compliance controls are associated with this Policy definition 'Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys' (7d7be79c-23ba-4033-84dd-45e2a5ccdd67)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| CMMC_2.0_L2 |
SC.L2-3.13.10 |
CMMC_2.0_L2_SC.L2-3.13.10 |
404 not found |
|
|
|
n/a |
n/a |
|
37 |
| CMMC_L3 |
SC.3.177 |
CMMC_L3_SC.3.177 |
CMMC L3 SC.3.177 |
System and Communications Protection |
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPSvalidated cryptography and/or NSA-approved cryptography. |
link |
25 |
| DORA_2022_2554 |
9.3c |
DORA_2022_2554_9.3c |
DORA 2022 2554 9.3c |
9 |
Prevent Data Availability and Integrity Issues in ICT Systems |
Shared |
n/a |
Implement measures in information and communication technology (ICT) to prevent issues related to data availability, authenticity, integrity, confidentiality breaches, and data loss. |
|
58 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
306 |
| FedRAMP_High_R4 |
SC-12 |
FedRAMP_High_R4_SC-12 |
FedRAMP High SC-12 |
System And Communications Protection |
Cryptographic Key Establishment And Management |
Shared |
n/a |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17.
References: NIST Special Publications 800-56, 800-57. |
link |
40 |
| FedRAMP_Moderate_R4 |
SC-12 |
FedRAMP_Moderate_R4_SC-12 |
FedRAMP Moderate SC-12 |
System And Communications Protection |
Cryptographic Key Establishment And Management |
Shared |
n/a |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17.
References: NIST Special Publications 800-56, 800-57. |
link |
40 |
| K_ISMS_P_2018 |
2.10.1 |
K_ISMS_P_2018_2.10.1 |
K ISMS P 2018 2.10.1 |
2.10 |
Establish Procedures for Managing the Security of System Operations |
Shared |
n/a |
Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions. |
|
408 |
| K_ISMS_P_2018 |
2.10.2 |
K_ISMS_P_2018_2.10.2 |
K ISMS P 2018 2.10.2 |
2.10 |
Establish Protective Measures for Administrator Privileges and Security Configurations |
Shared |
n/a |
Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations. |
|
385 |
| K_ISMS_P_2018 |
2.10.4 |
K_ISMS_P_2018_2.10.4 |
K ISMS P 2018 2.10.4 |
2.10 |
Establish Protective Measures when Working with Electronic Transactions or Fintech Services |
Shared |
n/a |
Establish and implement protective measures such as authentication and encryption to prevent information leakage, data alteration, or fraud when working with electronic transactions and Fintech services. In the event connections to external systems are required, safety must be checked. |
|
43 |
| K_ISMS_P_2018 |
2.7.1b |
K_ISMS_P_2018_2.7.1b |
K ISMS P 2018 2.7.1b |
2.7 |
Ensure Data is Encrypted at Rest and In-Transit |
Shared |
n/a |
Ensure data is encrypted when storing and transmitting personal and important information. |
|
68 |
| K_ISMS_P_2018 |
2.7.2 |
K_ISMS_P_2018_2.7.2 |
K ISMS P 2018 2.7.2 |
2.7 |
Establish Encryption Key Management Procedures |
Shared |
n/a |
Establish and implement procedures for securely creating, using, storing, distributing, and destroying encryption keys. Additionally, establish and implement procedures for recovering encryption keys, if necessary. |
|
48 |
| NIST_SP_800-171_R2_3 |
.13.10 |
NIST_SP_800-171_R2_3.13.10 |
NIST SP 800-171 R2 3.13.10 |
System and Communications Protection |
Establish and manage cryptographic keys for cryptography employed in organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. [SP 800-56A] and [SP 800-57-1] provide guidance on cryptographic key management and key establishment. |
link |
40 |
| NIST_SP_800-53_R4 |
SC-12 |
NIST_SP_800-53_R4_SC-12 |
NIST SP 800-53 Rev. 4 SC-12 |
System And Communications Protection |
Cryptographic Key Establishment And Management |
Shared |
n/a |
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17.
References: NIST Special Publications 800-56, 800-57. |
link |
40 |
| NIST_SP_800-53_R5 |
SC-12 |
NIST_SP_800-53_R5_SC-12 |
NIST SP 800-53 Rev. 5 SC-12 |
System and Communications Protection |
Cryptographic Key Establishment and Management |
Shared |
n/a |
Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
link |
40 |
| RMiT_v1.0 |
10.19 |
RMiT_v1.0_10.19 |
RMiT 10.19 |
Cryptography |
Cryptography - 10.19 |
Shared |
n/a |
A financial institution must ensure cryptographic controls are based on the effective implementation of suitable cryptographic protocols. The protocols shall include secret and public cryptographic key protocols, both of which shall reflect a high degree of protection to the applicable secret or private cryptographic keys. The selection of such protocols must be based on recognised international standards and tested accordingly. Commensurate with the level of risk, secret cryptographic key and private-cryptographic key storage and encryption/decryption computation must be undertaken in a protected environment, supported by a hardware security module (HSM) or trusted execution environment (TEE). |
link |
6 |
| SO |
.3 - Customer-Managed Keys |
SO.3 - Customer-Managed Keys |
404 not found |
|
|
|
n/a |
n/a |
|
14 |
| SWIFT_CSCF_v2021 |
6.2 |
SWIFT_CSCF_v2021_6.2 |
SWIFT CSCF v2021 6.2 |
Detect Anomalous Activity to Systems or Transaction Records |
Software Integrity |
|
n/a |
Ensure the software integrity of the SWIFT-related applications. |
link |
3 |
| SWIFT_CSCF_v2021 |
6.5A |
SWIFT_CSCF_v2021_6.5A |
SWIFT CSCF v2021 6.5A |
Detect Anomalous Activity to Systems or Transaction Records |
Intrusion Detection |
|
n/a |
Detect and prevent anomalous network activity into and within the local or remote SWIFT environment. |
link |
15 |
|
U.05.2 - Cryptographic measures |
U.05.2 - Cryptographic measures |
404 not found |
|
|
|
n/a |
n/a |
|
53 |
|
U.11.3 - Encrypted |
U.11.3 - Encrypted |
404 not found |
|
|
|
n/a |
n/a |
|
52 |