compliance controls are associated with this Policy definition 'Function apps should use the latest TLS version' (f9d614c5-c173-4d56-95a7-b4437057d193)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| AU_ISM |
1139 |
AU_ISM_1139 |
AU ISM 1139 |
Guidelines for Cryptography - Transport Layer Security |
Using Transport Layer Security - 1139 |
|
n/a |
Only the latest version of TLS is used. |
link |
6 |
| Azure_Security_Benchmark_v1.0 |
4.4 |
Azure_Security_Benchmark_v1.0_4.4 |
Azure Security Benchmark 4.4 |
Data Protection |
Encrypt all sensitive information in transit |
Shared |
Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure resources are able to negotiate TLS 1.2 or greater.
Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable.
Understand encryption in transit with Azure:
https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit |
n/a |
link |
10 |
| Azure_Security_Benchmark_v2.0 |
DP-4 |
Azure_Security_Benchmark_v2.0_DP-4 |
Azure Security Benchmark DP-4 |
Data Protection |
Encrypt sensitive information in transit |
Shared |
To complement access controls, data in transit should be protected against ‘out of band’ attacks (e.g. traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.
While this is optional for traffic on private networks, this is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsoleted SSL, TLS, and SSH versions and protocols, and weak ciphers should be disabled.
By default, Azure provides encryption for data in transit between Azure data centers.
Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit
Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem
Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit |
n/a |
link |
12 |
| Azure_Security_Benchmark_v3.0 |
DP-3 |
Azure_Security_Benchmark_v3.0_DP-3 |
Microsoft cloud security benchmark DP-3 |
Data Protection |
Encrypt sensitive data in transit |
Shared |
**Security Principle:**
Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.
Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on external and public networks.
**Azure Guidance:**
Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in.
Enforce HTTPS for workload web application and services by ensuring that any clients connecting to your Azure resources use transportation layer security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol.
Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure PaaS services by default.
**Implementation and additional context:**
Double encryption for Azure data in transit:
https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit
Understand encryption in transit with Azure:
https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit
Information on TLS Security:
https://docs.microsoft.com/security/engineering/solving-tls1-problem
Enforce secure transfer in Azure storage:
https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account |
n/a |
link |
15 |
| Azure_Security_Benchmark_v3.0 |
NS-8 |
Azure_Security_Benchmark_v3.0_NS-8 |
Microsoft cloud security benchmark NS-8 |
Network Security |
Detect and disable insecure services and protocols |
Shared |
**Security Principle:**
Detect and disable insecure services and protocols at the OS, application, or software package layer. Deploy compensating controls if disabling insecure services and protocols are not possible.
**Azure Guidance:**
Use Azure Sentinel’s built-in Insecure Protocol Workbook to discover the use of insecure services and protocols such as SSL/TLSv1, SSHv1, SMBv1, LM/NTLMv1, wDigest, Unsigned LDAP Binds, and weak ciphers in Kerberos. Disable insecure services and protocols that do not meet the appropriate security standard.
Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resources through network security group, Azure Firewall, or Azure Web Application Firewall to reduce the attack surface.
**Implementation and additional context:**
Azure Sentinel insecure protocols workbook:
https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility#use-built-in-workbooks |
n/a |
link |
2 |
| CIS_Azure_1.1.0 |
9.3 |
CIS_Azure_1.1.0_9.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.3 |
9 AppService |
Ensure web app is using the latest version of TLS encryption |
Shared |
The customer is responsible for implementing this recommendation. |
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. |
link |
5 |
| CIS_Azure_1.3.0 |
9.3 |
CIS_Azure_1.3.0_9.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.3 |
9 AppService |
Ensure web app is using the latest version of TLS encryption |
Shared |
The customer is responsible for implementing this recommendation. |
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. |
link |
5 |
| CIS_Azure_1.4.0 |
9.3 |
CIS_Azure_1.4.0_9.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.3 |
9 AppService |
Ensure Web App is using the latest version of TLS encryption |
Shared |
The customer is responsible for implementing this recommendation. |
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. |
link |
5 |
| CIS_Azure_2.0.0 |
9.3 |
CIS_Azure_2.0.0_9.3 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.3 |
9 |
Ensure Web App is using the latest version of TLS encryption |
Shared |
n/a |
The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.
App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections. |
link |
5 |
| CIS_Azure_Foundations_v2.1.0 |
9.3 |
CIS_Azure_Foundations_v2.1.0_9.3 |
CIS Azure Foundations v2.1.0 9.3 |
AppService |
Ensure Web App is using the latest version of TLS encryption |
Shared |
n/a |
Ensure Web App is using the latest version of TLS encryption. |
|
2 |
| CIS_Azure_Foundations_v3.0.0 |
9.4 |
CIS_Azure_Foundations_v3.0.0_9.4 |
CIS Azure Foundations v3.0.0 9.4 |
9 |
Ensure Web App is Using the Latest Version of TLS Encryption |
Shared |
n/a |
Verify that the web application is configured to use the latest version of transport layer security (TLS) encryption. This control is crucial for ensuring secure communications by protecting data in transit from potential interception and vulnerabilities associated with outdated protocols. |
|
3 |
| CIS_Controls_v8.1 |
3.10 |
CIS_Controls_v8.1_3.10 |
404 not found |
|
|
|
n/a |
n/a |
|
8 |
| CIS_Controls_v8.1 |
4.1 |
CIS_Controls_v8.1_4.1 |
CIS Controls v8.1 4.1 |
Secure Configuration of Enterprise Assets and Software |
Establish and maintain a secure configuration process. |
Shared |
1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications).
2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. |
To ensure data integrity and safety of enterprise assets. |
|
44 |
| CMMC_2.0_L2 |
SC.L2-3.13.8 |
CMMC_2.0_L2_SC.L2-3.13.8 |
404 not found |
|
|
|
n/a |
n/a |
|
16 |
| CMMC_L3 |
IA.3.084 |
CMMC_L3_IA.3.084 |
CMMC L3 IA.3.084 |
Identification and Authentication |
Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators. |
link |
5 |
| CMMC_L3 |
SC.1.175 |
CMMC_L3_SC.1.175 |
CMMC L3 SC.1.175 |
System and Communications Protection |
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses.
Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. |
link |
30 |
| CMMC_L3 |
SC.3.185 |
CMMC_L3_SC.3.185 |
CMMC L3 SC.3.185 |
System and Communications Protection |
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. |
link |
10 |
| CMMC_L3 |
SC.3.190 |
CMMC_L3_SC.3.190 |
CMMC L3 SC.3.190 |
System and Communications Protection |
Protect the authenticity of communications sessions. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. |
link |
8 |
| CMMC_L3 |
SI.1.210 |
CMMC_L3_SI.1.210 |
CMMC L3 SI.1.210 |
System and Information Integrity |
Identify, report, and correct information and information system flaws in a timely manner. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems.
Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation. |
link |
7 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
306 |
| FedRAMP_High_R4 |
SC-8 |
FedRAMP_High_R4_SC-8 |
FedRAMP High SC-8 |
System And Communications Protection |
Transmission Confidentiality And Integrity |
Shared |
n/a |
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. |
link |
15 |
| FedRAMP_High_R4 |
SC-8(1) |
FedRAMP_High_R4_SC-8(1) |
FedRAMP High SC-8 (1) |
System And Communications Protection |
Cryptographic Or Alternate Physical Protection |
Shared |
n/a |
The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. |
link |
14 |
| FedRAMP_Moderate_R4 |
SC-8 |
FedRAMP_Moderate_R4_SC-8 |
FedRAMP Moderate SC-8 |
System And Communications Protection |
Transmission Confidentiality And Integrity |
Shared |
n/a |
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. |
link |
15 |
| FedRAMP_Moderate_R4 |
SC-8(1) |
FedRAMP_Moderate_R4_SC-8(1) |
FedRAMP Moderate SC-8 (1) |
System And Communications Protection |
Cryptographic Or Alternate Physical Protection |
Shared |
n/a |
The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. |
link |
14 |
| hipaa |
0809.01n2Organizational.1234-01.n |
hipaa-0809.01n2Organizational.1234-01.n |
0809.01n2Organizational.1234-01.n |
08 Network Protection |
0809.01n2Organizational.1234-01.n 01.04 Network Access Control |
Shared |
n/a |
Network traffic is controlled in accordance with the organization’s access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. |
|
17 |
| hipaa |
0810.01n2Organizational.5-01.n |
hipaa-0810.01n2Organizational.5-01.n |
0810.01n2Organizational.5-01.n |
08 Network Protection |
0810.01n2Organizational.5-01.n 01.04 Network Access Control |
Shared |
n/a |
Transmitted information is secured and, at a minimum, encrypted over open, public networks. |
|
16 |
| hipaa |
0811.01n2Organizational.6-01.n |
hipaa-0811.01n2Organizational.6-01.n |
0811.01n2Organizational.6-01.n |
08 Network Protection |
0811.01n2Organizational.6-01.n 01.04 Network Access Control |
Shared |
n/a |
Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. |
|
23 |
| hipaa |
0812.01n2Organizational.8-01.n |
hipaa-0812.01n2Organizational.8-01.n |
0812.01n2Organizational.8-01.n |
08 Network Protection |
0812.01n2Organizational.8-01.n 01.04 Network Access Control |
Shared |
n/a |
Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. |
|
12 |
| hipaa |
0814.01n1Organizational.12-01.n |
hipaa-0814.01n1Organizational.12-01.n |
0814.01n1Organizational.12-01.n |
08 Network Protection |
0814.01n1Organizational.12-01.n 01.04 Network Access Control |
Shared |
n/a |
The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of its business applications. |
|
11 |
| hipaa |
0949.09y2Organizational.5-09.y |
hipaa-0949.09y2Organizational.5-09.y |
0949.09y2Organizational.5-09.y |
09 Transmission Protection |
0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services |
Shared |
n/a |
The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible. |
|
6 |
| K_ISMS_P_2018 |
2.10.1 |
K_ISMS_P_2018_2.10.1 |
K ISMS P 2018 2.10.1 |
2.10 |
Establish Procedures for Managing the Security of System Operations |
Shared |
n/a |
Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions. |
|
455 |
| K_ISMS_P_2018 |
2.10.2 |
K_ISMS_P_2018_2.10.2 |
K ISMS P 2018 2.10.2 |
2.10 |
Establish Protective Measures for Administrator Privileges and Security Configurations |
Shared |
n/a |
Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations. |
|
431 |
| K_ISMS_P_2018 |
2.10.4 |
K_ISMS_P_2018_2.10.4 |
K ISMS P 2018 2.10.4 |
2.10 |
Establish Protective Measures when Working with Electronic Transactions or Fintech Services |
Shared |
n/a |
Establish and implement protective measures such as authentication and encryption to prevent information leakage, data alteration, or fraud when working with electronic transactions and Fintech services. In the event connections to external systems are required, safety must be checked. |
|
45 |
| K_ISMS_P_2018 |
2.10.5 |
K_ISMS_P_2018_2.10.5 |
K ISMS P 2018 2.10.5 |
2.10 |
Establish Secure Data Transmission Procedures with External Organizations |
Shared |
n/a |
Establish secure transmission policies, transmission methods, and technical measures for protecting personal information and important information if transmitting data to external organizations. Agreement on management responsibilities for data transmission must be established. |
|
30 |
| K_ISMS_P_2018 |
2.10.8 |
K_ISMS_P_2018_2.10.8 |
K ISMS P 2018 2.10.8 |
2.10 |
Apply the Latest Patches to Software and Hardware |
Shared |
n/a |
Apply the latest patches to software and hardware to prevent vulnerabilities in operating systems and security systems. If the latest patch cannot be applied, supplemental protective measures must be implemented such as exception approval. |
|
10 |
| New_Zealand_ISM |
17.4.16.C.01 |
New_Zealand_ISM_17.4.16.C.01 |
New_Zealand_ISM_17.4.16.C.01 |
17. Cryptography |
17.4.16.C.01 Using TLS |
|
n/a |
Agencies SHOULD use the current version of TLS (version 1.3). |
|
5 |
| NIST_SP_800-171_R2_3 |
.13.8 |
NIST_SP_800-171_R2_3.13.8 |
NIST SP 800-171 R2 3.13.8 |
System and Communications Protection |
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. See [NIST CRYPTO]. |
link |
16 |
| NIST_SP_800-53_R4 |
SC-8 |
NIST_SP_800-53_R4_SC-8 |
NIST SP 800-53 Rev. 4 SC-8 |
System And Communications Protection |
Transmission Confidentiality And Integrity |
Shared |
n/a |
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. |
link |
15 |
| NIST_SP_800-53_R4 |
SC-8(1) |
NIST_SP_800-53_R4_SC-8(1) |
NIST SP 800-53 Rev. 4 SC-8 (1) |
System And Communications Protection |
Cryptographic Or Alternate Physical Protection |
Shared |
n/a |
The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. |
link |
14 |
| NIST_SP_800-53_R5 |
SC-8 |
NIST_SP_800-53_R5_SC-8 |
NIST SP 800-53 Rev. 5 SC-8 |
System and Communications Protection |
Transmission Confidentiality and Integrity |
Shared |
n/a |
Protect the [Selection (OneOrMore): confidentiality;integrity] of transmitted information. |
link |
15 |
| NIST_SP_800-53_R5 |
SC-8(1) |
NIST_SP_800-53_R5_SC-8(1) |
NIST SP 800-53 Rev. 5 SC-8 (1) |
System and Communications Protection |
Cryptographic Protection |
Shared |
n/a |
Implement cryptographic mechanisms to [Selection (OneOrMore): prevent unauthorized disclosure of information;detect changes to information] during transmission. |
link |
14 |
| NZ_ISM_v3.5 |
CR-8 |
NZ_ISM_v3.5_CR-8 |
NZISM Security Benchmark CR-8 |
Cryptography |
17.4.16 Using TLS |
Customer |
n/a |
Whilst version 1.0 of SSL was never released, version 2.0 had significant security flaws leading to the development of SSL 3.0. SSL has since been superseded by TLS with the latest version being TLS 1.3 which was released in August 2018. SSL is no longer an approved cryptographic protocol |
link |
3 |
| NZISM_Security_Benchmark_v1.1 |
CR-7 |
NZISM_Security_Benchmark_v1.1_CR-7 |
NZISM Security Benchmark CR-7 |
Cryptography |
17.4.16 Using TLS |
Customer |
Agencies SHOULD use the current version of TLS. |
Whilst version 1.0 of SSL was never released, version 2.0 had significant security flaws leading to the development of SSL 3.0. SSL has since been superseded by TLS with the latest version being TLS 1.3 which was released in August 2018. SSL is no longer an approved cryptographic protocol |
link |
5 |
| RBI_CSF_Banks_v2016 |
10.1 |
RBI_CSF_Banks_v2016_10.1 |
|
Secure Mail And Messaging Systems |
Secure Mail And Messaging Systems-10.1 |
|
n/a |
Implement secure mail and messaging systems, including those used by bank???s partners & vendors, that include measures to prevent email spoofing, identical mail domains, protection of attachments, malicious links etc |
|
15 |
| RBI_CSF_Banks_v2016 |
10.2 |
RBI_CSF_Banks_v2016_10.2 |
|
Secure Mail And Messaging Systems |
Secure Mail And Messaging Systems-10.2 |
|
n/a |
Document and implement emailserver specific controls |
|
15 |
| RBI_CSF_Banks_v2016 |
13.1 |
RBI_CSF_Banks_v2016_13.1 |
|
Advanced Real-Timethreat Defenceand Management |
Advanced Real-Timethreat Defenceand Management-13.1 |
|
n/a |
Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise. |
|
21 |
| RBI_CSF_Banks_v2016 |
13.4 |
RBI_CSF_Banks_v2016_13.4 |
|
Advanced Real-Timethreat Defenceand Management |
Advanced Real-Timethreat Defenceand Management-13.4 |
|
n/a |
Consider implementingsecure web gateways with capability to deep scan network packets including secure (HTTPS, etc.) traffic passing through the web/internet gateway |
|
41 |
| RBI_ITF_NBFC_v2017 |
3.1.h |
RBI_ITF_NBFC_v2017_3.1.h |
RBI IT Framework 3.1.h |
Information and Cyber Security |
Public Key Infrastructure (PKI)-3.1 |
|
n/a |
The IS Policy must provide for a IS framework with the following basic tenets:
Public Key Infrastructure (PKI) - NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation. |
link |
31 |
| RMiT_v1.0 |
10.68 |
RMiT_v1.0_10.68 |
RMiT 10.68 |
Security of Digital Services |
Security of Digital Services - 10.68 |
Shared |
n/a |
A financial institution must implement additional controls to authenticate devices and users, authorise transactions and support non-repudiation and accountability for high-risk transactions or transactions above RM10,000. These measures must include, at a minimum, the following:
(a) ensure transactions are performed over secured channels such as the latest version of Transport Layer Security (TLS);
(b) both client and host application systems must encrypt all confidential information prior to transmission over the network;
(c) adopt MFA for transactions;
(d) if OTP is used as a second factor, it must be dynamic and time-bound;
(e) request users to verify details of the transaction prior to execution;
(f) ensure secure user and session handling management;
(g) be able to capture the location of origin and destination of each transaction;
(h) implement strong mutual authentication between the users' end-point devices and financial institutions' servers, such as the use of the latest version of Extended Validation SSL certificate (EV SSL); and
(i) provide timely notification to customers that is sufficiently descriptive of the nature of the transaction. |
link |
2 |
| SOC_2 |
CC6.1 |
SOC_2_CC6.1 |
SOC 2 Type 2 CC6.1 |
Logical and Physical Access Controls |
Logical access security software, infrastructure, and architectures |
Shared |
The customer is responsible for implementing this recommendation. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion:
• Identifies and Manages the Inventory of Information Assets — The entity identifies,
Page 29
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
inventories, classifies, and manages information assets.
• Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative
authorities, mobile devices, output, and offline system components is restricted
through the use of access control software and rule sets.
• Identifies and Authenticates Users — Persons, infrastructure, and software are
identified and authenticated prior to accessing information assets, whether locally
or remotely.
• Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
• Manages Points of Access — Points of access by outside entities and the types of
data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified,
documented, and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
• Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems
accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external
infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point.
Credentials are removed and access is disabled when access is no longer required
or the infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to supplement other
measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
• Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction |
|
75 |
| SOC_2 |
CC6.6 |
SOC_2_CC6.6 |
SOC 2 Type 2 CC6.6 |
Logical and Physical Access Controls |
Security measures against threats outside system boundaries |
Shared |
The customer is responsible for implementing this recommendation. |
• Restricts Access — The types of activities that can occur through a communication
channel (for example, FTP site, router port) are restricted.
• Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries.
• Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its
boundaries.
• Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and
are monitored to detect such attempts |
|
37 |
| SOC_2 |
CC6.7 |
SOC_2_CC6.7 |
SOC 2 Type 2 CC6.7 |
Logical and Physical Access Controls |
Restrict the movement of information to authorized users |
Shared |
The customer is responsible for implementing this recommendation. |
• Restricts the Ability to Perform Transmission — Data loss prevention processes and
technologies are used to restrict ability to authorize and execute transmission,
movement, and removal of information.
• Uses Encryption Technologies or Secure Communication Channels to Protect Data
— Encryption technologies or secured communication channels are used to protect
transmission of data and other communications beyond connectivity access points.
• Protects Removal Media — Encryption technologies and physical asset protections
are used for removable media (such as USB drives and backup tapes), as appropriate.
• Protects Mobile Devices — Processes are in place to protect mobile devices (such
as laptops, smart phones, and tablets) that serve as information assets |
|
29 |
| SWIFT_CSCF_v2021 |
2.1 |
SWIFT_CSCF_v2021_2.1 |
SWIFT CSCF v2021 2.1 |
Reduce Attack Surface and Vulnerabilities |
Internal Data Flow Security |
|
n/a |
Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related applications. |
link |
14 |
| SWIFT_CSCF_v2021 |
2.6 |
SWIFT_CSCF_v2021_2.6 |
SWIFT CSCF v2021 2.6 |
Reduce Attack Surface and Vulnerabilities |
Operator Session Confidentiality and Integrity |
|
n/a |
Protect the confidentiality and integrity of interactive operator sessions connecting to the local or the remote (operated by a service provider) SWIFT-related infrastructure or applications. |
link |
8 |
|
U.05.1 - Cryptographic measures |
U.05.1 - Cryptographic measures |
404 not found |
|
|
|
n/a |
n/a |
|
18 |
|
U.11.1 - Policy |
U.11.1 - Policy |
404 not found |
|
|
|
n/a |
n/a |
|
17 |
|
U.11.2 - Cryptographic measures |
U.11.2 - Cryptographic measures |
404 not found |
|
|
|
n/a |
n/a |
|
20 |