last sync: 2024-Dec-05 18:53:22 UTC

Protect passwords with encryption | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Protect passwords with encryption
Id b2d3e5a2-97ab-5497-565a-71172a729d93
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0408 - Protect passwords with encryption
Additional metadata Name/Id: CMA_0408 / CMA_0408
Category: Operational
Title: Protect passwords with encryption
Ownership: Customer
Description: Microsoft recommends that your organization use strong authentication mechanism. Azure AD supports strong authentication controls through multi-factor authentication (MFA) and strong passwordless methods. - Multi-factor authentication: Enable Azure AD MFA and follow Azure Security Center identity and access management recommendations for your MFA setup. MFA can be enforced on all users, select users, or at the per-user level based on sign-in conditions and risk factors. - Passwordless authentication: Three passwordless authentication options are available: Windows Hello for Business, Microsoft Authenticator app, and on-premises authentication methods such as smart cards. For administrator and privileged users, ensure the highest level of the strong authentication method is used, followed by rolling out the appropriate strong authentication policy to other users. If legacy password-based authentication is still used for Azure AD authentication, please be aware that cloud-only accounts (user accounts created directly in Azure) have a default baseline password policy. And hybrid accounts (user accounts that come from on-premises Active Directory) follow the on-premises password policies. When using password-based authentication, Azure AD provides a password protection capability that prevents users from setting passwords that are easy to guess. Microsoft provides a global list of banned passwords that is updated based on telemetry, and customers can augment the list based on their needs (such as branding, cultural references, etc.). This password protection can be used for cloud-only and hybrid accounts. Note: Authentication based on password credentials alone is susceptible to popular attack methods. For higher security, use strong authentication such as MFA and a strong password policy. For third-party applications and marketplace services that may have default passwords, you should change them during initial service setup. How to enable MFA in Azure: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted Introduction to passwordless authentication options for Azure Active Directory: https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless Azure AD default password policy: https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts Eliminate bad passwords using Azure AD Password Protection: https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad Learn more: https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 91 compliance controls are associated with this Policy definition 'Protect passwords with encryption' (b2d3e5a2-97ab-5497-565a-71172a729d93)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 3.1 CIS_Azure_1.1.0_3.1 CIS Microsoft Azure Foundations Benchmark recommendation 3.1 3 Storage Accounts Ensure that 'Secure transfer required' is set to 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable data encryption in transit. link 4
CIS_Azure_1.1.0 3.5 CIS_Azure_1.1.0_3.5 CIS Microsoft Azure Foundations Benchmark recommendation 3.5 3 Storage Accounts Ensure that shared access signature tokens are allowed only over https Shared The customer is responsible for implementing this recommendation. Shared access signature tokens should be allowed only over HTTPS protocol. link 3
CIS_Azure_1.1.0 4.11 CIS_Azure_1.1.0_4.11 CIS Microsoft Azure Foundations Benchmark recommendation 4.11 4 Database Services Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'MYSQL' Servers. link 4
CIS_Azure_1.1.0 4.13 CIS_Azure_1.1.0_4.13 CIS Microsoft Azure Foundations Benchmark recommendation 4.13 4 Database Services Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'PostgreSQL' Servers. link 4
CIS_Azure_1.1.0 9.2 CIS_Azure_1.1.0_9.2 CIS Microsoft Azure Foundations Benchmark recommendation 9.2 9 AppService Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Shared The customer is responsible for implementing this recommendation. Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. link 4
CIS_Azure_1.1.0 9.3 CIS_Azure_1.1.0_9.3 CIS Microsoft Azure Foundations Benchmark recommendation 9.3 9 AppService Ensure web app is using the latest version of TLS encryption Shared The customer is responsible for implementing this recommendation. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. link 5
CIS_Azure_1.3.0 3.1 CIS_Azure_1.3.0_3.1 CIS Microsoft Azure Foundations Benchmark recommendation 3.1 3 Storage Accounts Ensure that 'Secure transfer required' is set to 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable data encryption in transit. link 4
