last sync: 2024-Jun-13 18:14:14 UTC

Require approval for account creation | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Require approval for account creation
Id de770ba6-50dd-a316-2932-e0d972eaa734
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0431 - Require approval for account creation
Additional metadata Name/Id: CMA_0431 / CMA_0431
Category: Operational
Title: Require approval for account creation
Ownership: Customer
Description: Microsoft recommends that your organization require approvals by organizationally-defined personnel or roles for requests to create Azure accounts. Your organization should consider creating and maintaining Access Control policies and standard operating procedures include details on procedures for role assignment and verification of requirements of role assignment. Learn more: https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-process
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 88 compliance controls are associated with this Policy definition 'Require approval for account creation' (de770ba6-50dd-a316-2932-e0d972eaa734)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 1.12 CIS_Azure_1.1.0_1.12 CIS Microsoft Azure Foundations Benchmark recommendation 1.12 1 Identity and Access Management Ensure that 'Guest user permissions are limited' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Limit guest user permissions. link 8
CIS_Azure_1.1.0 1.13 CIS_Azure_1.1.0_1.13 CIS Microsoft Azure Foundations Benchmark recommendation 1.13 1 Identity and Access Management Ensure that 'Members can invite' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict invitations to administrators only. link 8
CIS_Azure_1.1.0 1.14 CIS_Azure_1.1.0_1.14 CIS Microsoft Azure Foundations Benchmark recommendation 1.14 1 Identity and Access Management Ensure that 'Guests can invite' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict guest invitations. link 8
CIS_Azure_1.1.0 1.15 CIS_Azure_1.1.0_1.15 CIS Microsoft Azure Foundations Benchmark recommendation 1.15 1 Identity and Access Management Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Restrict access to the Azure AD administration portal to administrators only. link 7
CIS_Azure_1.1.0 3.6 CIS_Azure_1.1.0_3.6 CIS Microsoft Azure Foundations Benchmark recommendation 3.6 3 Storage Accounts Ensure that 'Public access level' is set to Private for blob containers Shared The customer is responsible for implementing this recommendation. Disable anonymous access to blob containers. link 7
CIS_Azure_1.1.0 8.5 CIS_Azure_1.1.0_8.5 CIS Microsoft Azure Foundations Benchmark recommendation 8.5 8 Other Security Considerations Enable role-based access control (RBAC) within Azure Kubernetes Services Shared The customer is responsible for implementing this recommendation. Ensure that RBAC is enabled on all Azure Kubernetes Services Instances link 7
CIS_Azure_1.3.0 1.12 CIS_Azure_1.3.0_1.12 CIS Microsoft Azure Foundations Benchmark recommendation 1.12 1 Identity and Access Management Ensure that 'Guest user permissions are limited' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Limit guest user permissions. link 8
CIS_Azure_1.3.0 1.13 CIS_Azure_1.3.0_1.13 CIS Microsoft Azure Foundations Benchmark recommendation 1.13 1 Identity and Access Management Ensure that 'Members can invite' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict invitations to administrators only. link 8
CIS_Azure_1.3.0 1.14 CIS_Azure_1.3.0_1.14 CIS Microsoft Azure Foundations Benchmark recommendation 1.14 1 Identity and Access Management Ensure that 'Guests can invite' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict guest being able to invite other guests to collaborate with your organization. link 8
CIS_Azure_1.3.0 1.15 CIS_Azure_1.3.0_1.15 CIS Microsoft Azure Foundations Benchmark recommendation 1.15 1 Identity and Access Management Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Restrict access to the Azure AD administration portal to administrators only. link 6
CIS_Azure_1.3.0 3.5 CIS_Azure_1.3.0_3.5 CIS Microsoft Azure Foundations Benchmark recommendation 3.5 3 Storage Accounts Ensure that 'Public access level' is set to Private for blob containers Shared The customer is responsible for implementing this recommendation. Disable anonymous access to blob containers and disallow blob public access on storage account. link 7
CIS_Azure_1.3.0 8.5 CIS_Azure_1.3.0_8.5 CIS Microsoft Azure Foundations Benchmark recommendation 8.5 8 Other Security Considerations Enable role-based access control (RBAC) within Azure Kubernetes Services Shared The customer is responsible for implementing this recommendation. Ensure that RBAC is enabled on all Azure Kubernetes Services Instances link 7
CIS_Azure_1.4.0 1.12 CIS_Azure_1.4.0_1.12 CIS Microsoft Azure Foundations Benchmark recommendation 1.12 1 Identity and Access Management Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'' Shared The customer is responsible for implementing this recommendation. Limit guest user permissions. link 8
CIS_Azure_1.4.0 1.13 CIS_Azure_1.4.0_1.13 CIS Microsoft Azure Foundations Benchmark recommendation 1.13 1 Identity and Access Management Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" Shared The customer is responsible for implementing this recommendation. Restrict invitations to users with specific admin roles only. link 8
CIS_Azure_1.4.0 1.14 CIS_Azure_1.4.0_1.14 CIS Microsoft Azure Foundations Benchmark recommendation 1.14 1 Identity and Access Management Ensure That 'Restrict access to Azure AD administration portal' is Set to "Yes" Shared The customer is responsible for implementing this recommendation. Restrict access to the Azure AD administration portal to administrators only. link 6
CIS_Azure_1.4.0 3.5 CIS_Azure_1.4.0_3.5 CIS Microsoft Azure Foundations Benchmark recommendation 3.5 3 Storage Accounts Ensure that 'Public access level' is set to Private for blob containers Shared The customer is responsible for implementing this recommendation. Disable anonymous access to blob containers and disallow blob public access on storage account. link 7
CIS_Azure_1.4.0 8.7 CIS_Azure_1.4.0_8.7 CIS Microsoft Azure Foundations Benchmark recommendation 8.7 8 Other Security Considerations Enable role-based access control (RBAC) within Azure Kubernetes Services Shared The customer is responsible for implementing this recommendation. Ensure that RBAC is enabled on all Azure Kubernetes Services Instances link 7
CIS_Azure_2.0.0 1.15 CIS_Azure_2.0.0_1.15 CIS Microsoft Azure Foundations Benchmark recommendation 1.15 1 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' Shared This may create additional requests for permissions to access resources that administrators will need to approve. Limit guest user permissions. Limiting guest access ensures that guest accounts do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory. Guest access has three levels of restriction. 1. Guest users have the same access as members (most inclusive), 2. Guest users have limited access to properties and memberships of directory objects (default value), 3. Guest user access is restricted to properties and memberships of their own directory objects (most restrictive). The recommended option is the 3rd, most restrictive: "Guest user access is restricted to their own directory object". link 8
CIS_Azure_2.0.0 1.16 CIS_Azure_2.0.0_1.16 CIS Microsoft Azure Foundations Benchmark recommendation 1.16 1 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" Shared With the option of `Only users assigned to specific admin roles can invite guest users` selected, users with specific admin roles will be in charge of sending invitations to the external users, requiring additional overhead by them to manage user accounts. This will mean coordinating with other departments as they are onboarding new users. Restrict invitations to users with specific administrative roles only. Restricting invitations to users with specific administrator roles ensures that only authorized accounts have access to cloud resources. This helps to maintain "Need to Know" permissions and prevents inadvertent access to data. By default the setting `Guest invite restrictions` is set to `Anyone in the organization can invite guest users including guests and non-admins`. This would allow anyone within the organization to invite guests and non-admins to the tenant, posing a security risk. link 8
CIS_Azure_2.0.0 1.17 CIS_Azure_2.0.0_1.17 CIS Microsoft Azure Foundations Benchmark recommendation 1.17 1 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' Shared All administrative tasks will need to be done by Administrators, causing additional overhead in management of users and resources. Restrict access to the Azure AD administration portal to administrators only. **NOTE**: This only affects access to the Azure AD administrator's web portal. This setting does not prohibit privileged users from using other methods such as Rest API or Powershell to obtain sensitive information from Azure AD. The Azure AD administrative portal has sensitive data and permission settings. All non-administrators should be prohibited from accessing any Azure AD data in the administration portal to avoid exposure. link 6
CIS_Azure_2.0.0 3.7 CIS_Azure_2.0.0_3.7 CIS Microsoft Azure Foundations Benchmark recommendation 3.7 3 Ensure that 'Public access level' is disabled for storage accounts with blob containers Shared Access will have to be managed using shared access signatures or via Azure AD RBAC. Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account. The default configuration for a storage account permits a user with appropriate permissions to configure public (anonymous) access to containers and blobs in a storage account. Keep in mind that public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token or Azure AD RBAC should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on any container in the storage account, it’s recommended to set allowBlobPublicAccess false at the account level, which forbids any container to accept anonymous access in the future. link 7
FedRAMP_High_R4 AC-2 FedRAMP_High_R4_AC-2 FedRAMP High AC-2 Access Control Account Management Shared n/a The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of, information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. Supplemental Guidance: Information system account types include individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. References: None. link 25
FedRAMP_High_R4 AC-3 FedRAMP_High_R4_AC-3 FedRAMP High AC-3 Access Control Access Enforcement Shared n/a The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3. References: None. link 21
FedRAMP_Moderate_R4 AC-2 FedRAMP_Moderate_R4_AC-2 FedRAMP Moderate AC-2 Access Control Account Management Shared n/a The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of, information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. Supplemental Guidance: Information system account types include individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. References: None. link 25
FedRAMP_Moderate_R4 AC-3 FedRAMP_Moderate_R4_AC-3 FedRAMP Moderate AC-3 Access Control Access Enforcement Shared n/a The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3. References: None. link 21
hipaa 0227.09k2Organizational.12-09.k hipaa-0227.09k2Organizational.12-09.k 0227.09k2Organizational.12-09.k 02 Endpoint Protection 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code Shared n/a The organization takes specific actions to protect against mobile code performing unauthorized actions. 18
hipaa 0644.10k3Organizational.4-10.k hipaa-0644.10k3Organizational.4-10.k 0644.10k3Organizational.4-10.k 06 Configuration Management 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes Shared n/a The organization employs automated mechanisms to (i) centrally manage, apply, and verify configuration settings; (ii) respond to unauthorized changes to network and system security-related configuration settings; and, (iii) enforce access restrictions and auditing of the enforcement actions. 20
hipaa 0894.01m2Organizational.7-01.m hipaa-0894.01m2Organizational.7-01.m 0894.01m2Organizational.7-01.m 08 Network Protection 0894.01m2Organizational.7-01.m 01.04 Network Access Control Shared n/a Networks are segregated from production-level networks when migrating physical servers, applications, or data to virtualized servers. 19
hipaa 1106.01b1System.1-01.b hipaa-1106.01b1System.1-01.b 1106.01b1System.1-01.b 11 Access Control 1106.01b1System.1-01.b 01.02 Authorized Access to Information Systems Shared n/a User identities are verified prior to establishing accounts. 10
hipaa 1109.01b1System.479-01.b hipaa-1109.01b1System.479-01.b 1109.01b1System.479-01.b 11 Access Control 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems Shared n/a User registration and deregistration, at a minimum: (i) communicates relevant policies to users and require acknowledgement (e.g., signed or captured electronically); (ii) checks authorization and minimum level of access necessary prior to granting access; (iii) ensures access is appropriate to the business needs (consistent with sensitivity/risk and does not violate segregation of duties requirements); (iv) addresses termination and transfer; (v) ensures default accounts are removed and/or renamed; (vi) removes or blocks critical access rights of users who have changed roles or jobs; and, (vii) automatically removes or disables inactive accounts. 24
hipaa 11220.01b1System.10-01.b hipaa-11220.01b1System.10-01.b 11220.01b1System.10-01.b 11 Access Control 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems Shared n/a User registration and de-registration formally address establishing, activating, modifying, reviewing, disabling and removing accounts. 26
hipaa 1143.01c1System.123-01.c hipaa-1143.01c1System.123-01.c 1143.01c1System.123-01.c 11 Access Control 1143.01c1System.123-01.c 01.02 Authorized Access to Information Systems Shared n/a Privileges are formally authorized and controlled, allocated to users on a need-to-use and event-by-event basis for their functional role (e.g., user or administrator), and documented for each system product/element. 10
hipaa 1145.01c2System.1-01.c hipaa-1145.01c2System.1-01.c 1145.01c2System.1-01.c 11 Access Control 1145.01c2System.1-01.c 01.02 Authorized Access to Information Systems Shared n/a Role-based access control is implemented and capable of mapping each user to one or more roles, and each role to one or more system functions. 8
hipaa 1153.01c3System.35-01.c hipaa-1153.01c3System.35-01.c 1153.01c3System.35-01.c 11 Access Control 1153.01c3System.35-01.c 01.02 Authorized Access to Information Systems Shared n/a All file system access not explicitly required is disabled, and only authorized users are permitted access to only that which is expressly required for the performance of the users' job duties. 2
hipaa 1230.09c2Organizational.1-09.c hipaa-1230.09c2Organizational.1-09.c 1230.09c2Organizational.1-09.c 12 Audit Logging & Monitoring 1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures Shared n/a No single person is able to access, modify, or use information systems without authorization or detection. 13
hipaa 1232.09c3Organizational.12-09.c hipaa-1232.09c3Organizational.12-09.c 1232.09c3Organizational.12-09.c 12 Audit Logging & Monitoring 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures Shared n/a Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls. 21
hipaa 1271.09ad1System.1-09.ad hipaa-1271.09ad1System.1-09.ad 1271.09ad1System.1-09.ad 12 Audit Logging & Monitoring 1271.09ad1System.1-09.ad 09.10 Monitoring Shared n/a An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. 8
hipaa 1271.09ad2System.1 hipaa-1271.09ad2System.1 1271.09ad2System.1 12 Audit Logging & Monitoring 1271.09ad2System.1 09.10 Monitoring Shared n/a An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. 7
hipaa 1276.09c2Organizational.2-09.c hipaa-1276.09c2Organizational.2-09.c 1276.09c2Organizational.2-09.c 12 Audit Logging & Monitoring 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures Shared n/a Security audit activities are independent. 18
hipaa 1504.06e1Organizational.34-06.e hipaa-1504.06e1Organizational.34-06.e 1504.06e1Organizational.34-06.e 15 Incident Management 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements Shared n/a Management approves the use of information assets and takes appropriate action when unauthorized activity occurs. 16
hipaa 19141.06c1Organizational.7-06.c hipaa-19141.06c1Organizational.7-06.c 19141.06c1Organizational.7-06.c 19 Data Protection & Privacy 19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements Shared n/a Important records, such as contracts, personnel records, financial information, client/customer information, etc., of the organization are protected from loss, destruction and falsification through the implementation of security controls such as access controls, encryption, backups, electronic signatures, locked facilities or containers, etc. 10
ISO27001-2013 A.13.1.1 ISO27001-2013_A.13.1.1 ISO 27001:2013 A.13.1.1 Communications Security Network controls Shared n/a Networks shall be managed and controlled to protect information in systems and applications. link 40
ISO27001-2013 A.14.1.2 ISO27001-2013_A.14.1.2 ISO 27001:2013 A.14.1.2 System Acquisition, Development And Maintenance Securing application services on public networks Shared n/a Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. link 32
ISO27001-2013 A.14.1.3 ISO27001-2013_A.14.1.3 ISO 27001:2013 A.14.1.3 System Acquisition, Development And Maintenance Protecting application services transactions Shared n/a Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. link 29
ISO27001-2013 A.18.1.3 ISO27001-2013_A.18.1.3 ISO 27001:2013 A.18.1.3 Compliance Protection of records Shared n/a Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements. link 15
ISO27001-2013 A.6.2.2 ISO27001-2013_A.6.2.2 ISO 27001:2013 A.6.2.2 Organization of Information Security Teleworking Shared n/a A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. link 16
ISO27001-2013 A.9.1.2 ISO27001-2013_A.9.1.2 ISO 27001:2013 A.9.1.2 Access Control Access to networks and network services Shared n/a Users shall only be provided with access to the network and network services that they have been specifically authorized to use. link 29
ISO27001-2013 A.9.2.1 ISO27001-2013_A.9.2.1 ISO 27001:2013 A.9.2.1 Access Control User registration and de-registration Shared n/a A formal user registration and de-registration process shall be implemented to enable assignment of access rights. link 27
ISO27001-2013 A.9.2.2 ISO27001-2013_A.9.2.2 ISO 27001:2013 A.9.2.2 Access Control User access provisioning Shared n/a A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. link 19
ISO27001-2013 A.9.2.3 ISO27001-2013_A.9.2.3 ISO 27001:2013 A.9.2.3 Access Control Management of privileged access rights Shared n/a The allocation and use of privileged access rights shall be restricted and controlled. link 33
ISO27001-2013 A.9.2.5 ISO27001-2013_A.9.2.5 ISO 27001:2013 A.9.2.5 Access Control Review of user access rights Shared n/a Asset owners shall review users' access rights at regular intervals. link 17
ISO27001-2013 A.9.2.6 ISO27001-2013_A.9.2.6 ISO 27001:2013 A.9.2.6 Access Control Removal or adjustment of access rights Shared n/a The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. link 17
ISO27001-2013 A.9.4.1 ISO27001-2013_A.9.4.1 ISO 27001:2013 A.9.4.1 Access Control Information access restriction Shared n/a Access to information and application system functions shall be restricted in accordance with the access control policy. link 11
ISO27001-2013 A.9.4.4 ISO27001-2013_A.9.4.4 ISO 27001:2013 A.9.4.4 Access Control Use of privileged utility programs Shared n/a The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. link 9
ISO27001-2013 A.9.4.5 ISO27001-2013_A.9.4.5 ISO 27001:2013 A.9.4.5 Access Control Access control to program source code Shared n/a Access to program source code shall be restricted. link 10
mp.com.2 Protection of confidentiality mp.com.2 Protection of confidentiality 404 not found n/a n/a 55
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity 404 not found n/a n/a 62
mp.com.4 Separation of information flows on the network mp.com.4 Separation of information flows on the network 404 not found n/a n/a 51
mp.info.3 Electronic signature mp.info.3 Electronic signature 404 not found n/a n/a 40
mp.info.4 Time stamps mp.info.4 Time stamps 404 not found n/a n/a 33
mp.sw.1 IT Aplications development mp.sw.1 IT Aplications development 404 not found n/a n/a 51
NIST_SP_800-171_R2_3 .1.2 NIST_SP_800-171_R2_3.1.2 NIST SP 800-171 R2 3.1.2 Access Control Limit system access to the types of transactions and functions that authorized users are permitted to execute. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). link 31
NIST_SP_800-53_R4 AC-2 NIST_SP_800-53_R4_AC-2 NIST SP 800-53 Rev. 4 AC-2 Access Control Account Management Shared n/a The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of, information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. Supplemental Guidance: Information system account types include individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. References: None. link 25
NIST_SP_800-53_R4 AC-3 NIST_SP_800-53_R4_AC-3 NIST SP 800-53 Rev. 4 AC-3 Access Control Access Enforcement Shared n/a The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3. References: None. link 21
NIST_SP_800-53_R5 AC-2 NIST_SP_800-53_R5_AC-2 NIST SP 800-53 Rev. 5 AC-2 Access Control Account Management Shared n/a a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: organization-defined time period] when accounts are no longer required; 2. [Assignment: organization-defined time period] when users are terminated or transferred; and 3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes. link 25
NIST_SP_800-53_R5 AC-3 NIST_SP_800-53_R5_AC-3 NIST SP 800-53 Rev. 5 AC-3 Access Control Access Enforcement Shared n/a Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. link 21
op.acc.1 Identification op.acc.1 Identification 404 not found n/a n/a 66
op.acc.2 Access requirements op.acc.2 Access requirements 404 not found n/a n/a 64
op.acc.3 Segregation of functions and tasks op.acc.3 Segregation of functions and tasks 404 not found n/a n/a 43
op.acc.4 Access rights management process op.acc.4 Access rights management process 404 not found n/a n/a 40
op.acc.5 Authentication mechanism (external users) op.acc.5 Authentication mechanism (external users) 404 not found n/a n/a 72
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
op.ext.4 Interconnection of systems op.ext.4 Interconnection of systems 404 not found n/a n/a 68
op.pl.2 Security Architecture op.pl.2 Security Architecture 404 not found n/a n/a 65
op.pl.3 Acquisition of new components op.pl.3 Acquisition of new components 404 not found n/a n/a 61
org.1 Security policy org.1 Security policy 404 not found n/a n/a 94
PCI_DSS_v4.0 7.2.1 PCI_DSS_v4.0_7.2.1 PCI DSS v4.0 7.2.1 Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know Access to system components and data is appropriately defined and assigned Shared n/a An access control model is defined and includes granting access as follows: • Appropriate access depending on the entity’s business and access needs. • Access to system components and data resources that is based on users’ job classification and functions. • The least privileges required (for example, user, administrator) to perform a job function. link 10
PCI_DSS_v4.0 7.2.3 PCI_DSS_v4.0_7.2.3 PCI DSS v4.0 7.2.3 Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know Access to system components and data is appropriately defined and assigned Shared n/a Required privileges are approved by authorized personnel. link 8
PCI_DSS_v4.0 7.2.6 PCI_DSS_v4.0_7.2.6 PCI DSS v4.0 7.2.6 Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know Access to system components and data is appropriately defined and assigned Shared n/a All user access to query repositories of stored cardholder data is restricted as follows: • Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges. • Only the responsible administrator(s) can directly access or query repositories of stored CHD. link 8
PCI_DSS_v4.0 7.3.1 PCI_DSS_v4.0_7.3.1 PCI DSS v4.0 7.3.1 Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know Access to system components and data is managed via an access control system(s) Shared n/a An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components. link 17
PCI_DSS_v4.0 7.3.2 PCI_DSS_v4.0_7.3.2 PCI DSS v4.0 7.3.2 Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know Access to system components and data is managed via an access control system(s) Shared n/a The access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function. link 10
PCI_DSS_v4.0 7.3.3 PCI_DSS_v4.0_7.3.3 PCI DSS v4.0 7.3.3 Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know Access to system components and data is managed via an access control system(s) Shared n/a The access control system(s) is set to “deny all” by default. link 6
PCI_DSS_v4.0 8.2.4 PCI_DSS_v4.0_8.2.4 PCI DSS v4.0 8.2.4 Requirement 08: Identify Users and Authenticate Access to System Components User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle Shared n/a Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed as follows: • Authorized with the appropriate approval. • Implemented with only the privileges specified on the documented approval. link 7
PCI_DSS_v4.0 8.6.1 PCI_DSS_v4.0_8.6.1 PCI DSS v4.0 8.6.1 Requirement 08: Identify Users and Authenticate Access to System Components Use of application and system accounts and associated authentication factors is strictly managed Shared n/a If accounts used by systems or a can be used for interactive login, they are managed as follows: • Interactive use is prevented unless needed for an exceptional circumstance. • Interactive use is limited to the time needed for the exceptional circumstance. • Business justification for interactive use is documented. • Interactive use is explicitly approved by management. • Individual user identity is confirmed before access to account is granted. • Every action taken is attributable to an individual user. link 2
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 79
SOC_2 CC6.2 SOC_2_CC6.2 SOC 2 Type 2 CC6.2 Logical and Physical Access Controls Access provisioning and removal Shared The customer is responsible for implementing this recommendation. Controls Access Credentials to Protected Assets — Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian. • Removes Access to Protected Assets When Appropriate — Processes are in place to remove credential access when an individual no longer requires such access. • Reviews Appropriateness of Access Credentials — The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate indIviduals with credentials. 11
SWIFT_CSCF_v2022 2.11A SWIFT_CSCF_v2022_2.11A SWIFT CSCF v2022 2.11A 2. Reduce Attack Surface and Vulnerabilities Restrict transaction activity to validated and approved business counterparties. Shared n/a Implement RMA controls to restrict transaction activity with effective business counterparties. link 10
SWIFT_CSCF_v2022 5.1 SWIFT_CSCF_v2022_5.1 SWIFT CSCF v2022 5.1 5. Manage Identities and Segregate Privileges Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. Shared n/a Accounts are defined according to the security principles of need-to-know access, least privilege, and separation of duties. link 35
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add de770ba6-50dd-a316-2932-e0d972eaa734
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC