last sync: 2024-Oct-04 17:51:30 UTC

Define cryptographic use | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Define cryptographic use
Id c4ccd607-702b-8ae6-8eeb-fc3339cd4b42
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0120 - Define cryptographic use
Additional metadata Name/Id: CMA_0120 / CMA_0120
Category: Documentation
Title: Define cryptographic use
Ownership: Customer
Description: Microsoft recommends that your organization define cryptographic uses and implement the appropriate type of cryptography required for each use in accordance with applicable laws, Executive Orders, directives, policies, regulations, and standards. Your organization should consider creating and maintaining System and Communications Protection policies and standard operating procedures that define the uses for cryptography and the type of cryptography required for each use.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 75 compliance controls are associated with this Policy definition 'Define cryptographic use' (c4ccd607-702b-8ae6-8eeb-fc3339cd4b42)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 3.2 CIS_Azure_1.1.0_3.2 CIS Microsoft Azure Foundations Benchmark recommendation 3.2 3 Storage Accounts Ensure that storage account access keys are periodically regenerated Shared The customer is responsible for implementing this recommendation. Regenerate storage account access keys periodically. link 7
CIS_Azure_1.1.0 8.1 CIS_Azure_1.1.0_8.1 CIS Microsoft Azure Foundations Benchmark recommendation 8.1 8 Other Security Considerations Ensure that the expiration date is set on all keys Shared The customer is responsible for implementing this recommendation. Ensure that all keys in Azure Key Vault have an expiration time set. link 8
CIS_Azure_1.1.0 8.2 CIS_Azure_1.1.0_8.2 CIS Microsoft Azure Foundations Benchmark recommendation 8.2 8 Other Security Considerations Ensure that the expiration date is set on all Secrets Shared The customer is responsible for implementing this recommendation. Ensure that all Secrets in the Azure Key Vault have an expiration time set. link 8
CIS_Azure_1.3.0 3.2 CIS_Azure_1.3.0_3.2 CIS Microsoft Azure Foundations Benchmark recommendation 3.2 3 Storage Accounts Ensure that storage account access keys are periodically regenerated Shared The customer is responsible for implementing this recommendation. Regenerate storage account access keys periodically. link 7
CIS_Azure_1.3.0 8.1 CIS_Azure_1.3.0_8.1 CIS Microsoft Azure Foundations Benchmark recommendation 8.1 8 Other Security Considerations Ensure that the expiration date is set on all keys Shared The customer is responsible for implementing this recommendation. Ensure that all keys in Azure Key Vault have an expiration time set. link 8
CIS_Azure_1.3.0 8.2 CIS_Azure_1.3.0_8.2 CIS Microsoft Azure Foundations Benchmark recommendation 8.2 8 Other Security Considerations Ensure that the expiration date is set on all Secrets Shared The customer is responsible for implementing this recommendation. Ensure that all Secrets in the Azure Key Vault have an expiration time set. link 8
CIS_Azure_1.3.0 9.11 CIS_Azure_1.3.0_9.11 CIS Microsoft Azure Foundations Benchmark recommendation 9.11 9 AppService Ensure Azure Keyvaults are used to store secrets Shared The customer is responsible for implementing this recommendation. Encryption keys ,Certificate thumbprints and Managed Identity Credentials can be coded into the APP service, this renders them visible as part of the configuration, to maintain security of these keys it is better to store in an Azure Keyvault and reference them from the Keyvault. link 9
CIS_Azure_1.4.0 3.2 CIS_Azure_1.4.0_3.2 CIS Microsoft Azure Foundations Benchmark recommendation 3.2 3 Storage Accounts Ensure That Storage Account Access Keys are Periodically Regenerated Shared The customer is responsible for implementing this recommendation. Regenerate storage account access keys periodically. link 7
CIS_Azure_1.4.0 8.1 CIS_Azure_1.4.0_8.1 CIS Microsoft Azure Foundations Benchmark recommendation 8.1 8 Other Security Considerations Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults Shared The customer is responsible for implementing this recommendation. Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. link 8
CIS_Azure_1.4.0 8.2 CIS_Azure_1.4.0_8.2 CIS Microsoft Azure Foundations Benchmark recommendation 8.2 8 Other Security Considerations Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. Shared The customer is responsible for implementing this recommendation. Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. link 8
CIS_Azure_1.4.0 8.3 CIS_Azure_1.4.0_8.3 CIS Microsoft Azure Foundations Benchmark recommendation 8.3 8 Other Security Considerations Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults Shared The customer is responsible for implementing this recommendation. Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. link 8
CIS_Azure_1.4.0 8.4 CIS_Azure_1.4.0_8.4 CIS Microsoft Azure Foundations Benchmark recommendation 8.4 8 Other Security Considerations Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults Shared The customer is responsible for implementing this recommendation. Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. link 8
CIS_Azure_1.4.0 9.11 CIS_Azure_1.4.0_9.11 CIS Microsoft Azure Foundations Benchmark recommendation 9.11 9 AppService Ensure Azure Keyvaults are Used to Store Secrets Shared The customer is responsible for implementing this recommendation. Encryption keys ,Certificate thumbprints and Managed Identity Credentials can be coded into the APP service, this renders them visible as part of the configuration, to maintain security of these keys it is better to store in an Azure Keyvault and reference them from the Keyvault. link 9
CIS_Azure_2.0.0 3.4 CIS_Azure_2.0.0_3.4 CIS Microsoft Azure Foundations Benchmark recommendation 3.4 3 Ensure that Storage Account Access Keys are Periodically Regenerated Shared Regenerating access keys can affect services in Azure as well as the organization's applications that are dependent on the storage account. All clients who use the access key to access the storage account must be updated to use the new key. For increased security, regenerate storage account access keys periodically. When a storage account is created, Azure generates two 512-bit storage access keys which are used for authentication when the storage account is accessed. Rotating these keys periodically ensures that any inadvertent access or exposure does not result from the compromise of these keys. Cryptographic key rotation periods will vary depending on your organization's security requirements and the type of data which is being stored in the Storage Account. For example, PCI DSS mandates that cryptographic keys be replaced or rotated 'regularly,' and advises that keys for static data stores be rotated every 'few months.' For the purposes of this recommendation, 90 days will prescribed for the reminder. Review and adjustment of the 90 day period is recommended, and may even be necessary. Your organization's security requirements should dictate the appropriate setting. link 7
CIS_Azure_2.0.0 8.1 CIS_Azure_2.0.0_8.1 CIS Microsoft Azure Foundations Benchmark recommendation 8.1 8 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults Shared Keys cannot be used beyond their assigned expiration dates respectively. Keys need to be rotated periodically wherever they are used. Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set. Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for encryption of new data, wrapping of new keys, and signing. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys to help enforce the key rotation. This ensures that the keys cannot be used beyond their assigned lifetimes. link 8
CIS_Azure_2.0.0 8.2 CIS_Azure_2.0.0_8.2 CIS Microsoft Azure Foundations Benchmark recommendation 8.2 8 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. Shared Keys cannot be used beyond their assigned expiration dates respectively. Keys need to be rotated periodically wherever they are used. Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set. Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for a cryptographic operation. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes. link 8
CIS_Azure_2.0.0 8.3 CIS_Azure_2.0.0_8.3 CIS Microsoft Azure Foundations Benchmark recommendation 8.3 8 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults Shared Secrets cannot be used beyond their assigned expiry date respectively. Secrets need to be rotated periodically wherever they are used. Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set. The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The `exp` (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes. link 8
CIS_Azure_2.0.0 8.4 CIS_Azure_2.0.0_8.4 CIS Microsoft Azure Foundations Benchmark recommendation 8.4 8 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults Shared Secrets cannot be used beyond their assigned expiry date respectively. Secrets need to be rotated periodically wherever they are used. Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set. The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The `exp` (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes. link 8
CIS_Azure_2.0.0 9.11 CIS_Azure_2.0.0_9.11 CIS Microsoft Azure Foundations Benchmark recommendation 9.11 9 Ensure Azure Key Vaults are Used to Store Secrets Shared Integrating references to secrets within the key vault are required to be specifically integrated within the application code. This will require additional configuration to be made during the writing of an application, or refactoring of an already written one. There are also additional costs that are charged per 10000 requests to the Key Vault. Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these 'Secrets' can be controlled through granular permissions. The credentials given to an application have permissions to create, delete, or modify data stored within the systems they access. If these credentials are stored within the application itself, anyone with access to the application or a copy of the code has access to them. Storing within Azure Key Vault as secrets increases security by controlling access. This also allows for updates of the credentials without redeploying the entire application. link 9
FedRAMP_High_R4 SC-12 FedRAMP_High_R4_SC-12 FedRAMP High SC-12 System And Communications Protection Cryptographic Key Establishment And Management Shared n/a The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. References: NIST Special Publications 800-56, 800-57. link 40
FedRAMP_High_R4 SC-13 FedRAMP_High_R4_SC-13 FedRAMP High SC-13 System And Communications Protection Cryptographic Protection Shared n/a The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Supplemental Guidance: Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography). Related controls: AC-2, AC-3, AC-7, AC-17, AC-18, AU-9, AU-10, CM-11, CP-9, IA-3, IA-7, MA-4, MP-2, MP-4, MP-5, SA-4, SC-8, SC-12, SC-28, SI-7. References: FIPS Publication 140; Web: http://csrc.nist.gov/cryptval, http://www.cnss.gov. link 1
FedRAMP_Moderate_R4 SC-12 FedRAMP_Moderate_R4_SC-12 FedRAMP Moderate SC-12 System And Communications Protection Cryptographic Key Establishment And Management Shared n/a The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. References: NIST Special Publications 800-56, 800-57. link 40
FedRAMP_Moderate_R4 SC-13 FedRAMP_Moderate_R4_SC-13 FedRAMP Moderate SC-13 System And Communications Protection Cryptographic Protection Shared n/a The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Supplemental Guidance: Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography). Related controls: AC-2, AC-3, AC-7, AC-17, AC-18, AU-9, AU-10, CM-11, CP-9, IA-3, IA-7, MA-4, MP-2, MP-4, MP-5, SA-4, SC-8, SC-12, SC-28, SI-7. References: FIPS Publication 140; Web: http://csrc.nist.gov/cryptval, http://www.cnss.gov. link 1
hipaa 0314.09q3Organizational.2-09.q hipaa-0314.09q3Organizational.2-09.q 0314.09q3Organizational.2-09.q 03 Portable Media Security 0314.09q3Organizational.2-09.q 09.07 Media Handling Shared n/a The organization implements cryptographic mechanisms to protect the confidentiality and integrity of sensitive (non-public) information stored on digital media during transport outside of controlled areas. 9
hipaa 0810.01n2Organizational.5-01.n hipaa-0810.01n2Organizational.5-01.n 0810.01n2Organizational.5-01.n 08 Network Protection 0810.01n2Organizational.5-01.n 01.04 Network Access Control Shared n/a Transmitted information is secured and, at a minimum, encrypted over open, public networks. 16
hipaa 0903.10f1Organizational.1-10.f hipaa-0903.10f1Organizational.1-10.f 0903.10f1Organizational.1-10.f 09 Transmission Protection 0903.10f1Organizational.1-10.f 10.03 Cryptographic Controls Shared n/a Encryption is used to protect covered information on mobile/removable media and across communication lines based on pre-determined criteria. 3
hipaa 0904.10f2Organizational.1-10.f hipaa-0904.10f2Organizational.1-10.f 0904.10f2Organizational.1-10.f 09 Transmission Protection 0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls Shared n/a Key management is implemented based on specific roles and responsibilities, and in consideration of national and international regulations, restrictions, and issues. 10
hipaa 0913.09s1Organizational.5-09.s hipaa-0913.09s1Organizational.5-09.s 0913.09s1Organizational.5-09.s 09 Transmission Protection 0913.09s1Organizational.5-09.s 09.08 Exchange of Information Shared n/a Strong cryptography protocols are used to safeguard covered information during transmission over less trusted/open public networks. 5
hipaa 0928.09v1Organizational.45-09.v hipaa-0928.09v1Organizational.45-09.v 0928.09v1Organizational.45-09.v 09 Transmission Protection 0928.09v1Organizational.45-09.v 09.08 Exchange of Information Shared n/a Stronger controls are implemented to protect certain electronic messages, and electronic messages are protected throughout the duration of its end-to-end transport path, using cryptographic mechanisms unless protected by alternative measures. 9
hipaa 0945.09y1Organizational.3-09.y hipaa-0945.09y1Organizational.3-09.y 0945.09y1Organizational.3-09.y 09 Transmission Protection 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services Shared n/a Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL). 6
hipaa 099.09m2Organizational.11-09.m hipaa-099.09m2Organizational.11-09.m 099.09m2Organizational.11-09.m 09 Transmission Protection 099.09m2Organizational.11-09.m 09.06 Network Security Management Shared n/a The organization uses FIPS-validated cryptographic mechanisms during transmission to prevent unauthorized disclosure of information and detect changes to information unless otherwise protected by organization-defined alternative physical measures. 3
hipaa 1005.01d1System.1011-01.d hipaa-1005.01d1System.1011-01.d 1005.01d1System.1011-01.d 10 Password Management 1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems Shared n/a The organization transmits passwords only when cryptographically-protected and stores passwords using an approved hash algorithm. 6
hipaa 1007.01d2System.2-01.d hipaa-1007.01d2System.2-01.d 1007.01d2System.2-01.d 10 Password Management 1007.01d2System.2-01.d 01.02 Authorized Access to Information Systems Shared n/a Passwords are encrypted during transmission and storage on all system components. 1
hipaa 1903.06d1Organizational.3456711-06.d hipaa-1903.06d1Organizational.3456711-06.d 1903.06d1Organizational.3456711-06.d 19 Data Protection & Privacy 1903.06d1Organizational.3456711-06.d 06.01 Compliance with Legal Requirements Shared n/a The confidentiality and integrity of covered information at rest is protected using an encryption method appropriate to the medium where it is stored; where the organization chooses not to encrypt covered information, a documented rationale for not doing so is maintained or alternative compensating controls are used if the method is approved and reviewed annually by the CISO. 5
ISO27001-2013 A.10.1.1 ISO27001-2013_A.10.1.1 ISO 27001:2013 A.10.1.1 Cryptography Policy on the use of cryptographic controls Shared n/a A policy on the use of cryptographic controls for protection of information shall be developed and implemented. link 17
ISO27001-2013 A.10.1.2 ISO27001-2013_A.10.1.2 ISO 27001:2013 A.10.1.2 Cryptography Key Management Shared n/a A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. link 15
ISO27001-2013 A.14.1.2 ISO27001-2013_A.14.1.2 ISO 27001:2013 A.14.1.2 System Acquisition, Development And Maintenance Securing application services on public networks Shared n/a Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. link 32
ISO27001-2013 A.14.1.3 ISO27001-2013_A.14.1.3 ISO 27001:2013 A.14.1.3 System Acquisition, Development And Maintenance Protecting application services transactions Shared n/a Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. link 29
ISO27001-2013 A.18.1.5 ISO27001-2013_A.18.1.5 ISO 27001:2013 A.18.1.5 Compliance Regulation of cryptographic controls Shared n/a Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations. link 2
mp.com.2 Protection of confidentiality mp.com.2 Protection of confidentiality 404 not found n/a n/a 55
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity 404 not found n/a n/a 62
mp.info.3 Electronic signature mp.info.3 Electronic signature 404 not found n/a n/a 40
mp.info.4 Time stamps mp.info.4 Time stamps 404 not found n/a n/a 33
mp.s.2 Protection of web services and applications mp.s.2 Protection of web services and applications 404 not found n/a n/a 102
mp.si.2 Cryptography mp.si.2 Cryptography 404 not found n/a n/a 32
mp.si.4 Transport mp.si.4 Transport 404 not found n/a n/a 24
NIST_SP_800-171_R2_3 .13.10 NIST_SP_800-171_R2_3.13.10 NIST SP 800-171 R2 3.13.10 System and Communications Protection Establish and manage cryptographic keys for cryptography employed in organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. [SP 800-56A] and [SP 800-57-1] provide guidance on cryptographic key management and key establishment. link 40
NIST_SP_800-171_R2_3 .13.11 NIST_SP_800-171_R2_3.13.11 NIST SP 800-171 R2 3.13.11 System and Communications Protection Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Shared Microsoft and the customer share responsibilities for implementing this requirement. Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography. See [NIST CRYPTO]; [NIST CAVP]; and [NIST CMVP]. link 1
NIST_SP_800-53_R4 SC-12 NIST_SP_800-53_R4_SC-12 NIST SP 800-53 Rev. 4 SC-12 System And Communications Protection Cryptographic Key Establishment And Management Shared n/a The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17. References: NIST Special Publications 800-56, 800-57. link 40
NIST_SP_800-53_R4 SC-13 NIST_SP_800-53_R4_SC-13 NIST SP 800-53 Rev. 4 SC-13 System And Communications Protection Cryptographic Protection Shared n/a The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Supplemental Guidance: Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography). Related controls: AC-2, AC-3, AC-7, AC-17, AC-18, AU-9, AU-10, CM-11, CP-9, IA-3, IA-7, MA-4, MP-2, MP-4, MP-5, SA-4, SC-8, SC-12, SC-28, SI-7. References: FIPS Publication 140; Web: http://csrc.nist.gov/cryptval, http://www.cnss.gov. link 1
NIST_SP_800-53_R5 SC-12 NIST_SP_800-53_R5_SC-12 NIST SP 800-53 Rev. 5 SC-12 System and Communications Protection Cryptographic Key Establishment and Management Shared n/a Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. link 40
NIST_SP_800-53_R5 SC-13 NIST_SP_800-53_R5_SC-13 NIST SP 800-53 Rev. 5 SC-13 System and Communications Protection Cryptographic Protection Shared n/a a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]. link 1
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
op.exp.10 Cryptographic key protection op.exp.10 Cryptographic key protection 404 not found n/a n/a 53
op.pl.3 Acquisition of new components op.pl.3 Acquisition of new components 404 not found n/a n/a 61
org.1 Security policy org.1 Security policy 404 not found n/a n/a 94
PCI_DSS_v4.0 3.6.1 PCI_DSS_v4.0_3.6.1 PCI DSS v4.0 3.6.1 Requirement 03: Protect Stored Account Data Cryptographic keys used to protect stored account data are secured Shared n/a Procedures are defined and implemented to protect cryptographic keys used to Protect Stored Account Data against disclosure and misuse that include: • Access to keys is restricted to the fewest number of custodians necessary. • Key-encrypting keys are at least as strong as the data-encrypting keys they protect. • Key-encrypting keys are stored separately from data-encrypting keys. • Keys are stored securely in the fewest possible locations and forms. link 7
PCI_DSS_v4.0 3.6.1.1 PCI_DSS_v4.0_3.6.1.1 PCI DSS v4.0 3.6.1.1 Requirement 03: Protect Stored Account Data Cryptographic keys used to protect stored account data are secured Shared n/a A documented description of the cryptographic architecture is maintained that includes: • Details of all algorithms, protocols, and keys used for the protection of stored account data, including key strength and expiry date. • Preventing the use of the same cryptographic keys in production and test environments. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. • Description of the key usage for each key. • Inventory of any hardware security modules (HSMs), key management systems (KMS), and other secure cryptographic devices (SCDs) used for key management, including type and location of devices, as outlined in Requirement 12.3.4. link 7
PCI_DSS_v4.0 3.6.1.2 PCI_DSS_v4.0_3.6.1.2 PCI DSS v4.0 3.6.1.2 Requirement 03: Protect Stored Account Data Cryptographic keys used to protect stored account data are secured Shared n/a Secret and private keys used to encrypt/decrypt stored account data are stored in one (or more) of the following forms at all times: • Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the dataencrypting key. • Within a secure cryptographic device (SCD), such as a hardware security module (HSM) or PTS-approved point-of-interaction device. • As at least two full-length key components or key shares, in accordance with an industry-accepted method. link 8
PCI_DSS_v4.0 3.6.1.3 PCI_DSS_v4.0_3.6.1.3 PCI DSS v4.0 3.6.1.3 Requirement 03: Protect Stored Account Data Cryptographic keys used to protect stored account data are secured Shared n/a Access to cleartext cryptographic key components is restricted to the fewest number of custodians necessary. link 7
PCI_DSS_v4.0 3.6.1.4 PCI_DSS_v4.0_3.6.1.4 PCI DSS v4.0 3.6.1.4 Requirement 03: Protect Stored Account Data Cryptographic keys used to protect stored account data are secured Shared n/a Cryptographic keys are stored in the fewest possible locations. link 7
PCI_DSS_v4.0 3.7.1 PCI_DSS_v4.0_3.7.1 PCI DSS v4.0 3.7.1 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to Protect Stored Account Data. link 7
PCI_DSS_v4.0 3.7.2 PCI_DSS_v4.0_3.7.2 PCI DSS v4.0 3.7.2 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to Protect Stored Account Data. link 8
PCI_DSS_v4.0 3.7.3 PCI_DSS_v4.0_3.7.3 PCI DSS v4.0 3.7.3 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to Protect Stored Account Data. link 9
PCI_DSS_v4.0 3.7.4 PCI_DSS_v4.0_3.7.4 PCI DSS v4.0 3.7.4 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Key management policies and procedures are implemented for cryptographic key changes for keys that have reached the end of their cryptoperiod, as defined by the associated application vendor or key owner, and based on industry best practices and guidelines, including the following: • A defined cryptoperiod for each key type in use. • A process for key changes at the end of the defined cryptoperiod. link 7
PCI_DSS_v4.0 3.7.5 PCI_DSS_v4.0_3.7.5 PCI DSS v4.0 3.7.5 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Key management policies procedures are implemented to include the retirement, replacement, or destruction of keys used to Protect Stored Account Data, as deemed necessary when: • The key has reached the end of its defined cryptoperiod. • The integrity of the key has been weakened, including when personnel with knowledge of a cleartext key component leaves the company, or the role for which the key component was known. • When keys are suspected of or known to be compromised. • Retired or replaced keys are not used for encryption operations. link 7
PCI_DSS_v4.0 3.7.6 PCI_DSS_v4.0_3.7.6 PCI DSS v4.0 3.7.6 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Where manual cleartext cryptographic keymanagement operations are performed by personnel, key-management policies and procedures are implemented include managing these operations using split knowledge and dual control. link 7
PCI_DSS_v4.0 3.7.7 PCI_DSS_v4.0_3.7.7 PCI DSS v4.0 3.7.7 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Key management policies and procedures are implemented to include the prevention of unauthorized substitution of cryptographic keys. link 7
PCI_DSS_v4.0 3.7.8 PCI_DSS_v4.0_3.7.8 PCI DSS v4.0 3.7.8 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Key management policies and procedures are implemented to include that cryptographic key custodians formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities. link 7
PCI_DSS_v4.0 3.7.9 PCI_DSS_v4.0_3.7.9 PCI DSS v4.0 3.7.9 Requirement 03: Protect Stored Account Data Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented Shared n/a Where a service provider shares cryptographic keys with its customers for transmission or storage of account data, guidance on secure transmission, storage and updating of such keys is documented and distributed to the service providers' customers. link 7
PCI_DSS_v4.0 4.2.1 PCI_DSS_v4.0_4.2.1 PCI DSS v4.0 4.2.1 Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks PAN is protected with strong cryptography during transmission Shared n/a Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: • Only trusted keys and certificates are accepted. • Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details. • The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations. • The encryption strength is appropriate for the encryption methodology in use. link 12
PCI_DSS_v4.0 4.2.1.1 PCI_DSS_v4.0_4.2.1.1 PCI DSS v4.0 4.2.1.1 Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks PAN is protected with strong cryptography during transmission Shared n/a An inventory of the entity’s trusted keys and certificates used to protect PAN during transmission is maintained. link 8
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 78
SWIFT_CSCF_v2022 1.4 SWIFT_CSCF_v2022_1.4 SWIFT CSCF v2022 1.4 1. Restrict Internet Access & Protect Critical Systems from General IT Environment Control/Protect Internet access from operator PCs and systems within the secure zone. Shared n/a All general-purpose and dedicated operator PCs, as well as systems within the secure zone, have controlled direct internet access in line with business. link 11
SWIFT_CSCF_v2022 2.1 SWIFT_CSCF_v2022_2.1 SWIFT CSCF v2022 2.1 2. Reduce Attack Surface and Vulnerabilities Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. Shared n/a Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. link 36
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add c4ccd607-702b-8ae6-8eeb-fc3339cd4b42
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC