Multi-factor authentication. Multi-factor authentication is recommended when adding devices to Azure AD. When set to `Yes`, users who are adding devices from the internet must first use the second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the domain using a compromised user account. _Note:_ Some Microsoft documentation suggests to use conditional access policies for joining a domain from certain whitelisted networks or devices. Even with these in place, using Multi-Factor Authentication is still recommended, as it creates a process for review before joining the domain. link 8
FedRAMP_High_R4 IA-2(1) FedRAMP_High_R4_IA-2(1) FedRAMP High IA-2 (1) Identification And Authentication Network Access To Privileged Accounts Shared n/a The information system implements multifactor authentication for network access to privileged accounts. Supplemental Guidance: Related control: AC-6. link 3
FedRAMP_High_R4 IA-2(11) FedRAMP_High_R4_IA-2(11) FedRAMP High IA-2 (11) Identification And Authentication Remote Access - Separate Device Shared n/a The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. Supplemental Guidance: For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. link 2
FedRAMP_High_R4 IA-2(2) FedRAMP_High_R4_IA-2(2) FedRAMP High IA-2 (2) Identification And Authentication Network Access To Non-Privileged Accounts Shared n/a The information system implements multifactor authentication for network access to non- privileged accounts. link 2
FedRAMP_High_R4 IA-2(3) FedRAMP_High_R4_IA-2(3) FedRAMP High IA-2 (3) Identification And Authentication Local Access To Privileged Accounts Shared n/a The information system implements multifactor authentication for local access to privileged accounts. Supplemental Guidance: Related control: AC-6. link 1
FedRAMP_Moderate_R4 IA-2(1) FedRAMP_Moderate_R4_IA-2(1) FedRAMP Moderate IA-2 (1) Identification And Authentication Network Access To Privileged Accounts Shared n/a The information system implements multifactor authentication for network access to privileged accounts. Supplemental Guidance: Related control: AC-6. link 3
FedRAMP_Moderate_R4 IA-2(11) FedRAMP_Moderate_R4_IA-2(11) FedRAMP Moderate IA-2 (11) Identification And Authentication Remote Access - Separate Device Shared n/a The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. Supplemental Guidance: For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. link 2
FedRAMP_Moderate_R4 IA-2(2) FedRAMP_Moderate_R4_IA-2(2) FedRAMP Moderate IA-2 (2) Identification And Authentication Network Access To Non-Privileged Accounts Shared n/a The information system implements multifactor authentication for network access to non- privileged accounts. link 2
FedRAMP_Moderate_R4 IA-2(3) FedRAMP_Moderate_R4_IA-2(3) FedRAMP Moderate IA-2 (3) Identification And Authentication Local Access To Privileged Accounts Shared n/a The information system implements multifactor authentication for local access to privileged accounts. Supplemental Guidance: Related control: AC-6. link 1
hipaa 0505.09m2Organizational.3-09.m hipaa-0505.09m2Organizational.3-09.m 0505.09m2Organizational.3-09.m 05 Wireless Security 0505.09m2Organizational.3-09.m 09.06 Network Security Management Shared n/a Quarterly scans are performed to identify unauthorized wireless access points, and appropriate action is taken if any unauthorized access points are discovered. 8
hipaa 0817.01w2System.123-01.w hipaa-0817.01w2System.123-01.w 0817.01w2System.123-01.w 08 Network Protection 0817.01w2System.123-01.w 01.06 Application and Information Access Control Shared n/a Unless the risk is identified and accepted by the data owner, sensitive systems are isolated (physically or logically) from non-sensitive applications/systems. 13
hipaa 0830.09m3Organizational.1012-09.m hipaa-0830.09m3Organizational.1012-09.m 0830.09m3Organizational.1012-09.m 08 Network Protection 0830.09m3Organizational.1012-09.m 09.06 Network Security Management Shared n/a A DMZ is established with all database(s), servers, and other system components storing or processing covered information placed behind it to limit external network traffic to the internal network. 8
hipaa 0916.09s2Organizational.4-09.s hipaa-0916.09s2Organizational.4-09.s 0916.09s2Organizational.4-09.s 09 Transmission Protection 0916.09s2Organizational.4-09.s 09.08 Exchange of Information Shared n/a The information system prohibits remote activation of collaborative computing devices and provides an explicit indication of use to users physically present at the devices. 7
hipaa 0927.09v1Organizational.3-09.v hipaa-0927.09v1Organizational.3-09.v 0927.09v1Organizational.3-09.v 09 Transmission Protection 0927.09v1Organizational.3-09.v 09.08 Exchange of Information Shared n/a Stronger levels of authentication are implemented to control access from publicly accessible networks. 4
hipaa 1022.01d1System.15-01.d hipaa-1022.01d1System.15-01.d 1022.01d1System.15-01.d 10 Password Management 1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems Shared n/a Password policies, applicable to mobile devices, are documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and prohibit the changing of password/PIN lengths and authentication requirements. 8
hipaa 11109.01q1Organizational.57-01.q hipaa-11109.01q1Organizational.57-01.q 11109.01q1Organizational.57-01.q 11 Access Control 11109.01q1Organizational.57-01.q 01.05 Operating System Access Control Shared n/a The organization ensures that redundant user IDs are not issued to other users and that all users are uniquely identified and authenticated for both local and remote access to information systems. 7
hipaa 11112.01q2Organizational.67-01.q hipaa-11112.01q2Organizational.67-01.q 11112.01q2Organizational.67-01.q 11 Access Control 11112.01q2Organizational.67-01.q 01.05 Operating System Access Control Shared n/a The information system employs replay-resistant authentication mechanisms such as nonce, one-time passwords, or time stamps to secure network access for privileged accounts. 3
hipaa 11190.01t1Organizational.3-01.t hipaa-11190.01t1Organizational.3-01.t 11190.01t1Organizational.3-01.t 11 Access Control 11190.01t1Organizational.3-01.t 01.05 Operating System Access Control Shared n/a Bring your own device (BYOD) and/or company-owned devices are configured to require an automatic lockout screen, and the requirement is enforced through technical controls. 5
hipaa 1121.01j3Organizational.2-01.j hipaa-1121.01j3Organizational.2-01.j 1121.01j3Organizational.2-01.j 11 Access Control 1121.01j3Organizational.2-01.j 01.04 Network Access Control Shared n/a Remote administration sessions are authorized, encrypted, and employ increased security measures. 11
hipaa 1122.01q1System.1-01.q hipaa-1122.01q1System.1-01.q 1122.01q1System.1-01.q 11 Access Control 1122.01q1System.1-01.q 01.05 Operating System Access Control Shared n/a Unique IDs that can be used to trace activities to the responsible individual are required for all types of organizational and non-organizational users. 7
hipaa 1125.01q2System.1-01.q hipaa-1125.01q2System.1-01.q 1125.01q2System.1-01.q 11 Access Control 1125.01q2System.1-01.q 01.05 Operating System Access Control Shared n/a Multi-factor authentication methods are used in accordance with organizational policy (e.g., for remote network access). 4
hipaa 1175.01j1Organizational.8-01.j hipaa-1175.01j1Organizational.8-01.j 1175.01j1Organizational.8-01.j 11 Access Control 1175.01j1Organizational.8-01.j 01.04 Network Access Control Shared n/a Remote access to business information across public networks only takes place after successful identification and authentication. 5
ISO27001-2013 A.11.1.1 ISO27001-2013_A.11.1.1 ISO 27001:2013 A.11.1.1 Physical And Environmental Security Physical security perimeter Shared n/a Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. link 8
ISO27001-2013 A.11.1.2 ISO27001-2013_A.11.1.2 ISO 27001:2013 A.11.1.2 Physical And Environmental Security Physical entry controls Shared n/a Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. link 9
ISO27001-2013 A.11.1.3 ISO27001-2013_A.11.1.3 ISO 27001:2013 A.11.1.3 Physical And Environmental Security Securing offices, rooms and facilities Shared n/a Physical security for offices, rooms and facilities shall be designed and applied. link 5
ISO27001-2013 A.11.1.6 ISO27001-2013_A.11.1.6 ISO 27001:2013 A.11.1.6 Physical And Environmental Security Delivering and loading areas Shared n/a Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. link 5
ISO27001-2013 A.11.2.3 ISO27001-2013_A.11.2.3 ISO 27001:2013 A.11.2.3 Physical And Environmental Security Cabling security Shared n/a Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. link 4
ISO27001-2013 A.13.1.1 ISO27001-2013_A.13.1.1 ISO 27001:2013 A.13.1.1 Communications Security Network controls Shared n/a Networks shall be managed and controlled to protect information in systems and applications. link 40
ISO27001-2013 A.13.1.2 ISO27001-2013_A.13.1.2 ISO 27001:2013 A.13.1.2 Communications Security Security of network services Shared n/a Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. link 16
ISO27001-2013 A.14.1.2 ISO27001-2013_A.14.1.2 ISO 27001:2013 A.14.1.2 System Acquisition, Development And Maintenance Securing application services on public networks Shared n/a Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. link 32
ISO27001-2013 A.6.2.1 ISO27001-2013_A.6.2.1 ISO 27001:2013 A.6.2.1 Organization of Information Security Mobile device policy Shared n/a A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. link 13
ISO27001-2013 A.6.2.2 ISO27001-2013_A.6.2.2 ISO 27001:2013 A.6.2.2 Organization of Information Security Teleworking Shared n/a A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. link 16
ISO27001-2013 A.9.1.2 ISO27001-2013_A.9.1.2 ISO 27001:2013 A.9.1.2 Access Control Access to networks and network services Shared n/a Users shall only be provided with access to the network and network services that they have been specifically authorized to use. link 29
ISO27001-2013 A.9.4.2 ISO27001-2013_A.9.4.2 ISO 27001:2013 A.9.4.2 Access Control Secure log-on procedures Shared n/a Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. link 17
mp.com.1 Secure perimeter mp.com.1 Secure perimeter 404 not found n/a n/a 49
mp.com.2 Protection of confidentiality mp.com.2 Protection of confidentiality 404 not found n/a n/a 55
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity 404 not found n/a n/a 62
mp.com.4 Separation of information flows on the network mp.com.4 Separation of information flows on the network 404 not found n/a n/a 51
mp.eq.1 Clear desk mp.eq.1 Clear desk 404 not found n/a n/a 19
mp.eq.3 Protection of portable devices mp.eq.3 Protection of portable devices 404 not found n/a n/a 71
mp.eq.4 Other devices connected to the network mp.eq.4 Other devices connected to the network 404 not found n/a n/a 35
mp.if.1 Separate areas with access control mp.if.1 Separate areas with access control 404 not found n/a n/a 23
mp.if.5 Fire protection mp.if.5 Fire protection 404 not found n/a n/a 16
mp.if.6 Flood protection mp.if.6 Flood protection 404 not found n/a n/a 16
mp.if.7 Recording of entries and exits of equipment mp.if.7 Recording of entries and exits of equipment 404 not found n/a n/a 12
mp.si.4 Transport mp.si.4 Transport 404 not found n/a n/a 24
NIST_SP_800-171_R2_3 .5.3 NIST_SP_800-171_R2_3.5.3 NIST SP 800-171 R2 3.5.3 Identification and Authentication Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts Shared Microsoft and the customer share responsibilities for implementing this requirement. Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security. Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. The use of encrypted virtual private networks for connections between organization-controlled and non-organization controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information. [SP 800-63-3] provides guidance on digital identities. Multifactor authentication requires two or more different factors to achieve authentication. The factors include: something you know (e.g., password/PIN); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). The requirement for multifactor authentication should not be interpreted as requiring federal Personal Identity Verification (PIV) card or Department of Defense Common Access Card (CAC)-like solutions. A variety of multifactor solutions (including those with replay resistance) using tokens and biometrics are commercially available. Such solutions may employ hard tokens (e.g., smartcards, key fobs, or dongles) or soft tokens to store user credentials. Local access is any access to a system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. Network access is any access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet). link 5
NIST_SP_800-53_R4 IA-2(1) NIST_SP_800-53_R4_IA-2(1) NIST SP 800-53 Rev. 4 IA-2 (1) Identification And Authentication Network Access To Privileged Accounts Shared n/a The information system implements multifactor authentication for network access to privileged accounts. Supplemental Guidance: Related control: AC-6. link 3
NIST_SP_800-53_R4 IA-2(11) NIST_SP_800-53_R4_IA-2(11) NIST SP 800-53 Rev. 4 IA-2 (11) Identification And Authentication Remote Access - Separate Device Shared n/a The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. Supplemental Guidance: For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. link 2
NIST_SP_800-53_R4 IA-2(2) NIST_SP_800-53_R4_IA-2(2) NIST SP 800-53 Rev. 4 IA-2 (2) Identification And Authentication Network Access To Non-Privileged Accounts Shared n/a The information system implements multifactor authentication for network access to non- privileged accounts. link 2
NIST_SP_800-53_R4 IA-2(3) NIST_SP_800-53_R4_IA-2(3) NIST SP 800-53 Rev. 4 IA-2 (3) Identification And Authentication Local Access To Privileged Accounts Shared n/a The information system implements multifactor authentication for local access to privileged accounts. Supplemental Guidance: Related control: AC-6. link 1
NIST_SP_800-53_R5 IA-2(1) NIST_SP_800-53_R5_IA-2(1) NIST SP 800-53 Rev. 5 IA-2 (1) Identification and Authentication Multi-factor Authentication to Privileged Accounts Shared n/a Implement multi-factor authentication for access to privileged accounts. link 3
NIST_SP_800-53_R5 IA-2(2) NIST_SP_800-53_R5_IA-2(2) NIST SP 800-53 Rev. 5 IA-2 (2) Identification and Authentication Multi-factor Authentication to Non-privileged Accounts Shared n/a Implement multi-factor authentication for access to non-privileged accounts. link 2
op.acc.2 Access requirements op.acc.2 Access requirements 404 not found n/a n/a 64
op.ext.4 Interconnection of systems op.ext.4 Interconnection of systems 404 not found n/a n/a 68
op.pl.2 Security Architecture op.pl.2 Security Architecture 404 not found n/a n/a 65
org.2 Security regulations org.2 Security regulations 404 not found n/a n/a 100
PCI_DSS_v4.0 8.2.3 PCI_DSS_v4.0_8.2.3 PCI DSS v4.0 8.2.3 Requirement 08: Identify Users and Authenticate Access to System Components User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle Shared n/a Service providers with remote access to customer premises use unique authentication factors for each customer premises. link 3
PCI_DSS_v4.0 8.3.1 PCI_DSS_v4.0_8.3.1 PCI DSS v4.0 8.3.1 Requirement 08: Identify Users and Authenticate Access to System Components Strong authentication for users and administrators is established and managed Shared n/a All user access to system components for users and administrators is authenticated via at least one of the following authentication factors: • Something you know, such as a password or passphrase. • Something you have, such as a token device or smart card. • Something you are, such as a biometric element. link 4
PCI_DSS_v4.0 8.3.11 PCI_DSS_v4.0_8.3.11 PCI DSS v4.0 8.3.11 Requirement 08: Identify Users and Authenticate Access to System Components Strong authentication for users and administrators is established and managed Shared n/a Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used: • Factors are assigned to an individual user and not shared among multiple users. • Physical and/or logical controls ensure only the intended user can use that factor to gain access. link 6
PCI_DSS_v4.0 8.4.1 PCI_DSS_v4.0_8.4.1 PCI DSS v4.0 8.4.1 Requirement 08: Identify Users and Authenticate Access to System Components Multi-factor authentication (MFA) is implemented to secure access into the CDE Shared n/a MFA is implemented for all non-console access into the CDE for personnel with administrative access. link 8
PCI_DSS_v4.0 8.4.2 PCI_DSS_v4.0_8.4.2 PCI DSS v4.0 8.4.2 Requirement 08: Identify Users and Authenticate Access to System Components Multi-factor authentication (MFA) is implemented to secure access into the CDE Shared n/a MFA is implemented for all access into the CDE. link 8
PCI_DSS_v4.0 8.4.3 PCI_DSS_v4.0_8.4.3 PCI DSS v4.0 8.4.3 Requirement 08: Identify Users and Authenticate Access to System Components Multi-factor authentication (MFA) is implemented to secure access into the CDE Shared n/a MFA is implemented for all remote network access originating from outside the entity’s network that could access or impact the CDE as follows: • All remote access by all personnel, both users and administrators, originating from outside the entity’s network. • All remote access by third parties and vendors. link 8
PCI_DSS_v4.0 8.5.1 PCI_DSS_v4.0_8.5.1 PCI DSS v4.0 8.5.1 Requirement 08: Identify Users and Authenticate Access to System Components Multi-factor authentication (MFA) systems are configured to prevent misuse Shared n/a MFA systems are implemented as follows: • The MFA system is not susceptible to replay attacks. • MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period. • At least two different types of authentication factors are used. • Success of all authentication factors is required before access is granted. link 8
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 78
SOC_2 CC6.6 SOC_2_CC6.6 SOC 2 Type 2 CC6.6 Logical and Physical Access Controls Security measures against threats outside system boundaries Shared The customer is responsible for implementing this recommendation. • Restricts Access — The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. • Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries. • Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its boundaries. • Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts 40
SWIFT_CSCF_v2022 4.2 SWIFT_CSCF_v2022_4.2 SWIFT CSCF v2022 4.2 4. Prevent Compromise of Credentials Prevent that a compromise of a single authentication factor allows access into SWIFT-related systems or applications by implementing multi-factor authentication. Shared n/a Multi-factor authentication is used for interactive user access to SWIFT-related applications and operating system accounts. link 5
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-08-26 16:33:38 add 7d7a8356-5c34-9a95-3118-1424cfaf192a
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC