Az Policy Advertizer

Azure_Security_Benchmark_v1.0

1.5

Azure_Security_Benchmark_v1.0_1.5

Azure Security Benchmark 1.5

Network Security

Record network packets and flow logs

Customer

Record NSG flow logs into a storage account to generate flow records. If required for investigating anomalous activity, enable Network Watcher packet capture. How to Enable NSG Flow Logs: https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-portal How to enable Network Watcher: https://docs.microsoft.com/azure/network-watcher/network-watcher-create

n/a

Azure_Security_Benchmark_v2.0

LT-3

Azure_Security_Benchmark_v2.0_LT-3

Azure Security Benchmark LT-3

Logging and Threat Detection

Enable logging for Azure network activities

Customer

Enable and collect network security group (NSG) resource logs, NSG flow logs, Azure Firewall logs, and Web Application Firewall (WAF) logs for security analysis to support incident investigations, threat hunting, and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide insights. Ensure you are collecting DNS query logs to assist in correlating other network data. How to enable network security group flow logs: https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-portal Azure Firewall logs and metrics: https://docs.microsoft.com/azure/firewall/logs-and-metrics How to enable and use Traffic Analytics: https://docs.microsoft.com/azure/network-watcher/traffic-analytics Monitoring with Network Watcher: https://docs.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview Azure networking monitoring solutions in Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics Gather insights about your DNS infrastructure with the DNS Analytics solution: https://docs.microsoft.com/azure/azure-monitor/insights/dns-analytics

n/a

Azure_Security_Benchmark_v3.0

IR-4

Azure_Security_Benchmark_v3.0_IR-4

Microsoft cloud security benchmark IR-4

Incident Response

Detection and analysis - investigate an incident

Shared

**Security Principle:** Ensure security operation team can query and use diverse data sources as they investigate potential incidents, to build a full view of what happened. Diverse logs should be collected to track the activities of a potential attacker across the kill chain to avoid blind spots. You should also ensure insights and learnings are captured for other analysts and for future historical reference. **Azure Guidance:** The data sources for investigation are the centralized logging sources that are already being collected from the in-scope services and running systems, but can also include: - Network data: Use network security groups' flow logs, Azure Network Watcher, and Azure Monitor to capture network flow logs and other analytics information. - Snapshots of running systems: a) Azure virtual machine's snapshot capability, to create a snapshot of the running system's disk. b) The operating system's native memory dump capability, to create a snapshot of the running system's memory. c) The snapshot feature of the Azure services or your software's own capability, to create snapshots of the running systems. Azure Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information during an investigation can be associated with an incident for tracking and reporting purposes. **Implementation and additional context:** Snapshot a Windows machine's disk: https://docs.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk Snapshot a Linux machine's disk: https://docs.microsoft.com/azure/virtual-machines/linux/snapshot-copy-managed-disk Microsoft Azure Support diagnostic information and memory dump collection: https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/ Investigate incidents with Azure Sentinel: https://docs.microsoft.com/azure/sentinel/tutorial-investigate-cases

n/a

CIS_Azure_1.1.0

6.5

CIS_Azure_1.1.0_6.5

CIS Microsoft Azure Foundations Benchmark recommendation 6.5

6 Networking

Ensure that Network Watcher is 'Enabled'

Shared

The customer is responsible for implementing this recommendation.

Enable Network Watcher for Azure subscriptions.

CIS_Azure_1.3.0

6.5

CIS_Azure_1.3.0_6.5

CIS Microsoft Azure Foundations Benchmark recommendation 6.5

6 Networking

Ensure that Network Watcher is 'Enabled'

Shared

The customer is responsible for implementing this recommendation.

Enable Network Watcher for Azure subscriptions.

CIS_Azure_1.4.0

6.5

CIS_Azure_1.4.0_6.5

CIS Microsoft Azure Foundations Benchmark recommendation 6.5

6 Networking

Ensure that Network Watcher is 'Enabled'

Shared

The customer is responsible for implementing this recommendation.

