compliance controls are associated with this Policy definition 'Virtual machines should be connected to an approved virtual network' (d416745a-506c-48b6-8ab1-83cb814bcaa3)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v1.0 |
1.1 |
Azure_Security_Benchmark_v1.0_1.1 |
Azure Security Benchmark 1.1 |
Network Security |
Protect resources using Network Security Groups or Azure Firewall on your Virtual Network |
Customer |
Ensure that all Virtual Network subnet deployments have a Network Security Group applied with network access controls specific to your application's trusted ports and sources. Use Azure Services with Private Link enabled, deploy the service inside your Vnet, or connect privately using Private Endpoints. For service specific requirements, please refer to the security recommendation for that specific service.
Alternatively, if you have a specific use case, requirements can be met by implementing Azure Firewall.
General Information on Private Link:
https://docs.microsoft.com/azure/private-link/private-link-overview
How to create a Virtual Network:
https://docs.microsoft.com/azure/virtual-network/quick-create-portal
How to create an NSG with a security configuration:
https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic
How to deploy and configure Azure Firewall:
https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal |
n/a |
link |
20 |
| CMMC_L2_v1.9.0 |
AC.L2_3.1.3 |
CMMC_L2_v1.9.0_AC.L2_3.1.3 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L2 3.1.3 |
Access Control |
Control CUI Flow |
Shared |
Control the flow of CUI in accordance with approved authorizations. |
To regulate the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations |
|
46 |
| CMMC_L2_v1.9.0 |
CM.L2_3.4.1 |
CMMC_L2_v1.9.0_CM.L2_3.4.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.1 |
Configuration Management |
System Baselining |
Shared |
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. |
To ensure consistency, security, and compliance with organizational standards and requirements. |
|
15 |
| CMMC_L2_v1.9.0 |
CM.L2_3.4.2 |
CMMC_L2_v1.9.0_CM.L2_3.4.2 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.2 |
Configuration Management |
Security Configuration Enforcement |
Shared |
Establish and enforce security configuration settings for information technology products employed in organizational systems. |
To mitigate vulnerabilities and enhance overall security posture. |
|
10 |
| CMMC_L2_v1.9.0 |
CM.L2_3.4.6 |
CMMC_L2_v1.9.0_CM.L2_3.4.6 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 CM.L2 3.4.6 |
Configuration Management |
Least Functionality |
Shared |
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. |
To reduce the risk of unauthorized access or exploitation of system vulnerabilities. |
|
10 |
| CMMC_L2_v1.9.0 |
SC.L1_3.13.1 |
CMMC_L2_v1.9.0_SC.L1_3.13.1 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.1 |
System and Communications Protection |
Boundary Protection |
Shared |
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. |
To protect information assets from external attacks and insider threats. |
|
43 |
| CMMC_L2_v1.9.0 |
SC.L1_3.13.5 |
CMMC_L2_v1.9.0_SC.L1_3.13.5 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L1 3.13.5 |
System and Communications Protection |
Public Access System Separation |
Shared |
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. |
To control access, monitor traffic, and mitigate the risk of unauthorized access or exploitation of internal resources. |
|
43 |
| hipaa |
0805.01m1Organizational.12-01.m |
hipaa-0805.01m1Organizational.12-01.m |
0805.01m1Organizational.12-01.m |
08 Network Protection |
0805.01m1Organizational.12-01.m 01.04 Network Access Control |
Shared |
n/a |
The organization's security gateways (e.g., firewalls) (i) enforce security policies; (ii) are configured to filter traffic between domains; (iii) block unauthorized access; (iv) are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet), including DMZs; and, (vi) enforce access control policies for each of the domains. |
|
12 |
| hipaa |
0806.01m2Organizational.12356-01.m |
hipaa-0806.01m2Organizational.12356-01.m |
0806.01m2Organizational.12356-01.m |
08 Network Protection |
0806.01m2Organizational.12356-01.m 01.04 Network Access Control |
Shared |
n/a |
The organization’s network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. |
|
13 |
| hipaa |
0809.01n2Organizational.1234-01.n |
hipaa-0809.01n2Organizational.1234-01.n |
0809.01n2Organizational.1234-01.n |
08 Network Protection |
0809.01n2Organizational.1234-01.n 01.04 Network Access Control |
Shared |
n/a |
Network traffic is controlled in accordance with the organization’s access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. |
|
17 |
| hipaa |
0810.01n2Organizational.5-01.n |
hipaa-0810.01n2Organizational.5-01.n |
0810.01n2Organizational.5-01.n |
08 Network Protection |
0810.01n2Organizational.5-01.n 01.04 Network Access Control |
Shared |
n/a |
Transmitted information is secured and, at a minimum, encrypted over open, public networks. |
|
16 |
| hipaa |
0811.01n2Organizational.6-01.n |
hipaa-0811.01n2Organizational.6-01.n |
0811.01n2Organizational.6-01.n |
08 Network Protection |
0811.01n2Organizational.6-01.n 01.04 Network Access Control |
Shared |
n/a |
Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. |
|
23 |
| hipaa |
0812.01n2Organizational.8-01.n |
hipaa-0812.01n2Organizational.8-01.n |
0812.01n2Organizational.8-01.n |
08 Network Protection |
0812.01n2Organizational.8-01.n 01.04 Network Access Control |
Shared |
n/a |
Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. |
|
12 |
| hipaa |
0814.01n1Organizational.12-01.n |
hipaa-0814.01n1Organizational.12-01.n |
0814.01n1Organizational.12-01.n |
08 Network Protection |
0814.01n1Organizational.12-01.n 01.04 Network Access Control |
Shared |
n/a |
The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of its business applications. |
|
11 |
| hipaa |
0894.01m2Organizational.7-01.m |
hipaa-0894.01m2Organizational.7-01.m |
0894.01m2Organizational.7-01.m |
08 Network Protection |
0894.01m2Organizational.7-01.m 01.04 Network Access Control |
Shared |
n/a |
Networks are segregated from production-level networks when migrating physical servers, applications, or data to virtualized servers. |
|
19 |
| PCI_DSS_v4.0.1 |
1.2.5 |
PCI_DSS_v4.0.1_1.2.5 |
PCI DSS v4.0.1 1.2.5 |
Install and Maintain Network Security Controls |
All services, protocols, and ports allowed are identified, approved, and have a defined business need |
Shared |
n/a |
Examine documentation to verify that a list exists of all allowed services, protocols, and ports, including business justification and approval for each. Examine configuration settings for NSCs to verify that only approved services, protocols, and ports are in use |
|
19 |
| PCI_DSS_v4.0.1 |
1.4.4 |
PCI_DSS_v4.0.1_1.4.4 |
PCI DSS v4.0.1 1.4.4 |
Install and Maintain Network Security Controls |
System components that store cardholder data are not directly accessible from untrusted networks |
Shared |
n/a |
Examine the data-flow diagram and network diagram to verify that it is documented that system components storing cardholder data are not directly accessible from the untrusted networks. Examine configurations of NSCs to verify that controls are implemented such that system components storing cardholder data are not directly accessible from untrusted networks |
|
43 |
| PCI_DSS_v4.0.1 |
2.2.1 |
PCI_DSS_v4.0.1_2.2.1 |
PCI DSS v4.0.1 2.2.1 |
Apply Secure Configurations to All System Components |
Configuration standards are developed, implemented, and maintained to cover all system components, address all known security vulnerabilities, be consistent with industry-accepted system hardening standards or vendor hardening recommendations, be updated as new vulnerability issues are identified, and be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment |
Shared |
n/a |
Examine system configuration standards to verify they define processes that include all elements specified in this requirement. Examine policies and procedures and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. Examine configuration settings and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before or immediately after a system component is connected to a production environment |
|
14 |
| PCI_DSS_v4.0.1 |
2.2.4 |
PCI_DSS_v4.0.1_2.2.4 |
PCI DSS v4.0.1 2.2.4 |
Apply Secure Configurations to All System Components |
Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled |
Shared |
n/a |
Examine system configuration standards to verify necessary services, protocols, daemons, and functions are identified and documented. Examine system configurations to verify the following: All unnecessary functionality is removed or disabled. Only required functionality, as documented in the configuration standards, is enabled |
|
25 |
| PCI_DSS_v4.0.1 |
9.5.1 |
PCI_DSS_v4.0.1_9.5.1 |
PCI DSS v4.0.1 9.5.1 |
Restrict Physical Access to Cardholder Data |
Protection Measures for POI Devices Against Tampering and Unauthorized Substitution |
Shared |
n/a |
POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following:
• Maintaining a list of POI devices.
• Periodically inspecting POI devices to look for tampering or unauthorized substitution.
• Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices. |
|
8 |
| PCI_DSS_v4.0.1 |
9.5.1.1 |
PCI_DSS_v4.0.1_9.5.1.1 |
PCI DSS v4.0.1 9.5.1.1 |
Restrict Physical Access to Cardholder Data |
Maintenance of an Up-to-Date List of POI Devices |
Shared |
n/a |
An up-to-date list of POI devices is maintained, including:
• Make and model of the device.
• Location of device.
• Device serial number or other methods of unique identification. |
|
6 |
| RMiT_v1.0 |
10.33 |
RMiT_v1.0_10.33 |
RMiT 10.33 |
Network Resilience |
Network Resilience - 10.33 |
Shared |
n/a |
A financial institution must design a reliable, scalable and secure enterprise network that is able to support its business activities, including future growth plans. |
link |
27 |