| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| CIS_Azure_1.1.0 |
2.11 |
CIS_Azure_1.1.0_2.11 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.11 |
2 Security Center |
Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" |
Shared |
The customer is responsible for implementing this recommendation. |
Enable storage encryption recommendations. |
link |
4 |
| CIS_Azure_1.1.0 |
2.15 |
CIS_Azure_1.1.0_2.15 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.15 |
2 Security Center |
Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" |
Shared |
The customer is responsible for implementing this recommendation. |
Enable SQL encryption recommendations. |
link |
5 |
| CIS_Azure_1.1.0 |
2.6 |
CIS_Azure_1.1.0_2.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.6 |
2 Security Center |
Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" |
Shared |
The customer is responsible for implementing this recommendation. |
Enable Disk encryption recommendations for virtual machines. |
link |
5 |
| CIS_Azure_1.1.0 |
3.1 |
CIS_Azure_1.1.0_3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.1 |
3 Storage Accounts |
Ensure that 'Secure transfer required' is set to 'Enabled' |
Shared |
The customer is responsible for implementing this recommendation. |
Enable data encryption in transit. |
link |
4 |
| CIS_Azure_1.1.0 |
3.5 |
CIS_Azure_1.1.0_3.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.5 |
3 Storage Accounts |
Ensure that shared access signature tokens are allowed only over https |
Shared |
The customer is responsible for implementing this recommendation. |
Shared access signature tokens should be allowed only over HTTPS protocol. |
link |
3 |
| CIS_Azure_1.1.0 |
4.10 |
CIS_Azure_1.1.0_4.10 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.10 |
4 Database Services |
Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) |
Shared |
The customer is responsible for implementing this recommendation. |
TDE with BYOK support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.
With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with BYOK support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security.
Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (BYOK). |
link |
6 |
| CIS_Azure_1.1.0 |
4.11 |
CIS_Azure_1.1.0_4.11 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.11 |
4 Database Services |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'SSL connection' on 'MYSQL' Servers. |
link |
4 |
| CIS_Azure_1.1.0 |
4.13 |
CIS_Azure_1.1.0_4.13 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.13 |
4 Database Services |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'SSL connection' on 'PostgreSQL' Servers. |
link |
4 |
| CIS_Azure_1.1.0 |
4.9 |
CIS_Azure_1.1.0_4.9 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.9 |
4 Database Services |
Ensure that 'Data encryption' is set to 'On' on a SQL Database |
Shared |
The customer is responsible for implementing this recommendation. |
Enable Transparent Data Encryption on every SQL server. |
link |
5 |
| CIS_Azure_1.1.0 |
7.1 |
CIS_Azure_1.1.0_7.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.1 |
7 Virtual Machines |
Ensure that 'OS disk' are encrypted |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that OS disks (boot volumes) are encrypted, where possible. |
link |
5 |
| CIS_Azure_1.1.0 |
7.2 |
CIS_Azure_1.1.0_7.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.2 |
7 Virtual Machines |
Ensure that 'Data disks' are encrypted |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that data disks (non-boot volumes) are encrypted, where possible. |
link |
5 |
| CIS_Azure_1.1.0 |
7.3 |
CIS_Azure_1.1.0_7.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.3 |
7 Virtual Machines |
Ensure that 'Unattached disks' are encrypted |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that unattached disks in a subscription are encrypted. |
link |
4 |
| CIS_Azure_1.1.0 |
9.2 |
CIS_Azure_1.1.0_9.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.2 |
9 AppService |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
Shared |
The customer is responsible for implementing this recommendation. |
Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default.
Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. |
link |
4 |
| CIS_Azure_1.1.0 |
9.3 |
CIS_Azure_1.1.0_9.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.3 |
9 AppService |
Ensure web app is using the latest version of TLS encryption |
Shared |
The customer is responsible for implementing this recommendation. |
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. |
link |
5 |
| CIS_Azure_1.3.0 |
3.1 |
CIS_Azure_1.3.0_3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.1 |
3 Storage Accounts |
Ensure that 'Secure transfer required' is set to 'Enabled' |
Shared |
The customer is responsible for implementing this recommendation. |
Enable data encryption in transit. |
link |
4 |
| CIS_Azure_1.3.0 |
3.9 |
CIS_Azure_1.3.0_3.9 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.9 |
3 Storage Accounts |
Ensure storage for critical data are encrypted with Customer Managed Key |
Shared |
The customer is responsible for implementing this recommendation. |
Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys |
link |
5 |
| CIS_Azure_1.3.0 |
4.1.2 |
CIS_Azure_1.3.0_4.1.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 |
4 Database Services |
Ensure that 'Data encryption' is set to 'On' on a SQL Database |
Shared |
The customer is responsible for implementing this recommendation. |
Enable Transparent Data Encryption on every SQL server. |
link |
5 |
| CIS_Azure_1.3.0 |
4.3.1 |
CIS_Azure_1.3.0_4.3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 |
4 Database Services |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'SSL connection' on 'PostgreSQL' Servers. |
link |
4 |
| CIS_Azure_1.3.0 |
4.3.2 |
CIS_Azure_1.3.0_4.3.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.2 |
4 Database Services |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'SSL connection' on 'MYSQL' Servers. |
link |
4 |
| CIS_Azure_1.3.0 |
4.5 |
CIS_Azure_1.3.0_4.5 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.5 |
4 Database Services |
Ensure SQL server's TDE protector is encrypted with Customer-managed key |
Shared |
The customer is responsible for implementing this recommendation. |
TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.
With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security.
Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key). |
link |
6 |
| CIS_Azure_1.3.0 |
7.2 |
CIS_Azure_1.3.0_7.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.2 |
7 Virtual Machines |
Ensure that 'OS and Data' disks are encrypted with CMK |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK. |
link |
5 |
| CIS_Azure_1.3.0 |
7.3 |
CIS_Azure_1.3.0_7.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.3 |
7 Virtual Machines |
Ensure that 'Unattached disks' are encrypted with CMK |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). |
link |
4 |
| CIS_Azure_1.3.0 |
7.7 |
CIS_Azure_1.3.0_7.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.7 |
7 Virtual Machines |
Ensure that VHD's are encrypted |
Shared |
The customer is responsible for implementing this recommendation. |
VHD (Virtual Hard Disks) are stored in BLOB storage and are the old style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By Default storage accounts are not encrypted, and Azure Defender(Security Centre) would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK and this should be turned on for storage accounts containing VHD's. |
link |
4 |
| CIS_Azure_1.3.0 |
9.10 |
CIS_Azure_1.3.0_9.10 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.10 |
9 AppService |
Ensure FTP deployments are disabled |
Shared |
The customer is responsible for implementing this recommendation. |
By default, Azure Functions, Web and API Services
can be deployed over FTP. If FTP is required for an
essential deployment workflow, FTPS should be required
for FTP login for all App Service Apps and Functions. |
link |
5 |
| CIS_Azure_1.3.0 |
9.2 |
CIS_Azure_1.3.0_9.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.2 |
9 AppService |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
Shared |
The customer is responsible for implementing this recommendation. |
Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default.
Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. |
link |
4 |
| CIS_Azure_1.3.0 |
9.3 |
CIS_Azure_1.3.0_9.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.3 |
9 AppService |
Ensure web app is using the latest version of TLS encryption |
Shared |
The customer is responsible for implementing this recommendation. |
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. |
link |
5 |
| CIS_Azure_1.4.0 |
3.1 |
CIS_Azure_1.4.0_3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.1 |
3 Storage Accounts |
Ensure that 'Secure transfer required' is set to 'Enabled' |
Shared |
The customer is responsible for implementing this recommendation. |
Enable data encryption in transit. |
link |
4 |
| CIS_Azure_1.4.0 |
3.12 |
CIS_Azure_1.4.0_3.12 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.12 |
3 Storage Accounts |
Ensure the "Minimum TLS version" is set to "Version 1.2" |
Shared |
The customer is responsible for implementing this recommendation. |
Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2. |
link |
3 |