Enable Network Watcher for Azure subscriptions.

CIS_Azure_2.0.0

6.6

CIS_Azure_2.0.0_6.6

CIS Microsoft Azure Foundations Benchmark recommendation 6.6

Ensure that Network Watcher is 'Enabled'

Shared

There are additional costs per transaction to run and store network data. For high-volume networks these charges will add up quickly.

Enable Network Watcher for Azure subscriptions. Network diagnostic and visualization tools available with Network Watcher help users understand, diagnose, and gain insights to the network in Azure.

CIS_Azure_Foundations_v3.0.0

7.6

CIS_Azure_Foundations_v3.0.0_7.6

CIS Azure Foundations v3.0.0 7.6

Ensure that Network Watcher is 'Enabled' for Azure Regions that are In Use

Shared

n/a

Verify that Network Watcher is enabled for all Azure regions in use. This control is crucial for monitoring and diagnosing network issues, providing insights into network performance and security.

AU.L2-3.3.1

CMMC_2.0_L2_AU.L2-3.3.1

404 not found

n/a

AU.L2-3.3.2

CMMC_2.0_L2_AU.L2-3.3.2

404 not found

n/a

SI.L2-3.14.6

CMMC_2.0_L2_SI.L2-3.14.6

404 not found

n/a

SI.L2-3.14.7

CMMC_2.0_L2_SI.L2-3.14.7

404 not found

n/a

AC.2.013

CMMC_L3_AC.2.013

CMMC L3 AC.2.013

Access Control

Monitor and control remote access sessions.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).

SC.1.175

CMMC_L3_SC.1.175

CMMC L3 SC.1.175

System and Communications Protection

Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.

SC.3.183

CMMC_L3_SC.3.183

CMMC L3 SC.3.183

System and Communications Protection

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

SI.2.216

CMMC_L3_SI.2.216

CMMC L3 SI.2.216

System and Information Integrity

Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.

SI.2.217

CMMC_L3_SI.2.217

CMMC L3 SI.2.217

System and Information Integrity

Identify unauthorized use of organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.

EU_GDPR_2016_679_Art._24

EU General Data Protection Regulation (GDPR) 2016/679 Art. 24

Chapter 4 - Controller and processor

Responsibility of the controller

Shared

n/a

306

EU_GDPR_2016_679_Art._25

EU General Data Protection Regulation (GDPR) 2016/679 Art. 25

Chapter 4 - Controller and processor

Data protection by design and by default

Shared

n/a

306

EU_GDPR_2016_679_Art._28

EU General Data Protection Regulation (GDPR) 2016/679 Art. 28

Chapter 4 - Controller and processor

Processor

Shared

n/a

306

EU_GDPR_2016_679_Art._32

EU General Data Protection Regulation (GDPR) 2016/679 Art. 32

Chapter 4 - Controller and processor

Security of processing

Shared

n/a

306

AU-12

FedRAMP_High_R4_AU-12

FedRAMP High AU-12

Audit And Accountability

Audit Generation

Shared

n/a

The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3. Supplemental Guidance: Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7. References: None.

AU-12(1)

FedRAMP_High_R4_AU-12(1)

FedRAMP High AU-12 (1)

Audit And Accountability

System-Wide / Time-Correlated Audit Trail

Shared

n/a

The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time- correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail]. Supplemental Guidance: Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. Related controls: AU-8, AU-12.

AU-6

FedRAMP_High_R4_AU-6

FedRAMP High AU-6

Audit And Accountability

Audit Review, Analysis, And Reporting

Shared

n/a

The organization: a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and b. Reports findings to [Assignment: organization-defined personnel or roles]. Supplemental Guidance: Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7. References: None.

AU-6(4)

FedRAMP_High_R4_AU-6(4)

FedRAMP High AU-6 (4)

Audit And Accountability

Central Review And Analysis

Shared

n/a

The information system provides the capability to centrally review and analyze audit records from multiple components within the system. Supplemental Guidance: Automated mechanisms for centralized reviews and analyses include, for example, Security Information Management products. Related controls: AU-2, AU-12.

AU-6(5)

FedRAMP_High_R4_AU-6(5)

FedRAMP High AU-6 (5)

Audit And Accountability

Integration / Scanning And Monitoring Capabilities

Shared

n/a

The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. Supplemental Guidance: This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Event and Information Management System tools can facilitate audit record aggregation/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations. Related controls: AU-12, IR-4, RA-5.

SI-4

FedRAMP_High_R4_SI-4

FedRAMP High SI-4

System And Information Integrity

Information System Monitoring

Shared

n/a

The organization: a. Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization- defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization- defined techniques and methods]; c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: or ganization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. Supplemental Guidance: Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. References: NIST Special Publications 800-61, 800-83, 800-92, 800-94, 800-137.

FedRAMP_Moderate_R4_AU-12

FedRAMP_Moderate_R4

AU-12

FedRAMP Moderate AU-12

Audit And Accountability

Audit Generation

Shared

n/a

FedRAMP_Moderate_R4

AU-6

FedRAMP_Moderate_R4_AU-6

FedRAMP Moderate AU-6

Audit And Accountability

Audit Review, Analysis, And Reporting

Shared

n/a

FedRAMP_Moderate_R4

SI-4

FedRAMP_Moderate_R4_SI-4

FedRAMP Moderate SI-4

System And Information Integrity

Information System Monitoring

Shared

n/a

hipaa-0837.09.n2Organizational.2-09.n

hipaa

0837.09.n2Organizational.2-09.n

0837.09.n2Organizational.2-09.n

08 Network Protection

0837.09.n2Organizational.2-09.n 09.06 Network Security Management

Shared

n/a

Formal agreements with external information system providers include specific obligations for security and privacy.

hipaa

0886.09n2Organizational.4-09.n

hipaa-0886.09n2Organizational.4-09.n

0886.09n2Organizational.4-09.n

08 Network Protection

0886.09n2Organizational.4-09.n 09.06 Network Security Management

Shared

n/a

The organization employs and documents in a formal agreement or other document—either i) allow-all, deny-by-exception, or ii) deny-all, permit-by-exception (preferred)—policy for allowing specific information systems to connect to external information systems.

hipaa

0888.09n2Organizational.6-09.n

hipaa-0888.09n2Organizational.6-09.n

0888.09n2Organizational.6-09.n

08 Network Protection

0888.09n2Organizational.6-09.n 09.06 Network Security Management

Shared

n/a

The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared.

2.10.1

K_ISMS_P_2018_2.10.1

K ISMS P 2018 2.10.1

2.10

Establish Procedures for Managing the Security of System Operations

Shared

n/a

Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions.

455

2.11.1

K_ISMS_P_2018_2.11.1

K ISMS P 2018 2.11.1

2.11

Establish Procedures for Managing Internal and External Intrusion Attempts

Shared

n/a

Establish procedures for detecting, analyzing, sharing, and effectively responding to internal and external intrusion attempts to prevent personal information leakage. Additionally, implement a framework for collaboration with relevant external agencies and experts.

2.11.3

K_ISMS_P_2018_2.11.3

K ISMS P 2018 2.11.3

2.11

Collect, Monitor, and Analyze Data and Network Traffic

Shared

n/a

Collect, monitor, and analyze data and network traffic to respond to internal or external infringement attempts in a timely manner.

2.11.5

K_ISMS_P_2018_2.11.5

K ISMS P 2018 2.11.5

2.11

Establish Procedures to Respond and Recover from Incidents

Shared

n/a

Establish procedures to respond and recover from incidents in a timely manner, including legal obligations for disclosing information. Additional procedures must be established and implemented to prevent recurrence.

2.9.2a

K_ISMS_P_2018_2.9.2a

K ISMS P 2018 2.9.2a

2.9.2a

Establish Procedures for Information System Failures

Shared

n/a

Establish procedures to detect, record, analyze, report, and respond to information system failures.

2.9.2b

K_ISMS_P_2018_2.9.2b

K ISMS P 2018 2.9.2b

2.9.2b

Monitor Information System Performance and Capacity

Shared

n/a

Monitor the performance and capacity requirements of the information system on a continuous basis to ensure availability.

2.9.4

K_ISMS_P_2018_2.9.4

K ISMS P 2018 2.9.4

2.9

Maintain Logs and Establish Log Management Procedures

Shared

n/a

Maintain log records for servers, applications, security systems, and networks. Define log types, access permissions, retention periods, and storage methods to ensure secure retention and prevent forgery, alteration, theft, and loss.

NIST_SP_800-171_R2_3.14.6

.14.6

NIST SP 800-171 R2 3.14.6

System and Information Integrity

Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

NIST_SP_800-171_R2_3.14.7

.14.7

NIST SP 800-171 R2 3.14.7

System and Information Integrity

Identify unauthorized use of organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

.3.1

NIST_SP_800-171_R2_3.3.1

NIST SP 800-171 R2 3.3.1

Audit and Accountability

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloud-based architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. [SP 800-92] provides guidance on security log management.

.3.2

NIST_SP_800-171_R2_3.3.2

NIST SP 800-171 R2 3.3.2

Audit and Accountability

Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP).

AU-12

NIST_SP_800-53_R4_AU-12

NIST SP 800-53 Rev. 4 AU-12

Audit And Accountability

Audit Generation

Shared

n/a

NIST_SP_800-53_R4_AU-12(1)

AU-12(1)

NIST SP 800-53 Rev. 4 AU-12 (1)

Audit And Accountability

System-Wide / Time-Correlated Audit Trail

Shared

n/a

AU-6

NIST_SP_800-53_R4_AU-6

NIST SP 800-53 Rev. 4 AU-6

Audit And Accountability

Audit Review, Analysis, And Reporting

Shared

n/a

NIST_SP_800-53_R4_AU-6(4)

AU-6(4)

NIST SP 800-53 Rev. 4 AU-6 (4)

Audit And Accountability

Central Review And Analysis

Shared

n/a

NIST_SP_800-53_R4_AU-6(5)

AU-6(5)

NIST SP 800-53 Rev. 4 AU-6 (5)

Audit And Accountability

Integration / Scanning And Monitoring Capabilities

Shared

n/a

SI-4

NIST_SP_800-53_R4_SI-4

NIST SP 800-53 Rev. 4 SI-4

System And Information Integrity

Information System Monitoring

Shared

n/a

AU-12

NIST_SP_800-53_R5_AU-12

NIST SP 800-53 Rev. 5 AU-12

Audit and Accountability

Audit Record Generation

Shared

n/a

a. Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3).

NIST_SP_800-53_R5_AU-12(1)

AU-12(1)

NIST SP 800-53 Rev. 5 AU-12 (1)

Audit and Accountability

System-wide and Time-correlated Audit Trail

Shared

n/a

Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].

AU-6

NIST_SP_800-53_R5_AU-6

NIST SP 800-53 Rev. 5 AU-6

Audit and Accountability

Audit Record Review, Analysis, and Reporting

Shared

n/a

a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

NIST_SP_800-53_R5_AU-6(4)

AU-6(4)

NIST SP 800-53 Rev. 5 AU-6 (4)

Audit and Accountability

Central Review and Analysis

Shared

n/a

Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.

NIST_SP_800-53_R5_AU-6(5)

AU-6(5)

NIST SP 800-53 Rev. 5 AU-6 (5)

Audit and Accountability

Integrated Analysis of Audit Records

Shared

n/a

Integrate analysis of audit records with analysis of [Selection (OneOrMore): vulnerability scanning information;performance data;system monitoring information; [Assignment: organization-defined data/information collected from other sources] ] to further enhance the ability to identify inappropriate or unusual activity.

SI-4

NIST_SP_800-53_R5_SI-4

NIST SP 800-53 Rev. 5 SI-4

System and Information Integrity

System Monitoring

Shared

n/a

a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (OneOrMore): as needed; [Assignment: organization-defined frequency] ] .

RBI_CSF_Banks_v2016

4.9

RBI_CSF_Banks_v2016_4.9

Network Management And Security

Security Operation Centre-4.9

n/a

Security Operation Centre to monitor the logs of various network activities and should have the capability to escalate any abnormal / undesirable activities.

RMiT_v1.0

10.35

RMiT_v1.0_10.35

RMiT 10.35

Network Resilience

Network Resilience - 10.35

Shared

n/a

A financial institution must establish real-time network bandwidth monitoring processes and corresponding network service resilience metrics to flag any over utilisation of bandwidth and system disruptions due to bandwidth congestion and network faults. This includes traffic analysis to detect trends and anomalies.

SOC_2

CC7.4

SOC_2_CC7.4

SOC 2 Type 2 CC7.4

System Operations

Security incidents response

Shared

The customer is responsible for implementing this recommendation.

Assigns Roles and Responsibilities — Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary. • Contains Security Incidents — Procedures are in place to contain security incidents that actively threaten entity objectives. • Mitigates Ongoing Security Incidents — Procedures are in place to mitigate the effects of ongoing security incidents. • Ends Threats Posed by Security Incidents — Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions. • Restores Operations — Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives. • Develops and Implements Communication Protocols for Security Incidents — Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet the entity's objectives. • Obtains Understanding of Nature of Incident and Determines Containment Strategy — An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach. • Remediates Identified Vulnerabilities — Identified vulnerabilities are remediated through the development and execution of remediation activities. • Communicates Remediation Activities — Remediation activities are documented and communicated in accordance with the incident-response program. • Evaluates the Effectiveness of Incident Response — The design of incident-response activities is evaluated for effectiveness on a periodic basis. • Periodically Evaluates Incidents — Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes Communicates Unauthorized Use and Disclosure — Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required. • Application of Sanctions — The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements

SOC_2

CC7.5

SOC_2_CC7.5

SOC 2 Type 2 CC7.5

System Operations

Recovery from identified security incidents

Shared

The customer is responsible for implementing this recommendation.

• Restores the Affected Environment — The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed. • Communicates Information About the Event — Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external). • Determines Root Cause of the Event — The root cause of the event is determined. • Implements Changes to Prevent and Detect Recurrences — Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis. • Improves Response and Recovery Procedures — Lessons learned are analyzed and the incident-response plan and recovery procedures are improved. • Implements Incident-Recovery Plan Testing — Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results

SWIFT_CSCF_v2021

1.1

SWIFT_CSCF_v2021_1.1

SWIFT CSCF v2021 1.1

SWIFT Environment Protection

n/a

Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment.

SWIFT_CSCF_v2021

6.5A

SWIFT_CSCF_v2021_6.5A

SWIFT CSCF v2021 6.5A

Detect Anomalous Activity to Systems or Transaction Records

Intrusion Detection

n/a

Detect and prevent anomalous network activity into and within the local or remote SWIFT environment.

SWIFT_CSCF_v2022

1.1

SWIFT_CSCF_v2022_1.1

SWIFT CSCF v2022 1.1

1. Restrict Internet Access & Protect Critical Systems from General IT Environment

Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment.

Shared

n/a

A separated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments.

SWIFT_CSCF_v2022

1.5A

SWIFT_CSCF_v2022_1.5A

SWIFT CSCF v2022 1.5A

1. Restrict Internet Access & Protect Critical Systems from General IT Environment

Ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment.

Shared

n/a

A separated secure zone safeguards the customer's infrastructure used for external connectivity from external environments and compromises or attacks on the broader enterprise environment.

SWIFT_CSCF_v2022

6.5A

SWIFT_CSCF_v2022_6.5A

SWIFT CSCF v2022 6.5A

6. Detect Anomalous Activity to Systems or Transaction Records

Detect and contain anomalous network activity into and within the local or remote SWIFT environment.

Shared

n/a

Intrusion detection is implemented to detect unauthorised network access and anomalous activity.