last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Adopt biometric authentication mechanisms

Name Adopt biometric authentication mechanisms
Azure Portal
Id 7d7a8356-5c34-9a95-3118-1424cfaf192a
Version 1.1.0
details on versioning
Category Regulatory Compliance
Microsoft docs
Description CMA_0005 - Adopt biometric authentication mechanisms
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
Manual
Allowed
Manual, Disabled
RBAC
Role(s)
none
Rule
Aliases
Rule
ResourceTypes
IF (1)
Microsoft.Resources/subscriptions
Compliance The following 64 compliance controls are associated with this Policy definition 'Adopt biometric authentication mechanisms' (7d7a8356-5c34-9a95-3118-1424cfaf192a)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 1.1 CIS_Azure_1.1.0_1.1 CIS Microsoft Azure Foundations Benchmark recommendation 1.1 1 Identity and Access Management Ensure that multi-factor authentication is enabled for all privileged users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all user credentials who have write access to Azure resources. These include roles like - Service Co-Administrators - Subscription Owners - Contributors link 3
CIS_Azure_1.1.0 1.2 CIS_Azure_1.1.0_1.2 CIS Microsoft Azure Foundations Benchmark recommendation 1.2 1 Identity and Access Management Ensure that multi-factor authentication is enabled for all non-privileged users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all non-privileged users. link 2
CIS_Azure_1.1.0 1.22 CIS_Azure_1.1.0_1.22 CIS Microsoft Azure Foundations Benchmark recommendation 1.22 1 Identity and Access Management Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining devices to the active directory should require Multi-factor authentication. link 8
CIS_Azure_1.1.0 1.4 CIS_Azure_1.1.0_1.4 CIS Microsoft Azure Foundations Benchmark recommendation 1.4 1 Identity and Access Management Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' Shared The customer is responsible for implementing this recommendation. Do not allow users to remember multi-factor authentication on devices. link 3
CIS_Azure_1.3.0 1.1 CIS_Azure_1.3.0_1.1 CIS Microsoft Azure Foundations Benchmark recommendation 1.1 1 Identity and Access Management Ensure that multi-factor authentication is enabled for all privileged users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all user credentials who have write access to Azure resources. These include roles like - Service Co-Administrators - Subscription Owners - Contributors link 3
CIS_Azure_1.3.0 1.2 CIS_Azure_1.3.0_1.2 CIS Microsoft Azure Foundations Benchmark recommendation 1.2 1 Identity and Access Management Ensure that multi-factor authentication is enabled for all non-privileged users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all non-privileged users. link 2
CIS_Azure_1.3.0 1.20 CIS_Azure_1.3.0_1.20 CIS Microsoft Azure Foundations Benchmark recommendation 1.20 1 Identity and Access Management Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining devices to the active directory should require Multi-factor authentication. link 8
CIS_Azure_1.3.0 1.22 CIS_Azure_1.3.0_1.22 CIS Microsoft Azure Foundations Benchmark recommendation 1.22 1 Identity and Access Management Ensure Security Defaults is enabled on Azure Active Directory Shared The customer is responsible for implementing this recommendation. Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal. link 9
CIS_Azure_1.3.0 1.4 CIS_Azure_1.3.0_1.4 CIS Microsoft Azure Foundations Benchmark recommendation 1.4 1 Identity and Access Management Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' Shared The customer is responsible for implementing this recommendation. Do not allow users to remember multi-factor authentication on devices. link 3
CIS_Azure_1.4.0 1.1 CIS_Azure_1.4.0_1.1 CIS Microsoft Azure Foundations Benchmark recommendation 1.1 1 Identity and Access Management Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. These include custom created objects or built-in roles such as; - Service Co-Administrators - Subscription Owners - Contributors link 3
CIS_Azure_1.4.0 1.19 CIS_Azure_1.4.0_1.19 CIS Microsoft Azure Foundations Benchmark recommendation 1.19 1 Identity and Access Management Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining or registering devices to the active directory should require Multi-factor authentication. link 8
CIS_Azure_1.4.0 1.2 CIS_Azure_1.4.0_1.2 CIS Microsoft Azure Foundations Benchmark recommendation 1.2 1 Identity and Access Management Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all non-privileged users. link 2
CIS_Azure_1.4.0 1.21 CIS_Azure_1.4.0_1.21 CIS Microsoft Azure Foundations Benchmark recommendation 1.21 1 Identity and Access Management Ensure Security Defaults is enabled on Azure Active Directory Shared The customer is responsible for implementing this recommendation. Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal. link 9
CIS_Azure_1.4.0 1.4 CIS_Azure_1.4.0_1.4 CIS Microsoft Azure Foundations Benchmark recommendation 1.4 1 Identity and Access Management Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabled Shared The customer is responsible for implementing this recommendation. Do not allow users to remember multi-factor authentication on devices. link 3
FedRAMP_High_R4 IA-2(1) FedRAMP_High_R4_IA-2(1) FedRAMP High IA-2 (1) Identification And Authentication Network Access To Privileged Accounts Shared n/a The information system implements multifactor authentication for network access to privileged accounts. Supplemental Guidance: Related control: AC-6. link 3
FedRAMP_High_R4 IA-2(11) FedRAMP_High_R4_IA-2(11) FedRAMP High IA-2 (11) Identification And Authentication Remote Access - Separate Device Shared n/a The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. Supplemental Guidance: For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. link 2
FedRAMP_High_R4 IA-2(2) FedRAMP_High_R4_IA-2(2) FedRAMP High IA-2 (2) Identification And Authentication Network Access To Non-Privileged Accounts Shared n/a The information system implements multifactor authentication for network access to non- privileged accounts. link 2
FedRAMP_High_R4 IA-2(3) FedRAMP_High_R4_IA-2(3) FedRAMP High IA-2 (3) Identification And Authentication Local Access To Privileged Accounts Shared n/a The information system implements multifactor authentication for local access to privileged accounts. Supplemental Guidance: Related control: AC-6. link 1
FedRAMP_Moderate_R4 IA-2(1) FedRAMP_Moderate_R4_IA-2(1) FedRAMP Moderate IA-2 (1) Identification And Authentication Network Access To Privileged Accounts Shared n/a The information system implements multifactor authentication for network access to privileged accounts. Supplemental Guidance: Related control: AC-6. link 3
FedRAMP_Moderate_R4 IA-2(11) FedRAMP_Moderate_R4_IA-2(11) FedRAMP Moderate IA-2 (11) Identification And Authentication Remote Access - Separate Device Shared n/a The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. Supplemental Guidance: For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. link 2
FedRAMP_Moderate_R4 IA-2(2) FedRAMP_Moderate_R4_IA-2(2) FedRAMP Moderate IA-2 (2) Identification And Authentication Network Access To Non-Privileged Accounts Shared n/a The information system implements multifactor authentication for network access to non- privileged accounts. link 2
FedRAMP_Moderate_R4 IA-2(3) FedRAMP_Moderate_R4_IA-2(3) FedRAMP Moderate IA-2 (3) Identification And Authentication Local Access To Privileged Accounts Shared n/a The information system implements multifactor authentication for local access to privileged accounts. Supplemental Guidance: Related control: AC-6. link 1
hipaa 0505.09m2Organizational.3-09.m hipaa-0505.09m2Organizational.3-09.m 0505.09m2Organizational.3-09.m 05 Wireless Security 0505.09m2Organizational.3-09.m 09.06 Network Security Management Shared n/a Quarterly scans are performed to identify unauthorized wireless access points, and appropriate action is taken if any unauthorized access points are discovered. 8
hipaa 0817.01w2System.123-01.w hipaa-0817.01w2System.123-01.w 0817.01w2System.123-01.w 08 Network Protection 0817.01w2System.123-01.w 01.06 Application and Information Access Control Shared n/a Unless the risk is identified and accepted by the data owner, sensitive systems are isolated (physically or logically) from non-sensitive applications/systems. 13
hipaa 0830.09m3Organizational.1012-09.m hipaa-0830.09m3Organizational.1012-09.m 0830.09m3Organizational.1012-09.m 08 Network Protection 0830.09m3Organizational.1012-09.m 09.06 Network Security Management Shared n/a A DMZ is established with all database(s), servers, and other system components storing or processing covered information placed behind it to limit external network traffic to the internal network. 8
hipaa 0916.09s2Organizational.4-09.s hipaa-0916.09s2Organizational.4-09.s 0916.09s2Organizational.4-09.s 09 Transmission Protection 0916.09s2Organizational.4-09.s 09.08 Exchange of Information Shared n/a The information system prohibits remote activation of collaborative computing devices and provides an explicit indication of use to users physically present at the devices. 7
hipaa 0927.09v1Organizational.3-09.v hipaa-0927.09v1Organizational.3-09.v 0927.09v1Organizational.3-09.v 09 Transmission Protection 0927.09v1Organizational.3-09.v 09.08 Exchange of Information Shared n/a Stronger levels of authentication are implemented to control access from publicly accessible networks. 4
hipaa 1022.01d1System.15-01.d hipaa-1022.01d1System.15-01.d 1022.01d1System.15-01.d 10 Password Management 1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems Shared n/a Password policies, applicable to mobile devices, are documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and prohibit the changing of password/PIN lengths and authentication requirements. 8
hipaa 11109.01q1Organizational.57-01.q hipaa-11109.01q1Organizational.57-01.q 11109.01q1Organizational.57-01.q 11 Access Control 11109.01q1Organizational.57-01.q 01.05 Operating System Access Control Shared n/a The organization ensures that redundant user IDs are not issued to other users and that all users are uniquely identified and authenticated for both local and remote access to information systems. 7
hipaa 11112.01q2Organizational.67-01.q hipaa-11112.01q2Organizational.67-01.q 11112.01q2Organizational.67-01.q 11 Access Control 11112.01q2Organizational.67-01.q 01.05 Operating System Access Control Shared n/a The information system employs replay-resistant authentication mechanisms such as nonce, one-time passwords, or time stamps to secure network access for privileged accounts. 3
hipaa 11190.01t1Organizational.3-01.t hipaa-11190.01t1Organizational.3-01.t 11190.01t1Organizational.3-01.t 11 Access Control 11190.01t1Organizational.3-01.t 01.05 Operating System Access Control Shared n/a Bring your own device (BYOD) and/or company-owned devices are configured to require an automatic lockout screen, and the requirement is enforced through technical controls. 5
hipaa 1121.01j3Organizational.2-01.j hipaa-1121.01j3Organizational.2-01.j 1121.01j3Organizational.2-01.j 11 Access Control 1121.01j3Organizational.2-01.j 01.04 Network Access Control Shared n/a Remote administration sessions are authorized, encrypted, and employ increased security measures. 11
hipaa 1122.01q1System.1-01.q hipaa-1122.01q1System.1-01.q 1122.01q1System.1-01.q 11 Access Control 1122.01q1System.1-01.q 01.05 Operating System Access Control Shared n/a Unique IDs that can be used to trace activities to the responsible individual are required for all types of organizational and non-organizational users. 7
hipaa 1125.01q2System.1-01.q hipaa-1125.01q2System.1-01.q 1125.01q2System.1-01.q 11 Access Control 1125.01q2System.1-01.q 01.05 Operating System Access Control Shared n/a Multi-factor authentication methods are used in accordance with organizational policy (e.g., for remote network access). 4
hipaa 1175.01j1Organizational.8-01.j hipaa-1175.01j1Organizational.8-01.j 1175.01j1Organizational.8-01.j 11 Access Control 1175.01j1Organizational.8-01.j 01.04 Network Access Control Shared n/a Remote access to business information across public networks only takes place after successful identification and authentication. 5
ISO27001-2013 A.11.1.1 ISO27001-2013_A.11.1.1 ISO 27001:2013 A.11.1.1 Physical And Environmental Security Physical security perimeter Shared n/a Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. link 8
ISO27001-2013 A.11.1.2 ISO27001-2013_A.11.1.2 ISO 27001:2013 A.11.1.2 Physical And Environmental Security Physical entry controls Shared n/a Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. link 9
ISO27001-2013 A.11.1.3 ISO27001-2013_A.11.1.3 ISO 27001:2013 A.11.1.3 Physical And Environmental Security Securing offices, rooms and facilities Shared n/a Physical security for offices, rooms and facilities shall be designed and applied. link 5
ISO27001-2013 A.11.1.6 ISO27001-2013_A.11.1.6 ISO 27001:2013 A.11.1.6 Physical And Environmental Security Delivering and loading areas Shared n/a Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. link 5
ISO27001-2013 A.11.2.3 ISO27001-2013_A.11.2.3 ISO 27001:2013 A.11.2.3 Physical And Environmental Security Cabling security Shared n/a Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. link 4