| CIS_Azure_1.4.0 |
3.9 |
CIS_Azure_1.4.0_3.9 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.9 |
3 Storage Accounts |
Ensure Storage for Critical Data are Encrypted with Customer Managed Keys |
Shared |
The customer is responsible for implementing this recommendation. |
Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys |
link |
5 |
| CIS_Azure_1.4.0 |
4.1.2 |
CIS_Azure_1.4.0_4.1.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 |
4 Database Services |
Ensure that 'Data encryption' is set to 'On' on a SQL Database |
Shared |
The customer is responsible for implementing this recommendation. |
Enable Transparent Data Encryption on every SQL server. |
link |
5 |
| CIS_Azure_1.4.0 |
4.3.1 |
CIS_Azure_1.4.0_4.3.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 |
4 Database Services |
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'SSL connection' on 'PostgreSQL' Servers. |
link |
4 |
| CIS_Azure_1.4.0 |
4.3.8 |
CIS_Azure_1.4.0_4.3.8 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8 |
4 Database Services |
Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' |
Shared |
The customer is responsible for implementing this recommendation. |
Enable encryption at rest for PostgreSQL Databases. |
link |
4 |
| CIS_Azure_1.4.0 |
4.4.1 |
CIS_Azure_1.4.0_4.4.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.4.1 |
4 Database Services |
Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Enable 'SSL connection' on 'MYSQL' Servers. |
link |
3 |
| CIS_Azure_1.4.0 |
4.4.2 |
CIS_Azure_1.4.0_4.4.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.4.2 |
4 Database Services |
Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure 'TLS version' on 'MySQL flexible' servers is set to the default value. |
link |
3 |
| CIS_Azure_1.4.0 |
4.6 |
CIS_Azure_1.4.0_4.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.6 |
4 Database Services |
Ensure SQL server's TDE protector is encrypted with Customer-managed key |
Shared |
The customer is responsible for implementing this recommendation. |
TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.
With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security.
Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key). |
link |
6 |
| CIS_Azure_1.4.0 |
7.2 |
CIS_Azure_1.4.0_7.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.2 |
7 Virtual Machines |
Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys).
Customer Managed keys can be either ADE or Server Side Encryption(SSE) |
link |
5 |
| CIS_Azure_1.4.0 |
7.3 |
CIS_Azure_1.4.0_7.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.3 |
7 Virtual Machines |
Ensure that 'Unattached disks' are encrypted with CMK |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). |
link |
4 |
| CIS_Azure_1.4.0 |
7.7 |
CIS_Azure_1.4.0_7.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.7 |
7 Virtual Machines |
Ensure that VHD's are Encrypted |
Shared |
The customer is responsible for implementing this recommendation. |
VHD (Virtual Hard Disks) are stored in BLOB storage and are the old style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By Default storage accounts are not encrypted, and Azure Defender(Security Centre) would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK and this should be turned on for storage accounts containing VHD's. |
link |
4 |
| CIS_Azure_1.4.0 |
9.10 |
CIS_Azure_1.4.0_9.10 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.10 |
9 AppService |
Ensure FTP deployments are Disabled |
Shared |
The customer is responsible for implementing this recommendation. |
By default, Azure Functions, Web and API Services
can be deployed over FTP. If FTP is required for an
essential deployment workflow, FTPS should be required
for FTP login for all App Service Apps and Functions. |
link |
5 |
| CIS_Azure_1.4.0 |
9.2 |
CIS_Azure_1.4.0_9.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.2 |
9 AppService |
Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service |
Shared |
The customer is responsible for implementing this recommendation. |
Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default.
Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. |
link |
4 |
| CIS_Azure_1.4.0 |
9.3 |
CIS_Azure_1.4.0_9.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.3 |
9 AppService |
Ensure Web App is using the latest version of TLS encryption |
Shared |
The customer is responsible for implementing this recommendation. |
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. |
link |
5 |
| FedRAMP_High_R4 |
AC-17(2) |
FedRAMP_High_R4_AC-17(2) |
FedRAMP High AC-17 (2) |
Access Control |
Protection Of Confidentiality / Integrity Using Encryption |
Shared |
n/a |
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
Supplemental Guidance: The encryption strength of mechanism is selected based on the security categorization of the information. Related controls: SC-8, SC-12, SC-13. |
link |
2 |
| FedRAMP_High_R4 |
AC-19(5) |
FedRAMP_High_R4_AC-19(5) |
FedRAMP High AC-19 (5) |
Access Control |
Full Device / Container-Based Encryption |
Shared |
n/a |
The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
Supplemental Guidance: Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28.
References: OMB Memorandum 06-16; NIST Special Publications 800-114, 800-124, 800-164. |
link |
2 |
| FedRAMP_High_R4 |
SC-28(1) |
FedRAMP_High_R4_SC-28(1) |
FedRAMP High SC-28 (1) |
System And Communications Protection |
Cryptographic Protection |
Shared |
n/a |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components].
Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. |
link |
17 |
| FedRAMP_High_R4 |
SC-8 |
FedRAMP_High_R4_SC-8 |
FedRAMP High SC-8 |
System And Communications Protection |
Transmission Confidentiality And Integrity |
Shared |
n/a |
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. |
link |
15 |
| FedRAMP_Moderate_R4 |
AC-17(2) |
FedRAMP_Moderate_R4_AC-17(2) |
FedRAMP Moderate AC-17 (2) |
Access Control |
Protection Of Confidentiality / Integrity Using Encryption |
Shared |
n/a |
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
Supplemental Guidance: The encryption strength of mechanism is selected based on the security categorization of the information. Related controls: SC-8, SC-12, SC-13. |
link |
2 |
| FedRAMP_Moderate_R4 |
AC-19(5) |
FedRAMP_Moderate_R4_AC-19(5) |
FedRAMP Moderate AC-19 (5) |
Access Control |
Full Device / Container-Based Encryption |
Shared |
n/a |
The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
Supplemental Guidance: Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28.
References: OMB Memorandum 06-16; NIST Special Publications 800-114, 800-124, 800-164. |
link |
2 |
| FedRAMP_Moderate_R4 |
SC-28(1) |
FedRAMP_Moderate_R4_SC-28(1) |
FedRAMP Moderate SC-28 (1) |
System And Communications Protection |
Cryptographic Protection |
Shared |
n/a |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components].
Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. |
link |
17 |
| FedRAMP_Moderate_R4 |
SC-8 |
FedRAMP_Moderate_R4_SC-8 |
FedRAMP Moderate SC-8 |
System And Communications Protection |
Transmission Confidentiality And Integrity |
Shared |
n/a |
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. |
link |
15 |
| hipaa |
0227.09k2Organizational.12-09.k |
hipaa-0227.09k2Organizational.12-09.k |
0227.09k2Organizational.12-09.k |
02 Endpoint Protection |
0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
The organization takes specific actions to protect against mobile code performing unauthorized actions. |
|
18 |
| hipaa |
0301.09o1Organizational.123-09.o |
hipaa-0301.09o1Organizational.123-09.o |
0301.09o1Organizational.123-09.o |
03 Portable Media Security |
0301.09o1Organizational.123-09.o 09.07 Media Handling |
Shared |
n/a |
The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media are used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized. |
|
14 |
| hipaa |
0401.01x1System.124579-01.x |
hipaa-0401.01x1System.124579-01.x |
0401.01x1System.124579-01.x |
04 Mobile Device Security |
0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
Mobile computing devices are protected at all times by access controls, usage restrictions, connection requirements, encryption, virus protections, host-based firewalls, or equivalent functionality, secure configurations, and physical protections. |
|
7 |
| hipaa |
0403.01x1System.8-01.x |
hipaa-0403.01x1System.8-01.x |
0403.01x1System.8-01.x |
04 Mobile Device Security |
0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
The organization monitors for unauthorized connections of mobile devices. |
|
7 |
| hipaa |
0410.01x1System.12-01.xMobileComputingandCommunications |
hipaa-0410.01x1System.12-01.xMobileComputingandCommunications |
0410.01x1System.12-01.xMobileComputingandCommunications |
04 Mobile Device Security |
0410.01x1System.12-01.xMobileComputingandCommunications 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
If it is determined that encryption is not reasonable and appropriate, the organization documents its rationale and acceptance of risk. |
|
2 |
| hipaa |
0416.01y3Organizational.4-01.y |
hipaa-0416.01y3Organizational.4-01.y |
0416.01y3Organizational.4-01.y |
04 Mobile Device Security |
0416.01y3Organizational.4-01.y 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
The organization instructs all personnel working from home to implement fundamental security controls and practices; including, but not limited to, passwords, virus protection, personal firewalls, laptop cable locks, recording serial numbers and other identification information about laptops, and disconnecting modems at alternate worksites. |
|
4 |
| hipaa |
0426.01x2System.1-01.x |
hipaa-0426.01x2System.1-01.x |
0426.01x2System.1-01.x |
04 Mobile Device Security |
0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
A centralized, mobile device management solution has been deployed to all mobile devices permitted to store, transmit, or process organizational and/or customer data, enforcing built-in detective and preventative controls. |
|
7 |
| hipaa |
0427.01x2System.2-01.x |
hipaa-0427.01x2System.2-01.x |
0427.01x2System.2-01.x |
04 Mobile Device Security |
0427.01x2System.2-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
The organization ensures that mobile devices connecting to corporate networks, or storing and accessing company information, allow for remote software version/patch validation. |
|
4 |
| hipaa |
0428.01x2System.3-01.x |
hipaa-0428.01x2System.3-01.x |
0428.01x2System.3-01.x |
04 Mobile Device Security |
0428.01x2System.3-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
The organization ensures that mobile devices connecting to corporate networks, or storing and accessing company information, allow for remote wipe. |
|
4 |
| hipaa |
0429.01x1System.14-01.x |
hipaa-0429.01x1System.14-01.x |
0429.01x1System.14-01.x |
04 Mobile Device Security |
0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
The organization prohibits the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting). |
|
7 |
| hipaa |
0810.01n2Organizational.5-01.n |
hipaa-0810.01n2Organizational.5-01.n |
0810.01n2Organizational.5-01.n |
08 Network Protection |
0810.01n2Organizational.5-01.n 01.04 Network Access Control |
Shared |
n/a |
Transmitted information is secured and, at a minimum, encrypted over open, public networks. |
|
17 |
| hipaa |
08101.09m2Organizational.14-09.m |
hipaa-08101.09m2Organizational.14-09.m |
08101.09m2Organizational.14-09.m |
08 Network Protection |
08101.09m2Organizational.14-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization uses secured and encrypted communication channels when migrating physical servers, applications, or data to virtualized servers. |
|
8 |
| hipaa |
0859.09m1Organizational.78-09.m |
hipaa-0859.09m1Organizational.78-09.m |
0859.09m1Organizational.78-09.m |
08 Network Protection |
0859.09m1Organizational.78-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access. |
|
14 |
| hipaa |
0862.09m2Organizational.8-09.m |
hipaa-0862.09m2Organizational.8-09.m |
0862.09m2Organizational.8-09.m |
08 Network Protection |
0862.09m2Organizational.8-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization ensures information systems protect the confidentiality and integrity of transmitted information, including during preparation for transmission and during reception. |
|
4 |
| hipaa |
0901.09s1Organizational.1-09.s |
hipaa-0901.09s1Organizational.1-09.s |
0901.09s1Organizational.1-09.s |
09 Transmission Protection |
0901.09s1Organizational.1-09.s 09.08 Exchange of Information |
Shared |
n/a |
The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. |
|
31 |
| hipaa |
0902.09s2Organizational.13-09.s |
hipaa-0902.09s2Organizational.13-09.s |
0902.09s2Organizational.13-09.s |
09 Transmission Protection |
0902.09s2Organizational.13-09.s 09.08 Exchange of Information |
Shared |
n/a |
Remote (external) access to the organization's information assets and access to external information assets (for which the organization has no control) is based on clearly defined terms and conditions. |
|
14 |
| ISO27001-2013 |
A.11.2.6 |
ISO27001-2013_A.11.2.6 |
ISO 27001:2013 A.11.2.6 |
Physical And Environmental Security |
Security of equipment and assets off-premises |
Shared |
n/a |
Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises. |
link |
10 |
| ISO27001-2013 |
A.13.1.1 |
ISO27001-2013_A.13.1.1 |
ISO 27001:2013 A.13.1.1 |
Communications Security |
Network controls |
Shared |
n/a |
Networks shall be managed and controlled to protect information in systems and applications. |
link |
40 |
| ISO27001-2013 |
A.13.2.1 |
ISO27001-2013_A.13.2.1 |
ISO 27001:2013 A.13.2.1 |
Communications Security |
Information transfer policies and procedures |
Shared |
n/a |
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. |
link |
32 |
| ISO27001-2013 |
A.13.2.3 |
ISO27001-2013_A.13.2.3 |
ISO 27001:2013 A.13.2.3 |
Communications Security |
Electronic messaging |
Shared |
n/a |
Information involved in electronic messaging shall be appropriately protected. |
link |
10 |
| ISO27001-2013 |
A.14.1.2 |
ISO27001-2013_A.14.1.2 |
ISO 27001:2013 A.14.1.2 |
System Acquisition, Development And Maintenance |
Securing application services on public networks |
Shared |
n/a |
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. |
link |
32 |
| ISO27001-2013 |
A.14.1.3 |
ISO27001-2013_A.14.1.3 |
ISO 27001:2013 A.14.1.3 |
System Acquisition, Development And Maintenance |
Protecting application services transactions |
Shared |
n/a |
Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. |
link |
29 |
| ISO27001-2013 |
A.6.2.1 |
ISO27001-2013_A.6.2.1 |
ISO 27001:2013 A.6.2.1 |
Organization of Information Security |
Mobile device policy |
Shared |
n/a |
A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. |
link |
13 |
| ISO27001-2013 |
A.6.2.2 |
ISO27001-2013_A.6.2.2 |
ISO 27001:2013 A.6.2.2 |
Organization of Information Security |
Teleworking |
Shared |
n/a |
A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. |
link |
16 |
| ISO27001-2013 |
A.8.2.3 |
ISO27001-2013_A.8.2.3 |
ISO 27001:2013 A.8.2.3 |
Asset Management |
Handling of assets |
Shared |
n/a |
Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. |
link |
26 |
| NIST_SP_800-171_R2_3 |
.1.13 |
NIST_SP_800-171_R2_3.1.13 |
NIST SP 800-171 R2 3.1.13 |
Access Control |
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. See [NIST CRYPTO]; [NIST CAVP]; [NIST CMVP]; National Security Agency Cryptographic Standards. |
link |
31 |
| NIST_SP_800-171_R2_3 |
.1.19 |
NIST_SP_800-171_R2_3.1.19 |
NIST SP 800-171 R2 3.1.19 |
Access Control |
Encrypt CUI on mobile devices and mobile computing platforms |
Shared |
Microsoft is responsible for implementing this requirement. |
Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information including encrypting selected data structures such as files, records, or fields. See [NIST CRYPTO].
Mobile devices and computing platforms include, for example, smartphones and tablets. |
link |
2 |
| NIST_SP_800-171_R2_3 |
.13.16 |
NIST_SP_800-171_R2_3.13.16 |
NIST SP 800-171 R2 3.13.16 |
System and Communications Protection |
Protect the confidentiality of CUI at rest. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. See [NIST CRYPTO]. |
link |
19 |
| NIST_SP_800-171_R2_3 |
.13.8 |
NIST_SP_800-171_R2_3.13.8 |
NIST SP 800-171 R2 3.13.8 |
System and Communications Protection |
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. See [NIST CRYPTO]. |
link |
16 |
| NIST_SP_800-53_R4 |
AC-17(2) |
NIST_SP_800-53_R4_AC-17(2) |
NIST SP 800-53 Rev. 4 AC-17 (2) |
Access Control |
Protection Of Confidentiality / Integrity Using Encryption |
Shared |
n/a |
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
Supplemental Guidance: The encryption strength of mechanism is selected based on the security categorization of the information. Related controls: SC-8, SC-12, SC-13. |
link |
2 |
| NIST_SP_800-53_R4 |
AC-19(5) |
NIST_SP_800-53_R4_AC-19(5) |
NIST SP 800-53 Rev. 4 AC-19 (5) |
Access Control |
Full Device / Container-Based Encryption |
Shared |
n/a |
The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
Supplemental Guidance: Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28.
References: OMB Memorandum 06-16; NIST Special Publications 800-114, 800-124, 800-164. |
link |
2 |
| NIST_SP_800-53_R4 |
SC-28(1) |
NIST_SP_800-53_R4_SC-28(1) |
NIST SP 800-53 Rev. 4 SC-28 (1) |
System And Communications Protection |
Cryptographic Protection |
Shared |
n/a |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components].
Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. |
link |
17 |
| NIST_SP_800-53_R4 |
SC-8 |
NIST_SP_800-53_R4_SC-8 |
NIST SP 800-53 Rev. 4 SC-8 |
System And Communications Protection |
Transmission Confidentiality And Integrity |
Shared |
n/a |
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. |
link |
15 |
| NIST_SP_800-53_R5 |
AC-17(2) |
NIST_SP_800-53_R5_AC-17(2) |
NIST SP 800-53 Rev. 5 AC-17 (2) |
Access Control |
Protection of Confidentiality and Integrity Using Encryption |
Shared |
n/a |
Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. |
link |
2 |
| NIST_SP_800-53_R5 |
AC-19(5) |
NIST_SP_800-53_R5_AC-19(5) |
NIST SP 800-53 Rev. 5 AC-19 (5) |
Access Control |
Full Device or Container-based Encryption |
Shared |
n/a |
Employ [Selection: full-device encryption;container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. |
link |
2 |
| NIST_SP_800-53_R5 |
SC-28(1) |
NIST_SP_800-53_R5_SC-28(1) |
NIST SP 800-53 Rev. 5 SC-28 (1) |
System and Communications Protection |
Cryptographic Protection |
Shared |
n/a |
Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]. |
link |
17 |
| NIST_SP_800-53_R5 |
SC-8 |
NIST_SP_800-53_R5_SC-8 |
NIST SP 800-53 Rev. 5 SC-8 |
System and Communications Protection |
Transmission Confidentiality and Integrity |
Shared |
n/a |
Protect the [Selection (OneOrMore): confidentiality;integrity] of transmitted information. |
link |
15 |
| PCI_DSS_v4.0 |
3.5.1 |
PCI_DSS_v4.0_3.5.1 |
PCI DSS v4.0 3.5.1 |
Requirement 03: Protect Stored Account Data |
Primary account number (PAN) is secured wherever it is stored |
Shared |
n/a |
PAN is rendered unreadable anywhere it is stored by using any of the following approaches:
• One-way hashes based on strong cryptography of the entire PAN.
• Truncation (hashing cannot be used to replace the truncated segment of PAN).
– If hashed and truncated versions of the same PAN, or different truncation formats of the same PAN, are present in an environment, additional controls are in place such that the different versions cannot be correlated to reconstruct the original PAN.
• Index tokens.
• Strong cryptography with associated keymanagement processes and procedures. |
link |
12 |
| PCI_DSS_v4.0 |
3.5.1.1 |
PCI_DSS_v4.0_3.5.1.1 |
PCI DSS v4.0 3.5.1.1 |
Requirement 03: Protect Stored Account Data |
Primary account number (PAN) is secured wherever it is stored |
Shared |
n/a |
Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7. |
link |
4 |
| PCI_DSS_v4.0 |
3.5.1.2 |
PCI_DSS_v4.0_3.5.1.2 |
PCI DSS v4.0 3.5.1.2 |
Requirement 03: Protect Stored Account Data |
Primary account number (PAN) is secured wherever it is stored |
Shared |
n/a |
If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows:
• On removable electronic media, OR
• If used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets Requirement 3.5.1. |
link |
4 |
| PCI_DSS_v4.0 |
3.5.1.3 |
PCI_DSS_v4.0_3.5.1.3 |
PCI DSS v4.0 3.5.1.3 |
Requirement 03: Protect Stored Account Data |
Primary account number (PAN) is secured wherever it is stored |
Shared |
n/a |
If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable, it is managed as follows:
• Logical access is managed separately and independently of native operating system authentication and access control mechanisms.
• Decryption keys are not associated with user accounts. |
link |
4 |
| PCI_DSS_v4.0 |
4.2.1 |
PCI_DSS_v4.0_4.2.1 |
PCI DSS v4.0 4.2.1 |
Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks |
PAN is protected with strong cryptography during transmission |
Shared |
n/a |
Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks:
• Only trusted keys and certificates are accepted.
• Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details.
• The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.
• The encryption strength is appropriate for the encryption methodology in use. |
link |
12 |
| PCI_DSS_v4.0 |
4.2.2 |
PCI_DSS_v4.0_4.2.2 |
PCI DSS v4.0 4.2.2 |
Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks |
PAN is protected with strong cryptography during transmission |
Shared |
n/a |
PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies. |
link |
3 |
| SOC_2 |
CC6.1 |
SOC_2_CC6.1 |
SOC 2 Type 2 CC6.1 |
Logical and Physical Access Controls |
Logical access security software, infrastructure, and architectures |
Shared |
The customer is responsible for implementing this recommendation. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion:
• Identifies and Manages the Inventory of Information Assets — The entity identifies,
Page 29
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
inventories, classifies, and manages information assets.
• Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative
authorities, mobile devices, output, and offline system components is restricted
through the use of access control software and rule sets.
• Identifies and Authenticates Users — Persons, infrastructure, and software are
identified and authenticated prior to accessing information assets, whether locally
or remotely.
• Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
• Manages Points of Access — Points of access by outside entities and the types of
data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified,
documented, and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
• Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems
accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external
infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point.
Credentials are removed and access is disabled when access is no longer required
or the infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to supplement other
measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
• Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction |
|
80 |
| SOC_2 |
CC6.6 |
SOC_2_CC6.6 |
SOC 2 Type 2 CC6.6 |
Logical and Physical Access Controls |
Security measures against threats outside system boundaries |
Shared |
The customer is responsible for implementing this recommendation. |
• Restricts Access — The types of activities that can occur through a communication
channel (for example, FTP site, router port) are restricted.
• Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries.
• Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its
boundaries.
• Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and
are monitored to detect such attempts |
|
41 |
| SOC_2 |
CC6.7 |
SOC_2_CC6.7 |
SOC 2 Type 2 CC6.7 |
Logical and Physical Access Controls |
Restrict the movement of information to authorized users |
Shared |
The customer is responsible for implementing this recommendation. |
• Restricts the Ability to Perform Transmission — Data loss prevention processes and
technologies are used to restrict ability to authorize and execute transmission,
movement, and removal of information.
• Uses Encryption Technologies or Secure Communication Channels to Protect Data
— Encryption technologies or secured communication channels are used to protect
transmission of data and other communications beyond connectivity access points.
• Protects Removal Media — Encryption technologies and physical asset protections
are used for removable media (such as USB drives and backup tapes), as appropriate.
• Protects Mobile Devices — Processes are in place to protect mobile devices (such
as laptops, smart phones, and tablets) that serve as information assets |
|
30 |
| SWIFT_CSCF_v2022 |
2.1 |
SWIFT_CSCF_v2022_2.1 |
SWIFT CSCF v2022 2.1 |
2. Reduce Attack Surface and Vulnerabilities |
Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. |
Shared |
n/a |
Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. |
link |
36 |
| SWIFT_CSCF_v2022 |
2.4 |
SWIFT_CSCF_v2022_2.4 |
SWIFT CSCF v2022 2.4 |
2. Reduce Attack Surface and Vulnerabilities |
Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to. |
Shared |
n/a |
Confidentiality, integrity, and authentication mechanisms (at system, transport or message level) are implemented to protect data flows between SWIFT infrastructure components and the back-office first hops they connect to. |
link |
7 |
| SWIFT_CSCF_v2022 |
2.5 |
SWIFT_CSCF_v2022_2.5 |
SWIFT CSCF v2022 2.5 |
2. Reduce Attack Surface and Vulnerabilities |
Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. |
Shared |
n/a |
Sensitive SWIFT-related data that leaves the secure zone as a result of operating system/application back-ups, business transaction data replication for archiving or recovery purposes, or extraction for offline processing is protected when stored outside of a secure zone and is encrypted while in transit. |
link |
7 |
| SWIFT_CSCF_v2022 |
2.6 |
SWIFT_CSCF_v2022_2.6 |
SWIFT CSCF v2022 2.6 |
2. Reduce Attack Surface and Vulnerabilities |
Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications |
Shared |
n/a |
The confidentiality and integrity of interactive operator sessions that connect to service provider SWIFT-related applications or into the secure zone are safeguarded. |
link |
17 |
| SWIFT_CSCF_v2022 |
6.2 |
SWIFT_CSCF_v2022_6.2 |
SWIFT CSCF v2022 6.2 |
6. Detect Anomalous Activity to Systems or Transaction Records |
Ensure the software integrity of the SWIFT-related components and act upon results. |
Shared |
n/a |
A software integrity check is performed at regular intervals on messaging interface, communication interface, and other SWIFT-related components and results are considered for appropriate resolving actions. |
link |
6 |