last sync: 2023-Jun-09 17:46:13 UTC

Azure Policy definition

Protect special information

Name Protect special information
Azure Portal
Id a315c657-4a00-8eba-15ac-44692ad24423
Version 1.1.0
details on versioning
Category Regulatory Compliance
Microsoft docs
Description CMA_0409 - Protect special information
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
Manual
Allowed
Manual, Disabled
RBAC
Role(s)
none
Rule
Aliases
Rule
ResourceTypes
IF (1)
Microsoft.Resources/subscriptions
Compliance The following 46 compliance controls are associated with this Policy definition 'Protect special information' (a315c657-4a00-8eba-15ac-44692ad24423)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 2.11 CIS_Azure_1.1.0_2.11 CIS Microsoft Azure Foundations Benchmark recommendation 2.11 2 Security Center Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable storage encryption recommendations. link 4
CIS_Azure_1.1.0 2.15 CIS_Azure_1.1.0_2.15 CIS Microsoft Azure Foundations Benchmark recommendation 2.15 2 Security Center Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable SQL encryption recommendations. link 5
CIS_Azure_1.1.0 2.6 CIS_Azure_1.1.0_2.6 CIS Microsoft Azure Foundations Benchmark recommendation 2.6 2 Security Center Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable Disk encryption recommendations for virtual machines. link 5
CIS_Azure_1.1.0 4.10 CIS_Azure_1.1.0_4.10 CIS Microsoft Azure Foundations Benchmark recommendation 4.10 4 Database Services Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) Shared The customer is responsible for implementing this recommendation. TDE with BYOK support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with BYOK support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security. Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (BYOK). link 6
CIS_Azure_1.1.0 4.9 CIS_Azure_1.1.0_4.9 CIS Microsoft Azure Foundations Benchmark recommendation 4.9 4 Database Services Ensure that 'Data encryption' is set to 'On' on a SQL Database Shared The customer is responsible for implementing this recommendation. Enable Transparent Data Encryption on every SQL server. link 5
CIS_Azure_1.1.0 7.1 CIS_Azure_1.1.0_7.1 CIS Microsoft Azure Foundations Benchmark recommendation 7.1 7 Virtual Machines Ensure that 'OS disk' are encrypted Shared The customer is responsible for implementing this recommendation. Ensure that OS disks (boot volumes) are encrypted, where possible. link 5
CIS_Azure_1.1.0 7.2 CIS_Azure_1.1.0_7.2 CIS Microsoft Azure Foundations Benchmark recommendation 7.2 7 Virtual Machines Ensure that 'Data disks' are encrypted Shared The customer is responsible for implementing this recommendation. Ensure that data disks (non-boot volumes) are encrypted, where possible. link 5
CIS_Azure_1.1.0 7.3 CIS_Azure_1.1.0_7.3 CIS Microsoft Azure Foundations Benchmark recommendation 7.3 7 Virtual Machines Ensure that 'Unattached disks' are encrypted Shared The customer is responsible for implementing this recommendation. Ensure that unattached disks in a subscription are encrypted. link 4
CIS_Azure_1.3.0 3.9 CIS_Azure_1.3.0_3.9 CIS Microsoft Azure Foundations Benchmark recommendation 3.9 3 Storage Accounts Ensure storage for critical data are encrypted with Customer Managed Key Shared The customer is responsible for implementing this recommendation. Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys link 5
CIS_Azure_1.3.0 4.1.2 CIS_Azure_1.3.0_4.1.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 4 Database Services Ensure that 'Data encryption' is set to 'On' on a SQL Database Shared The customer is responsible for implementing this recommendation. Enable Transparent Data Encryption on every SQL server. link 5
CIS_Azure_1.3.0 4.5 CIS_Azure_1.3.0_4.5 CIS Microsoft Azure Foundations Benchmark recommendation 4.5 4 Database Services Ensure SQL server's TDE protector is encrypted with Customer-managed key Shared The customer is responsible for implementing this recommendation. TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security. Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key). link 6
CIS_Azure_1.3.0 7.2 CIS_Azure_1.3.0_7.2 CIS Microsoft Azure Foundations Benchmark recommendation 7.2 7 Virtual Machines Ensure that 'OS and Data' disks are encrypted with CMK Shared The customer is responsible for implementing this recommendation. Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK. link 5
CIS_Azure_1.3.0 7.3 CIS_Azure_1.3.0_7.3 CIS Microsoft Azure Foundations Benchmark recommendation 7.3 7 Virtual Machines Ensure that 'Unattached disks' are encrypted with CMK Shared The customer is responsible for implementing this recommendation. Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). link 4
CIS_Azure_1.3.0 7.7 CIS_Azure_1.3.0_7.7 CIS Microsoft Azure Foundations Benchmark recommendation 7.7 7 Virtual Machines Ensure that VHD's are encrypted Shared The customer is responsible for implementing this recommendation. VHD (Virtual Hard Disks) are stored in BLOB storage and are the old style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By Default storage accounts are not encrypted, and Azure Defender(Security Centre) would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK and this should be turned on for storage accounts containing VHD's. link 4
CIS_Azure_1.4.0 3.9 CIS_Azure_1.4.0_3.9 CIS Microsoft Azure Foundations Benchmark recommendation 3.9 3 Storage Accounts Ensure Storage for Critical Data are Encrypted with Customer Managed Keys Shared The customer is responsible for implementing this recommendation. Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys link 5
CIS_Azure_1.4.0 4.1.2 CIS_Azure_1.4.0_4.1.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 4 Database Services Ensure that 'Data encryption' is set to 'On' on a SQL Database Shared The customer is responsible for implementing this recommendation. Enable Transparent Data Encryption on every SQL server. link 5
CIS_Azure_1.4.0 4.3.8 CIS_Azure_1.4.0_4.3.8 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8 4 Database Services Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable encryption at rest for PostgreSQL Databases. link 4
CIS_Azure_1.4.0 4.6 CIS_Azure_1.4.0_4.6 CIS Microsoft Azure Foundations Benchmark recommendation 4.6 4 Database Services Ensure SQL server's TDE protector is encrypted with Customer-managed key Shared The customer is responsible for implementing this recommendation. TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security. Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key). link 6
CIS_Azure_1.4.0 7.2 CIS_Azure_1.4.0_7.2 CIS Microsoft Azure Foundations Benchmark recommendation 7.2 7 Virtual Machines Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) Shared The customer is responsible for implementing this recommendation. Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption(SSE) link 5
CIS_Azure_1.4.0 7.3 CIS_Azure_1.4.0_7.3 CIS Microsoft Azure Foundations Benchmark recommendation 7.3 7 Virtual Machines Ensure that 'Unattached disks' are encrypted with CMK Shared The customer is responsible for implementing this recommendation. Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). link 4
CIS_Azure_1.4.0 7.7 CIS_Azure_1.4.0_7.7 CIS Microsoft Azure Foundations Benchmark recommendation 7.7 7 Virtual Machines Ensure that VHD's are Encrypted Shared The customer is responsible for implementing this recommendation. VHD (Virtual Hard Disks) are stored in BLOB storage and are the old style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By Default storage accounts are not encrypted, and Azure Defender(Security Centre) would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK and this should be turned on for storage accounts containing VHD's. link 4
FedRAMP_High_R4 PS-3(3) FedRAMP_High_R4_PS-3(3) FedRAMP High PS-3 (3) Personnel Security Information With Special Protection Measures Shared n/a The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection: (a) Have valid access authorizations that are demonstrated by assigned official government duties; and (b) Satisfy [Assignment: organization-defined additional personnel screening criteria]. Supplemental Guidance: Organizational information requiring special protection includes, for example, Controlled Unclassified Information (CUI) and Sources and Methods Information (SAMI). Personnel security criteria include, for example, position sensitivity background screening requirements. link 1
FedRAMP_High_R4 SC-28 FedRAMP_High_R4_SC-28 FedRAMP High SC-28 System And Communications Protection Protection Of Information At Rest Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. Supplemental Guidance: This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7. References: NIST Special Publications 800-56, 800-57, 800-111. link 17
FedRAMP_Moderate_R4 PS-3(3) FedRAMP_Moderate_R4_PS-3(3) FedRAMP Moderate PS-3 (3) Personnel Security Information With Special Protection Measures Shared n/a The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection: (a) Have valid access authorizations that are demonstrated by assigned official government duties; and (b) Satisfy [Assignment: organization-defined additional personnel screening criteria]. Supplemental Guidance: Organizational information requiring special protection includes, for example, Controlled Unclassified Information (CUI) and Sources and Methods Information (SAMI). Personnel security criteria include, for example, position sensitivity background screening requirements. link 1
FedRAMP_Moderate_R4 SC-28 FedRAMP_Moderate_R4_SC-28 FedRAMP Moderate SC-28 System And Communications Protection Protection Of Information At Rest Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. Supplemental Guidance: This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7. References: NIST Special Publications 800-56, 800-57, 800-111. link 17
hipaa 0105.02a2Organizational.1-02.a hipaa-0105.02a2Organizational.1-02.a 0105.02a2Organizational.1-02.a 01 Information Protection Program 0105.02a2Organizational.1-02.a 02.01 Prior to Employment Shared n/a Risk designations are assigned for all positions within the organization as appropriate, with commensurate screening criteria, and reviewed/revised every 365 days. 6
hipaa 0106.02a2Organizational.23-02.a hipaa-0106.02a2Organizational.23-02.a 0106.02a2Organizational.23-02.a 01 Information Protection Program 0106.02a2Organizational.23-02.a 02.01 Prior to Employment Shared n/a The pre-employment process is reviewed by recruitment to ensure security roles/responsibilities are specifically defined (in writing) and clearly communicated to job candidates. 4
hipaa 0901.09s1Organizational.1-09.s hipaa-0901.09s1Organizational.1-09.s 0901.09s1Organizational.1-09.s 09 Transmission Protection 0901.09s1Organizational.1-09.s 09.08 Exchange of Information Shared n/a The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. 31
hipaa 0947.09y2Organizational.2-09.y hipaa-0947.09y2Organizational.2-09.y 0947.09y2Organizational.2-09.y 09 Transmission Protection 0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services Shared n/a The organization ensures the storage of the transaction details are located outside of any publicly accessible environments (e.g., on a storage platform existing on the organization's intranet) and not retained and exposed on a storage medium directly accessible from the Internet. 11
hipaa 1008.01d2System.3-01.d hipaa-1008.01d2System.3-01.d 1008.01d2System.3-01.d 10 Password Management 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems Shared n/a Users sign a statement acknowledging their responsibility to keep passwords confidential. 15
hipaa 1132.01v2System.3-01.v hipaa-1132.01v2System.3-01.v 1132.01v2System.3-01.v 11 Access Control 1132.01v2System.3-01.v 01.06 Application and Information Access Control Shared n/a Covered information is encrypted when stored in non-secure areas and, if not encrypted at rest, the organization documents its rationale. 2
hipaa 1134.01v3System.1-01.v hipaa-1134.01v3System.1-01.v 1134.01v3System.1-01.v 11 Access Control 1134.01v3System.1-01.v 01.06 Application and Information Access Control Shared n/a Copy, move, print, and storage of sensitive data are prohibited when accessed remotely without a defined business need. 3
hipaa 1903.06d1Organizational.3456711-06.d hipaa-1903.06d1Organizational.3456711-06.d 1903.06d1Organizational.3456711-06.d 19 Data Protection & Privacy 1903.06d1Organizational.3456711-06.d 06.01 Compliance with Legal Requirements Shared n/a The confidentiality and integrity of covered information at rest is protected using an encryption method appropriate to the medium where it is stored; where the organization chooses not to encrypt covered information, a documented rationale for not doing so is maintained or alternative compensating controls are used if the method is approved and reviewed annually by the CISO. 5
ISO27001-2013 A.8.2.3 ISO27001-2013_A.8.2.3 ISO 27001:2013 A.8.2.3 Asset Management Handling of assets Shared n/a Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. link 26
NIST_SP_800-171_R2_3 .13.16 NIST_SP_800-171_R2_3.13.16 NIST SP 800-171 R2 3.13.16 System and Communications Protection Protect the confidentiality of CUI at rest. Shared Microsoft and the customer share responsibilities for implementing this requirement. Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. See [NIST CRYPTO]. link 19
NIST_SP_800-53_R4 PS-3(3) NIST_SP_800-53_R4_PS-3(3) NIST SP 800-53 Rev. 4 PS-3 (3) Personnel Security Information With Special Protection Measures Shared n/a The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection: (a) Have valid access authorizations that are demonstrated by assigned official government duties; and (b) Satisfy [Assignment: organization-defined additional personnel screening criteria]. Supplemental Guidance: Organizational information requiring special protection includes, for example, Controlled Unclassified Information (CUI) and Sources and Methods Information (SAMI). Personnel security criteria include, for example, position sensitivity background screening requirements. link 1
NIST_SP_800-53_R4 SC-28 NIST_SP_800-53_R4_SC-28 NIST SP 800-53 Rev. 4 SC-28 System And Communications Protection Protection Of Information At Rest Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. Supplemental Guidance: This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7. References: NIST Special Publications 800-56, 800-57, 800-111. link 17
NIST_SP_800-53_R5 PS-3(3) NIST_SP_800-53_R5_PS-3(3) NIST SP 800-53 Rev. 5 PS-3 (3) Personnel Security Information Requiring Special Protective Measures Shared n/a Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection: (a) Have valid access authorizations that are demonstrated by assigned official government duties; and (b) Satisfy [Assignment: organization-defined additional personnel screening criteria]. link 1
NIST_SP_800-53_R5 SC-28 NIST_SP_800-53_R5_SC-28 NIST SP 800-53 Rev. 5 SC-28 System and Communications Protection Protection of Information at Rest Shared n/a Protect the [Selection (OneOrMore): confidentiality;integrity] of the following information at rest: [Assignment: organization-defined information at rest]. link 17
PCI_DSS_v4.0 3.5.1 PCI_DSS_v4.0_3.5.1 PCI DSS v4.0 3.5.1 Requirement 03: Protect Stored Account Data Primary account number (PAN) is secured wherever it is stored Shared n/a PAN is rendered unreadable anywhere it is stored by using any of the following approaches: • One-way hashes based on strong cryptography of the entire PAN. • Truncation (hashing cannot be used to replace the truncated segment of PAN). – If hashed and truncated versions of the same PAN, or different truncation formats of the same PAN, are present in an environment, additional controls are in place such that the different versions cannot be correlated to reconstruct the original PAN. • Index tokens. • Strong cryptography with associated keymanagement processes and procedures. link 12
PCI_DSS_v4.0 3.5.1.1 PCI_DSS_v4.0_3.5.1.1 PCI DSS v4.0 3.5.1.1 Requirement 03: Protect Stored Account Data Primary account number (PAN) is secured wherever it is stored Shared n/a Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7. link 4
PCI_DSS_v4.0 3.5.1.2 PCI_DSS_v4.0_3.5.1.2 PCI DSS v4.0 3.5.1.2 Requirement 03: Protect Stored Account Data Primary account number (PAN) is secured wherever it is stored Shared n/a If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows: • On removable electronic media, OR • If used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets Requirement 3.5.1. link 4
PCI_DSS_v4.0 3.5.1.3 PCI_DSS_v4.0_3.5.1.3 PCI DSS v4.0 3.5.1.3 Requirement 03: Protect Stored Account Data Primary account number (PAN) is secured wherever it is stored Shared n/a If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable, it is managed as follows: • Logical access is managed separately and independently of native operating system authentication and access control mechanisms. • Decryption keys are not associated with user accounts. link 4
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 80
SWIFT_CSCF_v2022 2.1 SWIFT_CSCF_v2022_2.1 SWIFT CSCF v2022 2.1 2. Reduce Attack Surface and Vulnerabilities Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. Shared n/a Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. link 36
SWIFT_CSCF_v2022 5.3A SWIFT_CSCF_v2022_5.3A SWIFT CSCF v2022 5.3A 5. Manage Identities and Segregate Privileges To the extent permitted and practicable, ensure the trustworthiness of staff operating the local SWIFT environment by performing regular staff screening. Shared n/a Staff operating the local SWIFT infrastructure are screened prior to initial appointment in that role and periodically thereafter. link 5
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add a315c657-4a00-8eba-15ac-44692ad24423
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
JSON