last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Implement controls to secure alternate work sites

Name Implement controls to secure alternate work sites
Azure Portal
Id cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e
Version 1.1.0
details on versioning
Category Regulatory Compliance
Microsoft docs
Description CMA_0315 - Implement controls to secure alternate work sites
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
Manual
Allowed
Manual, Disabled
RBAC
Role(s)
none
Rule
Aliases
Rule
ResourceTypes
IF (1)
Microsoft.Resources/subscriptions
Compliance The following 40 compliance controls are associated with this Policy definition 'Implement controls to secure alternate work sites' (cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 1.22 CIS_Azure_1.1.0_1.22 CIS Microsoft Azure Foundations Benchmark recommendation 1.22 1 Identity and Access Management Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining devices to the active directory should require Multi-factor authentication. link 8
CIS_Azure_1.3.0 1.20 CIS_Azure_1.3.0_1.20 CIS Microsoft Azure Foundations Benchmark recommendation 1.20 1 Identity and Access Management Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining devices to the active directory should require Multi-factor authentication. link 8
CIS_Azure_1.3.0 1.22 CIS_Azure_1.3.0_1.22 CIS Microsoft Azure Foundations Benchmark recommendation 1.22 1 Identity and Access Management Ensure Security Defaults is enabled on Azure Active Directory Shared The customer is responsible for implementing this recommendation. Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal. link 9
CIS_Azure_1.4.0 1.19 CIS_Azure_1.4.0_1.19 CIS Microsoft Azure Foundations Benchmark recommendation 1.19 1 Identity and Access Management Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining or registering devices to the active directory should require Multi-factor authentication. link 8
CIS_Azure_1.4.0 1.21 CIS_Azure_1.4.0_1.21 CIS Microsoft Azure Foundations Benchmark recommendation 1.21 1 Identity and Access Management Ensure Security Defaults is enabled on Azure Active Directory Shared The customer is responsible for implementing this recommendation. Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal. link 9
FedRAMP_High_R4 AC-17 FedRAMP_High_R4_AC-17 FedRAMP High AC-17 Access Control Remote Access Shared n/a The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections. Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. link 41
FedRAMP_High_R4 AC-17(4) FedRAMP_High_R4_AC-17(4) FedRAMP High AC-17 (4) Access Control Privileged Commands / Access Shared n/a The organization: (a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (b) Documents the rationale for such access in the security plan for the information system. Supplemental Guidance: Related control: AC-6. link 5
FedRAMP_High_R4 PE-17 FedRAMP_High_R4_PE-17 FedRAMP High PE-17 Physical And Environmental Protection Alternate Work Site Shared n/a The organization: a. Employs [Assignment: organization-defined security controls] at alternate work sites; b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems. Supplemental Guidance: Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. Related controls: AC-17, CP-7. Control Enhancements: None. References: NIST Special Publication 800-46. link 1
FedRAMP_Moderate_R4 AC-17 FedRAMP_Moderate_R4_AC-17 FedRAMP Moderate AC-17 Access Control Remote Access Shared n/a The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections. Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. link 41
FedRAMP_Moderate_R4 AC-17(4) FedRAMP_Moderate_R4_AC-17(4) FedRAMP Moderate AC-17 (4) Access Control Privileged Commands / Access Shared n/a The organization: (a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (b) Documents the rationale for such access in the security plan for the information system. Supplemental Guidance: Related control: AC-6. link 5
FedRAMP_Moderate_R4 PE-17 FedRAMP_Moderate_R4_PE-17 FedRAMP Moderate PE-17 Physical And Environmental Protection Alternate Work Site Shared n/a The organization: a. Employs [Assignment: organization-defined security controls] at alternate work sites; b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems. Supplemental Guidance: Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. Related controls: AC-17, CP-7. Control Enhancements: None. References: NIST Special Publication 800-46. link 1
hipaa 0407.01y2Organizational.1-01.y hipaa-0407.01y2Organizational.1-01.y 0407.01y2Organizational.1-01.y 04 Mobile Device Security 0407.01y2Organizational.1-01.y 01.07 Mobile Computing and Teleworking Shared n/a Prior to authorizing teleworking, the physical security of the teleworking site is evaluated and any threats/issues identified are addressed. 2
hipaa 0902.09s2Organizational.13-09.s hipaa-0902.09s2Organizational.13-09.s 0902.09s2Organizational.13-09.s 09 Transmission Protection 0902.09s2Organizational.13-09.s 09.08 Exchange of Information Shared n/a Remote (external) access to the organization's information assets and access to external information assets (for which the organization has no control) is based on clearly defined terms and conditions. 14
hipaa 0912.09s1Organizational.4-09.s hipaa-0912.09s1Organizational.4-09.s 0912.09s1Organizational.4-09.s 09 Transmission Protection 0912.09s1Organizational.4-09.s 09.08 Exchange of Information Shared n/a Cryptography is used to protect the confidentiality and integrity of remote access sessions to the internal network and to external systems. 9
hipaa 1118.01j2Organizational.124-01.j hipaa-1118.01j2Organizational.124-01.j 1118.01j2Organizational.124-01.j 11 Access Control 1118.01j2Organizational.124-01.j 01.04 Network Access Control Shared n/a The organization has implemented encryption (e.g., VPN solutions or private lines) and logs remote access to the organization's network by employees, contractors, or third-party. 9
hipaa 1121.01j3Organizational.2-01.j hipaa-1121.01j3Organizational.2-01.j 1121.01j3Organizational.2-01.j 11 Access Control 1121.01j3Organizational.2-01.j 01.04 Network Access Control Shared n/a Remote administration sessions are authorized, encrypted, and employ increased security measures. 11
hipaa 1179.01j3Organizational.1-01.j hipaa-1179.01j3Organizational.1-01.j 1179.01j3Organizational.1-01.j 11 Access Control 1179.01j3Organizational.1-01.j 01.04 Network Access Control Shared n/a The information system monitors and controls remote access methods. 7
hipaa 1816.08d2Organizational.4-08.d hipaa-1816.08d2Organizational.4-08.d 1816.08d2Organizational.4-08.d 18 Physical & Environmental Security 1816.08d2Organizational.4-08.d 08.01 Secure Areas Shared n/a Any security threats presented by neighboring premises are identified. 4
ISO27001-2013 A.11.2.6 ISO27001-2013_A.11.2.6 ISO 27001:2013 A.11.2.6 Physical And Environmental Security Security of equipment and assets off-premises Shared n/a Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises. link 10
ISO27001-2013 A.13.1.1 ISO27001-2013_A.13.1.1 ISO 27001:2013 A.13.1.1 Communications Security Network controls Shared n/a Networks shall be managed and controlled to protect information in systems and applications. link 40
ISO27001-2013 A.13.2.1 ISO27001-2013_A.13.2.1 ISO 27001:2013 A.13.2.1 Communications Security Information transfer policies and procedures Shared n/a Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. link 32
ISO27001-2013 A.14.1.2 ISO27001-2013_A.14.1.2 ISO 27001:2013 A.14.1.2 System Acquisition, Development And Maintenance Securing application services on public networks Shared n/a Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. link 32
ISO27001-2013 A.6.2.1 ISO27001-2013_A.6.2.1 ISO 27001:2013 A.6.2.1 Organization of Information Security Mobile device policy Shared n/a A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. link 13
ISO27001-2013 A.6.2.2 ISO27001-2013_A.6.2.2 ISO 27001:2013 A.6.2.2 Organization of Information Security Teleworking Shared n/a A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. link 16
NIST_SP_800-171_R2_3 .1.15 NIST_SP_800-171_R2_3.1.15 NIST SP 800-171 R2 3.1.15 Access Control Authorize remote execution of privileged commands and remote access to security-relevant information. Shared Microsoft and the customer share responsibilities for implementing this requirement. A privileged command is a human-initiated (interactively or via a process operating on behalf of the human) command executed on a system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information. Security-relevant information is any information within the system that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling such access from remote locations helps to ensure that unauthorized individuals are not able to execute such commands freely with the potential to do serious or catastrophic damage to organizational systems. Note that the ability to affect the integrity of the system is considered security-relevant as that could enable the means to by-pass security functions although not directly impacting the function itself. link 5
NIST_SP_800-171_R2_3 .10.6 NIST_SP_800-171_R2_3.10.6 NIST SP 800-171 R2 3.10.6 Physical Protection Enforce safeguarding measures for CUI at alternate work sites. Shared Microsoft is responsible for implementing this requirement. Alternate work sites may include government facilities or the private residences of employees. Organizations may define different security requirements for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. [SP 800-46] and [SP 800-114] provide guidance on enterprise and user security when teleworking. link 1
NIST_SP_800-53_R4 AC-17 NIST_SP_800-53_R4_AC-17 NIST SP 800-53 Rev. 4 AC-17 Access Control Remote Access Shared n/a The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections. Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. link 41
NIST_SP_800-53_R4 AC-17(4) NIST_SP_800-53_R4_AC-17(4) NIST SP 800-53 Rev. 4 AC-17 (4) Access Control Privileged Commands / Access Shared n/a The organization: (a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (b) Documents the rationale for such access in the security plan for the information system. Supplemental Guidance: Related control: AC-6. link 5
NIST_SP_800-53_R4 PE-17 NIST_SP_800-53_R4_PE-17 NIST SP 800-53 Rev. 4 PE-17 Physical And Environmental Protection Alternate Work Site Shared n/a The organization: a. Employs [Assignment: organization-defined security controls] at alternate work sites; b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems. Supplemental Guidance: Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. Related controls: AC-17, CP-7. Control Enhancements: None. References: NIST Special Publication 800-46. link 1
NIST_SP_800-53_R5 AC-17 NIST_SP_800-53_R5_AC-17 NIST SP 800-53 Rev. 5 AC-17 Access Control Remote Access Shared n/a a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections. link 41
NIST_SP_800-53_R5 AC-17(4) NIST_SP_800-53_R5_AC-17(4) NIST SP 800-53 Rev. 5 AC-17 (4) Access Control Privileged Commands and Access Shared n/a (a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and (b) Document the rationale for remote access in the security plan for the system. link 5
NIST_SP_800-53_R5 PE-17 NIST_SP_800-53_R5_PE-17 NIST SP 800-53 Rev. 5 PE-17 Physical and Environmental Protection Alternate Work Site Shared n/a a. Determine and document the [Assignment: organization-defined alternate work sites] allowed for use by employees; b. Employ the following controls at alternate work sites: [Assignment: organization-defined controls]; c. Assess the effectiveness of controls at alternate work sites; and d. Provide a means for employees to communicate with information security and privacy personnel in case of incidents. link 1
PCI_DSS_v4.0 1.5.1 PCI_DSS_v4.0_1.5.1 PCI DSS v4.0 1.5.1 Requirement 01: Install and Maintain Network Security Controls Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated Shared n/a Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE as follows: • Specific configuration settings are defined to prevent threats being introduced into the entity’s network. • Security controls are actively running. • Security controls are not alterable by users of the computing devices unless specifically documented and authorized by management on a case-by-case basis for a limited period. link 5
PCI_DSS_v4.0 8.4.2 PCI_DSS_v4.0_8.4.2 PCI DSS v4.0 8.4.2 Requirement 08: Identify Users and Authenticate Access to System Components Multi-factor authentication (MFA) is implemented to secure access into the CDE Shared n/a MFA is implemented for all access into the CDE. link 8
PCI_DSS_v4.0 8.4.3 PCI_DSS_v4.0_8.4.3 PCI DSS v4.0 8.4.3 Requirement 08: Identify Users and Authenticate Access to System Components Multi-factor authentication (MFA) is implemented to secure access into the CDE Shared n/a MFA is implemented for all remote network access originating from outside the entity’s network that could access or impact the CDE as follows: • All remote access by all personnel, both users and administrators, originating from outside the entity’s network. • All remote access by third parties and vendors. link 8
PCI_DSS_v4.0 8.5.1 PCI_DSS_v4.0_8.5.1 PCI DSS v4.0 8.5.1 Requirement 08: Identify Users and Authenticate Access to System Components Multi-factor authentication (MFA) systems are configured to prevent misuse Shared n/a MFA systems are implemented as follows: • The MFA system is not susceptible to replay attacks. • MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period. • At least two different types of authentication factors are used. • Success of all authentication factors is required before access is granted. link 8
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 80
SOC_2 CC6.6 SOC_2_CC6.6 SOC 2 Type 2 CC6.6 Logical and Physical Access Controls Security measures against threats outside system boundaries Shared The customer is responsible for implementing this recommendation. • Restricts Access — The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. • Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries. • Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its boundaries. • Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts 41
SWIFT_CSCF_v2022 1.4 SWIFT_CSCF_v2022_1.4 SWIFT CSCF v2022 1.4 1. Restrict Internet Access & Protect Critical Systems from General IT Environment Control/Protect Internet access from operator PCs and systems within the secure zone. Shared n/a All general-purpose and dedicated operator PCs, as well as systems within the secure zone, have controlled direct internet access in line with business. link 11
SWIFT_CSCF_v2022 2.6 SWIFT_CSCF_v2022_2.6 SWIFT CSCF v2022 2.6 2. Reduce Attack Surface and Vulnerabilities Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications Shared n/a The confidentiality and integrity of interactive operator sessions that connect to service provider SWIFT-related applications or into the secure zone are safeguarded. link 17
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
JSON
changes

JSON