last sync: 2024-May-27 19:38:21 UTC

Microsoft Managed Control 1199 - Configuration Change Control | Cryptography Management | Regulatory Compliance - Configuration Management

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1199 - Configuration Change Control | Cryptography Management
Id a9a08d1c-09b1-48f1-90ea-029bbdf7111e
Version 1.0.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this Configuration Management control
Additional metadata Name/Id: ACF1199 / Microsoft Managed Control 1199
Category: Configuration Management
Title: Configuration Change Control | Cryptography Management
Ownership: Customer, Microsoft
Description: The organization ensures that cryptographic mechanisms used to provide all security safeguards that rely on cryptography are under configuration management.
Requirements: Azure Security manages cryptographic secrets on behalf of service teams using an approved secret management store, either Azure Key Vault or dSMS. Microsoft uses the stores to implement cryptographic mechanisms, including to administer and store both group and shared account credentials, as well as to obtain and renew certificates. Cryptography changes follow the standard security review process. Cryptographic changes not expressly allowed by established baselines - e.g. when an Azure team requests a non-standard change to configuration settings - are not allowed to be made to the Azure current configuration without a completed review. The security review process is run by security representatives in C+AI Security. Changes made to cryptography are not implemented unless approved via the security review process including approval by Crypto Board. Azure Security controls the configuration of the stores using the Cryptographic Controls SOP, with which the stores are required to comply. For instance, when Microsoft deprecates formerly-approved cryptographic algorithms or key lengths through the change management process, the secret management stores are able to check the inventory of all existing secrets to identify any that rely on the newly-deprecated mechanism.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a
JSON
api-version=2021-06-01
EPAC