last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Monitor missing Endpoint Protection in Azure Security Center

Name Monitor missing Endpoint Protection in Azure Security Center
Azure Portal
Id af6cd1bd-1635-48cb-bde7-5b15693900b9
Version 3.0.0
details on versioning
Category Security Center
Microsoft docs
Description Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC
Role(s)
none
Rule
Aliases
THEN-ExistenceCondition (1)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.Security/assessments/status.code Microsoft.Security assessments properties.status.code false
Rule
ResourceTypes
IF (1)
Microsoft.ClassicCompute/virtualMachines
Compliance The following 62 compliance controls are associated with this Policy definition 'Monitor missing Endpoint Protection in Azure Security Center' (af6cd1bd-1635-48cb-bde7-5b15693900b9)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
AU_ISM 1288 AU_ISM_1288 AU ISM 1288 Guidelines for Gateways - Content filtering Antivirus scanning - 1288 n/a Antivirus scanning, using multiple different scanning engines, is performed on all content. link 3
AU_ISM 1417 AU_ISM_1417 AU ISM 1417 Guidelines for System Hardening - Operating system hardening Antivirus software - 1417 n/a Antivirus software is implemented on workstations and servers and configured with: • signature-based detection enabled and set to a high level • heuristic-based detection enabled and set to a high level • detection signatures checked for currency and updated on at least a daily basis • automatic and regular scanning configured for all fixed disks and removable media. link 3
Azure_Security_Benchmark_v1.0 2.8 Azure_Security_Benchmark_v1.0_2.8 Azure Security Benchmark 2.8 Logging and Monitoring Centralize anti-malware logging Customer Enable antimalware event collection for Azure Virtual Machines and Cloud Services. How to configure Microsoft Antimalware for Virtual Machines: https://docs.microsoft.com/powershell/module/servicemanagement/azure/set-azurevmmicrosoftantimalwareextension?view=azuresmps-4.0.0 How to configure Microsoft Antimalware for Cloud Services: https://docs.microsoft.com/powershell/module/servicemanagement/azure/set-azureserviceantimalwareextension?view=azuresmps-4.0.0 Understand Microsoft Antimalware: https://docs.microsoft.com/azure/security/fundamentals/antimalware n/a link 3
Azure_Security_Benchmark_v1.0 8.1 Azure_Security_Benchmark_v1.0_8.1 Azure Security Benchmark 8.1 Malware Defense Use centrally managed anti-malware software Customer Use Microsoft Antimalware for Azure Cloud Services and Virtual Machines to continuously monitor and defend your resources. For Linux, use third party antimalware solution. How to configure Microsoft Antimalware for Cloud Services and Virtual Machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware n/a link 2
Azure_Security_Benchmark_v2.0 ES-2 Azure_Security_Benchmark_v2.0_ES-2 Azure Security Benchmark ES-2 Endpoint Security Use centrally managed modern anti-malware software Customer Use a centrally managed endpoint anti-malware solution capable of real time and periodic scanning Azure Security Center can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and report the endpoint protection running status and make recommendations. Microsoft Antimalware for Azure Cloud Services is the default anti-malware for Windows virtual machines (VMs). For Linux VMs, use third-party antimalware solution. Also, you can use Azure Security Center's Threat detection for data services to detect malware uploaded to Azure Storage accounts. How to configure Microsoft Antimalware for Cloud Services and Virtual Machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware Supported endpoint protection solutions: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- n/a link 3
Azure_Security_Benchmark_v2.0 ES-3 Azure_Security_Benchmark_v2.0_ES-3 Azure Security Benchmark ES-3 Endpoint Security Ensure anti-malware software and signatures are updated Customer Ensure anti-malware signatures are updated rapidly and consistently. Follow recommendations in Azure Security Center: "Compute & Apps" to ensure all endpoints are up to date with the latest signatures. Microsoft Antimalware will automatically install the latest signatures and engine updates by default. For Linux, use third-party antimalware solution. How to deploy Microsoft Antimalware for Azure Cloud Services and Virtual Machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware Endpoint protection assessment and recommendations in Azure Security Center:https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection n/a link 2
Azure_Security_Benchmark_v3.0 ES-2 Azure_Security_Benchmark_v3.0_ES-2 Azure Security Benchmark ES-2 Endpoint Security Use modern anti-malware software Shared **Security Principle:** Use anti-malware solutions capable of real-time protection and periodic scanning. **Azure Guidance:** Microsoft Defender for Cloud can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and on-premises machines with Azure Arc configured, and report the endpoint protection running status and make recommendations. Microsoft Defender Antivirus is the default anti-malware solution for Windows server 2016 and above. For Windows server 2012 R2, use Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection), and Microsoft Defender for Cloud to discover and assess the health status. For Linux VMs, use Microsoft Defender for Endpoint on Linux. Note: You can also use Microsoft Defender for Cloud's Defender for Storage to detect malware uploaded to Azure Storage accounts. **Implementation and additional context:** Supported endpoint protection solutions: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- How to configure Microsoft Antimalware for Cloud Services and virtual machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware n/a link 5
CCCS SI-3 CCCS_SI-3 CCCS SI-3 System and Information Integrity Malicious Code Protection n/a (A) The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code. (B) The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. (C) The organization configures malicious code protection mechanisms to: (a) Perform periodic scans of the information system at least weekly and real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and (b) Block and quarantine malicious code; send alert to the key role as defined in the system and information integrity policy in response to malicious code detection. (D) The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. link 2
CCCS SI-3(1) CCCS_SI-3(1) CCCS SI-3(1) System and Information Integrity Malicious Code Protection | Central Management n/a The organization centrally manages malicious code protection mechanisms. link 2
CIS_Azure_1.1.0 2.5 CIS_Azure_1.1.0_2.5 CIS Microsoft Azure Foundations Benchmark recommendation 2.5 2 Security Center Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable Endpoint protection recommendations for virtual machines. link 8
CIS_Azure_1.1.0 7.6 CIS_Azure_1.1.0_7.6 CIS Microsoft Azure Foundations Benchmark recommendation 7.6 7 Virtual Machines Ensure that the endpoint protection for all Virtual Machines is installed Shared The customer is responsible for implementing this recommendation. Install endpoint protection for all virtual machines. link 11
CIS_Azure_1.3.0 7.6 CIS_Azure_1.3.0_7.6 CIS Microsoft Azure Foundations Benchmark recommendation 7.6 7 Virtual Machines Ensure that the endpoint protection for all Virtual Machines is installed Shared The customer is responsible for implementing this recommendation. Install endpoint protection for all virtual machines. link 11
CIS_Azure_1.4.0 7.6 CIS_Azure_1.4.0_7.6 CIS Microsoft Azure Foundations Benchmark recommendation 7.6 7 Virtual Machines Ensure that the endpoint protection for all Virtual Machines is installed Shared The customer is responsible for implementing this recommendation. Install endpoint protection for all virtual machines. link 11
CMMC_2.0_L2 SI.L1-3.14.1 CMMC_2.0_L2_SI.L1-3.14.1 404 not found n/a n/a 26
CMMC_2.0_L2 SI.L1-3.14.2 CMMC_2.0_L2_SI.L1-3.14.2 404 not found n/a n/a 14
CMMC_2.0_L2 SI.L1-3.14.4 CMMC_2.0_L2_SI.L1-3.14.4 404 not found n/a n/a 5
CMMC_2.0_L2 SI.L1-3.14.5 CMMC_2.0_L2_SI.L1-3.14.5 404 not found n/a n/a 6
CMMC_2.0_L2 SI.L2-3.14.3 CMMC_2.0_L2_SI.L2-3.14.3 404 not found n/a n/a 13
CMMC_L3 CA.2.158 CMMC_L3_CA.2.158 CMMC L3 CA.2.158 Security Assessment Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating as intended. Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Organizations can choose to use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of systems during the system life cycle. link 10
CMMC_L3 CA.3.161 CMMC_L3_CA.3.161 CMMC L3 CA.3.161 Security Assessment Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. Shared Microsoft and the customer share responsibilities for implementing this requirement. Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions. Automation supports more frequent updates to hardware, software, firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Monitoring requirements, including the need for specific monitoring, may also be referenced in other requirements. link 10
CMMC_L3 IR.2.093 CMMC_L3_IR.2.093 CMMC L3 IR.2.093 Incident Response Detect and report events. Shared Microsoft and the customer share responsibilities for implementing this requirement. The monitoring, identification, and reporting of events are the foundation for incident identification and commence the incident life cycle. Events potentially affect the productivity of organizational assets and, in turn, associated services. These events must be captured and analyzed so that the organization can determine whether an event will become (or has become) an incident that requires organizational action. The extent to which an organization can identify events improves its ability to manage and control incidents and their potential effects. link 19
CMMC_L3 SI.1.211 CMMC_L3_SI.1.211 CMMC L3 SI.1.211 System and Information Integrity Provide protection from malicious code at appropriate locations within organizational information systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Designated locations include system entry and exit points which may include firewalls, remoteaccess servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. link 4
CMMC_L3 SI.1.213 CMMC_L3_SI.1.213 CMMC L3 SI.1.213 System and Information Integrity Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Shared Microsoft and the customer share responsibilities for implementing this requirement. Periodic scans of organizational systems and real-time scans of files from external sources can detect malicious code. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. link 10
FedRAMP_High_R4 SC-3 FedRAMP_High_R4_SC-3 FedRAMP High SC-3 System And Communications Protection Security Function Isolation Shared n/a The information system isolates security functions from nonsecurity functions. Supplemental Guidance: The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception. Related controls: AC- 3, AC-6, SA-4, SA-5, SA-8, SA-13, SC-2, SC-7, SC-39. References: None. link 4
FedRAMP_High_R4 SI-3 FedRAMP_High_R4_SI-3 FedRAMP High SI-3 System And Information Integrity Malicious Code Protection Shared n/a The organization: a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. References: NIST Special Publication 800-83. link 11
FedRAMP_High_R4 SI-3(1) FedRAMP_High_R4_SI-3(1) FedRAMP High SI-3 (1) System And Information Integrity Central Management Shared n/a The organization centrally manages malicious code protection mechanisms. Supplemental Guidance: Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls. Related controls: AU-2, SI-8. link 10
FedRAMP_Moderate_R4 SI-3 FedRAMP_Moderate_R4_SI-3 FedRAMP Moderate SI-3 System And Information Integrity Malicious Code Protection Shared n/a The organization: a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. References: NIST Special Publication 800-83. link 11
FedRAMP_Moderate_R4 SI-3(1) FedRAMP_Moderate_R4_SI-3(1) FedRAMP Moderate SI-3 (1) System And Information Integrity Central Management Shared n/a The organization centrally manages malicious code protection mechanisms. Supplemental Guidance: Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls. Related controls: AU-2, SI-8. link 10
hipaa 0201.09j1Organizational.124-09.j hipaa-0201.09j1Organizational.124-09.j 0201.09j1Organizational.124-09.j 02 Endpoint Protection 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code Shared n/a Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software are addressed via a network-based malware detection (NBMD) solution. 18
IRS_1075_9.3 .17.3 IRS_1075_9.3.17.3 IRS 1075 9.3.17.3 System and Information Integrity Malicious Code Protection (SI-3) n/a Malicious code protection includes antivirus software and antimalware and intrusion detection systems. The agency must: a. Employ malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code b. Update malicious code protection mechanisms whenever new releases are available in accordance with agency configuration management policy and procedures c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the information system weekly and real-time scans of files from external sources at endpoint and network entry/exit points as the files are downloaded, opened, or executed in accordance with agency security policy 2. Either block or quarantine malicious code and send an alert to the administrator in response to malicious code detection d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system e. Centrally manage malicious code protection mechanisms (CE1) The information system must automatically update malicious code protection mechanisms. (CE2) Information system entry and exit points include, for example, firewalls, electronic mail servers, Web servers, proxy servers, remote access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files or hidden in files using steganography. Malicious code can be transported by different means, including, for example, Web accesses, electronic mail, electronic mail attachments, and portable storage devices. link 2
ISO27001-2013 A.12.6.1 ISO27001-2013_A.12.6.1 ISO 27001:2013 A.12.6.1 Operations Security Management of technical vulnerabilities Shared n/a Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. link 13
NIST_SP_800-171_R2_3 .14.1 NIST_SP_800-171_R2_3.14.1 NIST SP 800-171 R2 3.14.1 System and Information Integrity Identify, report, and correct system flaws in a timely manner. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation. [SP 800-40] provides guidance on patch management technologies. link 29
NIST_SP_800-171_R2_3 .14.2 NIST_SP_800-171_R2_3.14.2 NIST SP 800-171 R2 3.14.2 System and Information Integrity Provide protection from malicious code at designated locations within organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Designated locations include system entry and exit points which may include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. [SP 800-83] provides guidance on malware incident prevention. link 21
NIST_SP_800-171_R2_3 .14.3 NIST_SP_800-171_R2_3.14.3 NIST SP 800-171 R2 3.14.3 System and Information Integrity Monitor system security alerts and advisories and take action in response. Shared Microsoft and the customer share responsibilities for implementing this requirement. There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations. [SP 800-161] provides guidance on supply chain risk management. link 16
NIST_SP_800-171_R2_3 .14.4 NIST_SP_800-171_R2_3.14.4 NIST SP 800-171 R2 3.14.4 System and Information Integrity Update malicious code protection mechanisms when new releases are available. Shared Microsoft and the customer share responsibilities for implementing this requirement. Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. link 11
NIST_SP_800-171_R2_3 .14.5 NIST_SP_800-171_R2_3.14.5 NIST SP 800-171 R2 3.14.5 System and Information Integrity Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. Shared Microsoft and the customer share responsibilities for implementing this requirement. Periodic scans of organizational systems and real-time scans of files from external sources can detect malicious code. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. link 6
NIST_SP_800-53_R4 SC-3 NIST_SP_800-53_R4_SC-3 NIST SP 800-53 Rev. 4 SC-3 System And Communications Protection Security Function Isolation Shared n/a The information system isolates security functions from nonsecurity functions. Supplemental Guidance: The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception. Related controls: AC- 3, AC-6, SA-4, SA-5, SA-8, SA-13, SC-2, SC-7, SC-39. References: None. link 4
NIST_SP_800-53_R4 SI-3 NIST_SP_800-53_R4_SI-3 NIST SP 800-53 Rev. 4 SI-3 System And Information Integrity Malicious Code Protection Shared n/a The organization: a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. References: NIST Special Publication 800-83. link 11
NIST_SP_800-53_R4 SI-3(1) NIST_SP_800-53_R4_SI-3(1) NIST SP 800-53 Rev. 4 SI-3 (1) System And Information Integrity Central Management Shared n/a The organization centrally manages malicious code protection mechanisms. Supplemental Guidance: Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls. Related controls: AU-2, SI-8. link 10
NIST_SP_800-53_R5 SC-3 NIST_SP_800-53_R5_SC-3 NIST SP 800-53 Rev. 5 SC-3 System and Communications Protection Security Function Isolation Shared n/a Isolate security functions from nonsecurity functions. link 4
NIST_SP_800-53_R5 SI-3 NIST_SP_800-53_R5_SI-3 NIST SP 800-53 Rev. 5 SI-3 System and Information Integrity Malicious Code Protection Shared n/a a. Implement [Selection (OneOrMore): signature based;non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (OneOrMore): endpoint;network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (OneOrMore): block malicious code;quarantine malicious code;take [Assignment: organization-defined action] ] ; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. link 11
NZ_ISM_v3.5 SS-3 NZ_ISM_v3.5_SS-3 NZISM Security Benchmark SS-3 Software security 14.1.9 Maintaining hardened SOEs Customer n/a Whilst a SOE can be sufficiently hardened when it is deployed, its security will progressively degrade over time. Agencies can address the degradation of the security of a SOE by ensuring that patches are continually applied, system users are not able to disable or bypass security functionality and antivirus and other security software is appropriately maintained with the latest signatures and updates. End Point Agents monitor traffic and apply security policies on applications, storage interfaces and data in real-time. Administrators actively block or monitor and log policy breaches. The End Point Agent can also create forensic monitoring to facilitate incident investigation. End Point Agents can monitor user activity, such as the cut, copy, paste, print, print screen operations and copying data to external drives and other devices. The Agent can then apply policies to limit such activity. link 17
NZISM_Security_Benchmark_v1.1 SS-3 NZISM_Security_Benchmark_v1.1_SS-3 NZISM Security Benchmark SS-3 Software security 14.1.9 Maintaining hardened SOEs Customer Agencies SHOULD ensure that for all servers and workstations: malware detection heuristics are set to a high level; malware pattern signatures are checked for updates on at least a daily basis; malware pattern signatures are updated as soon as possible after vendors make them available; all disks and systems are regularly scanned for malicious code; and the use of End Point Agents is considered. Whilst a SOE can be sufficiently hardened when it is deployed, its security will progressively degrade over time. Agencies can address the degradation of the security of a SOE by ensuring that patches are continually applied, system users are not able to disable or bypass security functionality and antivirus and other security software is appropriately maintained with the latest signatures and updates. End Point Agents monitor traffic and apply security policies on applications, storage interfaces and data in real-time. Administrators actively block or monitor and log policy breaches. The End Point Agent can also create forensic monitoring to facilitate incident investigation. End Point Agents can monitor user activity, such as the cut, copy, paste, print, print screen operations and copying data to external drives and other devices. The Agent can then apply policies to limit such activity. link 13
PCI_DSS_V3.2.1 11.2.1 PCI_DSS_v3.2.1_11.2.1 PCI DSS v3.2.1 11.2.1 Requirement 11 PCI DSS requirement 11.2.1 shared n/a n/a link 5
PCI_DSS_V3.2.1 5.1 PCI_DSS_v3.2.1_5.1 PCI DSS v3.2.1 5.1 Requirement 5 PCI DSS requirement 5.1 shared n/a n/a link 5
PCI_DSS_V3.2.1 6.2 PCI_DSS_v3.2.1_6.2 PCI DSS v3.2.1 6.2 Requirement 6 PCI DSS requirement 6.2 shared n/a n/a link 5
PCI_DSS_V3.2.1 6.6 PCI_DSS_v3.2.1_6.6 PCI DSS v3.2.1 6.6 Requirement 6 PCI DSS requirement 6.6 shared n/a n/a link 5
PCI_DSS_v4.0 11.3.1 PCI_DSS_v4.0_11.3.1 PCI DSS v4.0 11.3.1 Requirement 11: Test Security of Systems and Networks Regularly External and internal vulnerabilities are regularly identified, prioritized, and addressed Shared n/a Internal vulnerability scans are performed as follows: • At least once every three months. • High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved. • Rescans are performed that confirm all high-risk and critical vulnerabilities as noted above) have been resolved. • Scan tool is kept up to date with latest vulnerability information. • Scans are performed by qualified personnel and organizational independence of the tester exists. link 7
PCI_DSS_v4.0 5.2.1 PCI_DSS_v4.0_5.2.1 PCI DSS v4.0 5.2.1 Requirement 05: Protect All Systems and Networks from Malicious Software Malicious software (malware) is prevented, or detected and addressed Shared n/a An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware. link 12
PCI_DSS_v4.0 5.2.2 PCI_DSS_v4.0_5.2.2 PCI DSS v4.0 5.2.2 Requirement 05: Protect All Systems and Networks from Malicious Software Malicious software (malware) is prevented, or detected and addressed Shared n/a The deployed anti-malware solution(s): • Detects all known types of malware. • Removes, blocks, or contains all known types of malware. link 12
PCI_DSS_v4.0 5.2.3 PCI_DSS_v4.0_5.2.3 PCI DSS v4.0 5.2.3 Requirement 05: Protect All Systems and Networks from Malicious Software Malicious software (malware) is prevented, or detected and addressed Shared n/a Any system components that are not at risk for malware are evaluated periodically to include the following: • A documented list of all system components not at risk for malware. • Identification and evaluation of evolving malware threats for those system components. • Confirmation whether such system components continue to not require anti-malware protection. link 12
PCI_DSS_v4.0 6.3.3 PCI_DSS_v4.0_6.3.3 PCI DSS v4.0 6.3.3 Requirement 06: Develop and Maintain Secure Systems and Software Security vulnerabilities are identified and addressed Shared n/a All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: • Critical or high-security patches/updates are identified according to the risk ranking process at Requirement 6.3.1. • Critical or high-security patches/updates are installed within one month of release. • All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity (for example, within three months of release). link 5
PCI_DSS_v4.0 6.4.1 PCI_DSS_v4.0_6.4.1 PCI DSS v4.0 6.4.1 Requirement 06: Develop and Maintain Secure Systems and Software Public-facing web applications are protected against attacks Shared n/a For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows: – At least once every 12 months and after significant changes. – By an entity that specializes in application security. – Including, at a minimum, all common software attacks in Requirement 6.3.6. – All vulnerabilities are ranked in accordance with requirement 6.2.1. – All vulnerabilities are corrected. – The application is re-evaluated after the corrections OR • Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows: – Installed in front of public-facing web applications to detect and prevent webbased attacks. – Actively running and up to date as applicable. – Generating audit logs. – Configured to either block web-based attacks or generate an alert that is immediately investigated. link 7
RBI_CSF_Banks_v2016 13.1 RBI_CSF_Banks_v2016_13.1 Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.1 n/a Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise. 27
RBI_CSF_Banks_v2016 13.2 RBI_CSF_Banks_v2016_13.2 Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.2 n/a Implement Anti-malware, Antivirus protection including behavioural detection systems for all categories of devices ???(Endpoints such as PCs/laptops/ mobile devices etc.), servers (operating systems, databases, applications, etc.), Web/Internet gateways, email-gateways, Wireless networks, SMS servers etc. including tools and processes for centralised management and monitoring. 22
RBI_CSF_Banks_v2016 15.1 RBI_CSF_Banks_v2016_15.1 Data Leak Prevention Strategy Data Leak Prevention Strategy-15.1 n/a Develop a comprehensive data loss/leakage prevention strategy to safeguard sensitive (including confidential)business and customer data/information. 8
RBI_CSF_Banks_v2016 15.3 RBI_CSF_Banks_v2016_15.3 Data Leak Prevention Strategy Data Leak Prevention Strategy-15.3 n/a Similar arrangements need to be ensured at the vendor managed facilities as well. 5
RMiT_v1.0 Appendix_5.7 RMiT_v1.0_Appendix_5.7 RMiT Appendix 5.7 Control Measures on Cybersecurity Control Measures on Cybersecurity - Appendix 5.7 Customer n/a Ensure overall network security controls are implemented including the following: (a) dedicated firewalls at all segments. All external-facing firewalls must be deployed on High Availability (HA) configuration and “fail-close” mode activated. Deploy different brand name/model for two firewalls located in sequence within the same network path; (b) IPS at all critical network segments with the capability to inspect and monitor encrypted network traffic; (c) web and email filtering systems such as web-proxy, spam filter and anti-spoofing controls; (d) endpoint protection solution to detect and remove security threats including viruses and malicious software; (e) solution to mitigate advanced persistent threats including zero-day and signatureless malware; and (f) capture the full network packets to rebuild relevant network sessions to aid forensics in the event of incidents. link 27
SOC_2 CC6.8 SOC_2_CC6.8 SOC 2 Type 2 CC6.8 Logical and Physical Access Controls Prevent or detect against unauthorized or malicious software Shared The customer is responsible for implementing this recommendation. Restricts Application and Software Installation — The ability to install applications and software is restricted to authorized individuals. • Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. • Uses a Defined Change Control Process — A management-defined change control process is used for the implementation of software. • Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. • Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network. 54
SWIFT_CSCF_v2021 6.1 SWIFT_CSCF_v2021_6.1 SWIFT CSCF v2021 6.1 Detect Anomalous Activity to Systems or Transaction Records Malware Protection n/a Ensure that local SWIFT infrastructure is protected against malware. link 4
SWIFT_CSCF_v2022 6.1 SWIFT_CSCF_v2022_6.1 SWIFT CSCF v2022 6.1 6. Detect Anomalous Activity to Systems or Transaction Records Ensure that local SWIFT infrastructure is protected against malware and act upon results. Shared n/a Anti-malware software from a reputable vendor is installed, kept up-to-date on all systems, and results are considered for appropriate resolving actions. link 31
UK_NCSC_CSP 5.2 UK_NCSC_CSP_5.2 UK NCSC CSP 5.2 Operational security Vulnerability management Shared n/a Service providers should have a management processes in place to identify, triage and mitigate vulnerabilities. Services which don’t, will quickly become vulnerable to attack using publicly known methods and tools. link 11
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-01-05 16:06:49 change Major (2.0.0 > 3.0.0)
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077 Regulatory Compliance Preview BuiltIn
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2020 3e0c67fc-8c7c-406c-89bd-6b6bdc986a22 Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn
Azure Security Benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
Canada Federal PBMM 4c4a5f27-de81-430b-b4e5-9cbd50595a87 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
IRS1075 September 2016 105e0327-6175-4eb2-9af4-1fba43bdb39d Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance GA BuiltIn
New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
PCI v3.2.1:2018 496eeda9-8f2f-4d5e-8dfd-204f0a92ed41 Regulatory Compliance GA BuiltIn
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
UK OFFICIAL and UK NHS 3937f550-eedd-4639-9c5e-294358be442e Regulatory Compliance GA BuiltIn
JSON
changes

JSON