last sync: 2025-Mar-26 20:41:27 UTC

Audit diagnostic setting for selected resource types

Azure BuiltIn Policy definition

Source Azure Portal
Display name Audit diagnostic setting for selected resource types
Id 7f89b1eb-583c-429a-8828-af049802c1d9
Version 2.0.1
Details on versioning
Versioning Versions supported for Versioning: 1
2.0.1
Built-in Versioning [Preview]
Category Monitoring
Microsoft Learn
Description Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '2.*.*'
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Fixed
AuditIfNotExists
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (2)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Insights/diagnosticSettings/logs.enabled microsoft.insights diagnosticSettings properties.logs[*].enabled True False
Microsoft.Insights/diagnosticSettings/metrics.enabled microsoft.insights diagnosticSettings properties.metrics[*].enabled True False
Rule resource types IF (25)
microsoft.apimanagement/service/apis/operations
microsoft.apimanagement/service/apis/operations/policies
microsoft.apimanagement/service/apis/operations/tags
microsoft.authorization/roleassignments
microsoft.authorization/roledefinitions
microsoft.authorization/rolemanagementpolicies
microsoft.compute/disks
microsoft.compute/snapshots
microsoft.compute/virtualmachines/extensions
microsoft.datafactory/factories/datasets
microsoft.datafactory/factories/pipelines
microsoft.insights/components/proactivedetectionconfigs
microsoft.machinelearningservices/workspaces/environments/versions
microsoft.machinelearningservices/workspaces/jobs
microsoft.network/networksecuritygroups/securityrules
microsoft.network/routetables/routes
microsoft.network/virtualnetworks/subnets
microsoft.operationalinsights/workspaces/tables
microsoft.resources/subscriptions/resourcegroups
microsoft.security/assessmentmetadata
microsoft.security/policies
Microsoft.security/pricings
microsoft.sql/servers/databases/advisors
microsoft.storage/storageaccounts/queueservices/queues
microsoft.storage/storageaccounts/tableservices/tables
Compliance
The following 82 compliance controls are associated with this Policy definition 'Audit diagnostic setting for selected resource types' (7f89b1eb-583c-429a-8828-af049802c1d9)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
AU_ISM 1537 AU_ISM_1537 AU ISM 1537 Guidelines for System Monitoring - Event logging and auditing Events to be logged - 1537 n/a The following events are logged for databases: • access to particularly important data • addition of new users, especially privileged users • any query containing comments • any query containing multiple embedded queries • any query or database alerts or failures • attempts to elevate privileges • attempted access that is successful or unsuccessful • changes to the database structure • changes to user roles or database permissions • database administrator actions • database logons and logoffs • modifications to data • use of executable commands. link 3
AU_ISM 582 AU_ISM_582 AU ISM 582 Guidelines for System Monitoring - Event logging and auditing Events to be logged - 582 n/a The following events are logged for operating systems: • access to important data and processes • application crashes and any error messages • attempts to use special privileges • changes to accounts • changes to security policy • changes to system configurations • Domain Name System (DNS) and Hypertext Transfer Protocol requests • failed attempts to access data and system resources • service failures and restarts • system startup and shutdown • transfer of data to and from external media • user or group management • use of special privileges. link 2
Azure_Security_Benchmark_v1.0 2.3 Azure_Security_Benchmark_v1.0_2.3 Azure Security Benchmark 2.3 Logging and Monitoring Enable audit logging for Azure resources Customer Enable Diagnostic Settings on Azure resources for access to audit, security, and diagnostic logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. How to collect platform logs and metrics with Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings Understand logging and different log types in Azure: https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview n/a link 15
Canada_Federal_PBMM_3-1-2020 AC_2(4) Canada_Federal_PBMM_3-1-2020_AC_2(4) Canada Federal PBMM 3-1-2020 AC 2(4) Account Management Account Management | Automated Audit Actions Shared 1. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies responsible managers. 2. Related controls: AU-2, AU-12. To ensure accountability and transparency within the information system. 53
Canada_Federal_PBMM_3-1-2020 CA_7 Canada_Federal_PBMM_3-1-2020_CA_7 Canada Federal PBMM 3-1-2020 CA 7 Continuous Monitoring Continuous Monitoring Shared 1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency. To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements. 125
Canada_Federal_PBMM_3-1-2020 SI_4 Canada_Federal_PBMM_3-1-2020_SI_4 Canada Federal PBMM 3-1-2020 SI 4 Information System Monitoring Information System Monitoring Shared 1. The organization monitors the information system to detect: a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and b. Unauthorized local, network, and remote connections; 2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods. 3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. 4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. 5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. 6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards. 7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency. To enhance overall security posture. 95
Canada_Federal_PBMM_3-1-2020 SI_4(1) Canada_Federal_PBMM_3-1-2020_SI_4(1) Canada Federal PBMM 3-1-2020 SI 4(1) Information System Monitoring Information System Monitoring | System-Wide Intrusion Detection System Shared The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. To enhance overall security posture. 95
Canada_Federal_PBMM_3-1-2020 SI_4(2) Canada_Federal_PBMM_3-1-2020_SI_4(2) Canada Federal PBMM 3-1-2020 SI 4(2) Information System Monitoring Information System Monitoring | Automated Tools for Real-Time Analysis Shared The organization employs automated tools to support near real-time analysis of events. To enhance overall security posture. 94
CCCS AU-12 CCCS_AU-12 CCCS AU-12 Audit and Accountability Audit Generation n/a (A) The information system provides audit record generation capability for the auditable events defined in AU-2 a. of all information system and network components where audit capability is deployed/available. (B) The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system. (C) The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. link 7
CCCS AU-5 CCCS_AU-5 CCCS AU-5 Audit and Accountability Response to Audit Processing Failures n/a (A) The information system alerts organization-defined personnel or roles in the event of an audit processing failure; and (B) The information system overwrites the oldest audit records. link 4
CIS_Controls_v8.1 13.11 CIS_Controls_v8.1_13.11 CIS Controls v8.1 13.11 Network Monitoring and Defense Tune security event alerting thresholds Shared Tune security event alerting thresholds monthly, or more frequently. To regularly adjust and optimize security event alerting thresholds, aiming to enhance effectiveness. 50
CIS_Controls_v8.1 3.14 CIS_Controls_v8.1_3.14 CIS Controls v8.1 3.14 Data Protection Log sensitive data access Shared Log sensitive data access, including modification and disposal. To enhance accountability, traceability, and security measures within the enterprise. 47
CIS_Controls_v8.1 8.1 CIS_Controls_v8.1_8.1 CIS Controls v8.1 8.1 Audit Log Management Establish and maintain an audit log management process Shared 1. Establish and maintain an audit log management process that defines the enterprise’s logging requirements. 2. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. 3. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. To ensure appropriate management of audit log systems. 31
CIS_Controls_v8.1 8.2 CIS_Controls_v8.1_8.2 CIS Controls v8.1 8.2 Audit Log Management Collect audit logs. Shared 1. Collect audit logs. 2. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. To assist in troubleshooting of system issues and ensure integrity of data systems. 32
CIS_Controls_v8.1 8.5 CIS_Controls_v8.1_8.5 CIS Controls v8.1 8.5 Audit Log Management Collect detailed audit logs. Shared 1. Configure detailed audit logging for enterprise assets containing sensitive data. 2. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. To ensure that audit logs contain all pertinent information that might be required in a forensic investigation. 34
