AzPolicyAdvertizer

last sync: 2024-Jul-26 18:17:39 UTC

Protect wireless access | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Protect wireless access
Id d42a8f69-a193-6cbc-48b9-04a9e29961f1
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0411 - Protect wireless access
Additional metadata Name/Id: CMA_0411 / CMA_0411
Category: Operational
Title: Protect wireless access
Ownership: Customer
Description: Microsoft recommends that your organization use encrypted connections for all access to Azure, in addition to user and/or device authentication. Although not required for access to Azure, Microsoft recommends that your organization deploy Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated IEEE 802.11 wireless access using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2). Because PEAP-MS-CHAP v2 requires that users provide password-based credentials rather than a certificate during the authentication process, it is typically easier and less expensive to deploy than EAP-TLS or PEAP-TLS. For the purposes of consistency and ease of deployment and access point (AP) management, we also recommend that you deploy wireless APs of the same brand and model. It is also recommended that your organization establish rules and guidance for wireless access through hotspots, such as changing the hotspot's default SSID, enabling the hotspot's port filtering/blocking features, and only allowing hotspot connections from organization controlled devices. It is recommended that your organization select and install radio antennas and calibrate transmission power level to limit unauthorized use of wireless communications outside of organization-controlled boundaries.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 39 compliance controls are associated with this Policy definition 'Protect wireless access' (d42a8f69-a193-6cbc-48b9-04a9e29961f1)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 AC-18 FedRAMP_High_R4_AC-18 FedRAMP High AC-18 Access Control Wireless Access Shared n/a The organization: a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and b. Authorizes wireless access to the information system prior to allowing such connections. Supplemental Guidance: Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls: AC-2, AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4. References: NIST Special Publications 800-48, 800-94, 800-97. link 2
FedRAMP_High_R4 AC-18(1) FedRAMP_High_R4_AC-18(1) FedRAMP High AC-18 (1) Access Control Authentication And Encryption Shared n/a The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. Supplemental Guidance: Related controls: SC-8, SC-13. link 3
FedRAMP_Moderate_R4 AC-18 FedRAMP_Moderate_R4_AC-18 FedRAMP Moderate AC-18 Access Control Wireless Access Shared n/a The organization: a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and b. Authorizes wireless access to the information system prior to allowing such connections. Supplemental Guidance: Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls: AC-2, AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4. References: NIST Special Publications 800-48, 800-94, 800-97. link 2
FedRAMP_Moderate_R4 AC-18(1) FedRAMP_Moderate_R4_AC-18(1) FedRAMP Moderate AC-18 (1) Access Control Authentication And Encryption Shared n/a The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. Supplemental Guidance: Related controls: SC-8, SC-13. link 3
hipaa 0301.09o1Organizational.123-09.o hipaa-0301.09o1Organizational.123-09.o 0301.09o1Organizational.123-09.o 03 Portable Media Security 0301.09o1Organizational.123-09.o 09.07 Media Handling Shared n/a The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media are used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized. 14
hipaa 0504.09m2Organizational.5-09.m hipaa-0504.09m2Organizational.5-09.m 0504.09m2Organizational.5-09.m 05 Wireless Security 0504.09m2Organizational.5-09.m 09.06 Network Security Management Shared n/a Firewalls are configured to deny or control any traffic from a wireless environment into the covered data environment. 4
hipaa 0858.09m1Organizational.4-09.m hipaa-0858.09m1Organizational.4-09.m 0858.09m1Organizational.4-09.m 08 Network Protection 0858.09m1Organizational.4-09.m 09.06 Network Security Management Shared n/a The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative. 7
hipaa 0861.09m2Organizational.67-09.m hipaa-0861.09m2Organizational.67-09.m 0861.09m2Organizational.67-09.m 08 Network Protection 0861.09m2Organizational.67-09.m 09.06 Network Security Management Shared n/a To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either a (i) shared known information solution, or (ii) an organizational authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system. 7
ISO27001-2013 A.13.1.1 ISO27001-2013_A.13.1.1 ISO 27001:2013 A.13.1.1 Communications Security Network controls Shared n/a Networks shall be managed and controlled to protect information in systems and applications. link 40
ISO27001-2013 A.13.2.1 ISO27001-2013_A.13.2.1 ISO 27001:2013 A.13.2.1 Communications Security Information transfer policies and procedures Shared n/a Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. link 32
ISO27001-2013 A.6.2.1 ISO27001-2013_A.6.2.1 ISO 27001:2013 A.6.2.1 Organization of Information Security Mobile device policy Shared n/a A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. link 13
mp.com.2 Protection of confidentiality mp.com.2 Protection of confidentiality 404 not found n/a n/a 55
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity 404 not found n/a n/a 62
mp.com.4 Separation of information flows on the network mp.com.4 Separation of information flows on the network 404 not found n/a n/a 51
mp.eq.3 Protection of portable devices mp.eq.3 Protection of portable devices 404 not found n/a n/a 71
mp.eq.4 Other devices connected to the network mp.eq.4 Other devices connected to the network 404 not found n/a n/a 35
mp.info.2 Rating of information mp.info.2 Rating of information 404 not found n/a n/a 45
NIST_SP_800-171_R2_3 .1.16 NIST_SP_800-171_R2_3.1.16 NIST SP 800-171 R2 3.1.16 Access Control Authorize wireless access prior to allowing such connections Shared Microsoft is responsible for implementing this requirement. Establishing usage restrictions and configuration/connection requirements for wireless access to the system provides criteria for organizations to support wireless access authorization decisions. Such restrictions and requirements reduce the susceptibility to unauthorized access to the system through wireless technologies. Wireless networks use authentication protocols which provide credential protection and mutual authentication. [SP 800-97] provides guidance on secure wireless networks. link 2
NIST_SP_800-171_R2_3 .1.17 NIST_SP_800-171_R2_3.1.17 NIST SP 800-171 R2 3.1.17 Access Control Protect wireless access using authentication and encryption Shared Microsoft is responsible for implementing this requirement. Organizations authenticate individuals and devices to help protect wireless access to the system. Special attention is given to the wide variety of devices that are part of the Internet of Things with potential wireless access to organizational systems. See [NIST CRYPTO]. link 3
NIST_SP_800-53_R4 AC-18 NIST_SP_800-53_R4_AC-18 NIST SP 800-53 Rev. 4 AC-18 Access Control Wireless Access Shared n/a The organization: a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and b. Authorizes wireless access to the information system prior to allowing such connections. Supplemental Guidance: Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls: AC-2, AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4. References: NIST Special Publications 800-48, 800-94, 800-97. link 2
NIST_SP_800-53_R4 AC-18(1) NIST_SP_800-53_R4_AC-18(1) NIST SP 800-53 Rev. 4 AC-18 (1) Access Control Authentication And Encryption Shared n/a The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. Supplemental Guidance: Related controls: SC-8, SC-13. link 3
NIST_SP_800-53_R5 AC-18 NIST_SP_800-53_R5_AC-18 NIST SP 800-53 Rev. 5 AC-18 Access Control Wireless Access Shared n/a a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and b. Authorize each type of wireless access to the system prior to allowing such connections. link 2
NIST_SP_800-53_R5 AC-18(1) NIST_SP_800-53_R5_AC-18(1) NIST SP 800-53 Rev. 5 AC-18 (1) Access Control Authentication and Encryption Shared n/a Protect wireless access to the system using authentication of [Selection (OneOrMore): users;devices] and encryption. link 3
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
op.exp.2 Security configuration op.exp.2 Security configuration 404 not found n/a n/a 112
op.exp.3 Security configuration management op.exp.3 Security configuration management 404 not found n/a n/a 123
op.ext.4 Interconnection of systems op.ext.4 Interconnection of systems 404 not found n/a n/a 68
op.mon.1 Intrusion detection op.mon.1 Intrusion detection 404 not found n/a n/a 50
op.pl.2 Security Architecture op.pl.2 Security Architecture 404 not found n/a n/a 65
org.2 Security regulations org.2 Security regulations 404 not found n/a n/a 100
org.3 Security procedures org.3 Security procedures 404 not found n/a n/a 83
org.4 Authorization process org.4 Authorization process 404 not found n/a n/a 127
PCI_DSS_v4.0 1.3.3 PCI_DSS_v4.0_1.3.3 PCI DSS v4.0 1.3.3 Requirement 01: Install and Maintain Network Security Controls Network access to and from the cardholder data environment is restricted Shared n/a NSCs are installed between all wireless networks and the CDE, regardless of whether the wireless network is a CDE, such that: • All wireless traffic from wireless networks into the CDE is denied by default. • Only wireless traffic with an authorized business purpose is allowed into the CDE. link 2
PCI_DSS_v4.0 11.2.2 PCI_DSS_v4.0_11.2.2 PCI DSS v4.0 11.2.2 Requirement 11: Test Security of Systems and Networks Regularly Wireless access points are identified and monitored, and unauthorized wireless access points are addressed Shared n/a An inventory of authorized wireless access points is maintained, including a documented business justification. link 2
PCI_DSS_v4.0 2.3.1 PCI_DSS_v4.0_2.3.1 PCI DSS v4.0 2.3.1 Requirement 02: Apply Secure Configurations to All System Components Wireless environments are configured and managed securely Shared n/a For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to: • Default wireless encryption keys. • Passwords or wireless access points. • SNMP defaults. • Any other security-related wireless vendor defaults. link 3
PCI_DSS_v4.0 2.3.2 PCI_DSS_v4.0_2.3.2 PCI DSS v4.0 2.3.2 Requirement 02: Apply Secure Configurations to All System Components Wireless environments are configured and managed securely Shared n/a For wireless environments connected to the CDE or transmitting account data, wireless encryption keys are changed as follows: • Whenever personnel with knowledge of the key leave the company or the role for which the knowledge was necessary. • Whenever a key is suspected of or known to be compromised. link 3
PCI_DSS_v4.0 4.2.1.2 PCI_DSS_v4.0_4.2.1.2 PCI DSS v4.0 4.2.1.2 Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks PAN is protected with strong cryptography during transmission Shared n/a Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission. link 3
SWIFT_CSCF_v2022 1.4 SWIFT_CSCF_v2022_1.4 SWIFT CSCF v2022 1.4 1. Restrict Internet Access & Protect Critical Systems from General IT Environment Control/Protect Internet access from operator PCs and systems within the secure zone. Shared n/a All general-purpose and dedicated operator PCs, as well as systems within the secure zone, have controlled direct internet access in line with business. link 11
SWIFT_CSCF_v2022 2.6 SWIFT_CSCF_v2022_2.6 SWIFT CSCF v2022 2.6 2. Reduce Attack Surface and Vulnerabilities Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications Shared n/a The confidentiality and integrity of interactive operator sessions that connect to service provider SWIFT-related applications or into the secure zone are safeguarded. link 17
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add d42a8f69-a193-6cbc-48b9-04a9e29961f1
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC