last sync: 2024-Oct-11 17:51:27 UTC

Run simulation attacks | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Run simulation attacks
Id a8f9c283-9a66-3eb3-9e10-bdba95b85884
Version 1.1.0
Versioning Versions supported for Versioning: 1 (1.1.0); Built-in Versioning [Preview]
Category Regulatory Compliance
Description CMA_0486 - Run simulation attacks
Additional metadata Name/Id: CMA_0486 / CMA_0486
Category: Operational
Title: Run simulation attacks
Ownership: Customer
Description: Microsoft recommends that your organization simulate realistic attack scenarios to help identify vulnerabilities before a real attack impacts your bottom line. It is also recommended that your organization form a red team and perform attack simulations manually. Your organization should consider participating in cyber drills conducted by recognized expert computer emergency response/readiness team (CERT) or computer incident response team (CIRT) groups. **How to Use Microsoft Solutions to Implement** Your organization can use the Azure Security Center to plan for attack scenarios. For more information, go to: https://docs.microsoft.com/azure/security-center/security-center-introduction. **Learn More** Azure Threat Detection: https://docs.microsoft.com/azure/security/fundamentals/threat-detection
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default: Manual; Allowed: Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1): Microsoft.Resources/subscriptions
Compliance
The following 33 compliance controls are associated with this Policy definition 'Run simulation attacks' (a8f9c283-9a66-3eb3-9e10-bdba95b85884)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 IR-3 FedRAMP_High_R4_IR-3 FedRAMP High IR-3 Incident Response Incident Response Testing Shared n/a The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results. Supplemental Guidance: Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8. References: NIST Special Publications 800-84, 800-115. link 3
FedRAMP_High_R4 IR-3(2) FedRAMP_High_R4_IR-3(2) FedRAMP High IR-3 (2) Incident Response Coordination With Related Plans Shared n/a The organization coordinates incident response testing with organizational elements responsible for related plans. Supplemental Guidance: Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans. link 3
FedRAMP_High_R4 PE-13(1) FedRAMP_High_R4_PE-13(1) FedRAMP High PE-13 (1) Physical And Environmental Protection Detection Devices / Systems Shared n/a The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. link 3
FedRAMP_Moderate_R4 IR-3 FedRAMP_Moderate_R4_IR-3 FedRAMP Moderate IR-3 Incident Response Incident Response Testing Shared n/a The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results. Supplemental Guidance: Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8. References: NIST Special Publications 800-84, 800-115. link 3
FedRAMP_Moderate_R4 IR-3(2) FedRAMP_Moderate_R4_IR-3(2) FedRAMP Moderate IR-3 (2) Incident Response Coordination With Related Plans Shared n/a The organization coordinates incident response testing with organizational elements responsible for related plans. Supplemental Guidance: Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans. link 3
hipaa 12102.09ab1Organizational.4-09.ab hipaa-12102.09ab1Organizational.4-09.ab 12102.09ab1Organizational.4-09.ab 12 Audit Logging & Monitoring 12102.09ab1Organizational.4-09.ab 09.10 Monitoring Shared n/a The organization periodically tests its monitoring and detection processes, remediates deficiencies, and improves its processes. 7
hipaa 1331.02e3Organizational.4-02.e hipaa-1331.02e3Organizational.4-02.e 1331.02e3Organizational.4-02.e 13 Education, Training and Awareness 1331.02e3Organizational.4-02.e 02.03 During Employment Shared n/a The organization trains workforce members on how to properly respond to perimeter security alarms. 6
hipaa 1505.11a1Organizational.13-11.a hipaa-1505.11a1Organizational.13-11.a 1505.11a1Organizational.13-11.a 15 Incident Management 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a A formal security incident response program has been established to respond, report (without fear of repercussion), escalate and treat breaches and reported security events or incidents. Organization-wide standards are specified for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting includes notifying internal and external stakeholders, the appropriate community Computer Emergency Response Team, and law enforcement agencies in accordance with all legal or regulatory requirements for involving such organizations in computer incidents. 19
hipaa 1509.11a2Organizational.236-11.a hipaa-1509.11a2Organizational.236-11.a 1509.11a2Organizational.236-11.a 15 Incident Management 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a The incident management program formally defines information security incidents and the phases of incident response; roles and responsibilities; incident handling, reporting and communication processes; third-party relationships and the handling of third-party breaches; and the supporting forensics program. The organization formally assigns job titles and duties for handling computer and network security incidents to specific individuals and identifies management personnel who will support the incident handling process by acting in key decision-making roles. 17
hipaa 1510.11a2Organizational.47-11.a hipaa-1510.11a2Organizational.47-11.a 1510.11a2Organizational.47-11.a 15 Incident Management 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a Reports and communications are made without unreasonable delay and no later than 60 days after the discovery of an incident, unless otherwise stated by law enforcement orally or in writing, and include the necessary elements. 11
hipaa 1516.11c1Organizational.12-11.c hipaa-1516.11c1Organizational.12-11.c 1516.11c1Organizational.12-11.c 15 Incident Management 1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a The security incident response program accounts for and prepares the organization for a variety of incidents. 10
hipaa 1520.11c2Organizational.4-11.c hipaa-1520.11c2Organizational.4-11.c 1520.11c2Organizational.4-11.c 15 Incident Management 1520.11c2Organizational.4-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a The incident response plan is communicated to the appropriate individuals throughout the organization. 8
hipaa 1521.11c2Organizational.56-11.c hipaa-1521.11c2Organizational.56-11.c 1521.11c2Organizational.56-11.c 15 Incident Management 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a Testing exercises are planned, coordinated, executed, and documented periodically, at least annually, using reviews, analyses, and simulations to determine incident response effectiveness. Testing includes personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team. 16
hipaa 1560.11d1Organizational.1-11.d hipaa-1560.11d1Organizational.1-11.d 1560.11d1Organizational.1-11.d 15 Incident Management 1560.11d1Organizational.1-11.d 11.02 Management of Information Security Incidents and Improvements Shared n/a The information gained from the evaluation of information security incidents is used to identify recurring or high-impact incidents, and update the incident response and recovery strategy. 8
hipaa 1562.11d2Organizational.2-11.d hipaa-1562.11d2Organizational.2-11.d 1562.11d2Organizational.2-11.d 15 Incident Management 1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements Shared n/a The organization coordinates incident handling activities with contingency planning activities. 12
hipaa 1563.11d2Organizational.3-11.d hipaa-1563.11d2Organizational.3-11.d 1563.11d2Organizational.3-11.d 15 Incident Management 1563.11d2Organizational.3-11.d 11.02 Management of Information Security Incidents and Improvements Shared n/a The organization incorporates lessons learned from ongoing incident handling activities and industry developments into incident response procedures, training and testing exercises, and implements the resulting changes accordingly. 4
hipaa 1589.11c1Organizational.5-11.c hipaa-1589.11c1Organizational.5-11.c 1589.11c1Organizational.5-11.c 15 Incident Management 1589.11c1Organizational.5-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a The organization tests and/or exercises its incident response capability regularly. 4
hipaa 1814.08d1Organizational.12-08.d hipaa-1814.08d1Organizational.12-08.d 1814.08d1Organizational.12-08.d 18 Physical & Environmental Security 1814.08d1Organizational.12-08.d 08.01 Secure Areas Shared n/a Fire extinguishers and detectors are installed according to applicable laws and regulations. 3
hipaa 1815.08d2Organizational.123-08.d hipaa-1815.08d2Organizational.123-08.d 1815.08d2Organizational.123-08.d 18 Physical & Environmental Security 1815.08d2Organizational.123-08.d 08.01 Secure Areas Shared n/a Fire prevention and suppression mechanisms, including workforce training, are provided. 3
hipaa 1818.08d3Organizational.3-08.d hipaa-1818.08d3Organizational.3-08.d 1818.08d3Organizational.3-08.d 18 Physical & Environmental Security 1818.08d3Organizational.3-08.d 08.01 Secure Areas Shared n/a Fire suppression and detection systems are supported by an independent energy source. 3
hipaa 1862.08d1Organizational.3-08.d hipaa-1862.08d1Organizational.3-08.d 1862.08d1Organizational.3-08.d 18 Physical & Environmental Security 1862.08d1Organizational.3-08.d 08.01 Secure Areas Shared n/a Fire authorities are automatically notified when a fire alarm is activated. 2
NIST_SP_800-171_R2 3.6.3 NIST_SP_800-171_R2_3.6.3 NIST SP 800-171 R2 3.6.3 Incident response Test the organizational incident response capability. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, simulations (both parallel and full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. [SP 800-84] provides guidance on testing programs for information technology capabilities. link 3
NIST_SP_800-53_R4 IR-3 NIST_SP_800-53_R4_IR-3 NIST SP 800-53 Rev. 4 IR-3 Incident Response Incident Response Testing Shared n/a The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results. Supplemental Guidance: Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8. References: NIST Special Publications 800-84, 800-115. link 3
NIST_SP_800-53_R4 IR-3(2) NIST_SP_800-53_R4_IR-3(2) NIST SP 800-53 Rev. 4 IR-3 (2) Incident Response Coordination With Related Plans Shared n/a The organization coordinates incident response testing with organizational elements responsible for related plans. Supplemental Guidance: Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans. link 3
NIST_SP_800-53_R4 PE-13(1) NIST_SP_800-53_R4_PE-13(1) NIST SP 800-53 Rev. 4 PE-13 (1) Physical And Environmental Protection Detection Devices / Systems Shared n/a The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. link 3
NIST_SP_800-53_R5 IR-3 NIST_SP_800-53_R5_IR-3 NIST SP 800-53 Rev. 5 IR-3 Incident Response Incident Response Testing Shared n/a Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests]. link 3
NIST_SP_800-53_R5 IR-3(2) NIST_SP_800-53_R5_IR-3(2) NIST SP 800-53 Rev. 5 IR-3 (2) Incident Response Coordination with Related Plans Shared n/a Coordinate incident response testing with organizational elements responsible for related plans. link 3
NIST_SP_800-53_R5 PE-13(1) NIST_SP_800-53_R5_PE-13(1) NIST SP 800-53 Rev. 5 PE-13 (1) Physical and Environmental Protection Detection Systems | Automatic Activation and Notification Shared n/a Employ fire detection systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. link 3
SOC_2 A1.2 SOC_2_A1.2 SOC 2 Type 2 A1.2 Additional Criteria For Availability Environmental protections, software, data back-up processes, and recovery infrastructure Shared The customer is responsible for implementing this recommendation. • Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water. • Designs Detection Measures — Detection measures are implemented to identify anomalies that could result from environmental threat events. • Implements and Maintains Environmental Protection Mechanisms — Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events. • Implements Alerts to Analyze Anomalies — Management implements alerts that are communicated to personnel for analysis to identify environmental threat events. • Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator backup subsystem). • Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary. • Determines Data Requiring Backup — Data is evaluated to determine whether backup is required. • Performs Data Backup — Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur. • Addresses Offsite Storage — Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. • Implements Alternate Processing Infrastructure — Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. 13
SOC_2 CC7.5 SOC_2_CC7.5 SOC 2 Type 2 CC7.5 System Operations Recovery from identified security incidents Shared The customer is responsible for implementing this recommendation. • Restores the Affected Environment — The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed. • Communicates Information About the Event — Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external). • Determines Root Cause of the Event — The root cause of the event is determined. • Implements Changes to Prevent and Detect Recurrences — Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis. • Improves Response and Recovery Procedures — Lessons learned are analyzed and the incident-response plan and recovery procedures are improved. • Implements Incident-Recovery Plan Testing — Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results. 19
SWIFT_CSCF_v2022 11.2 SWIFT_CSCF_v2022_11.2 SWIFT CSCF v2022 11.2 11. Monitor in case of Major Disaster Ensure a consistent and effective approach for the management of incidents (Problem Management). Shared n/a Ensure a consistent and effective approach for the management of incidents (Problem Management). link 20
SWIFT_CSCF_v2022 9.1 SWIFT_CSCF_v2022_9.1 SWIFT CSCF v2022 9.1 9. Ensure Availability through Resilience Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. Shared n/a Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. link 8
SWIFT_CSCF_v2022 9.3 SWIFT_CSCF_v2022_9.3 SWIFT CSCF v2022 9.3 9. Ensure Availability through Resilience Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. Shared n/a Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. link 7
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add a8f9c283-9a66-3eb3-9e10-bdba95b85884