ISO27001-2013 A.13.1.1 ISO27001-2013_A.13.1.1 ISO 27001:2013 A.13.1.1 Communications Security Network controls Shared n/a Networks shall be managed and controlled to protect information in systems and applications. link 40
ISO27001-2013 A.13.1.2 ISO27001-2013_A.13.1.2 ISO 27001:2013 A.13.1.2 Communications Security Security of network services Shared n/a Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. link 16
ISO27001-2013 A.14.1.2 ISO27001-2013_A.14.1.2 ISO 27001:2013 A.14.1.2 System Acquisition, Development And Maintenance Securing application services on public networks Shared n/a Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. link 32
ISO27001-2013 A.6.2.1 ISO27001-2013_A.6.2.1 ISO 27001:2013 A.6.2.1 Organization of Information Security Mobile device policy Shared n/a A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. link 13
ISO27001-2013 A.6.2.2 ISO27001-2013_A.6.2.2 ISO 27001:2013 A.6.2.2 Organization of Information Security Teleworking Shared n/a A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. link 16
ISO27001-2013 A.9.1.2 ISO27001-2013_A.9.1.2 ISO 27001:2013 A.9.1.2 Access Control Access to networks and network services Shared n/a Users shall only be provided with access to the network and network services that they have been specifically authorized to use. link 29
ISO27001-2013 A.9.4.2 ISO27001-2013_A.9.4.2 ISO 27001:2013 A.9.4.2 Access Control Secure log-on procedures Shared n/a Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. link 17
NIST_SP_800-171_R2_3 .5.3 NIST_SP_800-171_R2_3.5.3 NIST SP 800-171 R2 3.5.3 Identification and Authentication Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts Shared Microsoft and the customer share responsibilities for implementing this requirement. Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security. Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. The use of encrypted virtual private networks for connections between organization-controlled and non-organization controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information. [SP 800-63-3] provides guidance on digital identities. Multifactor authentication requires two or more different factors to achieve authentication. The factors include: something you know (e.g., password/PIN); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). The requirement for multifactor authentication should not be interpreted as requiring federal Personal Identity Verification (PIV) card or Department of Defense Common Access Card (CAC)-like solutions. A variety of multifactor solutions (including those with replay resistance) using tokens and biometrics are commercially available. Such solutions may employ hard tokens (e.g., smartcards, key fobs, or dongles) or soft tokens to store user credentials. Local access is any access to a system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. Network access is any access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet). link 5
NIST_SP_800-53_R4 IA-2(1) NIST_SP_800-53_R4_IA-2(1) NIST SP 800-53 Rev. 4 IA-2 (1) Identification And Authentication Network Access To Privileged Accounts Shared n/a The information system implements multifactor authentication for network access to privileged accounts. Supplemental Guidance: Related control: AC-6. link 3
NIST_SP_800-53_R4 IA-2(11) NIST_SP_800-53_R4_IA-2(11) NIST SP 800-53 Rev. 4 IA-2 (11) Identification And Authentication Remote Access - Separate Device Shared n/a The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. Supplemental Guidance: For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. link 2
NIST_SP_800-53_R4 IA-2(2) NIST_SP_800-53_R4_IA-2(2) NIST SP 800-53 Rev. 4 IA-2 (2) Identification And Authentication Network Access To Non-Privileged Accounts Shared n/a The information system implements multifactor authentication for network access to non- privileged accounts. link 2
NIST_SP_800-53_R4 IA-2(3) NIST_SP_800-53_R4_IA-2(3) NIST SP 800-53 Rev. 4 IA-2 (3) Identification And Authentication Local Access To Privileged Accounts Shared n/a The information system implements multifactor authentication for local access to privileged accounts. Supplemental Guidance: Related control: AC-6. link 1
NIST_SP_800-53_R5 IA-2(1) NIST_SP_800-53_R5_IA-2(1) NIST SP 800-53 Rev. 5 IA-2 (1) Identification and Authentication Multi-factor Authentication to Privileged Accounts Shared n/a Implement multi-factor authentication for access to privileged accounts. link 3
NIST_SP_800-53_R5 IA-2(2) NIST_SP_800-53_R5_IA-2(2) NIST SP 800-53 Rev. 5 IA-2 (2) Identification and Authentication Multi-factor Authentication to Non-privileged Accounts Shared n/a Implement multi-factor authentication for access to non-privileged accounts. link 2
PCI_DSS_v4.0 8.2.3 PCI_DSS_v4.0_8.2.3 PCI DSS v4.0 8.2.3 Requirement 08: Identify Users and Authenticate Access to System Components User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle Shared n/a Service providers with remote access to customer premises use unique authentication factors for each customer premises. link 3
PCI_DSS_v4.0 8.3.1 PCI_DSS_v4.0_8.3.1 PCI DSS v4.0 8.3.1 Requirement 08: Identify Users and Authenticate Access to System Components Strong authentication for users and administrators is established and managed Shared n/a All user access to system components for users and administrators is authenticated via at least one of the following authentication factors: • Something you know, such as a password or passphrase. • Something you have, such as a token device or smart card. • Something you are, such as a biometric element. link 4
PCI_DSS_v4.0 8.3.11 PCI_DSS_v4.0_8.3.11 PCI DSS v4.0 8.3.11 Requirement 08: Identify Users and Authenticate Access to System Components Strong authentication for users and administrators is established and managed Shared n/a Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used: • Factors are assigned to an individual user and not shared among multiple users. • Physical and/or logical controls ensure only the intended user can use that factor to gain access. link 6
PCI_DSS_v4.0 8.4.1 PCI_DSS_v4.0_8.4.1 PCI DSS v4.0 8.4.1 Requirement 08: Identify Users and Authenticate Access to System Components Multi-factor authentication (MFA) is implemented to secure access into the CDE Shared n/a MFA is implemented for all non-console access into the CDE for personnel with administrative access. link 8
PCI_DSS_v4.0 8.4.2 PCI_DSS_v4.0_8.4.2 PCI DSS v4.0 8.4.2 Requirement 08: Identify Users and Authenticate Access to System Components Multi-factor authentication (MFA) is implemented to secure access into the CDE Shared n/a MFA is implemented for all access into the CDE. link 8
PCI_DSS_v4.0 8.4.3 PCI_DSS_v4.0_8.4.3 PCI DSS v4.0 8.4.3 Requirement 08: Identify Users and Authenticate Access to System Components Multi-factor authentication (MFA) is implemented to secure access into the CDE Shared n/a MFA is implemented for all remote network access originating from outside the entity’s network that could access or impact the CDE as follows: • All remote access by all personnel, both users and administrators, originating from outside the entity’s network. • All remote access by third parties and vendors. link 8
PCI_DSS_v4.0 8.5.1 PCI_DSS_v4.0_8.5.1 PCI DSS v4.0 8.5.1 Requirement 08: Identify Users and Authenticate Access to System Components Multi-factor authentication (MFA) systems are configured to prevent misuse Shared n/a MFA systems are implemented as follows: • The MFA system is not susceptible to replay attacks. • MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period. • At least two different types of authentication factors are used. • Success of all authentication factors is required before access is granted. link 8
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 80
SOC_2 CC6.6 SOC_2_CC6.6 SOC 2 Type 2 CC6.6 Logical and Physical Access Controls Security measures against threats outside system boundaries Shared The customer is responsible for implementing this recommendation. • Restricts Access — The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. • Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries. • Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its boundaries. • Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts 41
SWIFT_CSCF_v2022 4.2 SWIFT_CSCF_v2022_4.2 SWIFT CSCF v2022 4.2 4. Prevent Compromise of Credentials Prevent that a compromise of a single authentication factor allows access into SWIFT-related systems or applications by implementing multi-factor authentication. Shared n/a Multi-factor authentication is used for interactive user access to SWIFT-related applications and operating system accounts. link 5
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-08-26 16:33:38 add 7d7a8356-5c34-9a95-3118-1424cfaf192a
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
JSON
changes

JSON