last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Perform information input validation

Name Perform information input validation
Azure Portal
Id 8b1f29eb-1b22-4217-5337-9207cb55231e
Version 1.1.0
details on versioning
Category Regulatory Compliance
Microsoft docs
Description CMA_C1723 - Perform information input validation
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
Manual
Allowed
Manual, Disabled
RBAC
Role(s)
none
Rule
Aliases
Rule
ResourceTypes
IF (1)
Microsoft.Resources/subscriptions
Compliance The following 10 compliance controls are associated with this Policy definition 'Perform information input validation' (8b1f29eb-1b22-4217-5337-9207cb55231e)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SI-10 FedRAMP_High_R4_SI-10 FedRAMP High SI-10 System And Information Integrity Information Input Validation Shared n/a The information system checks the validity of [Assignment: organization-defined information inputs]. Supplemental Guidance: Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker- supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks. References: None. link 1
FedRAMP_Moderate_R4 SI-10 FedRAMP_Moderate_R4_SI-10 FedRAMP Moderate SI-10 System And Information Integrity Information Input Validation Shared n/a The information system checks the validity of [Assignment: organization-defined information inputs]. Supplemental Guidance: Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker- supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks. References: None. link 1
hipaa 0706.10b1System.12-10.b hipaa-0706.10b1System.12-10.b 0706.10b1System.12-10.b 07 Vulnerability Management 0706.10b1System.12-10.b 10.02 Correct Processing in Applications Shared n/a Applications developed by the organization are based on secure coding guidelines to prevent common vulnerabilities or undergo appropriate testing. 4
hipaa 0733.10b2System.4-10.b hipaa-0733.10b2System.4-10.b 0733.10b2System.4-10.b 07 Vulnerability Management 0733.10b2System.4-10.b 10.02 Correct Processing in Applications Shared n/a The information system checks the validity of organization-defined information inputs for accuracy, completeness, validity, and authenticity as close to the point of origin as possible. For in-house developed software, the organization ensures that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. 2
hipaa 0901.09s1Organizational.1-09.s hipaa-0901.09s1Organizational.1-09.s 0901.09s1Organizational.1-09.s 09 Transmission Protection 0901.09s1Organizational.1-09.s 09.08 Exchange of Information Shared n/a The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. 31
ISO27001-2013 A.14.2.5 ISO27001-2013_A.14.2.5 ISO 27001:2013 A.14.2.5 System Acquisition, Development And Maintenance Secure system engineering principles Shared n/a Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. link 5
NIST_SP_800-53_R4 SI-10 NIST_SP_800-53_R4_SI-10 NIST SP 800-53 Rev. 4 SI-10 System And Information Integrity Information Input Validation Shared n/a The information system checks the validity of [Assignment: organization-defined information inputs]. Supplemental Guidance: Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker- supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks. References: None. link 1
NIST_SP_800-53_R5 SI-10 NIST_SP_800-53_R5_SI-10 NIST SP 800-53 Rev. 5 SI-10 System and Information Integrity Information Input Validation Shared n/a Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]. link 1
SOC_2 PI1.2 SOC_2_PI1.2 SOC 2 Type 2 PI1.2 Additional Criteria For Processing Integrity System inputs over completeness and accuracy Shared The customer is responsible for implementing this recommendation. • Defines Characteristics of Processing Inputs — The characteristics of processing inputs that are necessary to meet requirements are defined. • Evaluates Processing Inputs — Processing inputs are evaluated for compliance with defined input requirements. • Creates and Maintains Records of System Inputs — Records of system input activities are created and maintained completely and accurately in a timely manner. 1
SOC_2 PI1.3 SOC_2_PI1.3 SOC 2 Type 2 PI1.3 Additional Criteria For Processing Integrity System processing Shared The customer is responsible for implementing this recommendation. • Defines Processing Specifications — The processing specifications that are necessary to meet product or service requirements are defined. • Defines Processing Activities — Processing activities are defined to result in products or services that meet specifications. • Detects and Corrects Production Errors — Errors in the production process are detected and corrected in a timely manner. • Records System Processing Activities — System processing activities are recorded completely and accurately in a timely manner. • Processes Inputs — Inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities 5
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 8b1f29eb-1b22-4217-5337-9207cb55231e
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
JSON
changes

JSON