CIS_Azure_1.3.0 4.3.1 CIS_Azure_1.3.0_4.3.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 4 Database Services Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'PostgreSQL' Servers. link 4
CIS_Azure_1.3.0 4.3.2 CIS_Azure_1.3.0_4.3.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.2 4 Database Services Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'MYSQL' Servers. link 4
CIS_Azure_1.3.0 9.10 CIS_Azure_1.3.0_9.10 CIS Microsoft Azure Foundations Benchmark recommendation 9.10 9 AppService Ensure FTP deployments are disabled Shared The customer is responsible for implementing this recommendation. By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions. link 5
CIS_Azure_1.3.0 9.2 CIS_Azure_1.3.0_9.2 CIS Microsoft Azure Foundations Benchmark recommendation 9.2 9 AppService Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Shared The customer is responsible for implementing this recommendation. Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. link 4
CIS_Azure_1.3.0 9.3 CIS_Azure_1.3.0_9.3 CIS Microsoft Azure Foundations Benchmark recommendation 9.3 9 AppService Ensure web app is using the latest version of TLS encryption Shared The customer is responsible for implementing this recommendation. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. link 5
CIS_Azure_1.4.0 3.1 CIS_Azure_1.4.0_3.1 CIS Microsoft Azure Foundations Benchmark recommendation 3.1 3 Storage Accounts Ensure that 'Secure transfer required' is set to 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable data encryption in transit. link 4
CIS_Azure_1.4.0 3.12 CIS_Azure_1.4.0_3.12 CIS Microsoft Azure Foundations Benchmark recommendation 3.12 3 Storage Accounts Ensure the "Minimum TLS version" is set to "Version 1.2" Shared The customer is responsible for implementing this recommendation. Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2. link 3
CIS_Azure_1.4.0 4.3.1 CIS_Azure_1.4.0_4.3.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 4 Database Services Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'PostgreSQL' Servers. link 4
CIS_Azure_1.4.0 4.4.1 CIS_Azure_1.4.0_4.4.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.4.1 4 Database Services Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'MYSQL' Servers. link 3
CIS_Azure_1.4.0 4.4.2 CIS_Azure_1.4.0_4.4.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.4.2 4 Database Services Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server Shared The customer is responsible for implementing this recommendation. Ensure 'TLS version' on 'MySQL flexible' servers is set to the default value. link 3
CIS_Azure_1.4.0 9.10 CIS_Azure_1.4.0_9.10 CIS Microsoft Azure Foundations Benchmark recommendation 9.10 9 AppService Ensure FTP deployments are Disabled Shared The customer is responsible for implementing this recommendation. By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions. link 5
CIS_Azure_1.4.0 9.2 CIS_Azure_1.4.0_9.2 CIS Microsoft Azure Foundations Benchmark recommendation 9.2 9 AppService Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service Shared The customer is responsible for implementing this recommendation. Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. link 4
CIS_Azure_1.4.0 9.3 CIS_Azure_1.4.0_9.3 CIS Microsoft Azure Foundations Benchmark recommendation 9.3 9 AppService Ensure Web App is using the latest version of TLS encryption Shared The customer is responsible for implementing this recommendation. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. link 5
CIS_Azure_2.0.0 3.1 CIS_Azure_2.0.0_3.1 CIS Microsoft Azure Foundations Benchmark recommendation 3.1 3 Ensure that 'Secure transfer required' is set to 'Enabled' Shared n/a Enable data encryption in transit. The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn’t support HTTPS for custom domain names, this option is not applied when using a custom domain name. link 4
CIS_Azure_2.0.0 3.15 CIS_Azure_2.0.0_3.15 CIS Microsoft Azure Foundations Benchmark recommendation 3.15 3 Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" Shared When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail. In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2. TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit. link 4
CIS_Azure_2.0.0 4.3.1 CIS_Azure_2.0.0_4.3.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 4.3 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Shared n/a Enable `SSL connection` on `PostgreSQL` Servers. `SSL connectivity` helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application. link 4
CIS_Azure_2.0.0 4.4.1 CIS_Azure_2.0.0_4.4.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.4.1 4.4 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server Shared n/a Enable `SSL connection` on `MYSQL` Servers. SSL connectivity helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application. link 4
