compliance controls are associated with this Policy definition 'Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost.' (ca88aadc-6e2b-416c-9de2-5a0f01d1693f)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v3.0 |
DP-4 |
Azure_Security_Benchmark_v3.0_DP-4 |
Microsoft cloud security benchmark DP-4 |
Data Protection |
Enable data at rest encryption by default |
Shared |
**Security Principle:**
To complement access controls, data at rest should be protected against 'out of band' attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data.
**Azure Guidance:**
Many Azure services have data at rest encryption enabled by default at the infrastructure layer using a service-managed key.
Where technically feasible and not enabled by default, you can enable data at rest encryption in the Azure services, or in your VMs for storage level, file level, or database level encryption.
**Implementation and additional context:**
Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services
Data at rest double encryption in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-models
Encryption model and key management table:
https://docs.microsoft.com/azure/security/fundamentals/encryption-models |
n/a |
link |
8 |
| CSA_v4.0.12 |
CEK_03 |
CSA_v4.0.12_CEK_03 |
CSA Cloud Controls Matrix v4.0.12 CEK 03 |
Cryptography, Encryption & Key Management |
Data Encryption |
Shared |
n/a |
Provide cryptographic protection to data at-rest and in-transit,
using cryptographic libraries certified to approved standards. |
|
58 |
| CSA_v4.0.12 |
DSP_07 |
CSA_v4.0.12_DSP_07 |
CSA Cloud Controls Matrix v4.0.12 DSP 07 |
Data Security and Privacy Lifecycle Management |
Data Protection by Design and Default |
Shared |
n/a |
Develop systems, products, and business practices based upon a principle
of security by design and industry best practices. |
|
16 |
| CSA_v4.0.12 |
DSP_17 |
CSA_v4.0.12_DSP_17 |
CSA Cloud Controls Matrix v4.0.12 DSP 17 |
Data Security and Privacy Lifecycle Management |
Sensitive Data Protection |
Shared |
n/a |
Define and implement, processes, procedures and technical measures
to protect sensitive data throughout it's lifecycle. |
|
15 |
| CSA_v4.0.12 |
UEM_08 |
CSA_v4.0.12_UEM_08 |
CSA Cloud Controls Matrix v4.0.12 UEM 08 |
Universal Endpoint Management |
Storage Encryption |
Shared |
n/a |
Protect information from unauthorized disclosure on managed endpoint
devices with storage encryption. |
|
14 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
193 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
310 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
310 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.1 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 |
Policy and Implementation - Systems And Communications Protection |
Systems And Communications Protection |
Shared |
In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. |
Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. |
|
110 |
| HITRUST_CSF_v11.3 |
06.c |
HITRUST_CSF_v11.3_06.c |
HITRUST CSF v11.3 06.c |
Compliance with Legal Requirements |
Prevent loss, destruction and falsification of important records in accordance with statutory, regulatory, contractual, and business requirements. |
Shared |
1. Guidelines are to be issued and implemented by the organization on the ownership, classification, retention, storage, handling, and disposal of all records and information.
2. Accountings of disclosure as organizational records are to be documented and maintained for a pre-defined period. |
Important records shall be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements. |
|
26 |
| ISO_IEC_27001_2022 |
7.5.3 |
ISO_IEC_27001_2022_7.5.3 |
ISO IEC 27001 2022 7.5.3 |
Support |
Control of documented information |
Shared |
1. Documented information required by the information security management system and by this document shall be controlled to ensure:
a. it is available and suitable for use, where and when it is needed; and
b. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
2. For the control of documented information, the organization shall address the following activities, as applicable:
a. distribution, access, retrieval and use;
b. storage and preservation, including the preservation of legibility;
c. control of changes (e.g. version control); and
d. retention and disposition. |
Specifies that the documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled |
|
32 |
| ISO_IEC_27017_2015 |
18.1.3 |
ISO_IEC_27017_2015_18.1.3 |
ISO IEC 27017 2015 18.1.3 |
Compliance |
Protection of Records |
Shared |
For Cloud Service Customer:
The cloud service customer should request information from the cloud service provider about the protection of records gathered and stored by the cloud service provider that are relevant to the use of cloud services by the cloud service
customer.
For Cloud Service Provider:
The cloud service provider should provide information to the cloud service customer about the protection of records that are gathered and stored by the cloud service provider relating to the use of cloud services by the cloud service customer. |
To ensure compliance with legal, statutory, regulatory and contractual requirements, as well as community or societal expectations related to the protection and availability of records. |
|
17 |
| LGPD_2018_Art. |
16 |
LGPD_2018_Art._16 |
Brazilian General Data Protection Law (LGPD) 2018 Art. 16 |
Termination of Data Processing |
Art. 16. Personal data shall be deleted following the termination of their processing |
Shared |
n/a |
Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, but their storage is authorized for the following purposes: (1) compliance with a legal or regulatory obligation by the controller; (2) study by a research entity, ensuring, whenever possible, the anonymization of the personal data; (3) transfer to third parties, provided that the requirements for data processing as provided in this Law are obeyed; or (4) exclusive use of the controller, with access by third parties being prohibited, and provided the data has been anonymized. |
|
18 |
| NIST_SP_800-53_R5.1.1 |
SC.28 |
NIST_SP_800-53_R5.1.1_SC.28 |
NIST SP 800-53 R5.1.1 SC.28 |
System and Communications Protection |
Protection of Information at Rest |
Shared |
Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. |
Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage. |
|
17 |
| NZISM_v3.7 |
17.8.10.C.01. |
NZISM_v3.7_17.8.10.C.01. |
NZISM v3.7 17.8.10.C.01. |
Internet Protocol Security (IPSec) |
17.8.10.C.01. - enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies SHOULD use tunnel mode for IPSec connections. |
|
22 |
| NZISM_v3.7 |
17.8.10.C.02. |
NZISM_v3.7_17.8.10.C.02. |
NZISM v3.7 17.8.10.C.02. |
Internet Protocol Security (IPSec) |
17.8.10.C.02. - enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies choosing to use transport mode SHOULD additionally use an IP tunnel for IPSec connections. |
|
35 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
218 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
229 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
213 |
|
U.11.3 - Encrypted |
U.11.3 - Encrypted |
404 not found |
|
|
|
n/a |
n/a |
|
52 |