compliance controls are associated with this Policy definition 'API Management APIs should use only encrypted protocols' (ee7495e7-3ba7-40b6-bfee-c29e22cc75d4)
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| Azure_Security_Benchmark_v3.0 | DP-3 | Azure_Security_Benchmark_v3.0_DP-3 | Microsoft cloud security benchmark DP-3 | Data Protection | Encrypt sensitive data in transit | Shared | **Security Principle:**<br>Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.<br>Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on external and public networks.<br>**Azure Guidance:**<br>Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in.<br>Enforce HTTPS for workload web applications and services by ensuring that any clients connecting to your Azure resources use Transport Layer Security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol.<br>Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure PaaS services by default.<br>**Implementation and additional context:**<br>Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit<br>Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit<br>Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem<br>Enforce secure transfer in Azure storage: https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account | n/a | link | 15 |
| DORA_2022_2554 | 9.3a | DORA_2022_2554_9.3a | DORA 2022 2554 9.3a | 9 | Implement Secure Data Transfer Solutions for ICT Systems | Shared | n/a | Leverage information and communication technology (ICT) solutions and processes that ensure the security of data transfer methods to protect against unauthorized access and data breaches. | | 50 |
| DORA_2022_2554 | 9.3b | DORA_2022_2554_9.3b | DORA 2022 2554 9.3b | 9 | Minimize Risks of Data Corruption and Loss in ICT Processes | Shared | n/a | Implement information and communication technology (ICT) processes that minimize the risk of data corruption or loss, unauthorized access, and technical flaws that may disrupt business activities. | | 36 |
| EU_AI_Act_2024_1689 | 15.5 | EU_AI_Act_2024_1689_15.5 | EU AI Act 2024 1689 15.5 | 15 | Implement Cybersecurity Measures for High-Risk AI Systems | Shared | n/a | Confirm high-risk AI systems are resilient against unauthorized attempts to alter their use or performance. Implement appropriate technical solutions to address vulnerabilities, including measures to prevent, detect, and respond to data poisoning, model poisoning, and adversarial attacks. | | 6 |
| EU_AI_Act_2024_1689 | 55.1d | EU_AI_Act_2024_1689_55.1d | EU AI Act 2024 1689 55.1d | 55 | Ensure Cybersecurity for General-Purpose AI Models with Systemic Risk | Shared | n/a | Ensure, as required for AI providers of general-purpose AI models with systemic risk, an adequate level of cybersecurity for both the model and its supporting physical infrastructure. | | 6 |
| K_ISMS_P_2018 | 2.10.1 | K_ISMS_P_2018_2.10.1 | K ISMS P 2018 2.10.1 | 2.10 | Establish Procedures for Managing the Security of System Operations | Shared | n/a | Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions. | | 455 |
| K_ISMS_P_2018 | 2.10.2 | K_ISMS_P_2018_2.10.2 | K ISMS P 2018 2.10.2 | 2.10 | Establish Protective Measures for Administrator Privileges and Security Configurations | Shared | n/a | Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations. | | 431 |
| K_ISMS_P_2018 | 2.10.4 | K_ISMS_P_2018_2.10.4 | K ISMS P 2018 2.10.4 | 2.10 | Establish Protective Measures when Working with Electronic Transactions or Fintech Services | Shared | n/a | Establish and implement protective measures such as authentication and encryption to prevent information leakage, data alteration, or fraud when working with electronic transactions and Fintech services. In the event connections to external systems are required, safety must be checked. | | 45 |
| K_ISMS_P_2018 | 2.10.5 | K_ISMS_P_2018_2.10.5 | K ISMS P 2018 2.10.5 | 2.10 | Establish Secure Data Transmission Procedures with External Organizations | Shared | n/a | Establish secure transmission policies, transmission methods, and technical measures for protecting personal information and important information if transmitting data to external organizations. Agreement on management responsibilities for data transmission must be established. | | 30 |
| K_ISMS_P_2018 | 2.7.1b | K_ISMS_P_2018_2.7.1b | K ISMS P 2018 2.7.1b | 2.7 | Ensure Data is Encrypted at Rest and In-Transit | Shared | n/a | Ensure data is encrypted when storing and transmitting personal and important information. | | 70 |
| New_Zealand_ISM | 17.1.55.C.03 | New_Zealand_ISM_17.1.55.C.03 | New_Zealand_ISM_17.1.55.C.03 | 17. Cryptography | 17.1.55.C.03 Information and Systems Protection | | n/a | Agencies MUST encrypt aggregated agency data using an approved algorithm and protocol over insecure or unprotected networks such as the Internet, public infrastructure or non-agency controlled networks when the compromise of the aggregated data would present a significant impact to the agency. | | 1 |
| | U.05.1 - Cryptographic measures | U.05.1 - Cryptographic measures | 404 not found | | | | n/a | n/a | | 18 |