last sync: 2024-Oct-04 17:51:30 UTC

Authorize, monitor, and control voip | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Authorize, monitor, and control voip
Id: e4e1f896-8a93-1151-43c7-0ad23b081ee2
Version: 1.1.0 (Built-in Versioning [Preview]; versions supported for Versioning: 1)
Category: Regulatory Compliance
Description: CMA_0025 - Authorize, monitor, and control voip
Additional metadata
Name/Id: CMA_0025 / CMA_0025
Category: Operational
Title: Authorize, monitor, and control voip
Ownership: Customer
Description: Microsoft recommends that your organization authorize, monitor, and control the Voice over Internet Protocol (VoIP) technologies it uses. For example, your organization can encrypt VoIP traffic to protect it from unwanted disclosure or modification. Your organization should consider creating and maintaining System and Communications Protection policies and standard operating procedures that include processes for authorizing, monitoring, and controlling the VoIP technologies in use. Microsoft also recommends establishing processes to configure video teleconferencing (VTC) and VoIP devices with secure signaling and data protocols, including encryption, two-way authentication and authorization mechanisms, access limited to authorized devices, removal of unused and prohibited functions, and individual logins for IP phones. In addition, your organization should use VoIP or traditional analog phones in lobbies, place VoIP on dedicated networks, run host-based firewalls on workstations, and apply access controls to softphones and webcams.
Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default Manual; Allowed Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1) Microsoft.Resources/subscriptions
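Because the effect is Manual, Azure Policy never evaluates the subscription for this definition itself: the assignment shows as non-compliant until a person records an attestation, with evidence, against it. The following Azure PowerShell script is an added example of that workflow and is not part of this page or of Microsoft's policy definition; the subscription ID, assignment name, owner address, evidence URI and comment text are placeholders, and it assumes an authenticated session with the Az.Accounts, Az.Resources and Az.PolicyInsights modules installed.

```powershell
# Added example (not from the page): assign the manual built-in policy
# 'Authorize, monitor, and control voip' to a subscription and record a
# compliance attestation for it. Subscription ID, names, owner and evidence
# URI are assumed placeholders; the definition GUID is the one on the page.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # assumed
$scope          = "/subscriptions/$subscriptionId"
$assignmentName = 'cma-0025-voip'                          # assumed

Set-AzContext -Subscription $subscriptionId | Out-Null

# Built-in definitions are addressed by their GUID name.
$definition = Get-AzPolicyDefinition -Name 'e4e1f896-8a93-1151-43c7-0ad23b081ee2'

# Assign at subscription scope (the definition's only rule resource type).
# The 'effect' parameter defaults to Manual; Disabled is the only other allowed value.
New-AzPolicyAssignment -Name $assignmentName `
    -DisplayName 'Authorize, monitor, and control VoIP (CMA_0025)' `
    -Scope $scope `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ effect = 'Manual' } | Out-Null

# The assignment resource ID is deterministic, so build it rather than relying
# on the output object's property names, which differ across Az.Resources versions.
$assignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/$assignmentName"

# Evidence should point at the artefacts an assessor would ask for under SC-19:
# the VoIP usage policy/SOP and the monitoring record. Values below are assumed.
$evidence = @{
    Description = 'VoIP usage policy, device configuration standard and quarterly monitoring review'
    SourceUri   = 'https://contoso.example/evidence/voip-sc19-2024q4.pdf'
}

# Record the attestation. ExpiresOn forces the control to be re-attested; once
# it lapses the assignment reverts to non-compliant in the compliance view.
New-AzPolicyAttestation -Name "$assignmentName-2024q4" `
    -PolicyAssignmentId $assignmentId `
    -ComplianceState 'Compliant' `
    -Owner 'security-governance@contoso.example' `
    -Comment 'VoIP authorized, monitored and controlled per the SC-19 SOP; encrypted signaling and media verified' `
    -Evidence $evidence `
    -ExpiresOn (Get-Date).AddMonths(12)

# Confirm what was recorded.
Get-AzPolicyAttestation -Name "$assignmentName-2024q4" |
    Select-Object Name, ComplianceState, ExpiresOn, Owner
```

Attesting Compliant with no evidence and no expiry is technically accepted but defeats the point of the control; treat the evidence URI and the expiry as mandatory in your own SOP so the attestation can be challenged and has to be renewed.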
Compliance
The following 27 compliance controls are associated with this Policy definition 'Authorize, monitor, and control voip' (e4e1f896-8a93-1151-43c7-0ad23b081ee2)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SC-19 FedRAMP_High_R4_SC-19 FedRAMP High SC-19 System And Communications Protection Voice Over Internet Protocol Shared n/a The organization: a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b. Authorizes, monitors, and controls the use of VoIP within the information system. Supplemental Guidance: Related controls: CM-6, SC-7, SC-15. References: NIST Special Publication 800-58. link 2
FedRAMP_High_R4 SI-4(4) FedRAMP_High_R4_SI-4(4) FedRAMP High SI-4 (4) System And Information Integrity Inbound And Outbound Communications Traffic Shared n/a The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions. Supplemental Guidance: Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. link 4
FedRAMP_Moderate_R4 SC-19 FedRAMP_Moderate_R4_SC-19 FedRAMP Moderate SC-19 System And Communications Protection Voice Over Internet Protocol Shared n/a The organization: a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b. Authorizes, monitors, and controls the use of VoIP within the information system. Supplemental Guidance: Related controls: CM-6, SC-7, SC-15. References: NIST Special Publication 800-58. link 2
FedRAMP_Moderate_R4 SI-4(4) FedRAMP_Moderate_R4_SI-4(4) FedRAMP Moderate SI-4 (4) System And Information Integrity Inbound And Outbound Communications Traffic Shared n/a The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions. Supplemental Guidance: Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. link 4
hipaa 0809.01n2Organizational.1234-01.n hipaa-0809.01n2Organizational.1234-01.n 0809.01n2Organizational.1234-01.n 08 Network Protection 0809.01n2Organizational.1234-01.n 01.04 Network Access Control Shared n/a Network traffic is controlled in accordance with the organization’s access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. 17
hipaa 0811.01n2Organizational.6-01.n hipaa-0811.01n2Organizational.6-01.n 0811.01n2Organizational.6-01.n 08 Network Protection 0811.01n2Organizational.6-01.n 01.04 Network Access Control Shared n/a Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. 23
hipaa 0815.01o2Organizational.123-01.o hipaa-0815.01o2Organizational.123-01.o 0815.01o2Organizational.123-01.o 08 Network Protection 0815.01o2Organizational.123-01.o 01.04 Network Access Control Shared n/a Requirements for network routing control are based on the access control policy, including positive source and destination checking mechanisms, such as firewall validation of source/destination addresses, and the hiding of internal directory services and IP addresses. The organization designed and implemented network perimeters so that all outgoing network traffic to the Internet passes through at least one application layer filtering proxy server. The proxy supports decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a blacklist, and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites. The organization forces outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter. 4
hipaa 0822.09m2Organizational.4-09.m hipaa-0822.09m2Organizational.4-09.m 0822.09m2Organizational.4-09.m 08 Network Protection 0822.09m2Organizational.4-09.m 09.06 Network Security Management Shared n/a Firewalls restrict inbound and outbound traffic to the minimum necessary. 7
hipaa 0825.09m3Organizational.23-09.m hipaa-0825.09m3Organizational.23-09.m 0825.09m3Organizational.23-09.m 08 Network Protection 0825.09m3Organizational.23-09.m 09.06 Network Security Management Shared n/a Technical tools such as an IDS/IPS are implemented and operating on the network perimeter and other key points to identify vulnerabilities, monitor traffic, detect attack attempts and successful compromises, and mitigate threats; and these tools are updated on a regular basis. 7
hipaa 0830.09m3Organizational.1012-09.m hipaa-0830.09m3Organizational.1012-09.m 0830.09m3Organizational.1012-09.m 08 Network Protection 0830.09m3Organizational.1012-09.m 09.06 Network Security Management Shared n/a A DMZ is established with all database(s), servers, and other system components storing or processing covered information placed behind it to limit external network traffic to the internal network. 8
hipaa 0864.09m2Organizational.12-09.m hipaa-0864.09m2Organizational.12-09.m 0864.09m2Organizational.12-09.m 08 Network Protection 0864.09m2Organizational.12-09.m 09.06 Network Security Management Shared n/a Usage restrictions and implementation guidance are formally defined for VoIP, including the authorization and monitoring of the service. 4
hipaa 0866.09m3Organizational.1516-09.m hipaa-0866.09m3Organizational.1516-09.m 0866.09m3Organizational.1516-09.m 08 Network Protection 0866.09m3Organizational.1516-09.m 09.06 Network Security Management Shared n/a The organization describes the groups, roles, and responsibilities for the logical management of network components, and ensures coordination of and consistency in the elements of the network infrastructure. 11
hipaa 0868.09m3Organizational.18-09.m hipaa-0868.09m3Organizational.18-09.m 0868.09m3Organizational.18-09.m 08 Network Protection 0868.09m3Organizational.18-09.m 09.06 Network Security Management Shared n/a The organization builds a firewall configuration to restrict inbound and outbound traffic to that which is necessary for the covered data environment. 5
hipaa 1213.09ab2System.128-09.ab hipaa-1213.09ab2System.128-09.ab 1213.09ab2System.128-09.ab 12 Audit Logging & Monitoring 1213.09ab2System.128-09.ab 09.10 Monitoring Shared n/a Automated systems deployed throughout the organization's environment are used to monitor key events and anomalous activity, and analyze system logs, the results of which are reviewed regularly. 2
hipaa 1218.09ab3System.47-09.ab hipaa-1218.09ab3System.47-09.ab 1218.09ab3System.47-09.ab 12 Audit Logging & Monitoring 1218.09ab3System.47-09.ab 09.10 Monitoring Shared n/a Automated systems support near real-time analysis and alerting of events (e.g., malicious code, potential intrusions) and integrate intrusion detection into access and flow control mechanisms. 7
hipaa 1220.09ab3System.56-09.ab hipaa-1220.09ab3System.56-09.ab 1220.09ab3System.56-09.ab 12 Audit Logging & Monitoring 1220.09ab3System.56-09.ab 09.10 Monitoring Shared n/a Monitoring includes inbound and outbound communications and file integrity monitoring. 4
hipaa 1411.09f1System.1-09.f hipaa-1411.09f1System.1-09.f 1411.09f1System.1-09.f 14 Third Party Assurance 1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery Shared n/a The results of monitoring activities of third-party services are compared against the Service Level Agreements or contracts at least annually. 9
ISO27001-2013 A.12.4.1 ISO27001-2013_A.12.4.1 ISO 27001:2013 A.12.4.1 Operations Security Event Logging Shared n/a Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. link 53
ISO27001-2013 A.12.4.3 ISO27001-2013_A.12.4.3 ISO 27001:2013 A.12.4.3 Operations Security Administrator and operator logs Shared n/a System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. link 29
NIST_SP_800-171_R2 3.13.14 NIST_SP_800-171_R2_3.13.14 NIST SP 800-171 R2 3.13.14 System and Communications Protection Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. Shared Microsoft and the customer share responsibilities for implementing this requirement. VoIP has different requirements, features, functionality, availability, and service limitations when compared with the Plain Old Telephone Service (POTS) (i.e., the standard telephone service). In contrast, other telephone services are based on high-speed, digital communications lines, such as Integrated Services Digital Network (ISDN) and Fiber Distributed Data Interface (FDDI). The main distinctions between POTS and non-POTS services are speed and bandwidth. To address the threats associated with VoIP, usage restrictions and implementation guidelines are based on the potential for the VoIP technology to cause damage to the system if it is used maliciously. Threats to VoIP are similar to those inherent with any Internet-based application. [SP 800-58] provides guidance on Voice Over IP Systems. link 2
NIST_SP_800-53_R4 SC-19 NIST_SP_800-53_R4_SC-19 NIST SP 800-53 Rev. 4 SC-19 System And Communications Protection Voice Over Internet Protocol Shared n/a The organization: a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b. Authorizes, monitors, and controls the use of VoIP within the information system. Supplemental Guidance: Related controls: CM-6, SC-7, SC-15. References: NIST Special Publication 800-58. link 2
NIST_SP_800-53_R4 SI-4(4) NIST_SP_800-53_R4_SI-4(4) NIST SP 800-53 Rev. 4 SI-4 (4) System And Information Integrity Inbound And Outbound Communications Traffic Shared n/a The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions. Supplemental Guidance: Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. link 4
NIST_SP_800-53_R5 SI-4(4) NIST_SP_800-53_R5_SI-4(4) NIST SP 800-53 Rev. 5 SI-4 (4) System and Information Integrity Inbound and Outbound Communications Traffic Shared n/a (a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic; (b) Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions]. link 4
op.exp.8 Recording of the activity op.exp.8 Recording of the activity n/a n/a 67
SWIFT_CSCF_v2022 2.9 SWIFT_CSCF_v2022_2.9 SWIFT CSCF v2022 2.9 2. Reduce Attack Surface and Vulnerabilities Ensure outbound transaction activity within the expected bounds of normal business. Shared n/a Implement transaction detection, prevention, and validation controls to ensure outbound transaction activity within the expected bounds of normal business. link 7
SWIFT_CSCF_v2022 6.5A SWIFT_CSCF_v2022_6.5A SWIFT CSCF v2022 6.5A 6. Detect Anomalous Activity to Systems or Transaction Records Detect and contain anomalous network activity into and within the local or remote SWIFT environment. Shared n/a Intrusion detection is implemented to detect unauthorised network access and anomalous activity. link 17
SWIFT_CSCF_v2022 9.4 SWIFT_CSCF_v2022_9.4 SWIFT CSCF v2022 9.4 9. Ensure Availability through Resilience Providers' availability and quality of service is ensured through usage of the recommended SWIFT connectivity packs and the appropriate line bandwidth Shared n/a Providers' availability and quality of service is ensured through usage of the recommended SWIFT connectivity packs and the appropriate line bandwidth link 5
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add e4e1f896-8a93-1151-43c7-0ad23b081ee2