| Source | Azure Portal | ||
| Display name | Microsoft Managed Control 1170 - Penetration Testing | ||
| Id | 8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12 | ||
| Version | 1.0.0 Details on versioning |
||
| Category | Regulatory Compliance Microsoft Learn |
||
| Description | Microsoft implements this Security Assessment and Authorization control | ||
| Additional metadata |
Name/Id: ACF1170 / Microsoft Managed Control 1170 Category: Security Assessment and Authorization Title: Penetration Testing Ownership: Customer, Microsoft Description: The organization conducts penetration testing at least annually on all information systems. Requirements: An independent penetration testing team within Microsoft’s security organization conducts annual unannounced penetration testing (tests may be coordinated with Azure management personnel in order to mitigate risk to the availability of Azure; Azure management personnel do not notify operational/technical personnel in these cases). As part of the rules of engagement, the Third Party Assessment Organization (3PAO) conducts a vulnerability analysis of the information system and penetration testing based on those results, as identified in the Security Assessment Report (SAR). The analysis steps are as follows: * The Third Party Assessment Organization (3PAO)reviews the Azure system security plan to determine if the required elements as identified in NIST SP 800-18 Revision 1 were properly documented. * The Third Party Assessment Organization (3PAO)reviews the Azure system security plan and related component documentation in order to determine if the security controls meet minimum security level recommendations as provided in NIST SP 800-53 Revision 4. * The Third Party Assessment Organization (3PAO) reaches a consensus to perform the level and detail of testing for the system using assessment test cases and conducting an analysis to determine risk factors and impact. * The security assessment tests are designed to evaluate the efficacy of the security controls in place as documented in the system security plan to ensure that the levels of confidentiality, integrity, and availability are in fact supported by the existing in-place or proposed security measures or efforts. * The Third Party Assessment Organization (3PAO) develops and approves the Security Assessment Plan, and employs technical and non-technical measures to include, but not limited to, on-site interviews, observations, system testing, and evaluation. * The results of the assessment activities performed by the Third Party Assessment Organization (3PAO) include a formal report, which includes work papers that support the conclusions of the security assessment report. * Microsoft provides an exit brief of results, prior to report finalization. |
||
| Mode | Indexed | ||
| Type | Static | ||
| Preview | False | ||
| Deprecated | False | ||
| Effect | Fixed audit |
||
| RBAC role(s) | none | ||
| Rule aliases | none | ||
| Rule resource types | IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups |
||
| Compliance | Not a Compliance control | ||
| Initiatives usage | none | ||
| History | none | ||
| JSON compare | n/a | ||
| JSON |
|