CIS_Controls_v8.1 8.7 CIS_Controls_v8.1_8.7 CIS Controls v8.1 8.7 Audit Log Management Collect URL request audit logs Shared Collect URL request audit logs on enterprise assets, where appropriate and supported. To maintain an audit trail of all URL requests made. 31
CIS_Controls_v8.1 8.8 CIS_Controls_v8.1_8.8 CIS Controls v8.1 8.8 Audit Log Management Collect command-line audit logs Shared Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell, BASH, and remote administrative terminals. To ensure recording of the commands and arguments used by a process. 31
CIS_Controls_v8.1 8.9 CIS_Controls_v8.1_8.9 CIS Controls v8.1 8.9 Audit Log Management Centralize audit logs Shared Centralize, to the extent possible, audit log collection and retention across enterprise assets. To optimize and simply the process of audit log management. 31
CMMC_L2_v1.9.0 AU.L2_3.3.3 CMMC_L2_v1.9.0_AU.L2_3.3.3 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.3 Audit and Accountability Event Review Shared Review and update logged events. To enhance the effectiveness of security measures. 35
CMMC_L2_v1.9.0 AU.L2_3.3.5 CMMC_L2_v1.9.0_AU.L2_3.3.5 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.5 Audit and Accountability Audit Correlation Shared Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. To enhance the organization's ability to detect and mitigate security threats effectively. 8
CMMC_L3 AU.2.041 CMMC_L3_AU.2.041 CMMC L3 AU.2.041 Audit and Accountability Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). link 15
CMMC_L3 AU.2.042 CMMC_L3_AU.2.042 CMMC L3 AU.2.042 Audit and Accountability Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Shared Microsoft and the customer share responsibilities for implementing this requirement. An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. link 15
CMMC_L3 AU.3.046 CMMC_L3_AU.3.046 CMMC L3 AU.3.046 Audit and Accountability Alert in the event of an audit logging process failure. Shared Microsoft and the customer share responsibilities for implementing this requirement. Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both. link 7
CMMC_L3 AU.3.048 CMMC_L3_AU.3.048 CMMC L3 AU.3.048 Audit and Accountability Collect audit information (e.g., logs) into one or more central repositories. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations must aggregate and store audit logs in a central location to enable analysis activities and protect audit information. The repository should have the necessary infrastructure, capacity, and protection mechanisms to meet the organization’s audit requirements. link 8
CMMC_L3 AU.3.049 CMMC_L3_AU.3.049 CMMC L3 AU.3.049 Audit and Accountability Protect audit information and audit logging tools from unauthorized access, modification, and deletion. Shared Microsoft and the customer share responsibilities for implementing this requirement. Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements. link 2
CSA_v4.0.12 LOG_07 CSA_v4.0.12_LOG_07 CSA Cloud Controls Matrix v4.0.12 LOG 07 Logging and Monitoring Logging Scope Shared n/a Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment. 35
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 311
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 311
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 311
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 311
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .4 FBI_Criminal_Justice_Information_Services_v5.9.5_5.4 404 not found n/a n/a 42
hipaa 1210.09aa3System.3-09.aa hipaa-1210.09aa3System.3-09.aa 1210.09aa3System.3-09.aa 12 Audit Logging & Monitoring 1210.09aa3System.3-09.aa 09.10 Monitoring Shared n/a All disclosures of covered information within or outside of the organization are logged including type of disclosure, date/time of the event, recipient, and sender. 11
HITRUST_CSF_v11.3 09.aa HITRUST_CSF_v11.3_09.aa HITRUST CSF v11.3 09.aa Monitoring To ensure information security events are monitored and recorded to detect unauthorized information processing activities in compliance with all relevant legal requirements. Shared 1. Retention policies for audit logs are to be specified and the audit logs are to be retained accordingly. 2. A secure audit record is to be created each time a user accesses, creates, updates, or deletes covered and/or confidential information via the system. 3. Audit logs are to be maintained for account management activities, security policy changes, configuration changes, modification to sensitive information, read access to sensitive information, and printing of sensitive information. Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring. 39
HITRUST_CSF_v11.3 09.ab HITRUST_CSF_v11.3_09.ab HITRUST CSF v11.3 09.ab Monitoring To establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. Shared 1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with. Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. 114
IRS_1075_9.3 .3.11 IRS_1075_9.3.3.11 IRS 1075 9.3.3.11 Awareness and Training Audit Generation (AU-12) n/a The information system must: a. Provide audit record generation capability for the auditable events defined in Section 9.3.3.2, Audit Events (AU-2) b. Allow designated agency officials to select which auditable events are to be audited by specific components of the information system c. Generate audit records for the events with the content defined in Section 9.3.3.4, Content of Audit Records (AU-3). link 7
IRS_1075_9.3 .3.5 IRS_1075_9.3.3.5 IRS 1075 9.3.3.5 Awareness and Training Response to Audit Processing Failures (AU-5) n/a The information system must: a. Alert designated agency officials in the event of an audit processing failure b. Monitor system operational status using operating system or system audit logs and verify functions and performance of the system. Logs shall be able to identify where system process failures have taken place and provide information relative to corrective actions to be taken by the system administrator c. Provide a warning when allocated audit record storage volume reaches a maximum audit record storage capacity (CE1) link 4
ISO27001-2013 A.12.4.1 ISO27001-2013_A.12.4.1 ISO 27001:2013 A.12.4.1 Operations Security Event Logging Shared n/a Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. link 53
ISO27001-2013 A.12.4.3 ISO27001-2013_A.12.4.3 ISO 27001:2013 A.12.4.3 Operations Security Administrator and operator logs Shared n/a System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. link 29
ISO27001-2013 A.12.4.4 ISO27001-2013_A.12.4.4 ISO 27001:2013 A.12.4.4 Operations Security Clock Synchronization Shared n/a The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source. link 8
mp.info.4 Time stamps mp.info.4 Time stamps 404 not found n/a n/a 33
NIST_SP_800-171_R3_3 .3.1 NIST_SP_800-171_R3_3.3.1 404 not found n/a n/a 35
NIST_SP_800-171_R3_3 .3.5 NIST_SP_800-171_R3_3.3.5 404 not found n/a n/a 17
NIST_SP_800-53_R5.1.1 AU.12 NIST_SP_800-53_R5.1.1_AU.12 NIST SP 800-53 R5.1.1 AU.12 Audit and Accountability Control Audit Record Generation Shared a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3. Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records. 21
NIST_SP_800-53_R5.1.1 AU.12.1 NIST_SP_800-53_R5.1.1_AU.12.1 NIST SP 800-53 R5.1.1 AU.12.1 Audit and Accountability Control Audit Record Generation | System-wide and Time-correlated Audit Trail Shared Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. 8
NL_BIO_Cloud_Theme U.15.1(2) NL_BIO_Cloud_Theme_U.15.1(2) NL_BIO_Cloud_Theme_U.15.1(2) U.15 Logging and monitoring Events Logged n/a The malware protection is carried out on various environments, such as on mail servers, (desktop) computers and when accessing the organization's network. The scan for malware includes: all files received over networks or through any form of storage medium, even before use; all attachments and downloads even before use; virtual machines; network traffic. 46
NL_BIO_Cloud_Theme U.15.3(2) NL_BIO_Cloud_Theme_U.15.3(2) NL_BIO_Cloud_Theme_U.15.3(2) U.15 Logging and monitoring Events Logged n/a The CSP maintains a list of all assets that are critical in terms of logging and monitoring and regularly reviews this list for correctness. 6
NZISM_v3.7 14.1.13.C.01. NZISM_v3.7_14.1.13.C.01. NZISM v3.7 14.1.13.C.01. Standard Operating Environments 14.1.13.C.01. - To maintain the confidentiality and integrity of critical system information, thereby enhancing overall cybersecurity posture. Shared n/a Agencies SHOULD review all software applications to determine whether they attempt to establish any unauthorised or unplanned external connections. 9
NZISM_v3.7 14.1.13.C.02. NZISM_v3.7_14.1.13.C.02. NZISM v3.7 14.1.13.C.02. Standard Operating Environments 14.1.13.C.02. - To maintain the confidentiality and integrity of critical system information, thereby enhancing overall cybersecurity posture. Shared n/a If automated outbound connection functionality is included, agencies SHOULD make a business decision to determine whether to permit or deny these connections, including an assessment of the security risks involved in doing so. 9
NZISM_v3.7 14.1.13.C.03. NZISM_v3.7_14.1.13.C.03. NZISM v3.7 14.1.13.C.03. Standard Operating Environments 14.1.13.C.03. - To maintain the confidentiality and integrity of critical system information, thereby enhancing overall cybersecurity posture. Shared n/a If automated outbound connection functionality is included, agencies SHOULD consider the implementation of Data Loss Prevention (DLP) technologies. 9
NZISM_v3.7 14.1.14.C.01. NZISM_v3.7_14.1.14.C.01. NZISM v3.7 14.1.14.C.01. Standard Operating Environments 14.1.14.C.01. - To maintain the confidentiality and integrity of critical system information, thereby enhancing overall cybersecurity posture. Shared n/a Agencies SHOULD limit information that could be disclosed outside the agency about what software, and software versions are installed on their systems. 9
NZISM_v3.7 14.1.9.C.02. NZISM_v3.7_14.1.9.C.02. NZISM v3.7 14.1.9.C.02. Standard Operating Environments 14.1.9.C.02. - To maintaining the integrity and reliability of servers and workstations within the agency's environment Shared n/a Agencies SHOULD ensure that for all servers and workstations: 1. malware detection heuristics are set to a high level; 2. malware pattern signatures are checked for updates on at least a daily basis; 3. malware pattern signatures are updated as soon as possible after vendors make them available; 4. all disks and systems are regularly scanned for malicious code; and 5. the use of End Point Agents is considered. 9
NZISM_v3.7 14.2.4.C.01. NZISM_v3.7_14.2.4.C.01. NZISM v3.7 14.2.4.C.01. Application Allow listing 14.2.4.C.01. - To mitigate security risks, and ensure compliance with security policies and standards. Shared n/a Agencies SHOULD implement application allow listing as part of the SOE for workstations, servers and any other network device. 25
NZISM_v3.7 14.2.7.C.04. NZISM_v3.7_14.2.7.C.04. NZISM v3.7 14.2.7.C.04. Application Allow listing 14.2.7.C.04. - To minimise the risk of unauthorized or malicious executables running on their systems. Shared n/a Agencies SHOULD restrict the decision whether to run an executable based on the following, in the order of preference shown: 1. validates cryptographic hash; 2. executable absolute path; 3. digital signature; and 4. parent folder. 9
NZISM_v3.7 14.2.7.C.05. NZISM_v3.7_14.2.7.C.05. NZISM v3.7 14.2.7.C.05. Application Allow listing 14.2.7.C.05. - To enhance the security posture. Shared n/a Agencies SHOULD restrict the process creation permissions of any executables which are permitted to run by the application allow listing controls. 9
NZISM_v3.7 14.2.7.C.06. NZISM_v3.7_14.2.7.C.06. NZISM v3.7 14.2.7.C.06. Application Allow listing 14.2.7.C.06. - To enhance the security posture. Shared n/a Agencies SHOULD validate executable behaviour, in particular process creation, permission changes and access control modifications through examination, testing, monitoring and restriction of the permissions. 8
NZISM_v3.7 16.6.10.C.01. NZISM_v3.7_16.6.10.C.01. NZISM v3.7 16.6.10.C.01. Event Logging and Auditing 16.6.10.C.01. - To enhance system security and accountability. Shared n/a Agencies SHOULD log the events listed in the table below for specific software components. 1. Database - a. System user access to the database. b. Attempted access that is denied c. Changes to system user roles or database rights. d. Addition of new system users, especially privileged users e. Modifications to the data. f. Modifications to the format or structure of the database 2. Network/operating system a. Successful and failed attempts to logon and logoff. b. Changes to system administrator and system user accounts. c. Failed attempts to access data and system resources. d. Attempts to use special privileges. e. Use of special privileges. f. System user or group management. g. Changes to the security policy. h. Service failures and restarts. i.System startup and shutdown. j. Changes to system configuration data. k. Access to sensitive data and processes. l. Data import/export operations. 3. Web application a. System user access to the Web application. b. Attempted access that is denied. c. System user access to the Web documents. d. Search engine queries initiated by system users. 33
NZISM_v3.7 16.6.10.C.02. NZISM_v3.7_16.6.10.C.02. NZISM v3.7 16.6.10.C.02. Event Logging and Auditing 16.6.10.C.02. - To enhance system security and accountability. Shared n/a Agencies SHOULD log, at minimum, the following events for all software components: 1. user login; 2. all privileged operations; 3. failed attempts to elevate privileges; 4. security related system alerts and failures; 5. system user and group additions, deletions and modification to permissions; and 6. unauthorised or failed access attempts to systems and files identified as critical to the agency. 50
NZISM_v3.7 16.6.11.C.01. NZISM_v3.7_16.6.11.C.01. NZISM v3.7 16.6.11.C.01. Event Logging and Auditing 16.6.11.C.01. - To enhance system security and accountability. Shared n/a For each event identified as needing to be logged, agencies MUST ensure that the log facility records at least the following details, where applicable: 1. date and time of the event; 2. relevant system user(s) or processes; 3. event description; 4. success or failure of the event; 5. event source (e.g. application name); and 6. IT equipment location/identification. 50
NZISM_v3.7 16.6.12.C.01. NZISM_v3.7_16.6.12.C.01. NZISM v3.7 16.6.12.C.01. Event Logging and Auditing 16.6.12.C.01. - To maintain integrity of the data. Shared n/a Event logs MUST be protected from: 1. modification and unauthorised access; and 2. whole or partial loss within the defined retention period. 50
NZISM_v3.7 16.6.6.C.01. NZISM_v3.7_16.6.6.C.01. NZISM v3.7 16.6.6.C.01. Event Logging and Auditing 16.6.6.C.01. - To enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies MUST maintain system management logs for the life of a system. 50
NZISM_v3.7 16.6.7.C.01. NZISM_v3.7_16.6.7.C.01. NZISM v3.7 16.6.7.C.01. Event Logging and Auditing 16.6.7.C.01. - To facilitate effective monitoring, troubleshooting, and auditability of system operations. Shared n/a A system management log SHOULD record the following minimum information: 1. all system start-up and shutdown; 2. service, application, component or system failures; 3. maintenance activities; 4. backup and archival activities; 5. system recovery activities; and 6. special or out of hours activities. 50
NZISM_v3.7 16.6.9.C.01. NZISM_v3.7_16.6.9.C.01. NZISM v3.7 16.6.9.C.01. Event Logging and Auditing 16.6.9.C.01. - To enhance system security and accountability. Shared n/a Agencies MUST log, at minimum, the following events for all software components: 1. logons; 2. failed logon attempts; 3. logoffs; 4 .date and time; 5. all privileged operations; 6. failed attempts to elevate privileges; 7. security related system alerts and failures; 8. system user and group additions, deletions and modification to permissions; and 9. unauthorised or failed access attempts to systems and files identified as critical to the agency. 48
op.exp.8 Recording of the activity op.exp.8 Recording of the activity 404 not found n/a n/a 67
PCI_DSS_V3.2.1 10.3 PCI_DSS_V3.2.1_10.3 404 not found n/a n/a 4
PCI_DSS_V3.2.1 10.5.4 PCI_DSS_v3.2.1_10.5.4 PCI DSS v3.2.1 10.5.4 Requirement 10 PCI DSS requirement 10.5.4 shared n/a n/a link 4
PCI_DSS_v4.0.1 10.2.1.2 PCI_DSS_v4.0.1_10.2.1.2 PCI DSS v4.0.1 10.2.1.2 Log and Monitor All Access to System Components and Cardholder Data Administrative Actions Logging Shared n/a Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts. 25
PCI_DSS_v4.0 10.2.2 PCI_DSS_v4.0_10.2.2 PCI DSS v4.0 10.2.2 Requirement 10: Log and Monitor All Access to System Components and Cardholder Data Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events Shared n/a Audit logs record the following details for each auditable event: • User identification. • Type of event. • Date and time. • Success and failure indication. • Origination of event. • Identity or name of affected data, system component, resource, or service (for example, name and protocol). link 5
PCI_DSS_v4.0 10.3.3 PCI_DSS_v4.0_10.3.3 PCI DSS v4.0 10.3.3 Requirement 10: Log and Monitor All Access to System Components and Cardholder Data Audit logs are protected from destruction and unauthorized modifications Shared n/a Audit log files, including those for externalfacing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify. link 5
RMiT_v1.0 10.66 RMiT_v1.0_10.66 RMiT 10.66 Security of Digital Services Security of Digital Services - 10.66 Shared n/a A financial institution must implement robust technology security controls in providing digital services which assure the following: (a) confidentiality and integrity of customer and counterparty information and transactions; (b) reliability of services delivered via channels and devices with minimum disruption to services; (c) proper authentication of users or devices and authorisation of transactions; (d) sufficient audit trail and monitoring of anomalous transactions; (e) ability to identify and revert to the recovery point prior to incident or service disruption; and (f) strong physical control and logical control measures link 31
SOC_2023 A1.1 SOC_2023_A1.1 SOC 2023 A1.1 Additional Criteria for Availability To effectively manage capacity demand and facilitate the implementation of additional capacity as needed. Shared n/a The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. 111
SOC_2023 CC.5.3 SOC_2023_CC.5.3 404 not found n/a n/a 37
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 218
SOC_2023 CC4.1 SOC_2023_CC4.1 SOC 2023 CC4.1 Monitoring Activities To enhance the ability to manage risks and achieve objectives. Shared n/a The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 38
SOC_2023 CC4.2 SOC_2023_CC4.2 SOC 2023 CC4.2 Monitoring Activities To facilitate timely corrective actions and strengthen the ability to maintain effective control over its operations and achieve its objectives. Shared n/a The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors. 37
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 229
SOC_2023 CC7.2 SOC_2023_CC7.2 SOC 2023 CC7.2 Systems Operations To maintain robust security measures and ensure operational resilience. Shared n/a The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. 167
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 213
SOC_2023 CC8.1 SOC_2023_CC8.1 SOC 2023 CC8.1 Change Management To minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. Shared n/a The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. 147
SWIFT_CSCF_2024 6.4 SWIFT_CSCF_2024_6.4 SWIFT Customer Security Controls Framework 2024 6.4 Access Control Logging and Monitoring Shared 1. Developing a logging and monitoring plan is the basis for effectively detecting abnormal behaviour and potential attacks and support further investigations. 2. As the operational environment becomes more complex, so will the logging and monitoring capability needed to perform adequate detection. Simplifying the operational environment will enable simpler logging and monitoring. To record security events, detect and respond to anomalous actions and operations within the user’s Swift environment. 42
U.15.1 - Events logged U.15.1 - Events logged 404 not found n/a n/a 40
U.15.3 - Events logged U.15.3 - Events logged 404 not found n/a n/a 6
UK_NCSC_CSP 13 UK_NCSC_CSP_13 UK NCSC CSP 13 Audit information for users Audit information for users Shared n/a You should be provided with the audit records needed to monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales. link 3
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn true
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077 Regulatory Compliance Preview BuiltIn unknown
[Preview]: SWIFT CSP-CSCF v2020 3e0c67fc-8c7c-406c-89bd-6b6bdc986a22 Regulatory Compliance Preview BuiltIn unknown
Canada Federal PBMM 4c4a5f27-de81-430b-b4e5-9cbd50595a87 Regulatory Compliance GA BuiltIn unknown
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn true
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn unknown
IRS1075 September 2016 105e0327-6175-4eb2-9af4-1fba43bdb39d Regulatory Compliance GA BuiltIn true
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn true
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn true
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
PCI v3.2.1:2018 496eeda9-8f2f-4d5e-8dfd-204f0a92ed41 Regulatory Compliance GA BuiltIn unknown
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn unknown
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn unknown
UK OFFICIAL and UK NHS 3937f550-eedd-4639-9c5e-294358be442e Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-12-21 17:43:51 change Patch (2.0.0 > 2.0.1)
2022-10-05 16:36:28 change Major (1.1.0 > 2.0.0)
2022-01-07 18:14:35 change Minor (1.0.0 > 1.1.0)
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC