Microsoft Managed Control 1170 - Penetration Testing | Regulatory Compliance - Security Assessment and Authorization

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Microsoft Managed Control 1170 - Penetration Testing
Id: 8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12
Version: 1.0.0
Category: Regulatory Compliance
Description: Microsoft implements this Security Assessment and Authorization control
Additional metadata:
Name/Id: ACF1170 / Microsoft Managed Control 1170
Category: Security Assessment and Authorization
Title: Penetration Testing
Ownership: Customer, Microsoft
Description: The organization conducts penetration testing at least annually on all information systems.
Requirements: An independent penetration testing team within Microsoft’s security organization conducts annual unannounced penetration testing (tests may be coordinated with Azure management personnel in order to mitigate risk to the availability of Azure; Azure management personnel do not notify operational/technical personnel in these cases). As part of the rules of engagement, the Third Party Assessment Organization (3PAO) conducts a vulnerability analysis of the information system and penetration testing based on those results, as identified in the Security Assessment Report (SAR). The analysis steps are as follows:
* The 3PAO reviews the Azure system security plan to determine whether the required elements identified in NIST SP 800-18 Revision 1 were properly documented.
* The 3PAO reviews the Azure system security plan and related component documentation to determine whether the security controls meet the minimum security level recommendations provided in NIST SP 800-53 Revision 4.
* The 3PAO reaches a consensus on the level and detail of testing for the system, using assessment test cases and conducting an analysis to determine risk factors and impact.
* The security assessment tests are designed to evaluate the efficacy of the security controls in place, as documented in the system security plan, to ensure that the levels of confidentiality, integrity, and availability are in fact supported by the existing in-place or proposed security measures.
* The 3PAO develops and approves the Security Assessment Plan and employs technical and non-technical measures including, but not limited to, on-site interviews, observations, system testing, and evaluation.
* The results of the assessment activities performed by the 3PAO include a formal report, which includes work papers that support the conclusions of the security assessment report.
* Microsoft provides an exit brief of results prior to report finalization.
Mode: Indexed
Type: Static
Preview: False
Deprecated: False
Effect: Fixed
RBAC role(s): none
Rule aliases: none