CIS_Azure_2.0.0 4.4.2 CIS_Azure_2.0.0_4.4.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.4.2 4.4 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server Shared n/a Ensure `TLS version` on `MySQL flexible` servers is set to the default value. TLS connectivity helps to provide a new layer of security by connecting database server to client applications using Transport Layer Security (TLS). Enforcing TLS connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application. link 3
CIS_Azure_2.0.0 9.10 CIS_Azure_2.0.0_9.10 CIS Microsoft Azure Foundations Benchmark recommendation 9.10 9 Ensure FTP deployments are Disabled Shared Any deployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected. By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions. Azure FTP deployment endpoints are public. An attacker listening to traffic on a wifi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if User Credentials for deployment are set at the subscription level rather than using the default Application Credentials which are unique per App. link 5
CIS_Azure_2.0.0 9.2 CIS_Azure_2.0.0_9.2 CIS Microsoft Azure Foundations Benchmark recommendation 9.2 9 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service Shared When it is enabled, every incoming HTTP request is redirected to the HTTPS port. This means an extra level of security will be added to the HTTP requests made to the app. Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. Enabling HTTPS-only traffic will redirect all non-secure HTTP requests to HTTPS ports. HTTPS uses the TLS/SSL protocol to provide a secure connection which is both encrypted and authenticated. It is therefore important to support HTTPS for the security benefits. link 4
CIS_Azure_2.0.0 9.3 CIS_Azure_2.0.0_9.3 CIS Microsoft Azure Foundations Benchmark recommendation 9.3 9 Ensure Web App is using the latest version of TLS encryption Shared n/a The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS. App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections. link 5
FedRAMP_High_R4 IA-5(1) FedRAMP_High_R4_IA-5(1) FedRAMP High IA-5 (1) Identification And Authentication Password-Based Authentication Shared n/a The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. link 15
FedRAMP_High_R4 SC-8 FedRAMP_High_R4_SC-8 FedRAMP High SC-8 System And Communications Protection Transmission Confidentiality And Integrity Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4. References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. link 15
FedRAMP_Moderate_R4 IA-5(1) FedRAMP_Moderate_R4_IA-5(1) FedRAMP Moderate IA-5 (1) Identification And Authentication Password-Based Authentication Shared n/a The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. link 15
FedRAMP_Moderate_R4 SC-8 FedRAMP_Moderate_R4_SC-8 FedRAMP Moderate SC-8 System And Communications Protection Transmission Confidentiality And Integrity Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4. References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. link 15
hipaa 0810.01n2Organizational.5-01.n hipaa-0810.01n2Organizational.5-01.n 0810.01n2Organizational.5-01.n 08 Network Protection 0810.01n2Organizational.5-01.n 01.04 Network Access Control Shared n/a Transmitted information is secured and, at a minimum, encrypted over open, public networks. 16
hipaa 08101.09m2Organizational.14-09.m hipaa-08101.09m2Organizational.14-09.m 08101.09m2Organizational.14-09.m 08 Network Protection 08101.09m2Organizational.14-09.m 09.06 Network Security Management Shared n/a The organization uses secured and encrypted communication channels when migrating physical servers, applications, or data to virtualized servers. 8
hipaa 0859.09m1Organizational.78-09.m hipaa-0859.09m1Organizational.78-09.m 0859.09m1Organizational.78-09.m 08 Network Protection 0859.09m1Organizational.78-09.m 09.06 Network Security Management Shared n/a The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access. 13
hipaa 0862.09m2Organizational.8-09.m hipaa-0862.09m2Organizational.8-09.m 0862.09m2Organizational.8-09.m 08 Network Protection 0862.09m2Organizational.8-09.m 09.06 Network Security Management Shared n/a The organization ensures information systems protect the confidentiality and integrity of transmitted information, including during preparation for transmission and during reception. 4
hipaa 0901.09s1Organizational.1-09.s hipaa-0901.09s1Organizational.1-09.s 0901.09s1Organizational.1-09.s 09 Transmission Protection 0901.09s1Organizational.1-09.s 09.08 Exchange of Information Shared n/a The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. 31
hipaa 0903.10f1Organizational.1-10.f hipaa-0903.10f1Organizational.1-10.f 0903.10f1Organizational.1-10.f 09 Transmission Protection 0903.10f1Organizational.1-10.f 10.03 Cryptographic Controls Shared n/a Encryption is used to protect covered information on mobile/removable media and across communication lines based on pre-determined criteria. 3
hipaa 0904.10f2Organizational.1-10.f hipaa-0904.10f2Organizational.1-10.f 0904.10f2Organizational.1-10.f 09 Transmission Protection 0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls Shared n/a Key management is implemented based on specific roles and responsibilities, and in consideration of national and international regulations, restrictions, and issues. 10
hipaa 0913.09s1Organizational.5-09.s hipaa-0913.09s1Organizational.5-09.s 0913.09s1Organizational.5-09.s 09 Transmission Protection 0913.09s1Organizational.5-09.s 09.08 Exchange of Information Shared n/a Strong cryptography protocols are used to safeguard covered information during transmission over less trusted/open public networks. 5
hipaa 0926.09v1Organizational.2-09.v hipaa-0926.09v1Organizational.2-09.v 0926.09v1Organizational.2-09.v 09 Transmission Protection 0926.09v1Organizational.2-09.v 09.08 Exchange of Information Shared n/a Approvals are obtained prior to using external public services, including instant messaging or file sharing. 5
hipaa 0928.09v1Organizational.45-09.v hipaa-0928.09v1Organizational.45-09.v 0928.09v1Organizational.45-09.v 09 Transmission Protection 0928.09v1Organizational.45-09.v 09.08 Exchange of Information Shared n/a Stronger controls are implemented to protect certain electronic messages, and electronic messages are protected throughout the duration of its end-to-end transport path, using cryptographic mechanisms unless protected by alternative measures. 9
hipaa 0929.09v1Organizational.6-09.v hipaa-0929.09v1Organizational.6-09.v 0929.09v1Organizational.6-09.v 09 Transmission Protection 0929.09v1Organizational.6-09.v 09.08 Exchange of Information Shared n/a The organization never sends unencrypted sensitive information by end-user messaging technologies (e.g., email, instant messaging, and chat). 9
hipaa 0943.09y1Organizational.1-09.y hipaa-0943.09y1Organizational.1-09.y 0943.09y1Organizational.1-09.y 09 Transmission Protection 0943.09y1Organizational.1-09.y 09.09 Electronic Commerce Services Shared n/a Data involved in electronic commerce and online transactions is checked to determine if it contains covered information. 4
hipaa 0945.09y1Organizational.3-09.y hipaa-0945.09y1Organizational.3-09.y 0945.09y1Organizational.3-09.y 09 Transmission Protection 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services Shared n/a Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL). 6
hipaa 099.09m2Organizational.11-09.m hipaa-099.09m2Organizational.11-09.m 099.09m2Organizational.11-09.m 09 Transmission Protection 099.09m2Organizational.11-09.m 09.06 Network Security Management Shared n/a The organization uses FIPS-validated cryptographic mechanisms during transmission to prevent unauthorized disclosure of information and detect changes to information unless otherwise protected by organization-defined alternative physical measures. 3
hipaa 1002.01d1System.1-01.d hipaa-1002.01d1System.1-01.d 1002.01d1System.1-01.d 10 Password Management 1002.01d1System.1-01.d 01.02 Authorized Access to Information Systems Shared n/a Passwords are not displayed when entered. 2
hipaa 1004.01d1System.8913-01.d hipaa-1004.01d1System.8913-01.d 1004.01d1System.8913-01.d 10 Password Management 1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems Shared n/a The organization maintains a list of commonly-used, expected, or compromised passwords, and updates the list (i) at least every 180 days and (ii) when organizational passwords are suspected to have been compromised (either directly or indirectly); allows users to select long passwords and passphrases, including spaces and all printable characters; employs automated tools to assist the user in selecting strong passwords and authenticators; and verifies, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords. 8
ISO27001-2013 A.10.1.2 ISO27001-2013_A.10.1.2 ISO 27001:2013 A.10.1.2 Cryptography Key Management Shared n/a A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. link 15
ISO27001-2013 A.13.1.1 ISO27001-2013_A.13.1.1 ISO 27001:2013 A.13.1.1 Communications Security Network controls Shared n/a Networks shall be managed and controlled to protect information in systems and applications. link 40
ISO27001-2013 A.13.2.1 ISO27001-2013_A.13.2.1 ISO 27001:2013 A.13.2.1 Communications Security Information transfer policies and procedures Shared n/a Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. link 32
ISO27001-2013 A.13.2.3 ISO27001-2013_A.13.2.3 ISO 27001:2013 A.13.2.3 Communications Security Electronic messaging Shared n/a Information involved in electronic messaging shall be appropriately protected. link 10
ISO27001-2013 A.14.1.2 ISO27001-2013_A.14.1.2 ISO 27001:2013 A.14.1.2 System Acquisition, Development And Maintenance Securing application services on public networks Shared n/a Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. link 32
ISO27001-2013 A.14.1.3 ISO27001-2013_A.14.1.3 ISO 27001:2013 A.14.1.3 System Acquisition, Development And Maintenance Protecting application services transactions Shared n/a Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. link 29
ISO27001-2013 A.8.2.3 ISO27001-2013_A.8.2.3 ISO 27001:2013 A.8.2.3 Asset Management Handling of assets Shared n/a Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. link 26
ISO27001-2013 A.9.2.4 ISO27001-2013_A.9.2.4 ISO 27001:2013 A.9.2.4 Access Control Management of secret authentication information of users Shared n/a The allocation of secret authentication information shall be controlled through a formal management process. link 21
ISO27001-2013 A.9.3.1 ISO27001-2013_A.9.3.1 ISO 27001:2013 A.9.3.1 Access Control Use of secret authentication information Shared n/a Users shall be required to follow the organization's practices in the use of secret authentication information. link 15
ISO27001-2013 A.9.4.3 ISO27001-2013_A.9.4.3 ISO 27001:2013 A.9.4.3 Access Control Password management system Shared n/a Password management systems shall be interactive and shall ensure quality password. link 22
mp.com.2 Protection of confidentiality mp.com.2 Protection of confidentiality 404 not found n/a n/a 55
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity 404 not found n/a n/a 62
mp.com.4 Separation of information flows on the network mp.com.4 Separation of information flows on the network 404 not found n/a n/a 51
mp.info.2 Rating of information mp.info.2 Rating of information 404 not found n/a n/a 45
mp.info.3 Electronic signature mp.info.3 Electronic signature 404 not found n/a n/a 40
mp.info.4 Time stamps mp.info.4 Time stamps 404 not found n/a n/a 33
mp.s.1 E-mail protection mp.s.1 E-mail protection 404 not found n/a n/a 48
NIST_SP_800-171_R2_3 .13.8 NIST_SP_800-171_R2_3.13.8 NIST SP 800-171 R2 3.13.8 System and Communications Protection Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. See [NIST CRYPTO]. link 16
NIST_SP_800-171_R2_3 .5.10 NIST_SP_800-171_R2_3.5.10 NIST SP 800-171 R2 3.5.10 Identification and Authentication Store and transmit only cryptographically-protected passwords. Shared Microsoft and the customer share responsibilities for implementing this requirement. Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. See [NIST CRYPTO]. link 9
NIST_SP_800-53_R4 IA-5(1) NIST_SP_800-53_R4_IA-5(1) NIST SP 800-53 Rev. 4 IA-5 (1) Identification And Authentication Password-Based Authentication Shared n/a The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. link 15
NIST_SP_800-53_R4 SC-8 NIST_SP_800-53_R4_SC-8 NIST SP 800-53 Rev. 4 SC-8 System And Communications Protection Transmission Confidentiality And Integrity Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4. References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. link 15
NIST_SP_800-53_R5 IA-5(1) NIST_SP_800-53_R5_IA-5(1) NIST SP 800-53 Rev. 5 IA-5 (1) Identification and Authentication Password-based Authentication Shared n/a For password-based authentication: (a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly; (b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); (c) Transmit passwords only over cryptographically-protected channels; (d) Store passwords using an approved salted key derivation function, preferably using a keyed hash; (e) Require immediate selection of a new password upon account recovery; (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters; (g) Employ automated tools to assist the user in selecting strong password authenticators; and (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. link 15
NIST_SP_800-53_R5 SC-8 NIST_SP_800-53_R5_SC-8 NIST SP 800-53 Rev. 5 SC-8 System and Communications Protection Transmission Confidentiality and Integrity Shared n/a Protect the [Selection (OneOrMore): confidentiality;integrity] of transmitted information. link 15
op.acc.1 Identification op.acc.1 Identification 404 not found n/a n/a 66
op.acc.2 Access requirements op.acc.2 Access requirements 404 not found n/a n/a 64
op.acc.5 Authentication mechanism (external users) op.acc.5 Authentication mechanism (external users) 404 not found n/a n/a 72
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
op.exp.10 Cryptographic key protection op.exp.10 Cryptographic key protection 404 not found n/a n/a 53
op.ext.4 Interconnection of systems op.ext.4 Interconnection of systems 404 not found n/a n/a 68
op.mon.1 Intrusion detection op.mon.1 Intrusion detection 404 not found n/a n/a 50
op.pl.2 Security Architecture op.pl.2 Security Architecture 404 not found n/a n/a 65
op.pl.3 Acquisition of new components op.pl.3 Acquisition of new components 404 not found n/a n/a 61
PCI_DSS_v4.0 4.2.1 PCI_DSS_v4.0_4.2.1 PCI DSS v4.0 4.2.1 Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks PAN is protected with strong cryptography during transmission Shared n/a Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: • Only trusted keys and certificates are accepted. • Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details. • The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations. • The encryption strength is appropriate for the encryption methodology in use. link 12
PCI_DSS_v4.0 4.2.2 PCI_DSS_v4.0_4.2.2 PCI DSS v4.0 4.2.2 Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks PAN is protected with strong cryptography during transmission Shared n/a PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies. link 3
PCI_DSS_v4.0 8.3.2 PCI_DSS_v4.0_8.3.2 PCI DSS v4.0 8.3.2 Requirement 08: Identify Users and Authenticate Access to System Components Strong authentication for users and administrators is established and managed Shared n/a Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components. link 2
SOC_2 CC6.7 SOC_2_CC6.7 SOC 2 Type 2 CC6.7 Logical and Physical Access Controls Restrict the movement of information to authorized users Shared The customer is responsible for implementing this recommendation. • Restricts the Ability to Perform Transmission — Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement, and removal of information. • Uses Encryption Technologies or Secure Communication Channels to Protect Data — Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. • Protects Removal Media — Encryption technologies and physical asset protections are used for removable media (such as USB drives and backup tapes), as appropriate. • Protects Mobile Devices — Processes are in place to protect mobile devices (such as laptops, smart phones, and tablets) that serve as information assets 29
SWIFT_CSCF_v2022 2.1 SWIFT_CSCF_v2022_2.1 SWIFT CSCF v2022 2.1 2. Reduce Attack Surface and Vulnerabilities Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. Shared n/a Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. link 36
SWIFT_CSCF_v2022 2.4 SWIFT_CSCF_v2022_2.4 SWIFT CSCF v2022 2.4 2. Reduce Attack Surface and Vulnerabilities Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to. Shared n/a Confidentiality, integrity, and authentication mechanisms (at system, transport or message level) are implemented to protect data flows between SWIFT infrastructure components and the back-office first hops they connect to. link 7
SWIFT_CSCF_v2022 2.5 SWIFT_CSCF_v2022_2.5 SWIFT CSCF v2022 2.5 2. Reduce Attack Surface and Vulnerabilities Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. Shared n/a Sensitive SWIFT-related data that leaves the secure zone as a result of operating system/application back-ups, business transaction data replication for archiving or recovery purposes, or extraction for offline processing is protected when stored outside of a secure zone and is encrypted while in transit. link 7
SWIFT_CSCF_v2022 2.6 SWIFT_CSCF_v2022_2.6 SWIFT CSCF v2022 2.6 2. Reduce Attack Surface and Vulnerabilities Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications Shared n/a The confidentiality and integrity of interactive operator sessions that connect to service provider SWIFT-related applications or into the secure zone are safeguarded. link 17
SWIFT_CSCF_v2022 4.1 SWIFT_CSCF_v2022_4.1 SWIFT CSCF v2022 4.1 4. Prevent Compromise of Credentials Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. Shared n/a All application and operating system accounts enforce passwords with appropriate parameters such as length, complexity, validity, and the number of failed login attempts. Similarly, personal tokens and mobile devices enforce passwords or a Personal Identification Number (PIN) with appropriate parameters. link 17
SWIFT_CSCF_v2022 5.4 SWIFT_CSCF_v2022_5.4 SWIFT CSCF v2022 5.4 5. Manage Identities and Segregate Privileges Protect physically and logically the repository of recorded passwords. Shared n/a Recorded passwords are stored in a protected physical or logical location, with access restricted on a need-to-know basis. link 6
SWIFT_CSCF_v2022 6.2 SWIFT_CSCF_v2022_6.2 SWIFT CSCF v2022 6.2 6. Detect Anomalous Activity to Systems or Transaction Records Ensure the software integrity of the SWIFT-related components and act upon results. Shared n/a A software integrity check is performed at regular intervals on messaging interface, communication interface, and other SWIFT-related components and results are considered for appropriate resolving actions. link 6
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add b2d3e5a2-97ab-5497-565a-71172a729d93
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC